path: root/network/shorewall/patch-4.4.12.2
Diffstat (limited to 'network/shorewall/patch-4.4.12.2')
-rw-r--r--network/shorewall/patch-4.4.12.2215
1 files changed, 215 insertions, 0 deletions
diff --git a/network/shorewall/patch-4.4.12.2 b/network/shorewall/patch-4.4.12.2
new file mode 100644
index 0000000000..7d43ff1599
--- /dev/null
+++ b/network/shorewall/patch-4.4.12.2
@@ -0,0 +1,215 @@
+diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/Perl/Shorewall/Chains.pm shorewall-4.4.12.2/Perl/Shorewall/Chains.pm
+--- shorewall-4.4.12.1/Perl/Shorewall/Chains.pm 2010-08-24 13:15:35.000000000 -0700
++++ shorewall-4.4.12.2/Perl/Shorewall/Chains.pm 2010-09-04 07:30:24.000000000 -0700
+@@ -687,7 +687,7 @@
+ # deleting elements from the array over which we are iterating.
+ #
+ for ( my $rule = 0; $rule <= $#{$rules}; $rule++ ) {
+- if ( $rules->[$rule] =~ / -[gj] ${to}( -m comment .*)?\s*$/ ) {
++ if ( $rules->[$rule] =~ / -[gj] ${to}(\s+-m comment .*)?\s*$/ ) {
+ trace( $fromref, 'D', $rule + 1, $rules->[$rule] ) if $debug;
+ splice( @$rules, $rule, 1 );
+ last unless --$refs > 0;
+@@ -3392,7 +3392,7 @@
+ #
+ # We have non-trivial exclusion -- need to create an exclusion chain
+ #
+- fatal_error "Exclusion is not possible in ACCEPT+/CONTINUE/NONAT rules" if $disposition eq 'RETURN';
++ fatal_error "Exclusion is not possible in ACCEPT+/CONTINUE/NONAT rules" if $disposition eq 'RETURN' || $disposition eq 'CONTINUE';
+
+ #
+ # Create the Exclusion Chain
+diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/Perl/Shorewall/Config.pm shorewall-4.4.12.2/Perl/Shorewall/Config.pm
+--- shorewall-4.4.12.1/Perl/Shorewall/Config.pm 2010-08-24 13:15:35.000000000 -0700
++++ shorewall-4.4.12.2/Perl/Shorewall/Config.pm 2010-09-04 07:30:24.000000000 -0700
+@@ -345,7 +345,7 @@
+ EXPORT => 0,
+ STATEMATCH => '-m state --state',
+ UNTRACKED => 0,
+- VERSION => "4.4.12.1",
++ VERSION => "4.4.12.2",
+ CAPVERSION => 40411 ,
+ );
+
+diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/Perl/Shorewall/Rules.pm shorewall-4.4.12.2/Perl/Shorewall/Rules.pm
+--- shorewall-4.4.12.1/Perl/Shorewall/Rules.pm 2010-08-24 13:15:35.000000000 -0700
++++ shorewall-4.4.12.2/Perl/Shorewall/Rules.pm 2010-09-04 07:30:24.000000000 -0700
+@@ -303,7 +303,7 @@
+ my $target = source_exclusion( $hostref->[3], $chainref );
+
+ for my $chain ( first_chains $interface ) {
+- add_jump $filter_table->{$chain} , $chainref, 0, "${source}${state}${policy}";
++ add_jump $filter_table->{$chain} , $target, 0, "${source}${state}${policy}";
+ }
+
+ set_interface_option $interface, 'use_input_chain', 1;
+@@ -675,12 +675,12 @@
+
+ for $interface ( @$list ) {
+ my $chainref = $filter_table->{input_chain $interface};
+- my $base = uc chain_base $interface;
++ my $base = uc chain_base get_physical $interface;
+ my $variable = get_interface_gateway $interface;
+
+ if ( interface_is_optional $interface ) {
+ add_commands( $chainref,
+- qq(if [ -n "\$${base}_IS_USABLE" -a -n "$variable" ]; then) ,
++ qq(if [ -n "\$SW_${base}_IS_USABLE" -a -n "$variable" ]; then) ,
+ ' echo "-A ' . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT" >&3) ,
+ qq(fi) );
+ } else {
+diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/changelog.txt shorewall-4.4.12.2/changelog.txt
+--- shorewall-4.4.12.1/changelog.txt 2010-08-24 13:15:35.000000000 -0700
++++ shorewall-4.4.12.2/changelog.txt 2010-09-04 07:30:24.000000000 -0700
+@@ -1,9 +1,17 @@
++Changes in Shorewall 4.4.12.2
++
++1) Add tweak to 4.4.12.1 optimization fix.
++
++2) Fix exclusion in the blacklist file.
++
+ Changes in Shorewall 4.4.12.1
+
+ 1) Fix optimization bugs.
+
+ 2) Fix detection of old ipset match capability
+
++3) Fix REQUIRE_INTERFACE=Yes
++
+ Changes in Shorewall 4.4.12
+
+ 1) Fix IPv6 shorecap program.
+diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/install.sh shorewall-4.4.12.2/install.sh
+--- shorewall-4.4.12.1/install.sh 2010-08-24 13:15:35.000000000 -0700
++++ shorewall-4.4.12.2/install.sh 2010-09-04 07:30:24.000000000 -0700
+@@ -22,7 +22,7 @@
+ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ #
+
+-VERSION=4.4.12.1
++VERSION=4.4.12.2
+
+ usage() # $1 = exit status
+ {
+diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/known_problems.txt shorewall-4.4.12.2/known_problems.txt
+--- shorewall-4.4.12.1/known_problems.txt 2010-08-24 13:15:35.000000000 -0700
++++ shorewall-4.4.12.2/known_problems.txt 2010-09-04 07:30:24.000000000 -0700
+@@ -5,9 +5,33 @@
+ to rules, OPTIMIZE 8 through 15 can result in invalid
+ iptables-restore (ip6tables-restore) input.
+
+- Workaround: Don't use optimizaiton levels greater than 7.
++ Corrected in Shorewall 4.4.12.1.
+
+ 3) Under rare circumstances unvolving exclusion, OPTIMIZE 8 through 15
+ canresult in invalid iptables-restore (ip6tables-restore) input.
+
+- Workaround: Don't use optimizaiton levels greater than 7.
++ Corrected in Shorewall 4.4.12.1.
++
++4) The change in 4.4.12 to detect and use the new ipset match syntax
++ broke the ability to detect the old ipset match capability.
++
++ Corrected in Shorewall 4.4.12.1.
++
++5) If REQUIRE_INTERFACE=Yes then start/restart will fail
++ if the last optional interface tested is not available.
++
++ Corrected in Shorewall 4.4.12.1.
++
++6) The fix for COMMENT and optimization in 4.4.12.1 is incomplete.
++
++ Corrected in Shorewall 4.4.12.2
++
++7) Exclusion in the blacklist file is correctly validated but is then
++ ignored when generating iptables (ip6tables) rules.
++
++ Corrected in Shorewall 4.4.12.2.
++
++8) Shorewall allows CONTINUE rules with exclusion. These rules
++ generate valid but incorrect iptables (ip6tables) input.
++
++ Corrected in Shorewall 4.4.12.2 -- these rules are now disallowed.
+diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/releasenotes.txt shorewall-4.4.12.2/releasenotes.txt
+--- shorewall-4.4.12.1/releasenotes.txt 2010-08-24 13:15:35.000000000 -0700
++++ shorewall-4.4.12.2/releasenotes.txt 2010-09-04 07:30:24.000000000 -0700
+@@ -1,5 +1,5 @@
+ ----------------------------------------------------------------------------
+- S H O R E W A L L 4 . 4 . 1 2 . 1
++ S H O R E W A L L 4 . 4 . 1 2 . 2
+ ----------------------------------------------------------------------------
+
+ I. RELEASE 4.4 HIGHLIGHTS
+@@ -224,21 +224,38 @@
+ I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
+ ----------------------------------------------------------------------------
+
++4.4.12.2
++
++1) Earlier releases allowed CONTINUE rules with exclusion. These rules
++ generated valid but incorrect iptables (ip6tables) input. Such
++ rules are now disallowed.
++
++2) The fix for COMMENT and OPTIMIZE 8-15 in 4.4.12.1 missed one case
++ which has now been corrected.
++
++3) Previously, exclusion in the blacklist file was correctly validated
++ but was then ignored when generating iptables (ip6tables) rules.
++
++4) Previously, the interface option combination of 'optional' and
++ 'upnpclient' did not work correctly.
++
+ 4.4.12.1
+
+ 1) Under rare circumstances where COMMENT is used to attach comments
+ to rules, OPTIMIZE 8 through 15 could result in invalid
+ iptables-restore (ip6tables-restore) input.
+
+-2) Under rare circumstances unvolving exclusion, OPTIMIZE 8 through 15
++2) Under rare circumstances involving exclusion, OPTIMIZE 8 through 15
+ could result in invalid iptables-restore (ip6tables-restore) input.
+
+ 3) The change in 4.4.12 to detect and use the new ipset match syntax
+ broke the ability to detect the old ipset match capability. Now,
+ both versions of the capability can be correctly detected.
+
+-4.4.12
++4) Previously, if REQUIRE_INTERFACE=Yes then start/restart would fail
++ if the last optional interface tested was not available.
+
++4.4.12
+
+ 1) Previously, the Shorewall6-lite version of shorecap was using
+ iptables rather than ip6tables, with the result that many capabilities
+diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/shorewall.spec shorewall-4.4.12.2/shorewall.spec
+--- shorewall-4.4.12.1/shorewall.spec 2010-08-24 13:15:35.000000000 -0700
++++ shorewall-4.4.12.2/shorewall.spec 2010-09-04 07:30:24.000000000 -0700
+@@ -1,6 +1,6 @@
+ %define name shorewall
+ %define version 4.4.12
+-%define release 1
++%define release 2
+
+ Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
+ Name: %{name}
+@@ -108,6 +108,8 @@
+ %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
+
+ %changelog
++* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
++- Updated to 4.4.12-2
+ * Mon Aug 23 2010 Tom Eastep tom@shorewall.net
+ - Updated to 4.4.12-1
+ * Sun Aug 15 2010 Tom Eastep tom@shorewall.net
+diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/uninstall.sh shorewall-4.4.12.2/uninstall.sh
+--- shorewall-4.4.12.1/uninstall.sh 2010-08-24 13:15:35.000000000 -0700
++++ shorewall-4.4.12.2/uninstall.sh 2010-09-04 07:30:24.000000000 -0700
+@@ -26,7 +26,7 @@
+ # You may only use this script to uninstall the version
+ # shown below. Simply run this script to remove Shorewall Firewall
+
+-VERSION=4.4.12.1
++VERSION=4.4.12.2
+
+ usage() # $1 = exit status
+ {
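Review bot: The Chains.pm regex in the first inner hunk interpolates the chain name `${to}` into the pattern unquoted (`/ -[gj] ${to}(\s+-m comment .*)?\s*$/`), so any regex metacharacter in a chain name would change what the rule-deletion loop matches; Shorewall presumably validates chain names before this point, but `\Q${to}\E` would make the match independent of that. This file is upstream's verbatim 4.4.12.1→4.4.12.2 patch, so the change belongs upstream rather than in the vendored copy. Worth noting for the SlackBuild record that the Rules.pm hunk (`$chainref` → `$target` in the `add_jump` call) is the fix for known_problems item 7: before it, blacklist exclusions passed validation but had no effect on the generated ruleset, so the live rules differed from the configured policy. The enclosing subroutines of every inner hunk start and end outside the shown context.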