Diffstat (limited to 'network/shorewall/patch-4.4.12.2')
-rw-r--r-- | network/shorewall/patch-4.4.12.2 | 215 |
1 files changed, 215 insertions, 0 deletions
diff --git a/network/shorewall/patch-4.4.12.2 b/network/shorewall/patch-4.4.12.2
new file mode 100644
index 0000000000..7d43ff1599
--- /dev/null
+++ b/network/shorewall/patch-4.4.12.2
@@ -0,0 +1,215 @@
+diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/Perl/Shorewall/Chains.pm shorewall-4.4.12.2/Perl/Shorewall/Chains.pm
+--- shorewall-4.4.12.1/Perl/Shorewall/Chains.pm 2010-08-24 13:15:35.000000000 -0700
++++ shorewall-4.4.12.2/Perl/Shorewall/Chains.pm 2010-09-04 07:30:24.000000000 -0700
+@@ -687,7 +687,7 @@
+ # deleting elements from the array over which we are iterating.
+ #
+ for ( my $rule = 0; $rule <= $#{$rules}; $rule++ ) {
+- if ( $rules->[$rule] =~ / -[gj] ${to}( -m comment .*)?\s*$/ ) {
++ if ( $rules->[$rule] =~ / -[gj] ${to}(\s+-m comment .*)?\s*$/ ) {
+ trace( $fromref, 'D', $rule + 1, $rules->[$rule] ) if $debug;
+ splice( @$rules, $rule, 1 );
+ last unless --$refs > 0;
+@@ -3392,7 +3392,7 @@
+ #
+ # We have non-trivial exclusion -- need to create an exclusion chain
+ #
+- fatal_error "Exclusion is not possible in ACCEPT+/CONTINUE/NONAT rules" if $disposition eq 'RETURN';
++ fatal_error "Exclusion is not possible in ACCEPT+/CONTINUE/NONAT rules" if $disposition eq 'RETURN' || $disposition eq 'CONTINUE';
+ 
+ #
+ # Create the Exclusion Chain
+diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/Perl/Shorewall/Config.pm shorewall-4.4.12.2/Perl/Shorewall/Config.pm
+--- shorewall-4.4.12.1/Perl/Shorewall/Config.pm 2010-08-24 13:15:35.000000000 -0700
++++ shorewall-4.4.12.2/Perl/Shorewall/Config.pm 2010-09-04 07:30:24.000000000 -0700
+@@ -345,7 +345,7 @@
+ EXPORT => 0,
+ STATEMATCH => '-m state --state',
+ UNTRACKED => 0,
+- VERSION => "4.4.12.1",
++ VERSION => "4.4.12.2",
+ CAPVERSION => 40411 ,
+ );
+ 
+diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/Perl/Shorewall/Rules.pm shorewall-4.4.12.2/Perl/Shorewall/Rules.pm
+--- shorewall-4.4.12.1/Perl/Shorewall/Rules.pm 2010-08-24 13:15:35.000000000 -0700
++++ shorewall-4.4.12.2/Perl/Shorewall/Rules.pm 2010-09-04 07:30:24.000000000 -0700
+@@ -303,7 +303,7 @@
+ my $target = source_exclusion( $hostref->[3], $chainref );
+ 
+ for my $chain ( first_chains $interface ) {
+- add_jump $filter_table->{$chain} , $chainref, 0, "${source}${state}${policy}";
++ add_jump $filter_table->{$chain} , $target, 0, "${source}${state}${policy}";
+ }
+ 
+ set_interface_option $interface, 'use_input_chain', 1;
+@@ -675,12 +675,12 @@
+ 
+ for $interface ( @$list ) {
+ my $chainref = $filter_table->{input_chain $interface};
+- my $base = uc chain_base $interface;
++ my $base = uc chain_base get_physical $interface;
+ my $variable = get_interface_gateway $interface;
+ 
+ if ( interface_is_optional $interface ) {
+ add_commands( $chainref,
+- qq(if [ -n "\$${base}_IS_USABLE" -a -n "$variable" ]; then) ,
++ qq(if [ -n "\$SW_${base}_IS_USABLE" -a -n "$variable" ]; then) ,
+ ' echo "-A ' . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT" >&3) ,
+ qq(fi) );
+ } else {
+diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/changelog.txt shorewall-4.4.12.2/changelog.txt
+--- shorewall-4.4.12.1/changelog.txt 2010-08-24 13:15:35.000000000 -0700
++++ shorewall-4.4.12.2/changelog.txt 2010-09-04 07:30:24.000000000 -0700
+@@ -1,9 +1,17 @@
++Changes in Shorewall 4.4.12.2
++
++1) Add tweak to 4.4.12.1 optimization fix.
++
++2) Fix exclusion in the blacklist file.
++
+ Changes in Shorewall 4.4.12.1
+ 
+ 1) Fix optimization bugs.
+ 
+ 2) Fix detection of old ipset match capability
+ 
++3) Fix REQUIRE_INTERFACE=Yes
++
+ Changes in Shorewall 4.4.12
+ 
+ 1) Fix IPv6 shorecap program.
+diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/install.sh shorewall-4.4.12.2/install.sh
+--- shorewall-4.4.12.1/install.sh 2010-08-24 13:15:35.000000000 -0700
++++ shorewall-4.4.12.2/install.sh 2010-09-04 07:30:24.000000000 -0700
+@@ -22,7 +22,7 @@
+ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ #
+ 
+-VERSION=4.4.12.1
++VERSION=4.4.12.2
+ 
+ usage() # $1 = exit status
+ {
+diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/known_problems.txt shorewall-4.4.12.2/known_problems.txt
+--- shorewall-4.4.12.1/known_problems.txt 2010-08-24 13:15:35.000000000 -0700
++++ shorewall-4.4.12.2/known_problems.txt 2010-09-04 07:30:24.000000000 -0700
+@@ -5,9 +5,33 @@
+ to rules, OPTIMIZE 8 through 15 can result in invalid
+ iptables-restore (ip6tables-restore) input.
+ 
+- Workaround: Don't use optimizaiton levels greater than 7.
++ Corrected in Shorewall 4.4.12.1.
+ 
+ 3) Under rare circumstances unvolving exclusion, OPTIMIZE 8 through 15
+ canresult in invalid iptables-restore (ip6tables-restore) input.
+ 
+- Workaround: Don't use optimizaiton levels greater than 7.
++ Corrected in Shorewall 4.4.12.1.
++
++4) The change in 4.4.12 to detect and use the new ipset match syntax
++ broke the ability to detect the old ipset match capability.
++
++ Corrected in Shorewall 4.4.12.1.
++
++5) If REQUIRE_INTERFACE=Yes then start/restart will fail
++ if the last optional interface tested is not available.
++
++ Corrected in Shorewall 4.4.12.1.
++
++6) The fix for COMMENT and optimization in 4.4.12.1 is incomplete.
++
++ Corrected in Shorewall 4.4.12.2
++
++7) Exclusion in the blacklist file is correctly validated but is then
++ ignored when generating iptables (ip6tables) rules.
++
++ Corrected in Shorewall 4.4.12.2.
++
++8) Shorewall allows CONTINUE rules with exclusion. These rules
++ generate valid but incorrect iptables (ip6tables) input.
++
++ Corrected in Shorewall 4.4.12.2 -- these rules are now disallowed.
+diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/releasenotes.txt shorewall-4.4.12.2/releasenotes.txt
+--- shorewall-4.4.12.1/releasenotes.txt 2010-08-24 13:15:35.000000000 -0700
++++ shorewall-4.4.12.2/releasenotes.txt 2010-09-04 07:30:24.000000000 -0700
+@@ -1,5 +1,5 @@
+ ----------------------------------------------------------------------------
+- S H O R E W A L L 4 . 4 . 1 2 . 1
++ S H O R E W A L L 4 . 4 . 1 2 . 2
+ ----------------------------------------------------------------------------
+ 
+ I. RELEASE 4.4 HIGHLIGHTS
+@@ -224,21 +224,38 @@
+ I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
+ ----------------------------------------------------------------------------
+ 
++4.4.12.2
++
++1) Earlier releases allowed CONTINUE rules with exclusion. These rules
++ generated valid but incorrect iptables (ip6tables) input. Such
++ rules are now disallowed.
++
++2) The fix for COMMENT and OPTIMIZE 8-15 in 4.4.12.1 missed one case
++ which has now been corrected.
++
++3) Previously, exclusion in the blacklist file was correctly validated
++ but was then ignored when generating iptables (ip6tables) rules.
++
++4) Previously, the interface option combination of 'optional' and
++ 'upnpclient' did not work correctly.
++
+ 4.4.12.1
+ 
+ 1) Under rare circumstances where COMMENT is used to attach comments
+ to rules, OPTIMIZE 8 through 15 could result in invalid
+ iptables-restore (ip6tables-restore) input.
+ 
+-2) Under rare circumstances unvolving exclusion, OPTIMIZE 8 through 15
++2) Under rare circumstances involving exclusion, OPTIMIZE 8 through 15
+ could result in invalid iptables-restore (ip6tables-restore) input.
+ 
+ 3) The change in 4.4.12 to detect and use the new ipset match syntax
+ broke the ability to detect the old ipset match capability. Now,
+ both versions of the capability can be correctly detected.
+ +-4.4.12 ++4) Previously, if REQUIRE_INTERFACE=Yes then start/restart would fail ++ if the last optional interface tested was not available. + ++4.4.12 + + 1) Previously, the Shorewall6-lite version of shorecap was using + iptables rather than ip6tables, with the result that many capabilities +diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/shorewall.spec shorewall-4.4.12.2/shorewall.spec +--- shorewall-4.4.12.1/shorewall.spec 2010-08-24 13:15:35.000000000 -0700 ++++ shorewall-4.4.12.2/shorewall.spec 2010-09-04 07:30:24.000000000 -0700 +@@ -1,6 +1,6 @@ + %define name shorewall + %define version 4.4.12 +-%define release 1 ++%define release 2 + + Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. + Name: %{name} +@@ -108,6 +108,8 @@ + %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples + + %changelog ++* Sat Sep 04 2010 Tom Eastep tom@shorewall.net ++- Updated to 4.4.12-2 + * Mon Aug 23 2010 Tom Eastep tom@shorewall.net + - Updated to 4.4.12-1 + * Sun Aug 15 2010 Tom Eastep tom@shorewall.net +diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/uninstall.sh shorewall-4.4.12.2/uninstall.sh +--- shorewall-4.4.12.1/uninstall.sh 2010-08-24 13:15:35.000000000 -0700 ++++ shorewall-4.4.12.2/uninstall.sh 2010-09-04 07:30:24.000000000 -0700 +@@ -26,7 +26,7 @@ + # You may only use this script to uninstall the version + # shown below. Simply run this script to remove Shorewall Firewall + +-VERSION=4.4.12.1 ++VERSION=4.4.12.2 + + usage() # $1 = exit status + { |