network/shorewall: Updated for version 4.4.13.1.

Signed-off-by: Robby Workman <rworkman@slackbuilds.org>
ArTourter 2010-10-16 23:29:14 -05:00 committed by Robby Workman
parent 786bc54895
commit 96fa4df9ae
4 changed files with 8 additions and 470 deletions


@ -1,245 +0,0 @@
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12/Perl/Shorewall/Chains.pm shorewall-4.4.12.1/Perl/Shorewall/Chains.pm
--- shorewall-4.4.12/Perl/Shorewall/Chains.pm 2010-08-17 07:34:21.000000000 -0700
+++ shorewall-4.4.12.1/Perl/Shorewall/Chains.pm 2010-08-24 13:15:35.000000000 -0700
@@ -687,7 +687,7 @@
# deleting elements from the array over which we are iterating.
#
for ( my $rule = 0; $rule <= $#{$rules}; $rule++ ) {
- if ( $rules->[$rule] =~ / -[gj] ${to}\s*$/ ) {
+ if ( $rules->[$rule] =~ / -[gj] ${to}( -m comment .*)?\s*$/ ) {
trace( $fromref, 'D', $rule + 1, $rules->[$rule] ) if $debug;
splice( @$rules, $rule, 1 );
last unless --$refs > 0;
@@ -3118,17 +3118,6 @@
fatal_error "LOG requires a level";
}
#
- # Mark Target as referenced, if it's a chain
- #
- if ( $target =~ /-[jg]\s+([^\s]+)/ ) {
- my $targetref = $chain_table{$chainref->{table}}{$1};
- if ( $targetref ) {
- $targetref->{referenced} = 1;
- add_reference $chainref, $targetref;
- }
- }
-
- #
# Isolate Source Interface, if any
#
if ( $source ) {
@@ -3397,6 +3386,8 @@
fatal_error "SOURCE interface may not be specified with a source IP address in the POSTROUTING chain" if $restriction == POSTROUTE_RESTRICT && $iiface && ( $inets ne ALLIP || $iexcl || $trivialiexcl);
fatal_error "DEST interface may not be specified with a destination IP address in the PREROUTING chain" if $restriction == PREROUTE_RESTRICT && $diface && ( $dnets ne ALLIP || $dexcl || $trivialdexcl);
+ my $fromref;
+
if ( $iexcl || $dexcl || $oexcl ) {
#
# We have non-trivial exclusion -- need to create an exclusion chain
@@ -3438,7 +3429,7 @@
#
# Generate Final Rule
#
- add_rule( $echainref, $exceptionrule . $target, 1 ) unless $disposition eq 'LOG';
+ add_rule( $fromref = $echainref, $exceptionrule . $target, 1 ) unless $disposition eq 'LOG';
} else {
#
# No exclusions
@@ -3478,7 +3469,7 @@
'add',
$matches );
- add_rule( $chainref, $matches . $target, 1 );
+ add_rule( $fromref = $chainref, $matches . $target, 1 );
}
} else {
#
@@ -3499,12 +3490,22 @@
#
# No logging -- add the target rule with matches to the rule chain
#
- add_rule( $chainref, $matches . $target , 1 );
+ add_rule( $fromref = $chainref, $matches . $target , 1 );
}
}
}
}
}
+ #
+ # Mark Target as referenced, if it's a chain
+ #
+ if ( $fromref && $target =~ /-[jg]\s+([^\s]+)/ ) {
+ my $targetref = $chain_table{$chainref->{table}}{$1};
+ if ( $targetref ) {
+ $targetref->{referenced} = 1;
+ add_reference $fromref, $targetref;
+ }
+ }
while ( @ends ) {
decr_cmd_level $chainref;
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12/Perl/Shorewall/Config.pm shorewall-4.4.12.1/Perl/Shorewall/Config.pm
--- shorewall-4.4.12/Perl/Shorewall/Config.pm 2010-08-17 07:34:21.000000000 -0700
+++ shorewall-4.4.12.1/Perl/Shorewall/Config.pm 2010-08-24 13:15:35.000000000 -0700
@@ -345,7 +345,7 @@
EXPORT => 0,
STATEMATCH => '-m state --state',
UNTRACKED => 0,
- VERSION => "4.4.12",
+ VERSION => "4.4.12.1",
CAPVERSION => 40411 ,
);
@@ -2411,7 +2411,7 @@
qt1( "$iptables -D $sillyname -m set --match-set $sillyname src -j ACCEPT" );
$result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );
} else {
- have_capability 'OLD_IPSET_MATCH';
+ $result = have_capability 'OLD_IPSET_MATCH';
}
qt( "$ipset -X $sillyname" );
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12/Perl/Shorewall/Providers.pm shorewall-4.4.12.1/Perl/Shorewall/Providers.pm
--- shorewall-4.4.12/Perl/Shorewall/Providers.pm 2010-08-17 07:34:21.000000000 -0700
+++ shorewall-4.4.12.1/Perl/Shorewall/Providers.pm 2010-08-24 13:15:35.000000000 -0700
@@ -853,6 +853,11 @@
#
my $interfaces = find_interfaces_by_option1 'optional';
+ if ( $config{REQUIRE_INTERFACE} ) {
+ emit( 'HAVE_INTERFACE=' );
+ emit( '' );
+ }
+
if ( @$interfaces ) {
for my $interface ( @$interfaces ) {
my $provider = $provider_interfaces{$interface};
@@ -861,11 +866,6 @@
emit( '' );
- if ( $config{REQUIRE_INTERFACE} ) {
- emit( 'HAVE_INTERFACE=' );
- emit( '' );
- }
-
if ( $provider ) {
#
# This interface is associated with a non-shared provider -- get the provider table entry
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12/changelog.txt shorewall-4.4.12.1/changelog.txt
--- shorewall-4.4.12/changelog.txt 2010-08-17 07:34:21.000000000 -0700
+++ shorewall-4.4.12.1/changelog.txt 2010-08-24 13:15:35.000000000 -0700
@@ -1,3 +1,9 @@
+Changes in Shorewall 4.4.12.1
+
+1) Fix optimization bugs.
+
+2) Fix detection of old ipset match capability
+
Changes in Shorewall 4.4.12
1) Fix IPv6 shorecap program.
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12/install.sh shorewall-4.4.12.1/install.sh
--- shorewall-4.4.12/install.sh 2010-08-17 07:34:21.000000000 -0700
+++ shorewall-4.4.12.1/install.sh 2010-08-24 13:15:35.000000000 -0700
@@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
-VERSION=4.4.12
+VERSION=4.4.12.1
usage() # $1 = exit status
{
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12/known_problems.txt shorewall-4.4.12.1/known_problems.txt
--- shorewall-4.4.12/known_problems.txt 2010-08-17 07:34:21.000000000 -0700
+++ shorewall-4.4.12.1/known_problems.txt 2010-08-24 13:15:35.000000000 -0700
@@ -1,2 +1,13 @@
1) On systems running Upstart, Shorewall-init cannot reliably close
the firewall before interfaces come up.
+
+2) Under rare circumstances where COMMENT is used to attach comments
+ to rules, OPTIMIZE 8 through 15 can result in invalid
+ iptables-restore (ip6tables-restore) input.
+
+ Workaround: Don't use optimizaiton levels greater than 7.
+
+3) Under rare circumstances unvolving exclusion, OPTIMIZE 8 through 15
+ canresult in invalid iptables-restore (ip6tables-restore) input.
+
+ Workaround: Don't use optimizaiton levels greater than 7.
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12/releasenotes.txt shorewall-4.4.12.1/releasenotes.txt
--- shorewall-4.4.12/releasenotes.txt 2010-08-17 07:34:21.000000000 -0700
+++ shorewall-4.4.12.1/releasenotes.txt 2010-08-24 13:15:35.000000000 -0700
@@ -1,5 +1,5 @@
----------------------------------------------------------------------------
- S H O R E W A L L 4 . 4 . 1 2
+ S H O R E W A L L 4 . 4 . 1 2 . 1
----------------------------------------------------------------------------
I. RELEASE 4.4 HIGHLIGHTS
@@ -10,7 +10,7 @@
VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
----------------------------------------------------------------------------
- I. R E L E A S E 4 . 4 H I G H L I G H T S
+ I. R E L E A S E 4 . 4 H I G H L I G H T S
----------------------------------------------------------------------------
1) Support for Shorewall-shell has been discontinued. Shorewall-perl
@@ -224,6 +224,22 @@
I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
+4.4.12.1
+
+1) Under rare circumstances where COMMENT is used to attach comments
+ to rules, OPTIMIZE 8 through 15 could result in invalid
+ iptables-restore (ip6tables-restore) input.
+
+2) Under rare circumstances unvolving exclusion, OPTIMIZE 8 through 15
+ could result in invalid iptables-restore (ip6tables-restore) input.
+
+3) The change in 4.4.12 to detect and use the new ipset match syntax
+ broke the ability to detect the old ipset match capability. Now,
+ both versions of the capability can be correctly detected.
+
+4.4.12
+
+
1) Previously, the Shorewall6-lite version of shorecap was using
iptables rather than ip6tables, with the result that many capabilities
that are only available in IPv4 were being reported as available.
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12/shorewall.spec shorewall-4.4.12.1/shorewall.spec
--- shorewall-4.4.12/shorewall.spec 2010-08-17 07:34:21.000000000 -0700
+++ shorewall-4.4.12.1/shorewall.spec 2010-08-24 13:15:35.000000000 -0700
@@ -1,6 +1,6 @@
%define name shorewall
%define version 4.4.12
-%define release 0base
+%define release 1
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name}
@@ -108,6 +108,8 @@
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
%changelog
+* Mon Aug 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-1
* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0base
* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12/uninstall.sh shorewall-4.4.12.1/uninstall.sh
--- shorewall-4.4.12/uninstall.sh 2010-08-17 07:34:21.000000000 -0700
+++ shorewall-4.4.12.1/uninstall.sh 2010-08-24 13:15:35.000000000 -0700
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.12
+VERSION=4.4.12.1
usage() # $1 = exit status
{


@ -1,215 +0,0 @@
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/Perl/Shorewall/Chains.pm shorewall-4.4.12.2/Perl/Shorewall/Chains.pm
--- shorewall-4.4.12.1/Perl/Shorewall/Chains.pm 2010-08-24 13:15:35.000000000 -0700
+++ shorewall-4.4.12.2/Perl/Shorewall/Chains.pm 2010-09-04 07:30:24.000000000 -0700
@@ -687,7 +687,7 @@
# deleting elements from the array over which we are iterating.
#
for ( my $rule = 0; $rule <= $#{$rules}; $rule++ ) {
- if ( $rules->[$rule] =~ / -[gj] ${to}( -m comment .*)?\s*$/ ) {
+ if ( $rules->[$rule] =~ / -[gj] ${to}(\s+-m comment .*)?\s*$/ ) {
trace( $fromref, 'D', $rule + 1, $rules->[$rule] ) if $debug;
splice( @$rules, $rule, 1 );
last unless --$refs > 0;
@@ -3392,7 +3392,7 @@
#
# We have non-trivial exclusion -- need to create an exclusion chain
#
- fatal_error "Exclusion is not possible in ACCEPT+/CONTINUE/NONAT rules" if $disposition eq 'RETURN';
+ fatal_error "Exclusion is not possible in ACCEPT+/CONTINUE/NONAT rules" if $disposition eq 'RETURN' || $disposition eq 'CONTINUE';
#
# Create the Exclusion Chain
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/Perl/Shorewall/Config.pm shorewall-4.4.12.2/Perl/Shorewall/Config.pm
--- shorewall-4.4.12.1/Perl/Shorewall/Config.pm 2010-08-24 13:15:35.000000000 -0700
+++ shorewall-4.4.12.2/Perl/Shorewall/Config.pm 2010-09-04 07:30:24.000000000 -0700
@@ -345,7 +345,7 @@
EXPORT => 0,
STATEMATCH => '-m state --state',
UNTRACKED => 0,
- VERSION => "4.4.12.1",
+ VERSION => "4.4.12.2",
CAPVERSION => 40411 ,
);
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/Perl/Shorewall/Rules.pm shorewall-4.4.12.2/Perl/Shorewall/Rules.pm
--- shorewall-4.4.12.1/Perl/Shorewall/Rules.pm 2010-08-24 13:15:35.000000000 -0700
+++ shorewall-4.4.12.2/Perl/Shorewall/Rules.pm 2010-09-04 07:30:24.000000000 -0700
@@ -303,7 +303,7 @@
my $target = source_exclusion( $hostref->[3], $chainref );
for my $chain ( first_chains $interface ) {
- add_jump $filter_table->{$chain} , $chainref, 0, "${source}${state}${policy}";
+ add_jump $filter_table->{$chain} , $target, 0, "${source}${state}${policy}";
}
set_interface_option $interface, 'use_input_chain', 1;
@@ -675,12 +675,12 @@
for $interface ( @$list ) {
my $chainref = $filter_table->{input_chain $interface};
- my $base = uc chain_base $interface;
+ my $base = uc chain_base get_physical $interface;
my $variable = get_interface_gateway $interface;
if ( interface_is_optional $interface ) {
add_commands( $chainref,
- qq(if [ -n "\$${base}_IS_USABLE" -a -n "$variable" ]; then) ,
+ qq(if [ -n "\$SW_${base}_IS_USABLE" -a -n "$variable" ]; then) ,
' echo "-A ' . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT" >&3) ,
qq(fi) );
} else {
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/changelog.txt shorewall-4.4.12.2/changelog.txt
--- shorewall-4.4.12.1/changelog.txt 2010-08-24 13:15:35.000000000 -0700
+++ shorewall-4.4.12.2/changelog.txt 2010-09-04 07:30:24.000000000 -0700
@@ -1,9 +1,17 @@
+Changes in Shorewall 4.4.12.2
+
+1) Add tweak to 4.4.12.1 optimization fix.
+
+2) Fix exclusion in the blacklist file.
+
Changes in Shorewall 4.4.12.1
1) Fix optimization bugs.
2) Fix detection of old ipset match capability
+3) Fix REQUIRE_INTERFACE=Yes
+
Changes in Shorewall 4.4.12
1) Fix IPv6 shorecap program.
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/install.sh shorewall-4.4.12.2/install.sh
--- shorewall-4.4.12.1/install.sh 2010-08-24 13:15:35.000000000 -0700
+++ shorewall-4.4.12.2/install.sh 2010-09-04 07:30:24.000000000 -0700
@@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
-VERSION=4.4.12.1
+VERSION=4.4.12.2
usage() # $1 = exit status
{
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/known_problems.txt shorewall-4.4.12.2/known_problems.txt
--- shorewall-4.4.12.1/known_problems.txt 2010-08-24 13:15:35.000000000 -0700
+++ shorewall-4.4.12.2/known_problems.txt 2010-09-04 07:30:24.000000000 -0700
@@ -5,9 +5,33 @@
to rules, OPTIMIZE 8 through 15 can result in invalid
iptables-restore (ip6tables-restore) input.
- Workaround: Don't use optimizaiton levels greater than 7.
+ Corrected in Shorewall 4.4.12.1.
3) Under rare circumstances unvolving exclusion, OPTIMIZE 8 through 15
canresult in invalid iptables-restore (ip6tables-restore) input.
- Workaround: Don't use optimizaiton levels greater than 7.
+ Corrected in Shorewall 4.4.12.1.
+
+4) The change in 4.4.12 to detect and use the new ipset match syntax
+ broke the ability to detect the old ipset match capability.
+
+ Corrected in Shorewall 4.4.12.1.
+
+5) If REQUIRE_INTERFACE=Yes then start/restart will fail
+ if the last optional interface tested is not available.
+
+ Corrected in Shorewall 4.4.12.1.
+
+6) The fix for COMMENT and optimization in 4.4.12.1 is incomplete.
+
+ Corrected in Shorewall 4.4.12.2
+
+7) Exclusion in the blacklist file is correctly validated but is then
+ ignored when generating iptables (ip6tables) rules.
+
+ Corrected in Shorewall 4.4.12.2.
+
+8) Shorewall allows CONTINUE rules with exclusion. These rules
+ generate valid but incorrect iptables (ip6tables) input.
+
+ Corrected in Shorewall 4.4.12.2 -- these rules are now disallowed.
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/releasenotes.txt shorewall-4.4.12.2/releasenotes.txt
--- shorewall-4.4.12.1/releasenotes.txt 2010-08-24 13:15:35.000000000 -0700
+++ shorewall-4.4.12.2/releasenotes.txt 2010-09-04 07:30:24.000000000 -0700
@@ -1,5 +1,5 @@
----------------------------------------------------------------------------
- S H O R E W A L L 4 . 4 . 1 2 . 1
+ S H O R E W A L L 4 . 4 . 1 2 . 2
----------------------------------------------------------------------------
I. RELEASE 4.4 HIGHLIGHTS
@@ -224,21 +224,38 @@
I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
+4.4.12.2
+
+1) Earlier releases allowed CONTINUE rules with exclusion. These rules
+ generated valid but incorrect iptables (ip6tables) input. Such
+ rules are now disallowed.
+
+2) The fix for COMMENT and OPTIMIZE 8-15 in 4.4.12.1 missed one case
+ which has now been corrected.
+
+3) Previously, exclusion in the blacklist file was correctly validated
+ but was then ignored when generating iptables (ip6tables) rules.
+
+4) Previously, the interface option combination of 'optional' and
+ 'upnpclient' did not work correctly.
+
4.4.12.1
1) Under rare circumstances where COMMENT is used to attach comments
to rules, OPTIMIZE 8 through 15 could result in invalid
iptables-restore (ip6tables-restore) input.
-2) Under rare circumstances unvolving exclusion, OPTIMIZE 8 through 15
+2) Under rare circumstances involving exclusion, OPTIMIZE 8 through 15
could result in invalid iptables-restore (ip6tables-restore) input.
3) The change in 4.4.12 to detect and use the new ipset match syntax
broke the ability to detect the old ipset match capability. Now,
both versions of the capability can be correctly detected.
-4.4.12
+4) Previously, if REQUIRE_INTERFACE=Yes then start/restart would fail
+ if the last optional interface tested was not available.
+4.4.12
1) Previously, the Shorewall6-lite version of shorecap was using
iptables rather than ip6tables, with the result that many capabilities
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/shorewall.spec shorewall-4.4.12.2/shorewall.spec
--- shorewall-4.4.12.1/shorewall.spec 2010-08-24 13:15:35.000000000 -0700
+++ shorewall-4.4.12.2/shorewall.spec 2010-09-04 07:30:24.000000000 -0700
@@ -1,6 +1,6 @@
%define name shorewall
%define version 4.4.12
-%define release 1
+%define release 2
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name}
@@ -108,6 +108,8 @@
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
%changelog
+* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-2
* Mon Aug 23 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-1
* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/uninstall.sh shorewall-4.4.12.2/uninstall.sh
--- shorewall-4.4.12.1/uninstall.sh 2010-08-24 13:15:35.000000000 -0700
+++ shorewall-4.4.12.2/uninstall.sh 2010-09-04 07:30:24.000000000 -0700
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.12.1
+VERSION=4.4.12.2
usage() # $1 = exit status
{


@ -24,12 +24,12 @@
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
PRGNAM=shorewall
VERSION=${VERSION:-4.4.12.2}
VERSION=${VERSION:-4.4.13.1}
ARCH=noarch
BUILD=${BUILD:-1}
TAG=${TAG:-_SBo}
BASEVERS=4.4.12
BASEVERS=4.4.13
CWD=$(pwd)
TMP=${TMP:-/tmp/SBo}


@ -1,14 +1,12 @@
PRGNAM="shorewall"
VERSION="4.4.12.2"
VERSION="4.4.13.1"
HOMEPAGE="http://www.shorewall.net"
DOWNLOAD="http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.12/base/shorewall-4.4.12.tar.bz2 \
http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.12/patch-4.4.12.1 \
http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.12/patch-4.4.12.2"
MD5SUM="245617f3db1312c64eff6e595eed8d18 \
e32cc02eaaa71f85f346623db9a3ec6b \
ac5d09f6965bbc8f1ec5d6596dcb32f4"
DOWNLOAD="http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.13/base/shorewall-4.4.13.tar.bz2 \
http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.13/patch-4.4.13.1"
MD5SUM="70b6e8033f93a7985a8a614645218305 \
753e1afe6de17ed2e4aa98072c664764"
DOWNLOAD_x86_64=""
MD5SUM_x86_64=""
MAINTAINER="ArTourter"
EMAIL="artourter@gmail.com"
APPROVED="dsomero"
APPROVED="rworkman"
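Review bot: The two new MD5SUM values are the only integrity check the build has for shorewall-4.4.13.tar.bz2 and patch-4.4.13.1, and both URLs in the replaced DOWNLOAD lines are plain http, so those sums only mean something if they were taken from a trusted upstream-published checksum or signature rather than computed from whatever the mirror returned. If upstream publishes checksums or detached signatures for this release, a line in the commit message noting that the listed sums were matched against them would let a later reviewer distinguish "verified" from "hashed what I downloaded". MD5 detects accidental corruption but is not a defence against a substituted archive; the .info format as shown offers no stronger field, so this is a process note rather than a requested change to the lines.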