network/shorewall: Added to 13.0 repository

2024-11-21 19:42:24 +01:00 · 2010-05-13 01:00:22 +02:00 · 2010-05-13 01:00:22 +02:00 · ab1d59ca5d
commit ab1d59ca5d
parent 7d2aa13af5
6 changed files with 339 additions and 0 deletions
--- a/network/shorewall/README
+++ b/network/shorewall/README
@ -0,0 +1,11 @@
+Shorewall (Iptables Made Easy)
+
+The Shoreline Firewall, more commonly known as "Shorewall", is a 
+Netfilter (iptables) based firewall that can be used on a dedicated
+firewall system, a multi-function gateway/router/server or on a 
+standalone GNU/Linux system.
+
+This is the replacement for shorewall-common and shorewall-perl.
+Shorewall-shell support has been dropped from 4.4. If you are upgrading
+from versions 4.2 and below make sure you read the documentation, as a
+lot has changed.
--- a/network/shorewall/doinst.sh
+++ b/network/shorewall/doinst.sh
@ -0,0 +1,29 @@
+#!/bin/sh
+# vim: et ts=2 sw=2 
+
+config() {
+  NEW="$1"
+  OLD="${NEW%*.new}"
+  # If there's no config file by that name, mv it over:
+  if [ ! -r $OLD ]; then
+    mv $NEW $OLD
+  elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then # toss the redundant copy
+    rm $NEW
+  fi
+  # Otherwise, we leave the .new copy for the admin to consider...
+}
+
+preserve_perms() {
+  NEW="$1"
+  OLD="$(dirname $NEW)/$(basename $NEW .new)"
+  if [ -e $OLD ]; then
+    cp -a $OLD ${NEW}.incoming
+    cat $NEW > ${NEW}.incoming
+    mv ${NEW}.incoming $NEW
+  fi
+  config $NEW
+}
+
+preserve_perms etc/rc.d/rc.firewall.new
+preserve_perms etc/rc.d/rc.shorewall.new
+
--- a/network/shorewall/patch-4.4.7.1
+++ b/network/shorewall/patch-4.4.7.1
@ -0,0 +1,167 @@
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/changelog.txt shorewall-4.4.7.1/changelog.txt
+--- shorewall-4.4.7/changelog.txt	2010-02-11 07:29:41.000000000 -0800
+++ shorewall-4.4.7.1/changelog.txt	2010-02-13 07:28:22.000000000 -0800
+@@ -1,3 +1,7 @@
+Changes in Shorewall 4.4.7-1
+
+1)  Don't apply rate limiting twice in NAT rules.
+
+ Changes in Shorewall 4.4.7
+ 
+ 1)  Backport optimization changes from 4.5.
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/install.sh shorewall-4.4.7.1/install.sh
+--- shorewall-4.4.7/install.sh	2010-02-11 07:29:41.000000000 -0800
+++ shorewall-4.4.7.1/install.sh	2010-02-13 07:28:22.000000000 -0800
+@@ -22,7 +22,7 @@
+ #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ #
+ 
+-VERSION=4.4.7
+VERSION=4.4.7.1
+ 
+ usage() # $1 = exit status
+ {
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/known_problems.txt shorewall-4.4.7.1/known_problems.txt
+--- shorewall-4.4.7/known_problems.txt	2010-02-11 07:29:41.000000000 -0800
+++ shorewall-4.4.7.1/known_problems.txt	2010-02-13 07:28:22.000000000 -0800
+@@ -1 +1,5 @@
+-There are no known problems in Shorewall 4.4.7.
+1)  All versions of Shorewall-perl mishandle per-IP rate limiting in
+    REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
+    the values given in the rule.
+
+    Corrected in 4.4.7.1
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/Perl/Shorewall/Config.pm shorewall-4.4.7.1/Perl/Shorewall/Config.pm
+--- shorewall-4.4.7/Perl/Shorewall/Config.pm	2010-02-11 07:29:41.000000000 -0800
+++ shorewall-4.4.7.1/Perl/Shorewall/Config.pm	2010-02-13 07:28:22.000000000 -0800
+@@ -337,7 +337,7 @@
+ 		    TC_SCRIPT => '',
+ 		    EXPORT => 0,
+ 		    UNTRACKED => 0,
+-		    VERSION => "4.4.7",
+		    VERSION => "4.4.7.1",
+ 		    CAPVERSION => 40407 ,
+ 		  );
+ 
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/Perl/Shorewall/Rules.pm shorewall-4.4.7.1/Perl/Shorewall/Rules.pm
+--- shorewall-4.4.7/Perl/Shorewall/Rules.pm	2010-02-11 07:29:41.000000000 -0800
+++ shorewall-4.4.7.1/Perl/Shorewall/Rules.pm	2010-02-13 07:28:22.000000000 -0800
+@@ -1182,13 +1182,25 @@
+     #
+     # Generate Fixed part of the rule
+     #
+-    $rule = join( '', 
+-		  do_proto($proto, $ports, $sports),
+-		  do_ratelimit( $ratelimit, $basictarget ) ,
+-		  do_user( $user ) ,
+-		  do_test( $mark , $globals{TC_MASK} ) ,
+-		  do_connlimit( $connlimit ),
+-		  do_time( $time ) );
+    if ( ( $actiontype & ( NATRULE | NATONLY ) ) == NATRULE ) {
+	#
+	# Don't apply rate limiting twice
+	#
+	$rule = join( '', 
+		      do_proto($proto, $ports, $sports),
+		      do_user( $user ) ,
+		      do_test( $mark , $globals{TC_MASK} ) ,
+		      do_connlimit( $connlimit ),
+		      do_time( $time ) );
+    } else {
+	$rule = join( '', 
+		      do_proto($proto, $ports, $sports),
+		      do_ratelimit( $ratelimit, $basictarget ) ,
+		      do_user( $user ) ,
+		      do_test( $mark , $globals{TC_MASK} ) ,
+		      do_connlimit( $connlimit ),
+		      do_time( $time ) );
+    }
+ 
+     unless ( $section eq 'NEW' ) {
+ 	fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/releasenotes.txt shorewall-4.4.7.1/releasenotes.txt
+--- shorewall-4.4.7/releasenotes.txt	2010-02-11 07:29:41.000000000 -0800
+++ shorewall-4.4.7.1/releasenotes.txt	2010-02-13 07:28:22.000000000 -0800
+@@ -1,4 +1,4 @@
+-Shorewall 4.4.7
+Shorewall 4.4.7 Patch Release 1.
+ 
+ ----------------------------------------------------------------------------
+                R E L E A S E  4 . 4  H I G H L I G H T S
+@@ -184,7 +184,15 @@
+     one from the release (not recommended).
+ 
+ ----------------------------------------------------------------------------
+-        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7
+       P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7 . 1
+----------------------------------------------------------------------------
+
+1)  All versions of Shorewall-perl mishandle per-IP rate limiting in
+    REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
+    the values given in the rule.
+
+----------------------------------------------------------------------------
+          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7
+ ----------------------------------------------------------------------------
+ 
+ 1)  The tcinterfaces and tcpri files are now installed by the
+@@ -211,12 +219,19 @@
+ 
+ 5)  Previously, specifying a TYPE in /etc/shorewall/tcinterfaces would
+     cause start/restart to fail on systems lacking 'flow' classifier
+-    support. While we currently know of no safe way to test for that
+-    support, in Shorewall 4.4.7 we use other hints to surmise that the
+-    installed toolset is likely to be too old to support 'flow' and
+-    simply ignore the TYPE setting. In particular, RHEL5 and
+-    derivatives no lonter experience a startup failure when TYPE is
+-    specified.
+    support. In Shorewall 4.4.7, we detect the ability of the 'tc'
+    utility to support that classifier.
+
+    There are two caveats:
+
+    - 'tc' may support 'flow' but the kernel does not. In that case,
+      start/restart will still fail.
+
+    - If you use a capabilities file, you will need to regenerate the
+      file using shorewall-lite 4.4.7 in order for 'flow' to be
+      accurately detected. If you do not regenerate the file, the
+      compiler will use other hints to try to determine if 'flow' is
+      available.
+ 
+ ----------------------------------------------------------------------------
+              K N O W N   P R O B L E M S   R E M A I N I N G
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/shorewall.spec shorewall-4.4.7.1/shorewall.spec
+--- shorewall-4.4.7/shorewall.spec	2010-02-11 07:29:41.000000000 -0800
+++ shorewall-4.4.7.1/shorewall.spec	2010-02-13 07:28:22.000000000 -0800
+@@ -1,6 +1,6 @@
+ %define name shorewall
+ %define version 4.4.7
+-%define release 0base
+%define release 1
+ 
+ Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
+ Name: %{name}
+@@ -107,6 +107,10 @@
+ %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
+ 
+ %changelog
+* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-1
+* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0base
+ * Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+ - Updated to 4.4.7-0base
+ * Tue Feb 02 2010 Tom Eastep tom@shorewall.net
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/uninstall.sh shorewall-4.4.7.1/uninstall.sh
+--- shorewall-4.4.7/uninstall.sh	2010-02-11 07:29:41.000000000 -0800
+++ shorewall-4.4.7.1/uninstall.sh	2010-02-13 07:28:22.000000000 -0800
+@@ -26,7 +26,7 @@
+ #       You may only use this script to uninstall the version
+ #       shown below. Simply run this script to remove Shorewall Firewall
+ 
+-VERSION=4.4.7
+VERSION=4.4.7.1
+ 
+ usage() # $1 = exit status
+ {
--- a/network/shorewall/shorewall.SlackBuild
+++ b/network/shorewall/shorewall.SlackBuild
@ -0,0 +1,101 @@
+#!/bin/sh
+# vim: et ts=2 sw=2
+
+# Slackware build script for shorewall-common
+
+# Copyright (c) 2008-2009 Gregory J.L. Tourte (artourter@gmail.com)
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ''AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+PRGNAM=shorewall
+VERSION=${VERSION:-4.4.7.1}
+ARCH=noarch
+BUILD=${BUILD:-1}
+TAG=${TAG:-_SBo}
+
+BASEVERS=4.4.7
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp/SBo}
+PKG=$TMP/package-$PRGNAM
+OUTPUT=${OUTPUT:-/tmp}
+
+set -e # Exit on most errors
+
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP
+rm -rf $PRGNAM-$BASEVERS
+tar xvf $CWD/$PRGNAM-$BASEVERS.tar.bz2
+cd $TMP/$PRGNAM-$BASEVERS
+chown -R root:root .
+
+# Patch the base against all the patchlevel patches in order if present
+if [ $(ls $CWD/patch-$BASEVERS.* 2>/dev/null | wc -l) -gt 0 ]; then
+  for PATCH in $CWD/patch-$BASEVERS.* ; do
+    patch -p1 < $PATCH
+  done
+fi
+
+PREFIX=$PKG \
+  OWNER='root' \
+  GROUP='root' \
+  DEST=/etc/rc.d \
+  MANDIR=/usr/man \
+  SLACKWARE=yes \
+  ./install.sh
+
+# Don't clobber config files
+( cd $PKG/etc/shorewall
+  for i in $(ls|grep -v Makefile) ; do
+    mv $i $i.new;
+  done
+)
+( cd $PKG/etc/rc.d/
+  mv rc.firewall rc.firewall.new
+  mv rc.shorewall rc.shorewall.new
+)
+
+mkdir -p $PKG/var/lock/subsys
+chmod 0755 $PKG/{etc,usr/share,var/lib}/shorewall $PKG/var/lock/subsys
+chmod 0644 $PKG/etc/shorewall/* $PKG/etc/rc.d/*
+
+mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
+cp -a \
+  COPYING INSTALL changelog.txt releasenotes.txt README.txt known_problems.txt Samples \
+    $PKG/usr/doc/$PRGNAM-$VERSION
+cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
+
+mkdir -p $PKG/install 
+cat $CWD/slack-desc > $PKG/install/slack-desc
+cat $CWD/doinst.sh > $PKG/install/doinst.sh
+
+for NEW in $PKG/etc/shorewall/*.new;
+do 
+     echo $NEW | sed 's/.*etc/config etc/' >> $PKG/install/doinst.sh
+done
+
+cd $PKG
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}
+
+# Clean up the extra stuff:
+if [ "$1" = "--cleanup" ]; then
+  rm -rf $TMP/$PRGNAM-$BASEVERS
+  rm -rf $PKG
+fi
--- a/network/shorewall/shorewall.info
+++ b/network/shorewall/shorewall.info
@ -0,0 +1,12 @@
+PRGNAM="shorewall"
+VERSION="4.4.7.1"
+HOMEPAGE="http://www.shorewall.net"
+DOWNLOAD="http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.7/base/shorewall-4.4.7.tar.bz2 \
+	http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.7/patch-4.4.7.1"
+MD5SUM="bbf0ad51faae6c079485f171ce585844 \
+	d392606277e325a8bcb7fd04519700da"
+DOWNLOAD_x86_64=""
+MD5SUM_x86_64=""
+MAINTAINER="ArTourter"
+EMAIL="artourter@gmail.com"
+APPROVED="dsomero"
--- a/network/shorewall/slack-desc
+++ b/network/shorewall/slack-desc
@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description.  Line
+# up the first '|' above the ':' following the base package name, and the '|'
+# on the right side marks the last column you can put a character in.  You must
+# make exactly 11 lines for the formatting to be correct.  It's also
+# customary to leave one space after the ':'.
+
+         |-----handy-ruler---------------------------------------------|
+shorewall: Shorewall (Iptables Made Easy)
+shorewall:
+shorewall: The Shoreline Firewall, more commonly known as "Shorewall",
+shorewall: is a Netfilter (iptables) based firewall that can be used on
+shorewall: a dedicated firewall system, a multi-function gateway / 
+shorewall: router / server, or on a standalone GNU/Linux system.
+shorewall: This package contains common files required by both the 
+shorewall: shorewall-perl and shorewall-shell compilers for Shoreline.
+shorewall:
+shorewall: http://www.shorewall.net/
+shorewall: