diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12/Perl/Shorewall/Chains.pm shorewall-4.4.12.1/Perl/Shorewall/Chains.pm
--- shorewall-4.4.12/Perl/Shorewall/Chains.pm	2010-08-17 07:34:21.000000000 -0700
+++ shorewall-4.4.12.1/Perl/Shorewall/Chains.pm	2010-08-24 13:15:35.000000000 -0700
@@ -687,7 +687,7 @@
     # deleting elements from the array over which we are iterating.
     #
     for ( my $rule = 0; $rule <= $#{$rules}; $rule++ ) {
-	if (  $rules->[$rule] =~ / -[gj] ${to}\s*$/ ) {
+	if (  $rules->[$rule] =~ / -[gj] ${to}( -m comment .*)?\s*$/ ) {
 	    trace( $fromref, 'D', $rule + 1, $rules->[$rule] ) if $debug;
 	    splice(  @$rules, $rule, 1 );
 	    last unless --$refs > 0;
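Review bot: `${to}` is interpolated into the pattern unquoted, so a regex metacharacter in a chain name (a `.`, for instance) would be read as pattern syntax, and this loop could then delete a jump to a different chain or miss the intended one. The optimizer relies on this match to remove exactly the jumps to `$to`, so quoting the name and dropping the unused capture is safer: `if ( $rules->[$rule] =~ / -[gj] \Q$to\E(?: -m comment .*)?\s*$/ ) {`. Whether chain names can contain such characters is not visible here, and the loop body continues past the end of the hunk.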
@@ -3118,17 +3118,6 @@
 	fatal_error "LOG requires a level";
     }
     #
-    # Mark Target as referenced, if it's a chain
-    #
-    if ( $target =~ /-[jg]\s+([^\s]+)/ ) {
-	my $targetref = $chain_table{$chainref->{table}}{$1};
-	if ( $targetref ) {
-	    $targetref->{referenced} = 1;
-	    add_reference $chainref, $targetref;
-	}
-    }
-
-    #
     # Isolate Source Interface, if any
     #
     if ( $source ) {
@@ -3397,6 +3386,8 @@
     fatal_error "SOURCE interface may not be specified with a source IP address in the POSTROUTING chain"   if $restriction == POSTROUTE_RESTRICT && $iiface && ( $inets ne ALLIP || $iexcl || $trivialiexcl);
     fatal_error "DEST interface may not be specified with a destination IP address in the PREROUTING chain" if $restriction == PREROUTE_RESTRICT &&  $diface && ( $dnets ne ALLIP || $dexcl || $trivialdexcl);
 
+    my $fromref;
+
     if ( $iexcl || $dexcl || $oexcl ) {
 	#
 	# We have non-trivial exclusion -- need to create an exclusion chain
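Review bot: `my $fromref;` is declared with no comment on what it tracks. Going by the later hunks, it holds the chain that received the target rule and stays undefined on paths that add no such rule (for example the `unless $disposition eq 'LOG'` case), which is what the relocated reference-marking block tests. A one-line comment would spare the next reader that reconstruction: `# Chain that received the target rule; stays undef if no rule was added`.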
@@ -3438,7 +3429,7 @@
 	#
 	# Generate Final Rule
 	#
-	add_rule( $echainref, $exceptionrule . $target, 1 ) unless $disposition eq 'LOG';
+	add_rule( $fromref = $echainref, $exceptionrule . $target, 1 ) unless $disposition eq 'LOG';
     } else {
 	#
 	# No exclusions
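Review bot: The assignment `$fromref = $echainref` is buried in the argument list of `add_rule`, and because of the postfix `unless` it only happens when the disposition is not LOG, which is easy to misread. The same pattern recurs at the two `add_rule( $fromref = $chainref, ... )` calls in the next two hunks. A separate statement keeps the side effect visible: `unless ( $disposition eq 'LOG' ) { $fromref = $echainref; add_rule( $fromref, $exceptionrule . $target, 1 ); }`.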
@@ -3478,7 +3469,7 @@
 					       'add',
 					       $matches );
 
-				add_rule( $chainref, $matches . $target, 1 );
+				add_rule( $fromref = $chainref, $matches . $target, 1 );
 			    }
 			} else {
 			    #
@@ -3499,12 +3490,22 @@
 			#
 			# No logging -- add the target rule with matches to the rule chain
 			#
-			add_rule( $chainref, $matches . $target , 1 );
+			add_rule( $fromref = $chainref, $matches . $target , 1 );
 		    }
 		}
 	    }
 	}
     }
+    #
+    # Mark Target as referenced, if it's a chain
+    #
+    if ( $fromref && $target =~ /-[jg]\s+([^\s]+)/ ) {
+	my $targetref = $chain_table{$chainref->{table}}{$1};
+	if ( $targetref ) {
+	    $targetref->{referenced} = 1;
+	    add_reference $fromref, $targetref;
+	}
+    }
 
     while ( @ends ) {
 	decr_cmd_level $chainref;
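Review bot: The relocated block calls `add_reference` once per expansion, while the `add_rule( $fromref = $chainref, ... )` calls above sit several levels deep in nested blocks and may run more than once. If references are counted per jump, as the `--$refs` countdown in the first hunk's deletion loop suggests, a single call here could under-count and leave a jump to a removed chain after optimisation. Please confirm that one reference per source chain is what that counter expects, or record the reference next to each `add_rule` call. The lookup also uses `$chainref->{table}` while the reference is recorded from `$fromref`; `$chain_table{$fromref->{table}}{$1}` would keep the two consistent. The enclosing sub starts outside the hunk.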
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12/Perl/Shorewall/Config.pm shorewall-4.4.12.1/Perl/Shorewall/Config.pm
--- shorewall-4.4.12/Perl/Shorewall/Config.pm	2010-08-17 07:34:21.000000000 -0700
+++ shorewall-4.4.12.1/Perl/Shorewall/Config.pm	2010-08-24 13:15:35.000000000 -0700
@@ -345,7 +345,7 @@
 		    EXPORT => 0,
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED => 0,
-		    VERSION => "4.4.12",
+		    VERSION => "4.4.12.1",
 		    CAPVERSION => 40411 ,
 		  );
 
@@ -2411,7 +2411,7 @@
 		qt1( "$iptables -D $sillyname -m set --match-set $sillyname src -j ACCEPT" );
 		$result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );
 	    } else {
-		have_capability 'OLD_IPSET_MATCH';
+		$result = have_capability 'OLD_IPSET_MATCH';
 	    }
 
 	    qt( "$ipset -X $sillyname" );
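Review bot: Nothing at the new assignment in the `else` branch says why the overall `$result` should equal the old-syntax capability. The sibling branch above removes a `--match-set` rule and clears `OLD_IPSET_MATCH`, so this branch is presumably the one where the new syntax was not accepted. A comment such as `# --match-set not accepted: the match is usable only if the old syntax is` would make that explicit. Writing the call as `$result = have_capability( 'OLD_IPSET_MATCH' );` would also avoid relying on the sub being predeclared. The enclosing conditional starts outside the hunk.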
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12/Perl/Shorewall/Providers.pm shorewall-4.4.12.1/Perl/Shorewall/Providers.pm
--- shorewall-4.4.12/Perl/Shorewall/Providers.pm	2010-08-17 07:34:21.000000000 -0700
+++ shorewall-4.4.12.1/Perl/Shorewall/Providers.pm	2010-08-24 13:15:35.000000000 -0700
@@ -853,6 +853,11 @@
     #
     my $interfaces = find_interfaces_by_option1 'optional';
 
+    if ( $config{REQUIRE_INTERFACE} ) {
+	emit( 'HAVE_INTERFACE=' );
+	emit( '' );
+    }
+
     if ( @$interfaces ) {
 	for my $interface ( @$interfaces ) {
 	    my $provider = $provider_interfaces{$interface};
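Review bot: With the reset hoisted above `if ( @$interfaces )`, `HAVE_INTERFACE=` is now emitted even when there are no optional interfaces, and the hunk does not show where the generated script tests that variable. If the test is emitted unconditionally, the generated script would presumably treat that configuration as having no usable interface; if it is emitted only inside the loop, the reset is dead output in that case. The intent deserves a comment, e.g. `# Reset once, before the per-interface checks, so a later interface cannot clear an earlier success`. The change is also not listed in the changelog or release notes in this patch, and the enclosing sub continues outside the hunk.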
@@ -861,11 +866,6 @@
 
 	    emit( '' );
 
-	    if ( $config{REQUIRE_INTERFACE} ) {
-		emit( 'HAVE_INTERFACE=' );
-		emit( '' );
-	    }
-
 	    if ( $provider ) {
 		#
 		# This interface is associated with a non-shared provider -- get the provider table entry
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12/changelog.txt shorewall-4.4.12.1/changelog.txt
--- shorewall-4.4.12/changelog.txt	2010-08-17 07:34:21.000000000 -0700
+++ shorewall-4.4.12.1/changelog.txt	2010-08-24 13:15:35.000000000 -0700
@@ -1,3 +1,9 @@
+Changes in Shorewall 4.4.12.1
+
+1)  Fix optimization bugs.
+
+2)  Fix detection of old ipset match capability
+
 Changes in Shorewall 4.4.12
 
 1)  Fix IPv6 shorecap program.
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12/install.sh shorewall-4.4.12.1/install.sh
--- shorewall-4.4.12/install.sh	2010-08-17 07:34:21.000000000 -0700
+++ shorewall-4.4.12.1/install.sh	2010-08-24 13:15:35.000000000 -0700
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.12
+VERSION=4.4.12.1
 
 usage() # $1 = exit status
 {
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12/known_problems.txt shorewall-4.4.12.1/known_problems.txt
--- shorewall-4.4.12/known_problems.txt	2010-08-17 07:34:21.000000000 -0700
+++ shorewall-4.4.12.1/known_problems.txt	2010-08-24 13:15:35.000000000 -0700
@@ -1,2 +1,13 @@
 1)  On systems running Upstart, Shorewall-init cannot reliably close
     the firewall before interfaces come up.
+
+2)  Under rare circumstances where COMMENT is used to attach comments
+    to rules, OPTIMIZE 8 through 15 can result in invalid
+    iptables-restore (ip6tables-restore) input.
+
+    Workaround: Don't use optimizaiton levels greater than 7.
+
+3)  Under rare circumstances unvolving exclusion, OPTIMIZE 8 through 15
+    canresult in invalid iptables-restore (ip6tables-restore) input.
+
+    Workaround: Don't use optimizaiton levels greater than 7.
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12/releasenotes.txt shorewall-4.4.12.1/releasenotes.txt
--- shorewall-4.4.12/releasenotes.txt	2010-08-17 07:34:21.000000000 -0700
+++ shorewall-4.4.12.1/releasenotes.txt	2010-08-24 13:15:35.000000000 -0700
@@ -1,5 +1,5 @@
 ----------------------------------------------------------------------------
-                      S H O R E W A L L  4 . 4 . 1 2
+                   S H O R E W A L L  4 . 4 . 1 2 . 1
 ----------------------------------------------------------------------------
 
 I.    RELEASE 4.4 HIGHLIGHTS
@@ -10,7 +10,7 @@
 VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 
 ----------------------------------------------------------------------------
-             I.  R E L E A S E  4 . 4  H I G H L I G H T S
+                I.  R E L E A S E  4 . 4  H I G H L I G H T S
 ----------------------------------------------------------------------------
 
 1)  Support for Shorewall-shell has been discontinued. Shorewall-perl
@@ -224,6 +224,22 @@
 I I I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
 
+4.4.12.1
+
+1)  Under rare circumstances where COMMENT is used to attach comments
+    to rules, OPTIMIZE 8 through 15 could result in invalid
+    iptables-restore (ip6tables-restore) input.
+
+2)  Under rare circumstances unvolving exclusion, OPTIMIZE 8 through 15
+    could result in invalid iptables-restore (ip6tables-restore) input.
+
+3)  The change in 4.4.12 to detect and use the new ipset match syntax
+    broke the ability to detect the old ipset match capability. Now,
+    both versions of the capability can be correctly detected.
+
+4.4.12
+
+
 1)  Previously, the Shorewall6-lite version of shorecap was using
     iptables rather than ip6tables, with the result that many capabilities
     that are only available in IPv4 were being reported as available.
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12/shorewall.spec shorewall-4.4.12.1/shorewall.spec
--- shorewall-4.4.12/shorewall.spec	2010-08-17 07:34:21.000000000 -0700
+++ shorewall-4.4.12.1/shorewall.spec	2010-08-24 13:15:35.000000000 -0700
@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 4.4.12
-%define release 0base
+%define release 1
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -108,6 +108,8 @@
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
 
 %changelog
+* Mon Aug 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-1
 * Sun Aug 15 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0base
 * Fri Aug 06 2010 Tom Eastep tom@shorewall.net
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12/uninstall.sh shorewall-4.4.12.1/uninstall.sh
--- shorewall-4.4.12/uninstall.sh	2010-08-17 07:34:21.000000000 -0700
+++ shorewall-4.4.12.1/uninstall.sh	2010-08-24 13:15:35.000000000 -0700
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.12
+VERSION=4.4.12.1
 
 usage() # $1 = exit status
 {