Diffstat (limited to 'network/shorewall/patch-4.4.7.1')
-rw-r--r-- | network/shorewall/patch-4.4.7.1 | 167 |
1 files changed, 167 insertions, 0 deletions
diff --git a/network/shorewall/patch-4.4.7.1 b/network/shorewall/patch-4.4.7.1
new file mode 100644
index 0000000000..966e83c3cf
--- /dev/null
+++ b/network/shorewall/patch-4.4.7.1
@@ -0,0 +1,167 @@
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/changelog.txt shorewall-4.4.7.1/changelog.txt
+--- shorewall-4.4.7/changelog.txt 2010-02-11 07:29:41.000000000 -0800
++++ shorewall-4.4.7.1/changelog.txt 2010-02-13 07:28:22.000000000 -0800
+@@ -1,3 +1,7 @@
++Changes in Shorewall 4.4.7-1
++
++1) Don't apply rate limiting twice in NAT rules.
++
+ Changes in Shorewall 4.4.7
+ 
+ 1) Backport optimization changes from 4.5.
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/install.sh shorewall-4.4.7.1/install.sh
+--- shorewall-4.4.7/install.sh 2010-02-11 07:29:41.000000000 -0800
++++ shorewall-4.4.7.1/install.sh 2010-02-13 07:28:22.000000000 -0800
+@@ -22,7 +22,7 @@
+ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ #
+ 
+-VERSION=4.4.7
++VERSION=4.4.7.1
+ 
+ usage() # $1 = exit status
+ {
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/known_problems.txt shorewall-4.4.7.1/known_problems.txt
+--- shorewall-4.4.7/known_problems.txt 2010-02-11 07:29:41.000000000 -0800
++++ shorewall-4.4.7.1/known_problems.txt 2010-02-13 07:28:22.000000000 -0800
+@@ -1 +1,5 @@
+-There are no known problems in Shorewall 4.4.7.
++1) All versions of Shorewall-perl mishandle per-IP rate limiting in
++ REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
++ the values given in the rule.
++
++ Corrected in 4.4.7.1
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/Perl/Shorewall/Config.pm shorewall-4.4.7.1/Perl/Shorewall/Config.pm
+--- shorewall-4.4.7/Perl/Shorewall/Config.pm 2010-02-11 07:29:41.000000000 -0800
++++ shorewall-4.4.7.1/Perl/Shorewall/Config.pm 2010-02-13 07:28:22.000000000 -0800
+@@ -337,7 +337,7 @@
+ TC_SCRIPT => '',
+ EXPORT => 0,
+ UNTRACKED => 0,
+- VERSION => "4.4.7",
++ VERSION => "4.4.7.1",
+ CAPVERSION => 40407 ,
+ );
+ 
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/Perl/Shorewall/Rules.pm shorewall-4.4.7.1/Perl/Shorewall/Rules.pm
+--- shorewall-4.4.7/Perl/Shorewall/Rules.pm 2010-02-11 07:29:41.000000000 -0800
++++ shorewall-4.4.7.1/Perl/Shorewall/Rules.pm 2010-02-13 07:28:22.000000000 -0800
+@@ -1182,13 +1182,25 @@
+ #
+ # Generate Fixed part of the rule
+ #
+- $rule = join( '',
+- do_proto($proto, $ports, $sports),
+- do_ratelimit( $ratelimit, $basictarget ) ,
+- do_user( $user ) ,
+- do_test( $mark , $globals{TC_MASK} ) ,
+- do_connlimit( $connlimit ),
+- do_time( $time ) );
++ if ( ( $actiontype & ( NATRULE | NATONLY ) ) == NATRULE ) {
++ #
++ # Don't apply rate limiting twice
++ #
++ $rule = join( '',
++ do_proto($proto, $ports, $sports),
++ do_user( $user ) ,
++ do_test( $mark , $globals{TC_MASK} ) ,
++ do_connlimit( $connlimit ),
++ do_time( $time ) );
++ } else {
++ $rule = join( '',
++ do_proto($proto, $ports, $sports),
++ do_ratelimit( $ratelimit, $basictarget ) ,
++ do_user( $user ) ,
++ do_test( $mark , $globals{TC_MASK} ) ,
++ do_connlimit( $connlimit ),
++ do_time( $time ) );
++ }
+ 
+ unless ( $section eq 'NEW' ) {
+ fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/releasenotes.txt shorewall-4.4.7.1/releasenotes.txt
+--- shorewall-4.4.7/releasenotes.txt 2010-02-11 07:29:41.000000000 -0800
++++ shorewall-4.4.7.1/releasenotes.txt 2010-02-13 07:28:22.000000000 -0800
+@@ -1,4 +1,4 @@
+-Shorewall 4.4.7
++Shorewall 4.4.7 Patch Release 1.
+ 
+ ----------------------------------------------------------------------------
+ R E L E A S E 4 . 4 H I G H L I G H T S
+@@ -184,7 +184,15 @@
+ one from the release (not recommended).
+ 
+ ----------------------------------------------------------------------------
+- P R O B L E M S C O R R E C T E D I N 4 . 4 . 7
++ P R O B L E M S C O R R E C T E D I N 4 . 4 . 7 . 1
++----------------------------------------------------------------------------
++
++1) All versions of Shorewall-perl mishandle per-IP rate limiting in
++ REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
++ the values given in the rule.
++
++----------------------------------------------------------------------------
++ P R O B L E M S C O R R E C T E D I N 4 . 4 . 7
+ ----------------------------------------------------------------------------
+ 
+ 1) The tcinterfaces and tcpri files are now installed by the
+@@ -211,12 +219,19 @@
+ 
+ 5) Previously, specifying a TYPE in /etc/shorewall/tcinterfaces would
+ cause start/restart to fail on systems lacking 'flow' classifier
+- support. While we currently know of no safe way to test for that
+- support, in Shorewall 4.4.7 we use other hints to surmise that the
+- installed toolset is likely to be too old to support 'flow' and
+- simply ignore the TYPE setting. In particular, RHEL5 and
+- derivatives no lonter experience a startup failure when TYPE is
+- specified.
++ support. In Shorewall 4.4.7, we detect the ability of the 'tc'
++ utility to support that classifier.
++
++ There are two caveats:
++
++ - 'tc' may support 'flow' but the kernel does not. In that case,
++ start/restart will still fail.
++
++ - If you use a capabilities file, you will need to regenerate the
++ file using shorewall-lite 4.4.7 in order for 'flow' to be
++ accurately detected. If you do not regenerate the file, the
++ compiler will use other hints to try to determine if 'flow' is
++ available.
+ 
+ ----------------------------------------------------------------------------
+ K N O W N P R O B L E M S R E M A I N I N G
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/shorewall.spec shorewall-4.4.7.1/shorewall.spec
+--- shorewall-4.4.7/shorewall.spec 2010-02-11 07:29:41.000000000 -0800
++++ shorewall-4.4.7.1/shorewall.spec 2010-02-13 07:28:22.000000000 -0800
+@@ -1,6 +1,6 @@
+ %define name shorewall
+ %define version 4.4.7
+-%define release 0base
++%define release 1
+ 
+ Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
+ Name: %{name}
+@@ -107,6 +107,10 @@
+ %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
+ 
+ %changelog
++* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
++- Updated to 4.4.7-1
++* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
++- Updated to 4.4.7-0base
+ * Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+ - Updated to 4.4.7-0base
+ * Tue Feb 02 2010 Tom Eastep tom@shorewall.net
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/uninstall.sh shorewall-4.4.7.1/uninstall.sh
+--- shorewall-4.4.7/uninstall.sh 2010-02-11 07:29:41.000000000 -0800
++++ shorewall-4.4.7.1/uninstall.sh 2010-02-13 07:28:22.000000000 -0800
+@@ -26,7 +26,7 @@
+ # You may only use this script to uninstall the version
+ # shown below. Simply run this script to remove Shorewall Firewall
+ 
+-VERSION=4.4.7
++VERSION=4.4.7.1
+ 
+ usage() # $1 = exit status
+ {
|
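Review bot: In the Rules.pm hunk the two branches of the new `if ( ( $actiontype & ( NATRULE | NATONLY ) ) == NATRULE )` repeat the whole `join( '', ... )` argument list and differ only in the presence of `do_ratelimit`, so any later change to the fixed part of the rule has to be made twice; one `join` with `( ( $actiontype & ( NATRULE | NATONLY ) ) == NATRULE ? '' : do_ratelimit( $ratelimit, $basictarget ) ) ,` in place of the `do_ratelimit` line says the same thing once. The comment `# Don't apply rate limiting twice` would be more useful if it named where the limit is still applied, e.g. `# A NATRULE without NATONLY also gets a second (non-nat) rule that carries the limit, so omit it here`, because dropping the limit from this rule is only correct if that other rule still emits it, and that rule is generated outside this hunk where the reviewer cannot confirm it. The enclosing subroutine starts and ends outside the hunk. The remaining hunks are version bumps and documentation and need no change.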