Diffstat (limited to 'network/shorewall/patch-4.4.7.1')
-rw-r--r--network/shorewall/patch-4.4.7.1167
1 files changed, 167 insertions, 0 deletions
diff --git a/network/shorewall/patch-4.4.7.1 b/network/shorewall/patch-4.4.7.1
new file mode 100644
index 0000000000..966e83c3cf
--- /dev/null
+++ b/network/shorewall/patch-4.4.7.1
@@ -0,0 +1,167 @@
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/changelog.txt shorewall-4.4.7.1/changelog.txt
+--- shorewall-4.4.7/changelog.txt 2010-02-11 07:29:41.000000000 -0800
++++ shorewall-4.4.7.1/changelog.txt 2010-02-13 07:28:22.000000000 -0800
+@@ -1,3 +1,7 @@
++Changes in Shorewall 4.4.7-1
++
++1) Don't apply rate limiting twice in NAT rules.
++
+ Changes in Shorewall 4.4.7
+
+ 1) Backport optimization changes from 4.5.
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/install.sh shorewall-4.4.7.1/install.sh
+--- shorewall-4.4.7/install.sh 2010-02-11 07:29:41.000000000 -0800
++++ shorewall-4.4.7.1/install.sh 2010-02-13 07:28:22.000000000 -0800
+@@ -22,7 +22,7 @@
+ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ #
+
+-VERSION=4.4.7
++VERSION=4.4.7.1
+
+ usage() # $1 = exit status
+ {
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/known_problems.txt shorewall-4.4.7.1/known_problems.txt
+--- shorewall-4.4.7/known_problems.txt 2010-02-11 07:29:41.000000000 -0800
++++ shorewall-4.4.7.1/known_problems.txt 2010-02-13 07:28:22.000000000 -0800
+@@ -1 +1,5 @@
+-There are no known problems in Shorewall 4.4.7.
++1) All versions of Shorewall-perl mishandle per-IP rate limiting in
++ REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
++ the values given in the rule.
++
++ Corrected in 4.4.7.1
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/Perl/Shorewall/Config.pm shorewall-4.4.7.1/Perl/Shorewall/Config.pm
+--- shorewall-4.4.7/Perl/Shorewall/Config.pm 2010-02-11 07:29:41.000000000 -0800
++++ shorewall-4.4.7.1/Perl/Shorewall/Config.pm 2010-02-13 07:28:22.000000000 -0800
+@@ -337,7 +337,7 @@
+ TC_SCRIPT => '',
+ EXPORT => 0,
+ UNTRACKED => 0,
+- VERSION => "4.4.7",
++ VERSION => "4.4.7.1",
+ CAPVERSION => 40407 ,
+ );
+
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/Perl/Shorewall/Rules.pm shorewall-4.4.7.1/Perl/Shorewall/Rules.pm
+--- shorewall-4.4.7/Perl/Shorewall/Rules.pm 2010-02-11 07:29:41.000000000 -0800
++++ shorewall-4.4.7.1/Perl/Shorewall/Rules.pm 2010-02-13 07:28:22.000000000 -0800
+@@ -1182,13 +1182,25 @@
+ #
+ # Generate Fixed part of the rule
+ #
+- $rule = join( '',
+- do_proto($proto, $ports, $sports),
+- do_ratelimit( $ratelimit, $basictarget ) ,
+- do_user( $user ) ,
+- do_test( $mark , $globals{TC_MASK} ) ,
+- do_connlimit( $connlimit ),
+- do_time( $time ) );
++ if ( ( $actiontype & ( NATRULE | NATONLY ) ) == NATRULE ) {
++ #
++ # Don't apply rate limiting twice
++ #
++ $rule = join( '',
++ do_proto($proto, $ports, $sports),
++ do_user( $user ) ,
++ do_test( $mark , $globals{TC_MASK} ) ,
++ do_connlimit( $connlimit ),
++ do_time( $time ) );
++ } else {
++ $rule = join( '',
++ do_proto($proto, $ports, $sports),
++ do_ratelimit( $ratelimit, $basictarget ) ,
++ do_user( $user ) ,
++ do_test( $mark , $globals{TC_MASK} ) ,
++ do_connlimit( $connlimit ),
++ do_time( $time ) );
++ }
+
+ unless ( $section eq 'NEW' ) {
+ fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/releasenotes.txt shorewall-4.4.7.1/releasenotes.txt
+--- shorewall-4.4.7/releasenotes.txt 2010-02-11 07:29:41.000000000 -0800
++++ shorewall-4.4.7.1/releasenotes.txt 2010-02-13 07:28:22.000000000 -0800
+@@ -1,4 +1,4 @@
+-Shorewall 4.4.7
++Shorewall 4.4.7 Patch Release 1.
+
+ ----------------------------------------------------------------------------
+ R E L E A S E 4 . 4 H I G H L I G H T S
+@@ -184,7 +184,15 @@
+ one from the release (not recommended).
+
+ ----------------------------------------------------------------------------
+- P R O B L E M S C O R R E C T E D I N 4 . 4 . 7
++ P R O B L E M S C O R R E C T E D I N 4 . 4 . 7 . 1
++----------------------------------------------------------------------------
++
++1) All versions of Shorewall-perl mishandle per-IP rate limiting in
++ REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
++ the values given in the rule.
++
++----------------------------------------------------------------------------
++ P R O B L E M S C O R R E C T E D I N 4 . 4 . 7
+ ----------------------------------------------------------------------------
+
+ 1) The tcinterfaces and tcpri files are now installed by the
+@@ -211,12 +219,19 @@
+
+ 5) Previously, specifying a TYPE in /etc/shorewall/tcinterfaces would
+ cause start/restart to fail on systems lacking 'flow' classifier
+- support. While we currently know of no safe way to test for that
+- support, in Shorewall 4.4.7 we use other hints to surmise that the
+- installed toolset is likely to be too old to support 'flow' and
+- simply ignore the TYPE setting. In particular, RHEL5 and
+- derivatives no lonter experience a startup failure when TYPE is
+- specified.
++ support. In Shorewall 4.4.7, we detect the ability of the 'tc'
++ utility to support that classifier.
++
++ There are two caveats:
++
++ - 'tc' may support 'flow' but the kernel does not. In that case,
++ start/restart will still fail.
++
++ - If you use a capabilities file, you will need to regenerate the
++ file using shorewall-lite 4.4.7 in order for 'flow' to be
++ accurately detected. If you do not regenerate the file, the
++ compiler will use other hints to try to determine if 'flow' is
++ available.
+
+ ----------------------------------------------------------------------------
+ K N O W N P R O B L E M S R E M A I N I N G
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/shorewall.spec shorewall-4.4.7.1/shorewall.spec
+--- shorewall-4.4.7/shorewall.spec 2010-02-11 07:29:41.000000000 -0800
++++ shorewall-4.4.7.1/shorewall.spec 2010-02-13 07:28:22.000000000 -0800
+@@ -1,6 +1,6 @@
+ %define name shorewall
+ %define version 4.4.7
+-%define release 0base
++%define release 1
+
+ Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
+ Name: %{name}
+@@ -107,6 +107,10 @@
+ %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
+
+ %changelog
++* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
++- Updated to 4.4.7-1
++* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
++- Updated to 4.4.7-0base
+ * Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+ - Updated to 4.4.7-0base
+ * Tue Feb 02 2010 Tom Eastep tom@shorewall.net
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/uninstall.sh shorewall-4.4.7.1/uninstall.sh
+--- shorewall-4.4.7/uninstall.sh 2010-02-11 07:29:41.000000000 -0800
++++ shorewall-4.4.7.1/uninstall.sh 2010-02-13 07:28:22.000000000 -0800
+@@ -26,7 +26,7 @@
+ # You may only use this script to uninstall the version
+ # shown below. Simply run this script to remove Shorewall Firewall
+
+-VERSION=4.4.7
++VERSION=4.4.7.1
+
+ usage() # $1 = exit status
+ {
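Review bot: The two branches added to Rules.pm (inner hunk at `@@ -1182,13 +1182,25 @@`) repeat the whole six-argument `join` and differ only in whether `do_ratelimit` is included, so a later change to the fixed part of the rule has to be made twice and the branches can drift. The same result is obtained by computing the optional piece once, `my $limit = ( ( $actiontype & ( NATRULE | NATONLY ) ) == NATRULE ) ? '' : do_ratelimit( $ratelimit, $basictarget );`, and keeping a single `join( '', do_proto(...), $limit, do_user(...), ... )`. The comment `# Don't apply rate limiting twice` names the intent but not where the other application happens; naming it (presumably the companion rule generated for the NAT case, which lies outside this hunk) would let a maintainer verify the pairing. The enclosing subroutine starts and ends outside the hunk.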