Upgrade to Version 250 from CVS, fixes some Bugs, also adjust for newer bash by using %b instead of %q in printf-statements.

(Portage version: 2.1.2_rc2-r2)
author: Dominik Stadler <centic@gentoo.org> 2006-12-28 20:59:13 +0000
committer: Dominik Stadler <centic@gentoo.org> 2006-12-28 20:59:13 +0000
commit: e5a9cc138abf22cf9bf75921ca67bb2ac91dc60d (patch)
tree: 87f774f8d3cbec8408426ee8bc5061d946dc1a81 /net-firewall/firehol
parent: Add a live SVN version of Amarok. Although not supported and a bad idea in ge... (diff)
download: gentoo-2-e5a9cc138abf22cf9bf75921ca67bb2ac91dc60d.tar.gz
gentoo-2-e5a9cc138abf22cf9bf75921ca67bb2ac91dc60d.tar.bz2
gentoo-2-e5a9cc138abf22cf9bf75921ca67bb2ac91dc60d.zip
5 files changed, 888 insertions, 1 deletions
diff --git a/net-firewall/firehol/ChangeLog b/net-firewall/firehol/ChangeLog
index b9df3e9417a9..a438eabb0cbb 100644
--- a/net-firewall/firehol/ChangeLog
+++ b/net-firewall/firehol/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for net-firewall/firehol
 # Copyright 2002-2006 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-firewall/firehol/ChangeLog,v 1.21 2006/08/20 03:58:25 weeve Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/firehol/ChangeLog,v 1.22 2006/12/28 20:59:13 centic Exp $
+
+*firehol-1.250 (27 Dec 2006)
+
+  27 Dec 2006; Dominik Stadler <centic@gentoo.org>
+  +files/firehol-1.226-to-250.patch, +files/firehol-1.250-printf.patch,
+  +firehol-1.250.ebuild:
+  Add version 250 from CVS, fixes bug 151588. Depend on iproute2, fixes Bug
+  152537. Change printf-statements, fixes Bugs 153858 and 139526
 
   20 Aug 2006; Jason Wever <weeve@gentoo.org> firehol-1.226-r1.ebuild:
   Added ~sparc keyword wrt bug #137899.
diff --git a/net-firewall/firehol/files/digest-firehol-1.250 b/net-firewall/firehol/files/digest-firehol-1.250
new file mode 100644
index 000000000000..d2c0f0cf477c
--- /dev/null
+++ b/net-firewall/firehol/files/digest-firehol-1.250
@@ -0,0 +1,3 @@
+MD5 958f6e95bad37013e544da587f55c8b7 firehol-1.226.tar.bz2 118113
+RMD160 bff910e8a3a67ce91f0634177b5ee361edc90e96 firehol-1.226.tar.bz2 118113
+SHA256 b434e8142eb4093516794c6f2213d03efa3c08161758ff836dbd266f0a9438cf firehol-1.226.tar.bz2 118113
diff --git a/net-firewall/firehol/files/firehol-1.226-to-250.patch b/net-firewall/firehol/files/firehol-1.226-to-250.patch
new file mode 100644
index 000000000000..2e042f7f05be
--- /dev/null
+++ b/net-firewall/firehol/files/firehol-1.226-to-250.patch
@@ -0,0 +1,748 @@
+--- firehol.new	2006-12-27 14:13:39.000000000 +0100
++++ firehol.sh 2006-12-27 14:15:57.000000000 +0100
+@@ -10,7 +10,7 @@
+ #
+ # config: /etc/firehol/firehol.conf
+ #
+-# $Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $
++# $Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $
+ #
+ 
+ # Make sure only root can run us.
+@@ -74,13 +74,16 @@
+ 	return 0
+ }
+ 
+-# Check for a command during runtime.
+-# Currently the following commands are required only when needed:
+-#
+-# wget or curl (either is fine)
+-# gzcat
+-#
++# command on demand support.
+ require_cmd() {
++	local block=1
++	if [ "a$1" = "a-n" ]
++	then
++		local block=0
++		shift
++	fi
++	
++	# if one is found, return success
+ 	for x in $1
+ 	do
+ 		eval var=`echo ${x} | tr 'a-z' 'A-Z'`_CMD
+@@ -92,21 +95,56 @@
+ 		fi
+ 	done
+ 	
++	if [ $block -eq 1 ]
++	then
++		echo >&2
++		echo >&2 "ERROR:	THE REQUESTED FEATURE REQUIRES THESE PROGRAMS:"
++		echo >&2
++		echo >&2 "	$*"
++		echo >&2
++		echo >&2 "	You have requested the use of an optional FireHOL"
++		echo >&2 "	feature that requires certain external programs"
++		echo >&2 "	to be installed in the running system."
++		echo >&2
++		echo >&2 "	Please consult your Linux distribution manual to"
++		echo >&2 "	install the package(s) that provide these external"
++		echo >&2 "	programs and retry."
++		echo >&2
++		echo >&2 "	Note that you need an operational 'which' command"
++		echo >&2 "	for FireHOL to find all the external programs it"
++		echo >&2 "	needs. Check it yourself. Run:"
++		echo >&2
++		for x in $1
++		do
++			echo >&2 "	which $x"
++		done
++		
++		exit 1
++	fi
++	
+ 	return 1
+ }
+ 
++# Currently the following commands are required only when needed.
++# (i.e. Command on Demand)
++#
++# wget or curl (either is fine)
++# gzcat
++# ip
++# netstat
++# egrep
++# date
++# hostname
++
++# Commands that are mandatory for FireHOL operation:
+ which_cmd CAT_CMD cat
+ which_cmd CUT_CMD cut
+ which_cmd CHOWN_CMD chown
+ which_cmd CHMOD_CMD chmod
+-which_cmd DATE_CMD date
+-which_cmd EGREP_CMD egrep
+ which_cmd EXPR_CMD expr
+ which_cmd GAWK_CMD gawk
+ which_cmd GREP_CMD grep
+ which_cmd HEAD_CMD head
+-which_cmd HOSTNAME_CMD hostname
+-which_cmd IP_CMD ip
+ which_cmd IPTABLES_CMD iptables
+ which_cmd IPTABLES_SAVE_CMD iptables-save
+ which_cmd LESS_CMD less
+@@ -114,7 +152,6 @@
+ which_cmd MKDIR_CMD mkdir
+ which_cmd MV_CMD mv
+ which_cmd MODPROBE_CMD modprobe
+-which_cmd NETSTAT_CMD netstat
+ which_cmd RENICE_CMD renice
+ which_cmd RM_CMD rm
+ which_cmd SED_CMD sed
+@@ -134,7 +171,7 @@
+ # Find our minor version
+ firehol_minor_version() {
+ ${CAT_CMD} <<"EOF" | ${CUT_CMD} -d ' ' -f 3 | ${CUT_CMD} -d '.' -f 2
+-$Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $
++$Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $
+ EOF
+ }
+ 
+@@ -170,6 +207,9 @@
+ FIREHOL_SAVED="${FIREHOL_DIR}/firehol-save.sh"
+ FIREHOL_TMP="${FIREHOL_DIR}/firehol-tmp.sh"
+ 
++FIREHOL_LOCK_DIR="/var/lock/subsys"
++test ! -d "${FIREHOL_LOCK_DIR}" && FIREHOL_LOCK_DIR="/var/lock"
++
+ FIREHOL_SPOOL_DIR="/var/spool/firehol"
+ 
+ # The default configuration file
+@@ -209,6 +249,7 @@
+ 
+ # Run our exit even if we don't call exit.
+ trap firehol_exit EXIT
++trap firehol_exit SIGHUP
+ 
+ 
+ # ------------------------------------------------------------------------------
+@@ -267,8 +308,8 @@
+ if [ ! -d "${FIREHOL_SPOOL_DIR}" ]
+ then
+ 	"${MKDIR_CMD}" "${FIREHOL_SPOOL_DIR}"			|| exit 1
+-	"${CHOWN_CMD}" root:root "${FIREHOL_CONFIG_DIR}"	|| exit 1
+-	"${CHMOD_CMD}" 700 "${FIREHOL_CONFIG_DIR}"		|| exit 1
++	"${CHOWN_CMD}" root:root "${FIREHOL_SPOOL_DIR}"		|| exit 1
++	"${CHMOD_CMD}" 700 "${FIREHOL_SPOOL_DIR}"		|| exit 1
+ fi
+ 
+ 
+@@ -280,7 +321,7 @@
+ # Optimized (CIDR) by Marc 'HE' Brockschmidt <marc@marcbrockschmidt.de>
+ # Further optimized and reduced by http://www.vergenet.net/linux/aggregate/
+ # The supplied get-iana.sh uses 'aggregate-flim' if it finds it in the path.
+-RESERVED_IPS="0.0.0.0/7 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/7 39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 73.0.0.0/8 74.0.0.0/7 76.0.0.0/6 89.0.0.0/8 90.0.0.0/7 92.0.0.0/6 96.0.0.0/3 173.0.0.0/8 174.0.0.0/7 176.0.0.0/5 184.0.0.0/6 189.0.0.0/8 190.0.0.0/8 197.0.0.0/8 223.0.0.0/8 240.0.0.0/4"
++RESERVED_IPS="0.0.0.0/7 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/7 39.0.0.0/8 42.0.0.0/8 92.0.0.0/6 100.0.0.0/6 104.0.0.0/5 112.0.0.0/5 120.0.0.0/8 127.0.0.0/8 173.0.0.0/8 174.0.0.0/7 176.0.0.0/5 184.0.0.0/6 197.0.0.0/8 223.0.0.0/8 240.0.0.0/4 "
+ 
+ # Private IPv4 address space
+ # Suggested by Fco.Felix Belmonte <ffelix@gescosoft.com>
+@@ -306,6 +347,11 @@
+ # policy interface subscommand. 
+ DEFAULT_INTERFACE_POLICY="DROP"
+ 
++# The default policy for the router commands of the firewall.
++# This can be controlled on a per interface basis using the
++# policy interface subscommand. 
++DEFAULT_ROUTER_POLICY="RETURN"
++
+ # Which is the filter table chains policy during firewall activation?
+ FIREHOL_INPUT_ACTIVATION_POLICY="ACCEPT"
+ FIREHOL_OUTPUT_ACTIVATION_POLICY="ACCEPT"
+@@ -329,6 +375,10 @@
+ FIREHOL_LOG_MODE="LOG"
+ FIREHOL_LOG_FREQUENCY="1/second"
+ FIREHOL_LOG_BURST="5"
++FIREHOL_LOG_PREFIX=""
++
++# If enabled, FireHOL will silently drop orphan TCP packets with ACK,FIN set.
++FIREHOL_DROP_ORPHAN_TCP_ACK_FIN=0
+ 
+ # The client ports to be used for "default" client ports when the
+ # client specified is a foreign host.
+@@ -427,7 +477,7 @@
+ work_name=
+ work_inface=
+ work_outface=
+-work_policy="${DEFAULT_INTERFACE_POLICY}"
++work_policy=
+ work_error=0
+ work_function="Initializing"
+ 
+@@ -618,6 +668,9 @@
+ server_microsoft_ds_ports="tcp/445"
+ client_microsoft_ds_ports="default"
+ 
++server_ms_ds_ports="tcp/445"
++client_ms_ds_ports="default"
++
+ server_mms_ports="tcp/1755 udp/1755"
+ client_mms_ports="default"
+ require_mms_modules="ip_conntrack_mms"
+@@ -666,6 +719,9 @@
+ server_oracle_ports="tcp/1521"
+ client_oracle_ports="default"
+ 
++server_OSPF_ports="89/any"
++client_OSPF_ports="any"
++
+ server_pop3_ports="tcp/110"
+ client_pop3_ports="default"
+ 
+@@ -708,7 +764,7 @@
+ client_rtp_ports="any"
+ 
+ server_sip_ports="udp/5060"
+-client_sip_ports="default"
++client_sip_ports="5060 default"
+ 
+ server_socks_ports="tcp/1080 udp/1080"
+ client_socks_ports="default"
+@@ -769,7 +825,7 @@
+ server_vmwareauth_ports="tcp/903"
+ client_vmwareauth_ports="default"
+ 
+-server_vmwareweb_ports="tcp/8222"
++server_vmwareweb_ports="tcp/8222 tcp/8333"
+ client_vmwareweb_ports="default"
+ 
+ server_vnc_ports="tcp/5900:5903"
+@@ -1090,10 +1146,12 @@
+ 		local server_rquotad_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " rquotad$"  | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
+ 		local server_mountd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " mountd$"  | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
+ 		local server_lockd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " nlockmgr$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
++		local server_statd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " status$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
+ 		local server_nfsd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " nfs$"       | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
+ 		
+ 		test -z "${server_mountd_ports}" && error "Cannot find mountd ports for nfs server '${x}'" && return 1
+ 		test -z "${server_lockd_ports}"  && error "Cannot find lockd ports for nfs server '${x}'" && return 1
++		test -z "${server_statd_ports}"  && error "Cannot find statd ports for nfs server '${x}'" && return 1
+ 		test -z "${server_nfsd_ports}"   && error "Cannot find nfsd ports for nfs server '${x}'" && return 1
+ 		
+ 		local dst=
+@@ -1113,6 +1171,9 @@
+ 		
+ 		set_work_function "Processing lockd rules for server '${x}'"
+ 		rules_custom "${mychain}" "${type}" nfs-lockd "${server_lockd_ports}" "500:65535" "${action}" $dst "$@"
++
++		set_work_function "Processing statd rules for server '${x}'"
++		rules_custom "${mychain}" "${type}" nfs-statd "${server_statd_ports}" "500:65535" "${action}" $dst "$@"
+ 		
+ 		set_work_function "Processing nfsd rules for server '${x}'"
+ 		rules_custom "${mychain}" "${type}" nfs-nfsd   "${server_nfsd_ports}"   "500:65535" "${action}" $dst "$@"
+@@ -1798,7 +1859,7 @@
+ firehol_wget() {
+ 	local url="${1}"
+ 	
+-	require_cmd wget curl || error "Cannot find 'wget' or 'curl' in the path."
++	require_cmd wget curl
+ 	
+ 	if [ ! -z "${WGET_CMD}" ]
+ 	then
+@@ -2407,9 +2468,9 @@
+ policy() {
+         work_realcmd_secondary ${FUNCNAME} "$@"
+ 	
+-	require_work set interface || return 1
++	require_work set any || return 1
+ 	
+-	set_work_function "Setting interface '${work_inface}' (${work_name}) policy to ${1}"
++	set_work_function "Setting policy of ${work_name} to ${1}"
+ 	work_policy="$*"
+ 	
+ 	return 0
+@@ -2482,6 +2543,11 @@
+ 				return 0
+ 				;;
+ 			
++			bad-packets|BAD-PACKETS)
++				protection ${reverse} "invalid fragments new-tcp-w/o-syn malformed-xmas malformed-null malformed-bad" "${rate}" "${burst}"
++				return $?
++				;;
++			
+ 			strong|STRONG|full|FULL|all|ALL)
+ 				protection ${reverse} "invalid fragments new-tcp-w/o-syn icmp-floods syn-floods malformed-xmas malformed-null malformed-bad" "${rate}" "${burst}"
+ 				return $?
+@@ -2529,6 +2595,16 @@
+ 				rule in chain "${mychain}" loglimit "SYN FLOOD" action drop					|| return 1
+ 				;;
+ 				
++			all-floods|ALL-FLOODS)
++				local mychain="${pre}_${work_name}_allflood"
++				create_chain filter "${mychain}" "${in}_${work_name}" in state NEW		|| return 1
++				
++				set_work_function "Generating rules to be protected from ALL floods on '${prface}' for ${work_cmd} '${work_name}'"
++				
++				rule in chain "${mychain}" limit "${rate}" "${burst}" action return				|| return 1
++				rule in chain "${mychain}" loglimit "ALL FLOOD" action drop					|| return 1
++				;;
++				
+ 			malformed-xmas|MALFORMED-XMAS)
+ 				local mychain="${pre}_${work_name}_malxmas"
+ 				create_chain filter "${mychain}" "${in}_${work_name}" in proto tcp custom "--tcp-flags ALL ALL"	|| return 1
+@@ -2589,7 +2665,7 @@
+ # kernel modules.
+ 
+ # optionaly require command gzcat
+-require_cmd gzcat
++require_cmd -n gzcat
+ 
+ KERNEL_CONFIG=
+ if [ -f "/proc/config" ]
+@@ -2632,6 +2708,7 @@
+ 	echo >&2 " all kernel modules for the services used, without"
+ 	echo >&2 " being able to detect failures."
+ 	echo >&2 " "
++	sleep 2
+ fi
+ 
+ # activation-phase command to check for the existance of
+@@ -2824,11 +2901,12 @@
+ 	work_name=
+ 	work_inface=
+ 	work_outface=
+-	work_policy="${DEFAULT_INTERFACE_POLICY}"
++	work_policy=
+ 	
+ 	return 0
+ }
+ 
++
+ # ------------------------------------------------------------------------------
+ # close_interface
+ # WHY:
+@@ -2841,6 +2919,12 @@
+ 	
+ 	set_work_function "Finilizing interface '${work_name}'"
+ 	
++	# Accept all related traffic to the established connections
++	rule chain "in_${work_name}" state RELATED action ACCEPT || return 1
++	rule chain "out_${work_name}" state RELATED action ACCEPT || return 1
++	
++	# make sure we have a policy
++	test -z "${work_policy}" && work_policy="${DEFAULT_INTERFACE_POLICY}"
+ 	case "${work_policy}" in
+ 		return|RETURN)
+ 			return 0
+@@ -2849,15 +2933,18 @@
+ 		accept|ACCEPT)
+ 			;;
+ 		
+-		*)
++		*)	
+ 			local -a inlog=(loglimit "'IN-${work_name}'")
+ 			local -a outlog=(loglimit "'OUT-${work_name}'")
+ 			;;
+ 	esac
+ 	
+-	# Accept all related traffic to the established connections
+-	rule chain "in_${work_name}" state RELATED action ACCEPT || return 1
+-	rule chain "out_${work_name}" state RELATED action ACCEPT || return 1
++	if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ]
++	then
++		# Silently drop orphan TCP/ACK FIN packets
++		rule chain "in_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
++		rule reverse chain "out_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
++	fi
+ 	
+ 	rule chain "in_${work_name}" "${inlog[@]}" action ${work_policy} || return 1
+ 	rule reverse chain "out_${work_name}" "${outlog[@]}" action ${work_policy} || return 1
+@@ -2882,6 +2969,32 @@
+ 	rule chain "in_${work_name}" state RELATED action ACCEPT || return 1
+ 	rule chain "out_${work_name}" state RELATED action ACCEPT || return 1
+ 	
++	# make sure we have a policy
++	test -z "${work_policy}" && work_policy="${DEFAULT_ROUTER_POLICY}"
++	case "${work_policy}" in
++		return|RETURN)
++			return 0
++			;;
++			
++		accept|ACCEPT)
++			;;
++		
++		*)	
++			local -a inlog=(loglimit "'PASS-${work_name}'")
++			local -a outlog=(loglimit "'PASS-${work_name}'")
++			;;
++	esac
++	
++	if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ]
++	then
++		# Silently drop orphan TCP/ACK FIN packets
++		rule chain "in_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
++		rule reverse chain "out_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
++	fi
++	
++	rule chain "in_${work_name}" "${inlog[@]}" action ${work_policy} || return 1
++	rule reverse chain "out_${work_name}" "${outlog[@]}" action ${work_policy} || return 1
++	
+ 	return 0
+ }
+ 
+@@ -2900,6 +3013,14 @@
+ 	rule chain OUTPUT state RELATED action ACCEPT || return 1
+ 	rule chain FORWARD state RELATED action ACCEPT || return 1
+ 	
++	if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ]
++	then
++		# Silently drop orphan TCP/ACK FIN packets
++		rule chain INPUT state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
++		rule chain OUTPUT state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
++		rule chain FORWARD state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
++	fi
++	
+ 	rule chain INPUT loglimit "IN-unknown" action ${UNMATCHED_INPUT_POLICY} || return 1
+ 	rule chain OUTPUT loglimit "OUT-unknown" action ${UNMATCHED_OUTPUT_POLICY} || return 1
+ 	rule chain FORWARD loglimit "PASS-unknown" action ${UNMATCHED_ROUTER_POLICY} || return 1
+@@ -3055,7 +3176,7 @@
+ 						# to pass.
+ 						if [ "${do_accept_limit}" = "1" ]
+ 						then
+-							local accept_limit_chain="`echo "ACCEPT ${freq} ${burst} ${overflow}" | tr " /." "___"`"
++							local accept_limit_chain="`echo "ACCEPT LIMIT ${freq} ${burst} ${overflow}" | tr " /." "___"`"
+ 							
+ 							# does the chain we need already exist?
+ 							if [ ! -f "${FIREHOL_CHAINS_DIR}/${accept_limit_chain}" ]
+@@ -3075,9 +3196,9 @@
+ 								local -a logopts_arg=()
+ 								if [ "${FIREHOL_LOG_MODE}" = "ULOG" ]
+ 								then
+-									local -a logopts_arg=("--ulog-prefix='OVERFLOW:'")
++									local -a logopts_arg=("--ulog-prefix='${FIREHOL_LOG_PREFIX}LIMIT_OVERFLOW:'")
+ 								else
+-									local -a logopts_arg=("--log-level" "${FIREHOL_LOG_LEVEL}" "--log-prefix='OVERFLOW:'")
++									local -a logopts_arg=("--log-level" "${FIREHOL_LOG_LEVEL}" "--log-prefix='${FIREHOL_LOG_PREFIX}LIMIT_OVERFLOW:'")
+ 								fi
+ 								iptables ${table} -A "${accept_limit_chain}" -m limit --limit "${FIREHOL_LOG_FREQUENCY}" --limit-burst "${FIREHOL_LOG_BURST}" -j ${FIREHOL_LOG_MODE} ${FIREHOL_LOG_OPTIONS} "${logopts_arg[@]}"
+ 								
+@@ -3096,6 +3217,62 @@
+ 						fi
+ 						;;
+ 						
++					"recent")
++						# limit NEW connections to the specified rate
++						local name="${action_param[1]}"
++						local seconds="${action_param[2]}"
++						local hits="${action_param[3]}"
++						
++						# unset the action_param, so that if this rule does not include NEW connections,
++						# we will not append anything to the generated iptables statements.
++						local -a action_param=()
++						
++						# find is this rule matches NEW connections
++						local has_new=`echo "${state}" | grep -i NEW`
++						local do_accept_recent=0
++						if [ -z "${statenot}" ]
++						then
++							test ! -z "${has_new}" && local do_accept_recent=1
++						else
++							test -z "${has_new}" && local do_accept_recent=1
++						fi
++						
++						# we have a match for NEW connections.
++						# redirect the traffic to a new chain, which will control
++						# the NEW connections while allowing all the other traffic
++						# to pass.
++						if [ "${do_accept_recent}" = "1" ]
++						then
++							local accept_recent_chain="`echo "ACCEPT RECENT $name $seconds $hits" | tr " /." "___"`"
++							
++							# does the chain we need already exist?
++							if [ ! -f "${FIREHOL_CHAINS_DIR}/${accept_recent_chain}" ]
++							then
++								# the chain does not exist. create it.
++								iptables ${table} -N "${accept_recent_chain}"
++								touch "${FIREHOL_CHAINS_DIR}/${accept_recent_chain}"
++								
++								# first, if the traffic is not a NEW connection, allow it.
++								# doing this first will speed up normal traffic.
++								iptables ${table} -A "${accept_recent_chain}" -m state ! --state NEW -j ACCEPT
++								
++								# accept NEW connections within the given limits.
++								iptables ${table} -A "${accept_recent_chain}" -m recent --set --name "${name}"
++								
++								local t1=
++								test ! -z $seconds && local t1="--seconds ${seconds}"
++								local t2=
++								test ! -z $hits && local t2="--hitcount ${hits}"
++								
++								iptables ${table} -A "${accept_recent_chain}" -m recent --update ${t1} ${t2} --name "${name}" -j RETURN
++								iptables ${table} -A "${accept_recent_chain}" -j ACCEPT
++							fi
++							
++							# send the rule to be generated to this chain
++							local action=${accept_recent_chain}
++						fi
++						;;
++						
+ 					'knock')
+ 						# the name of the knock
+ 						local name="knock_${action_param[1]}"
+@@ -3175,6 +3352,12 @@
+ 	local dst=any
+ 	local dstnot=
+ 	
++	local srctype=
++	local srctypenot=
++	
++	local dsttype=
++	local dsttypenot=
++	
+ 	local sport=any
+ 	local sportnot=
+ 	
+@@ -3397,7 +3580,7 @@
+ 				if [ "${1}" = "not" -o "${1}" = "NOT" ]
+ 				then
+ 					shift
+-					macnot="!"
++					test ${nomac} -eq 0 && macnot="!"
+ 				fi
+ 				test ${softwarnings} -eq 1 -a ! "${mac}" = "any" && softwarning "Overwritting param: mac '${mac}' becomes '${1}'"
+ 				test ${nomac} -eq 0 && mac="${1}"
+@@ -3454,6 +3637,56 @@
+ 				shift
+ 				;;
+ 				
++			srctype|SRCTYPE|sourcetype|SOURCETYPE)
++				shift
++				if [ ${reverse} -eq 0 ]
++				then
++					srctypenot=
++					if [ "${1}" = "not" -o "${1}" = "NOT" ]
++					then
++						shift
++						srctypenot="!"
++					fi
++					test ${softwarnings} -eq 1 -a ! "${srctype}" = "" && softwarning "Overwritting param: srctype '${srctype}' becomes '${1}'"
++					srctype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`"
++				else
++					dsttypenot=
++					if [ "${1}" = "not" -o "${1}" = "NOT" ]
++					then
++						shift
++						dsttypenot="!"
++					fi
++					test ${softwarnings} -eq 1 -a ! "${dsttype}" = "" && softwarning "Overwritting param: dsttype '${dsttype}' becomes '${1}'"
++					dsttype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`"
++				fi
++				shift
++				;;
++				
++			dsttype|DSTTYPE|destinationtype|DESTINATIONTYPE)
++				shift
++				if [ ${reverse} -eq 0 ]
++				then
++					dsttypenot=
++					if [ "${1}" = "not" -o "${1}" = "NOT" ]
++					then
++						shift
++						dsttypenot="!"
++					fi
++					test ${softwarnings} -eq 1 -a ! "${dsttype}" = "" && softwarning "Overwritting param: dsttype '${dsttype}' becomes '${1}'"
++					dsttype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`"
++				else
++					srctypenot=
++					if [ "${1}" = "not" -o "${1}" = "NOT" ]
++					then
++						shift
++						srctypenot="!"
++					fi
++					test ${softwarnings} -eq 1 -a ! "${srctype}" = "" && softwarning "Overwritting param: srctype '${srctype}' becomes '${1}'"
++					srctype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`"
++				fi
++				shift
++				;;
++				
+ 			sport|SPORT|sourceport|SOURCEPORT)
+ 				shift
+ 				if [ ${reverse} -eq 0 ]
+@@ -3591,6 +3824,11 @@
+ 									fi
+ 									;;
+ 								
++								recent|RECENT)
++									local -a action_param=("recent" "${2}" "${3}" "${4}")
++									shift 4
++									;;
++								
+ 								knock|KNOCK)
+ 									local -a action_param=("knock" "${2}")
+ 									shift 2
+@@ -3750,6 +3988,10 @@
+ 						fi
+ 						;;
+ 						
++					tarpit|TARPIT)
++						action="TARPIT"
++						;;
++						
+ 					*)
+ 						chain_exists "${action}"
+ 						local action_is_chain=$?
+@@ -3991,7 +4233,7 @@
+ 	#         this temporary chain.
+ 	
+ 	
+-	# ignore 'statenot' since it is negated in the positive rules
++	# ignore 'statenot', 'srctypenot', 'dsttypenot' since it is negated in the positive rules
+ 	if [ ! -z "${infacenot}${outfacenot}${physinnot}${physoutnot}${macnot}${srcnot}${dstnot}${sportnot}${dportnot}${protonot}${uidnot}${gidnot}${pidnot}${sidnot}${cmdnot}${marknot}${tosnot}${dscpnot}" ]
+ 	then
+ 		if [ ${action_is_chain} -eq 1 ]
+@@ -4540,6 +4782,25 @@
+ 				;;
+ 		esac
+ 	
++	# addrtype (srctype, dsttype)
++	local -a addrtype_arg=()
++	local -a stp_arg=()
++	local -a dtp_arg=()
++	if [ ! -z "${srctype}${dsttype}" ]
++	then
++		local -a addrtype_arg=("-m" "addrtype")
++		
++		if [ ! -z "${srctype}" ]
++		then
++			local -a stp_arg=("${srctypenot}" "--src-type" "${srctype}")
++		fi
++		
++		if [ ! -z "${dsttype}" ]
++		then
++			local -a dtp_arg=("${dsttypenot}" "--dst-type" "${dsttype}")
++		fi
++	fi
++	
+ 	# state
+ 	local -a state_arg=()
+ 	if [ ! -z "${state}" ]
+@@ -4562,15 +4823,15 @@
+ 	fi
+ 	
+ 	# build the command
+-	declare -a basecmd=("${inf_arg[@]}" "${outf_arg[@]}" "${physdev_arg[@]}" "${inph_arg[@]}" "${outph_arg[@]}" "${limit_arg[@]}" "${iplimit_arg[@]}" "${proto_arg[@]}" "${s_arg[@]}" "${sp_arg[@]}" "${d_arg[@]}" "${dp_arg[@]}" "${owner_arg[@]}" "${uid_arg[@]}" "${gid_arg[@]}" "${pid_arg[@]}" "${sid_arg[@]}" "${cmd_arg[@]}" "${state_arg[@]}" "${mc_arg[@]}" "${mark_arg[@]}" "${tos_arg[@]}" "${dscp_arg[@]}")
++	declare -a basecmd=("${inf_arg[@]}" "${outf_arg[@]}" "${physdev_arg[@]}" "${inph_arg[@]}" "${outph_arg[@]}" "${limit_arg[@]}" "${iplimit_arg[@]}" "${proto_arg[@]}" "${s_arg[@]}" "${sp_arg[@]}" "${d_arg[@]}" "${dp_arg[@]}" "${owner_arg[@]}" "${uid_arg[@]}" "${gid_arg[@]}" "${pid_arg[@]}" "${sid_arg[@]}" "${cmd_arg[@]}" "${addrtype_arg[@]}" "${stp_arg[@]}" "${dtp_arg[@]}" "${state_arg[@]}" "${mc_arg[@]}" "${mark_arg[@]}" "${tos_arg[@]}" "${dscp_arg[@]}")
+ 	
+ 	# log mode selection
+ 	local -a logopts_arg=()
+ 	if [ "${FIREHOL_LOG_MODE}" = "ULOG" ]
+ 	then
+-		local -a logopts_arg=("--ulog-prefix='${logtxt}:'")
++		local -a logopts_arg=("--ulog-prefix='${FIREHOL_LOG_PREFIX}${logtxt}:'")
+ 	else
+-		local -a logopts_arg=("--log-level" "${loglevel}" "--log-prefix='${logtxt}:'")
++		local -a logopts_arg=("--log-level" "${loglevel}" "--log-prefix='${FIREHOL_LOG_PREFIX}${logtxt}:'")
+ 	fi
+ 	
+ 	# log / loglimit
+@@ -5005,8 +5266,8 @@
+ 	stop)
+ 		test ! -z "${1}" && softwarning "Arguments after parameter '${arg}' are ignored."
+ 		
+-		test -f /var/lock/subsys/firehol && ${RM_CMD} -f /var/lock/subsys/firehol
+-		test -f /var/lock/subsys/iptables && ${RM_CMD} -f /var/lock/subsys/iptables
++		test -f "${FIREHOL_LOCK_DIR}/firehol" && ${RM_CMD} -f "${FIREHOL_LOCK_DIR}/firehol"
++		test -f "${FIREHOL_LOCK_DIR}/iptables" && ${RM_CMD} -f "${FIREHOL_LOCK_DIR}/iptables"
+ 		
+ 		echo -n $"FireHOL: Clearing Firewall:"
+ 		load_kernel_module ip_tables
+@@ -5038,7 +5299,7 @@
+ 	condrestart)
+ 		test ! -z "${1}" && softwarning "Arguments after parameter '${arg}' are ignored."
+ 		FIREHOL_TRY=0
+-		if [ -f /var/lock/subsys/firehol ]
++		if [ -f "${FIREHOL_LOCK_DIR}/firehol" ]
+ 		then
+ 			exit 0
+ 		fi
+@@ -5154,7 +5415,7 @@
+ 		else
+ 		
+ 		${CAT_CMD} <<EOF
+-$Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $
++$Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $
+ (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
+ FireHOL is distributed under GPL.
+ 
+@@ -5340,7 +5601,7 @@
+ 	
+ 	${CAT_CMD} <<EOF
+ 
+-$Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $
++$Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $
+ (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
+ FireHOL is distributed under GPL.
+ Home Page: http://firehol.sourceforge.net
+@@ -5459,6 +5720,13 @@
+ 
+ if [ ${FIREHOL_WIZARD} -eq 1 ]
+ then
++	# require commands for wizard mode
++	require_cmd ip
++	require_cmd netstat
++	require_cmd egrep
++	require_cmd date
++	require_cmd hostname
++	
+ 	wizard_ask() {
+ 		local prompt="${1}"; shift
+ 		local def="${1}"; shift
+@@ -5603,7 +5871,12 @@
+ 		local i4=${4}
+ 		local i5=${5:-32}
+ 		
+-		echo ${i1}.${i2}.${i3}.${i4}/${i5}
++		if [ "${i5}" = "32" ]
++		then
++			echo ${i1}.${i2}.${i3}.${i4}
++		else
++			echo ${i1}.${i2}.${i3}.${i4}/${i5}
++		fi
+ 	}
+ 	
+ 	ips2net() {
+@@ -5634,7 +5907,7 @@
+ 	
+ 	"${CAT_CMD}" >&2 <<EOF
+ 
+-$Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $
++$Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $
+ (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
+ FireHOL is distributed under GPL.
+ Home Page: http://firehol.sourceforge.net
+@@ -5717,7 +5990,7 @@
+ 	echo "# "
+ 
+ 	${CAT_CMD} <<EOF
+-# $Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $
++# $Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $
+ # (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
+ # FireHOL is distributed under GPL.
+ # Home Page: http://firehol.sourceforge.net
+@@ -6354,11 +6627,11 @@
+ # Remove the saved firewall, so that the trap will not restore it.
+ ${RM_CMD} -f "${FIREHOL_SAVED}"
+ 
+-# RedHat startup service locking.
+-if [ -d /var/lock/subsys ]
++# Startup service locking.
++if [ -d "${FIREHOL_LOCK_DIR}" ]
+ then
+-	${TOUCH_CMD} /var/lock/subsys/iptables
+-	${TOUCH_CMD} /var/lock/subsys/firehol
++	${TOUCH_CMD} "${FIREHOL_LOCK_DIR}/iptables"
++	${TOUCH_CMD} "${FIREHOL_LOCK_DIR}/firehol"
+ fi
+ 
+ 
diff --git a/net-firewall/firehol/files/firehol-1.250-printf.patch b/net-firewall/firehol/files/firehol-1.250-printf.patch
new file mode 100644
index 000000000000..1222e15de65d
--- /dev/null
+++ b/net-firewall/firehol/files/firehol-1.250-printf.patch
@@ -0,0 +1,47 @@
+--- firehol.sh	2006-12-27 14:34:58.000000000 +0100
++++ firehol.new	2006-12-27 14:53:16.000000000 +0100
+@@ -2412,7 +2412,7 @@
+ 		printf "runcmd '${check}' '${FIREHOL_LINEID}' " >>${FIREHOL_OUTPUT}
+ 	fi
+ 	
+-	printf "%q " "$@" >>${FIREHOL_OUTPUT}
++	printf "%b " "$@" >>${FIREHOL_OUTPUT}
+ 	printf "\n" >>${FIREHOL_OUTPUT}
+ 	
+ 	if [ ${FIREHOL_EXPLAIN} -eq 1 ]
+@@ -4885,7 +4885,7 @@
+ 	echo >&2 "WARNING"
+ 	echo >&2 "WHAT   : ${work_function}"
+ 	echo >&2 "WHY    :" "$@"
+-	printf >&2 "COMMAND: "; printf >&2 "%q " "${work_realcmd[@]}"; echo >&2
++	printf >&2 "COMMAND: "; printf >&2 "%b " "${work_realcmd[@]}"; echo >&2
+ 	echo >&2 "SOURCE : line ${FIREHOL_LINEID} of ${FIREHOL_CONFIG}"
+ 	echo >&2
+ 	
+@@ -4906,7 +4906,7 @@
+ 	echo >&2 "ERROR #: ${work_error}"
+ 	echo >&2 "WHAT   : ${work_function}"
+ 	echo >&2 "WHY    :" "$@"
+-	printf >&2 "COMMAND: "; printf >&2 "%q " "${work_realcmd[@]}"; echo >&2
++	printf >&2 "COMMAND: "; printf >&2 "%b " "${work_realcmd[@]}"; echo >&2
+ 	echo >&2 "SOURCE : line ${FIREHOL_LINEID} of ${FIREHOL_CONFIG}"
+ 	echo >&2
+ 	
+@@ -4960,7 +4960,7 @@
+ 	echo >&2 "WHAT    : A runtime command failed to execute (returned error ${ret})."
+ 	echo >&2 "SOURCE  : line ${line} of ${FIREHOL_CONFIG}"
+ 	printf >&2 "COMMAND : "
+-	printf >&2 "%q " "$@"
++	printf >&2 "%b " "$@"
+ 	printf >&2 "\n"
+ 	echo >&2 "OUTPUT  : "
+ 	echo >&2
+@@ -5157,7 +5157,7 @@
+ 			*)	;;
+ 		esac
+ 		
+-		printf "%q " "${work_realcmd[@]}"
++		printf "%b " "${work_realcmd[@]}"
+ 		printf "\n\n"
+ 	) >>${FIREHOL_OUTPUT}
+ }
diff --git a/net-firewall/firehol/firehol-1.250.ebuild b/net-firewall/firehol/firehol-1.250.ebuild
new file mode 100644
index 000000000000..40a31bb072b9
--- /dev/null
+++ b/net-firewall/firehol/firehol-1.250.ebuild
@@ -0,0 +1,81 @@
+# Copyright 1999-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/firehol/firehol-1.250.ebuild,v 1.1 2006/12/28 20:59:13 centic Exp $
+
+inherit eutils
+
+DESCRIPTION="iptables firewall generator"
+HOMEPAGE="http://firehol.sourceforge.net/"
+SRC_URI="mirror://sourceforge/${PN}/${PN}-1.226.tar.bz2"
+
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE=""
+KEYWORDS="~amd64 ~ppc ~sparc ~x86"
+
+DEPEND="sys-apps/iproute2"
+RDEPEND="net-firewall/iptables
+	sys-apps/iproute2
+	virtual/modutils
+	|| (
+		net-misc/wget
+		net-misc/curl
+	)"
+
+S="${WORKDIR}/${PN}-1.226"
+
+pkg_setup() {
+	# Bug 81600 fail if iproute2 is built with minimal
+	if built_with_use sys-apps/iproute2 minimal; then
+		eerror "Firehol requires iproute2 to be emerged without"
+		eerror "the USE-Flag \"minimal\"."
+		eerror "Re-emerge iproute2 with"
+		eerror "USE=\"-minimal\" emerge sys-apps/iproute2"
+		die "sys-apps/iproute2 without USE=\"minimal\" needed"
+	fi
+}
+
+# patch for embedded Gentoo - GNAP
+# backport from firehol-CVS.
+src_unpack() {
+	unpack ${A}
+	cd ${S} || die
+	epatch ${FILESDIR}/firehol-1.226-to-228.patch || die
+	epatch ${FILESDIR}/firehol-1.226-to-250.patch || die
+	epatch ${FILESDIR}/${P}-printf.patch || die
+}
+
+src_install() {
+	newsbin firehol.sh firehol
+
+	dodir /etc/firehol /etc/firehol/examples /etc/firehol/services
+	insinto /etc/firehol/examples
+	doins examples/* || die
+
+	insinto /etc/conf.d
+	newins ${FILESDIR}/firehol.conf.d firehol || die
+
+	dodoc ChangeLog README TODO WhatIsNew || die
+	dohtml doc/*.html doc/*.css  || die
+
+	docinto scripts
+	dodoc get-iana.sh adblock.sh || die
+
+	doman man/*.1 man/*.5 || die
+
+	exeinto /etc/init.d
+	newexe ${FILESDIR}/firehol.initrd firehol || die
+}
+
+pkg_postinst() {
+	einfo "The default path to firehol's configuration file is /etc/firehol/firehol.conf"
+	einfo "See /etc/firehol/examples for configuration examples."
+	#
+	# Install a default configuration if none is available yet
+	if [[ ! -e "${ROOT}/etc/firehol/firehol.conf" ]]; then
+		einfo "Installing a sample configuration as ${ROOT}/etc/firehol/firehol.conf"
+		cp "${ROOT}/etc/firehol/examples/client-all.conf" "${ROOT}/etc/firehol/firehol.conf"
+	fi
+}
+
author	Dominik Stadler <centic@gentoo.org>	2006-12-28 20:59:13 +0000
committer	Dominik Stadler <centic@gentoo.org>	2006-12-28 20:59:13 +0000
commit	e5a9cc138abf22cf9bf75921ca67bb2ac91dc60d (patch)
tree	87f774f8d3cbec8408426ee8bc5061d946dc1a81 /net-firewall/firehol
parent	Add a live SVN version of Amarok. Although not supported and a bad idea in ge... (diff)
download	gentoo-2-e5a9cc138abf22cf9bf75921ca67bb2ac91dc60d.tar.gz gentoo-2-e5a9cc138abf22cf9bf75921ca67bb2ac91dc60d.tar.bz2 gentoo-2-e5a9cc138abf22cf9bf75921ca67bb2ac91dc60d.zip