authorTony Vroon <chainsaw@gentoo.org>2010-04-13 13:33:32 +0000
committerTony Vroon <chainsaw@gentoo.org>2010-04-13 13:33:32 +0000
commit68f3d1c0e9e58f2bd70098254f84f43874550e95 (patch)
treed60e4ce82f6ef68fc4de573ab56792e7621370c5 /net-firewall
parentUpdated init script with simplified dependencies addresses security bug #2889... (diff)
Updated init script with simplified dependencies; addresses security bug #288992 by Hugo Mildenberger.
(Portage version: 2.1.8.3/cvs/Linux x86_64)
Diffstat (limited to 'net-firewall')
-rw-r--r--net-firewall/shorewall-common/ChangeLog9
-rw-r--r--net-firewall/shorewall-common/files/shorewall.initd279
-rw-r--r--net-firewall/shorewall-common/shorewall-common-4.2.11-r1.ebuild99
3 files changed, 186 insertions, 1 deletions
diff --git a/net-firewall/shorewall-common/ChangeLog b/net-firewall/shorewall-common/ChangeLog
index 3101e21e46eb..f5a76d2981e0 100644
--- a/net-firewall/shorewall-common/ChangeLog
+++ b/net-firewall/shorewall-common/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for net-firewall/shorewall-common
# Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-firewall/shorewall-common/ChangeLog,v 1.33 2010/03/16 14:23:02 chainsaw Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/shorewall-common/ChangeLog,v 1.34 2010/04/13 13:33:31 chainsaw Exp $
+
+*shorewall-common-4.2.11-r1 (13 Apr 2010)
+
+ 13 Apr 2010; <chainsaw@gentoo.org> +shorewall-common-4.2.11-r1.ebuild,
+ +files/shorewall.initd2:
+ Updated init script with simplified dependencies addresses security bug
+ #288992 by Hugo Mildenberger.
16 Mar 2010; <chainsaw@gentoo.org> metadata.xml:
Taking over maintainership from Vieri who is stepping down due to time
diff --git a/net-firewall/shorewall-common/files/shorewall.initd2 b/net-firewall/shorewall-common/files/shorewall.initd2
new file mode 100644
index 000000000000..249bc48e02e5
--- /dev/null
+++ b/net-firewall/shorewall-common/files/shorewall.initd2
@@ -0,0 +1,79 @@
+#!/sbin/runscript
+# Copyright 1999-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/shorewall-common/files/shorewall.initd2,v 1.1 2010/04/13 13:33:32 chainsaw Exp $
+
+opts="start stop restart clear reset refresh check"
+
+depend() {
+ before net
+ provide firewall
+}
+
+start() {
+ ebegin "Starting firewall"
+ /sbin/shorewall -f start 1>/dev/null
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ /sbin/shorewall stop 1>/dev/null
+ eend $?
+}
+
+restart() {
+ # shorewall comes with its own control script that includes a
+ # restart function, so refrain from calling svc_stop/svc_start
+ # here. Note that this comment is required to fix bug 55576;
+ # runscript.sh greps this script... (09 Jul 2004 agriffis)
+ ebegin "Restarting firewall"
+ /sbin/shorewall status >/dev/null
+ if [ $? != 0 ] ; then
+ svc_start
+ else
+ if [ -f /var/lib/shorewall/restore ] ; then
+ /sbin/shorewall restore
+ else
+ /sbin/shorewall restart 1>/dev/null
+ fi
+ fi
+ eend $?
+}
+
+clear() {
+ # clear will remove all the rules and bring the system to an unfirewalled
+ # state. (21 Nov 2004 eldad)
+
+ ebegin "Clearing all firewall rules and setting policy to ACCEPT"
+ /sbin/shorewall clear
+ eend $?
+}
+
+reset() {
+ # reset the packet and byte counters in the firewall
+
+ ebegin "Resetting the packet and byte counters in the firewall"
+ /sbin/shorewall reset
+ eend $?
+}
+
+refresh() {
+ # refresh the rules involving the broadcast addresses of firewall
+ # interfaces, the black list, traffic control rules and
+ # ECN control rules
+
+ ebegin "Refreshing firewall rules"
+ /sbin/shorewall refresh
+ eend $?
+}
+
+check() {
+ # perform cursory validation of the zones, interfaces, hosts, rules
+ # and policy files. CAUTION: does not parse and validate the generated
+ # iptables commands.
+
+ ebegin "Checking configuration files"
+ /sbin/shorewall check
+ eend $?
+}
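Review bot: start() at the `/sbin/shorewall -f start` line and restart() at the `/var/lib/shorewall/restore` branch both prefer a saved ruleset over the live /etc/shorewall configuration, so, if I read shorewall's -f (fast start) correctly, the firewall that comes up at boot after an edit is whatever was last written by `shorewall save`, not the edited rules; this is worth a comment because the ebuild's pkg_postinst tells users to edit /etc/shorewall first. Suggest `# -f: fast start from /var/lib/shorewall/restore when present; run 'shorewall save' after editing /etc/shorewall` above the start line, or drop -f so boot always compiles the current configuration. Separately, the `if [ $? != 0 ] ; then` test in restart() reads more clearly as `if ! /sbin/shorewall status >/dev/null ; then`, which also avoids the intermediate `$?`.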
diff --git a/net-firewall/shorewall-common/shorewall-common-4.2.11-r1.ebuild b/net-firewall/shorewall-common/shorewall-common-4.2.11-r1.ebuild
new file mode 100644
index 000000000000..a37b82c1f547
--- /dev/null
+++ b/net-firewall/shorewall-common/shorewall-common-4.2.11-r1.ebuild
@@ -0,0 +1,99 @@
+# Copyright 1999-2010 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/shorewall-common/shorewall-common-4.2.11-r1.ebuild,v 1.1 2010/04/13 13:33:31 chainsaw Exp $
+
+EAPI="2"
+
+inherit eutils versionator
+
+# Select version (stable, RC, Beta):
+MY_PV_TREE=$(get_version_component_range 1-2) # for devel versions use "development/$(get_version_component_range 1-2)"
+MY_P_BETA="" # stable or experimental (eg. "-RC1" or "-Beta4")
+MY_PV_BASE=$(get_version_component_range 1-3)
+
+MY_PN="${PN/-common/}"
+MY_P="${MY_PN}-${MY_PV_BASE}${MY_P_BETA}"
+MY_P_DOCS="${MY_P/${MY_PN}/${MY_PN}-docs-html}"
+
+DESCRIPTION="Shoreline Firewall is an iptables-based firewall for Linux."
+HOMEPAGE="http://www.shorewall.net/"
+SRC_URI="http://www1.shorewall.net/pub/${MY_PN}/${MY_PV_TREE}/${MY_P}/${P}${MY_P_BETA}.tar.bz2
+ doc? ( http://www1.shorewall.net/pub/${MY_PN}/${MY_PV_TREE}/${MY_P}/${MY_P_DOCS}.tar.bz2 )"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~hppa ~ppc ~ppc64 ~sparc ~x86"
+IUSE="doc"
+
+DEPEND=">=net-firewall/iptables-1.2.4
+ sys-apps/iproute2[-minimal]
+ !<net-firewall/shorewall-4.0
+ !>=net-firewall/shorewall-4.4.0"
+RDEPEND="${DEPEND}"
+
+src_compile() {
+ einfo "Nothing to compile."
+}
+
+src_install() {
+ keepdir /var/lib/shorewall
+
+ cd "${WORKDIR}/${P}${MY_P_BETA}"
+ PREFIX="${D}" ./install.sh || die "install.sh failed"
+ newinitd "${FILESDIR}"/shorewall.initd2 shorewall || die "doinitd failed"
+
+ dodoc changelog.txt releasenotes.txt || die
+
+ if use doc; then
+ cd "${WORKDIR}/${MY_P_DOCS}"
+ # install documentation
+ dohtml -r *
+ ## dosym Documentation_Index.html "/usr/share/doc/${PF}/html/index.htm"
+ # install samples
+ cp -pR "${S}${MY_P_BETA}/Samples" "${D}/usr/share/doc/${PF}"
+ fi
+}
+
+pkg_postinst() {
+ elog
+ if use doc ; then
+ elog "Documentation is available at /usr/share/doc/${PF}/html."
+ elog "Please read the Release Notes in /usr/share/doc/${PF}."
+ elog "Samples are available at /usr/share/doc/${PF}/Samples."
+ else
+ elog "Documentation is available at http://www.shorewall.net"
+ fi
+ elog "There are man pages for shorewall(8) and for each configuration file."
+ elog
+ elog "Bridging configuration has changed with kernel 2.6.20+."
+ elog "Check the documentation."
+ elog
+ elog "Do not blindly start shorewall, edit the files in /etc/shorewall first"
+ elog "At the very least, you must change 'STARTUP_ENABLED' in shorewall.conf"
+ elog
+ elog "Be aware that version ${MY_PV_TREE} differs substantially from previous releases."
+ elog "Information on upgrading is available at:"
+ elog "http://www.shorewall.net/upgrade_issues.htm"
+ elog
+ elog "There is a 'shorewall compile' command to generate scripts to run"
+ elog "on systems with Shorewall Lite installed."
+ elog "Please refer to http://www.shorewall.net/CompiledPrograms.html"
+ elog "It is advised to copy the /usr/share/shorewall/configfiles dir to your"
+ elog "own 'export directories'. However, whenever you upgrade Shorewall you"
+ elog "should check for changes in configfiles and manually update your exports."
+ elog "Alternatively, if you only have one Shorewall-Lite system in your network"
+ elog "then you can use the configfiles dir but set CONFIG_PROTECT appropriately"
+ elog "in /etc/make.conf (man make.conf)."
+ elog
+ elog "Known problems:"
+ elog "http://shorewall.net/pub/${MY_PN}/${MY_PV_TREE}/${MY_P}/known_problems.txt"
+ elog
+ elog "Whether upgrading or installing you should run shorewall check,"
+ elog "correct any errors found and run shorewall restart|start."
+ elog
+ elog "${PN} requires a compiler."
+ elog "You can choose to emerge shorewall-shell and/or shorewall-perl."
+ elog
+ elog "${PN} will be removed in the future."
+ elog "Please consider emerging the latest version of ${MY_PN}."
+}
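Review bot: The two `cd` calls in src_install (`cd "${WORKDIR}/${P}${MY_P_BETA}"` and `cd "${WORKDIR}/${MY_P_DOCS}"`) are unchecked; if the docs tarball unpacks under a different directory name, `dohtml -r *` runs from the previous working directory and installs the wrong tree instead of failing the build. Append `|| die` to both, e.g. `cd "${WORKDIR}/${MY_P_DOCS}" || die "cd to docs failed"`, and check the `cp -pR "${S}${MY_P_BETA}/Samples" ...` copy the same way, since a missing Samples directory currently passes silently. The die message on the `newinitd` line says `doinitd failed` although the call is newinitd; `|| die "newinitd failed"` keeps the build log accurate.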