Recent changes to patches

Use https://github.com/ktsaou/firehol/issues

2015-03-02T07:46:48.662000Z

Use https://github.com/ktsaou/firehol/issues to submit patches

PATCH: CVS 2013-04-20 get-iana.sh POSIX

2013-04-20T09:30:33Z

This patch is against CVS 2013-04-20 get-iana.sh

- Use /bin/sh. The file is POSIX compliant now.
- Remove EOL (end of line) whitespaces.
- Send errors to STDERR, normal messages to STDOUT.
- Remove continuation backslashes "\" when shell syntax already
knowns the line will continue e.g. after pipe "|" character.
- Fit text in column 80 (comment at the beginning).
- Instead of ${var}, simplify variables to $var.
- Prefer POSIX $((i + 1)) instead of bashism $[i + 1]
- Prefer POSIX $() to archaic backquotes `` [1]
- Use standard built-in echo(1) instead of external printf(1).

[1]
POSIX standard provides the $(...) command substitution syntax, which
improves legibility and allows nested structures.
http://www.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html#tag_02_06_03
Also a good read: http://mywiki.wooledge.org/BashFAQ/082

PATCH: CVS 2013-04-20 check-iana.sh POSIX

2013-04-20T09:21:44Z

This patch is against CVS 2013-04-20 check-iana.sh

PATCH: CVS 2013-04-20 buildrpm.sh POSIX

2013-04-20T09:16:33Z

This patch is against CVS 2013-04-20 buildrpm.sh

- Use /bin/sh. The file is POSIX compliant now.
- Instead of ${var}, simplify variabled to $var.
- Send errors to STDERR, normal messages to STDOUT.
- Prefer POSIX $() to archaic backquotes `` [1]
- Prefer simple [ "$var" ] and [ ! "$var" ] test. The -n and -z
tests are not needed.
- Use standard built-in echo(1) instead of external printf(1).
- Prefer built-in "[]" instead of possibly external call test(1).
- Prefer "[ test ] COND [ test ]" instead of "[ test COND test ]"
which does not short circuit and may be portability problem [2]

[2] http://mywiki.wooledge.org/BashPitfalls#A.5B_.22.24foo.22_.3D_bar_.26.26_.22.24bar.22_.3D_foo_.5D

PATCH: cvs 2013-04-20 prettyconf.sh POSIX

2013-04-20T08:48:01Z

This patch is against CVS 2013-04-20, prettyconf.sh

- Use /bin/sh. The file is POSIX compliant now.
- Instead of ${var}, simplify variabled to $var.
- Send errors to STDERR, normal messages to STDOUT. (E.g. missing arg $1)

Use DENY, not TARPIT on OUTPUT chain

2012-03-17T16:17:45Z

Seems that TARPIT is only usable on INPUT and FORWARD chains.

Note, I have not verified this patch beyond checking that it solves the immediate error and there may be a better way to implement it.

Patch is against 1.273, per the forum report, not latest.

Parse kernel 3.x correctly

2011-10-14T19:57:54Z

Was unable to apply patch created by SanskritFritz

Here is my take on the solution; make the minor number parse correctly for new x.y-extra format as well as old x.y.z-extra.

Use iptables-restore for faster startup

2010-09-27T20:06:21Z

This patches FireHOL to a version we're testing internally on embedded platforms. On a complex firewall, every call to iptables takes a non-trivial amount of time - on a Soekris board, loading the firewall can be in the range of 30-60s.

Instead of calling iptables for every rule, instead populate a list of chains, and use iptables-restore to load them all at once. Every rule is still documented and traceable for debug mode. Calls to 'touch' have also been replaced with '>', the builtin concat operation which also speeds up processing.

As well, add ability to match packets based on whether it is marked AND whether it is incoming or outgoing from an interface, via 'inmark' and 'outmark'.

Experimental IPv6 support

2010-05-28T19:23:57Z

Move some direct command calls to functions, in preparation for adding ipv4/ipv6 logic

Add further command alternatives for other systems

2010-05-23T17:26:31Z

Please consider for inclusion:

With the following additional choices, firehol can be made to run on an openwrt system:
awk if gawk is not available
insmod if modprobe is not available
nothing if renice is not available