Recent changes to patches

Use https://github.com/ktsaou/firehol/issues

Phil Whineray — Mon, 02 Mar 2015 07:46:48 -0000

Use https://github.com/ktsaou/firehol/issues to submit patches

PATCH: CVS 2013-04-20 get-iana.sh POSIX

Jari Aalto — Sat, 20 Apr 2013 09:30:33 -0000

This patch is against CVS 2013-04-20 get-iana.sh

- Use /bin/sh. The file is POSIX compliant now.
- Remove EOL (end of line) whitespaces.
- Send errors to STDERR, normal messages to STDOUT.
- Remove continuation backslashes "\" when shell syntax already
knowns the line will continue e.g. after pipe "|" character.
- Fit text in column 80 (comment at the beginning).
- Instead of ${var}, simplify variables to $var.
- Prefer POSIX $((i + 1)) instead of bashism $[i + 1]
- Prefer POSIX $() to archaic backquotes `` [1]
- Use standard built-in echo(1) instead of external printf(1).

[1]
POSIX standard provides the $(...) command substitution syntax, which
improves legibility and allows nested structures.
http://www.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html#tag_02_06_03
Also a good read: http://mywiki.wooledge.org/BashFAQ/082

PATCH: CVS 2013-04-20 check-iana.sh POSIX

Jari Aalto — Sat, 20 Apr 2013 09:21:44 -0000

This patch is against CVS 2013-04-20 check-iana.sh

PATCH: CVS 2013-04-20 buildrpm.sh POSIX

Jari Aalto — Sat, 20 Apr 2013 09:16:33 -0000

This patch is against CVS 2013-04-20 buildrpm.sh

- Use /bin/sh. The file is POSIX compliant now.
- Instead of ${var}, simplify variabled to $var.
- Send errors to STDERR, normal messages to STDOUT.
- Prefer POSIX $() to archaic backquotes `` [1]
- Prefer simple [ "$var" ] and [ ! "$var" ] test. The -n and -z
tests are not needed.
- Use standard built-in echo(1) instead of external printf(1).
- Prefer built-in "[]" instead of possibly external call test(1).
- Prefer "[ test ] COND [ test ]" instead of "[ test COND test ]"
which does not short circuit and may be portability problem [2]

[2] http://mywiki.wooledge.org/BashPitfalls#A.5B_.22.24foo.22_.3D_bar_.26.26_.22.24bar.22_.3D_foo_.5D

PATCH: cvs 2013-04-20 prettyconf.sh POSIX

Jari Aalto — Sat, 20 Apr 2013 08:48:01 -0000

This patch is against CVS 2013-04-20, prettyconf.sh

- Use /bin/sh. The file is POSIX compliant now.
- Instead of ${var}, simplify variabled to $var.
- Send errors to STDERR, normal messages to STDOUT. (E.g. missing arg $1)

Use DENY, not TARPIT on OUTPUT chain

Phil Whineray — Sat, 17 Mar 2012 16:17:45 -0000

Seems that TARPIT is only usable on INPUT and FORWARD chains.

Note, I have not verified this patch beyond checking that it solves the immediate error and there may be a better way to implement it.

Patch is against 1.273, per the forum report, not latest.

Parse kernel 3.x correctly

Phil Whineray — Fri, 14 Oct 2011 19:57:54 -0000

Was unable to apply patch created by SanskritFritz

Here is my take on the solution; make the minor number parse correctly for new x.y-extra format as well as old x.y.z-extra.

Use iptables-restore for faster startup

Josh Mahonin — Mon, 27 Sep 2010 20:06:21 -0000

This patches FireHOL to a version we're testing internally on embedded platforms. On a complex firewall, every call to iptables takes a non-trivial amount of time - on a Soekris board, loading the firewall can be in the range of 30-60s.

Instead of calling iptables for every rule, instead populate a list of chains, and use iptables-restore to load them all at once. Every rule is still documented and traceable for debug mode. Calls to 'touch' have also been replaced with '>', the builtin concat operation which also speeds up processing.

As well, add ability to match packets based on whether it is marked AND whether it is incoming or outgoing from an interface, via 'inmark' and 'outmark'.

Experimental IPv6 support

Phil Whineray — Fri, 28 May 2010 19:23:57 -0000

Move some direct command calls to functions, in preparation for adding ipv4/ipv6 logic

Add further command alternatives for other systems

Phil Whineray — Sun, 23 May 2010 17:26:31 -0000

Please consider for inclusion:

With the following additional choices, firehol can be made to run on an openwrt system:
awk if gawk is not available
insmod if modprobe is not available
nothing if renice is not available