Hello community,
here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2015-05-10 10:46:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shorewall (Old)
and /work/SRC/openSUSE:Factory/.shorewall.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall"
Changes:
--------
--- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2015-04-15 16:24:55.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes 2015-05-10 10:46:55.000000000 +0200
@@ -1,0 +2,25 @@
+Thu May 7 16:39:16 UTC 2015 - toganm@opensuse.org
+
+- Update to version 4.6.9 For more details see changelog.txt and
+ releasenotes.txt
+
+ * This release contains defect repair from Shorewall 4.6.8.1 and
+ earlier releases.
+
+ * The means for preventing loading of helper modules has been
+ clarified in the documentation.
+
+ * The SetEvent and ResetEvent actions previously set/reset the
+ event even if the packet did not match the other specified
+ columns. This has been corrected.
+
+ * Previously, the 'show capabilities' command was ignoring the
+ HELPERS setting. This resulted in unwanted modules being
+ autoloaded and, when the -f option was given, an incorrect
+ capabilities file was generated.
+
+ * Previously, when 'wait' was specified for an interface, the
+ generated script erroneously checked for required interfaces on
+ all commands rather than just start, restart and restore.
+
+-------------------------------------------------------------------
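Review bot: the .changes entry lists only the defect repairs, but changelog.txt in this same submission also records user-visible additions and a deprecation (the 'reenable' command, the TCPMSS_TARGET capability, the QUIC macro, and the deprecation of the JabberSecure macro); add a line for each so administrators reading the package changelog learn about them without unpacking the tarball. Minor: `Update to version 4.6.9 For more details see changelog.txt and` is missing the period after the version number.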
Old:
----
shorewall-4.6.8.1.tar.bz2
shorewall-core-4.6.8.1.tar.bz2
shorewall-docs-html-4.6.8.1.tar.bz2
shorewall-init-4.6.8.1.tar.bz2
shorewall-lite-4.6.8.1.tar.bz2
shorewall6-4.6.8.1.tar.bz2
shorewall6-lite-4.6.8.1.tar.bz2
New:
----
shorewall-4.6.9.tar.bz2
shorewall-core-4.6.9.tar.bz2
shorewall-docs-html-4.6.9.tar.bz2
shorewall-init-4.6.9.tar.bz2
shorewall-lite-4.6.9.tar.bz2
shorewall6-4.6.9.tar.bz2
shorewall6-lite-4.6.9.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ shorewall.spec ++++++
--- /var/tmp/diff_new_pack.chsjFV/_old 2015-05-10 10:46:56.000000000 +0200
+++ /var/tmp/diff_new_pack.chsjFV/_new 2015-05-10 10:46:56.000000000 +0200
@@ -20,19 +20,19 @@
%define have_systemd 1
Name: shorewall
-Version: 4.6.8.1
+Version: 4.6.9
Release: 0
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems
License: GPL-2.0
Group: Productivity/Networking/Security
Url: http://www.shorewall.net/
-Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/%{name}-%version.tar.bz2
-Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/%{name}-core-%version.tar.bz2
-Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/%{name}-lite-%version.tar.bz2
-Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/%{name}-init-%version.tar.bz2
-Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/%{name}6-lite-%version.tar.bz2
-Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/%{name}6-%version.tar.bz2
-Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/%{name}-docs-html-%version.tar.bz2
+Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}-%version.tar.bz2
+Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}-core-%version.tar.bz2
+Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}-lite-%version.tar.bz2
+Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}-init-%version.tar.bz2
+Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}6-lite-%version.tar.bz2
+Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}6-%version.tar.bz2
+Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}-docs-html-%version.tar.bz2
Source7: %{name}-4.4.22.rpmlintrc
Source8: README.openSUSE
# PATCH-FIX-UPSTREAM toganm@opensuse.org Shorewall-lite init.suse.sh Required Stop
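Review bot: seven Source URLs are hand-edited on every update and the upstream directory component (shorewall-4.6.9) does not follow %version, as the removed lines show (a shorewall-4.6.8 directory serving 4.6.8.1 tarballs); define the upstream directory once in a macro and reference it in all seven lines so a single edit cannot leave one URL pointing at the wrong release. Separately, all seven tarballs are fetched over plain http and no detached signature or keyring appears among the Sources, so nothing in the build checks their integrity; if upstream publishes .asc files for these tarballs, add them and a keyring as Sources so the build service signature check can run.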
++++++ shorewall-4.6.8.1.tar.bz2 -> shorewall-4.6.9.tar.bz2 ++++++
++++ 2622 lines of diff (skipped)
++++++ shorewall-core-4.6.8.1.tar.bz2 -> shorewall-core-4.6.9.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.8.1/changelog.txt new/shorewall-core-4.6.9/changelog.txt
--- old/shorewall-core-4.6.8.1/changelog.txt 2015-04-11 16:50:07.000000000 +0200
+++ new/shorewall-core-4.6.9/changelog.txt 2015-05-06 18:14:15.000000000 +0200
@@ -1,9 +1,55 @@
-Changes in 4.6.8.1
+Changes in 4.6.9 Final
1) Update release documents.
-2) Add 'wants=network-online.target' to service files so that the
- firewall will start when there are required interfaces.
+Changes in 4.6.9 RC 2
+
+1) Update release documents.
+
+2) Fix generated code.
+
+ - Eliminate syntax error
+ - Correct handling of required interfaces when 'wait' is specified.
+
+Changes in 4.6.9 RC 1
+
+1) Update release documents.
+
+2) More detect_configuration() optimization.
+
+3) Add 'reenable' command.
+
+4) Fix helper capabilities detection.
+
+Changes in 4.6.9 Beta 3
+
+1) Update release documents.
+
+2) Clarify how to avoid loading helper modules.
+
+3) Merge Tuomo Soini's QUIC macro.
+
+4) Merge Tuomo Soini's deprecation of the JabberSecure macro.
+
+5) Correct rule generated by SetEvent and ResetEvent.
+
+6) Optimize detect_configuration() for enable/disable.
+
+Changes in 4.6.9 Beta 2
+
+1) Update release documents.
+
+2) Add brief mention of 'list' and 'ls' to the CLI manpages.
+
+3) Add complete syntax in the CLI manpages.
+
+4) Add Tuomo Soini's fixes for .service files.
+
+Changes in 4.6.9 Beta 1
+
+1) Update release documents.
+
+2) Implement TCPMSS_TARGET capability.
Changes in 4.6.8 Final
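Review bot: the 'Changes in 4.6.8.1' section and its entry about adding wants=network-online.target to the service files are removed rather than kept below the 4.6.9 entries, so the file no longer records that 4.6.8.1 existed between 4.6.8 Final and 4.6.9; retain it unless Beta 2 item 4 (`Add Tuomo Soini's fixes for .service files`) is meant to supersede it, in which case say so there. RC 2 item 2, `- Eliminate syntax error`, should name the file or construct that was wrong so a reader can tell whether an earlier RC affected them.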
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.8.1/configure new/shorewall-core-4.6.9/configure
--- old/shorewall-core-4.6.8.1/configure 2015-04-11 16:50:07.000000000 +0200
+++ new/shorewall-core-4.6.9/configure 2015-05-06 18:14:15.000000000 +0200
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=4.6.8.1
+VERSION=4.6.9
case "$BASH_VERSION" in
[4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.8.1/configure.pl new/shorewall-core-4.6.9/configure.pl
--- old/shorewall-core-4.6.8.1/configure.pl 2015-04-11 16:50:07.000000000 +0200
+++ new/shorewall-core-4.6.9/configure.pl 2015-05-06 18:14:15.000000000 +0200
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '4.6.8.1'
+ VERSION => '4.6.9'
};
my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.8.1/install.sh new/shorewall-core-4.6.9/install.sh
--- old/shorewall-core-4.6.8.1/install.sh 2015-04-11 16:50:07.000000000 +0200
+++ new/shorewall-core-4.6.9/install.sh 2015-05-06 18:14:15.000000000 +0200
@@ -22,7 +22,7 @@
# along with this program; if not, see http://www.gnu.org/licenses/.
#
-VERSION=4.6.8.1
+VERSION=4.6.9
usage() # $1 = exit status
{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.8.1/known_problems.txt new/shorewall-core-4.6.9/known_problems.txt
--- old/shorewall-core-4.6.8.1/known_problems.txt 2015-04-11 16:50:07.000000000 +0200
+++ new/shorewall-core-4.6.9/known_problems.txt 2015-05-06 18:14:15.000000000 +0200
@@ -1,7 +1,11 @@
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
-2) When servicd is installed and there were one or more required
- interfaces, the firewall may fail to start at boot.
+2) The SetEvent and ResetEvent actions currently set/reset the named
+ event even if the packet does not match the other specified
+ columns.
- Corrected in Shorewall 4.6.8.1.
+3) The 'show capabilities' command ignores the HELPERS setting. This
+ results in unwanted modules being autoloaded and, when the -f
+ option is given, an incorrect capabilities file is generated.
+
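Review bot: replacement items 2 and 3 describe as current ("currently set/reset", "ignores the HELPERS setting") the same two defects that releasenotes.txt in this tarball lists as corrected in 4.6.9 (its items 3 and 4), and the only 'Corrected in' annotation in the file is removed; either mark both items as corrected in 4.6.9 or drop them, so that known_problems.txt and releasenotes.txt do not contradict each other. The removed item about servicd and required interfaces (corrected in 4.6.8.1) disappears without a trace; if the file is meant to be a running history, keep it with its correction note.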
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.8.1/lib.cli new/shorewall-core-4.6.9/lib.cli
--- old/shorewall-core-4.6.8.1/lib.cli 2015-04-11 16:49:05.000000000 +0200
+++ new/shorewall-core-4.6.9/lib.cli 2015-05-05 20:28:13.000000000 +0200
@@ -2475,6 +2475,7 @@
local chain
local chain1
local arptables
+ local helper
if [ -z "$g_tool" ]; then
[ $g_family -eq 4 ] && tool=iptables || tool=ip6tables
@@ -2776,21 +2777,44 @@
if qt $g_tool -t raw -A $chain -j CT --notrack; then
CT_TARGET=Yes;
- qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda && AMANDA_HELPER=Yes
- qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp && FTP_HELPER=Yes
- qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp-0 && FTP0_HELPER=Yes
- qt $g_tool -t raw -A $chain -p udp --dport 1719 -j CT --helper RAS && H323_HELPER=Yes
- qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc && IRC_HELPER=Yes
- qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc-0 && IRC0_HELPER=Yes
- qt $g_tool -t raw -A $chain -p udp --dport 137 -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
- qt $g_tool -t raw -A $chain -p tcp --dport 1729 -j CT --helper pptp && PPTP_HELPER=Yes
- qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane && SANE_HELPER=Yes
- qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane-0 && SANE0_HELPER=Yes
- qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip && SIP_HELPER=Yes
- qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip-0 && SIP0_HELPER=Yes
- qt $g_tool -t raw -A $chain -p udp --dport 161 -j CT --helper snmp && SNMP_HELPER=Yes
- qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp && TFTP_HELPER=Yes
- qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp-0 && TFTP0_HELPER=Yes
+ for helper in amanda ftp ftp0 h323 irc irc0 netbios_ns pptp sane sane0 sip sip0 snmp tftp tftp0; do
+ eval ${helper}_ENABLED=''
+ done
+
+ if [ -n "$HELPERS" ]; then
+ for helper in $(split_list "$HELPERS"); do
+ case $helper in
+ none)
+ ;;
+ amanda|ftp|ftp0|h323|irc|irc0|netbios_ns|pptp|sane|sane0|sip|sip0|snmp|tftp|tftp0)
+ eval ${helper}_ENABLED=Yes
+ ;;
+ *)
+ error_message "WARNING: Invalid helper ($helper) ignored"
+ ;;
+ esac
+ done
+ else
+ for helper in amanda ftp ftp0 h323 irc irc0 netbios_ns pptp sane sane0 sip sip0 snmp tftp tftp0; do
+ eval ${helper}_ENABLED=Yes
+ done
+ fi
+
+ [ -n "$amanda_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda && AMANDA_HELPER=Yes
+ [ -n "$ftp_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp && FTP_HELPER=Yes
+ [ -n "$ftp0_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp-0 && FTP0_HELPER=Yes
+ [ -n "$h323_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 1719 -j CT --helper RAS && H323_HELPER=Yes
+ [ -n "$irc_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc && IRC_HELPER=Yes
+ [ -n "$irc0_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc-0 && IRC0_HELPER=Yes
+ [ -n "$netbios_ns_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 137 -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
+ [ -n "$pptp_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 1729 -j CT --helper pptp && PPTP_HELPER=Yes
+ [ -n "$sane_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane && SANE_HELPER=Yes
+ [ -n "$sane0_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane-0 && SANE0_HELPER=Yes
+ [ -n "$sip_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip && SIP_HELPER=Yes
+ [ -n "$sip0_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip-0 && SIP0_HELPER=Yes
+ [ -n "$snmp_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 161 -j CT --helper snmp && SNMP_HELPER=Yes
+ [ -n "$tftp_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp && TFTP_HELPER=Yes
+ [ -n "$tftp0_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp-0 && TFTP0_HELPER=Yes
fi
qt $g_tool -t raw -F $chain
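Review bot: the same fifteen helper names are spelled out three times in this hunk (the reset loop, the case pattern, and the all-enabled loop); keep them in one variable and build the case pattern from it, because the case whitelist is the only thing that keeps `eval ${helper}_ENABLED=Yes` from evaluating arbitrary text taken from the HELPERS setting, and a name added to one list but not the others is either silently left disabled or warned about as invalid. The invalid-helper branch warns and continues, which is reasonable for an interactive 'show capabilities', but when -f writes a capabilities file that file will simply lack the misspelled helper with no record of why; consider failing on a malformed HELPERS value, or at least noting the skipped name in the generated file. A short comment that the h323 probe deliberately uses `--helper RAS` (the kernel's name for that helper) would spare the next reader a lookup.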
@@ -3834,6 +3858,7 @@
echo " logwatch [<refresh interval>]"
echo " open <source> <dest> [ <protocol> [ <port> ] ]"
echo " reject <address> ..."
+ echo " reenable <interface>"
echo " reset [ <chain> ... ]"
echo " restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
echo " restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
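Review bot: the new usage line `reenable <interface>` disagrees with the shorewall-lite manpage synopsis later in this diff, which reads reenable { interface | provider }, and the manpage entries for enable and disable in the same file also accept a provider name; show the provider alternative in the usage text as well so the help output and the manpage agree.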
@@ -4102,7 +4127,7 @@
shift
restart_command $@
;;
- disable|enable)
+ disable|enable|reenable)
get_config Yes
if product_is_started; then
run_it ${VARDIR}/firewall $g_debugging $@
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.8.1/lib.common new/shorewall-core-4.6.9/lib.common
--- old/shorewall-core-4.6.8.1/lib.common 2015-04-11 16:49:05.000000000 +0200
+++ new/shorewall-core-4.6.9/lib.common 2015-05-05 20:28:13.000000000 +0200
@@ -212,6 +212,17 @@
}
#
+# Split a comma-separated list into a space-separated list
+#
+split_list() {
+ local ifs
+ ifs=$IFS
+ IFS=,
+ echo $*
+ IFS=$ifs
+}
+
+#
# Search a list looking for a match -- returns zero if a match found
# 1 otherwise
#
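Review bot: split_list saves IFS with `ifs=$IFS` and restores it with `IFS=$ifs`, which turns an IFS that was unset into an IFS that is empty, and an empty IFS disables field splitting for every later unquoted expansion in the calling shell; restore conditionally (restore only if the variable was set, otherwise unset it) or do the split in a subshell so the caller's IFS is never modified. The unquoted `echo $*` is also subject to pathname expansion, so a list element containing * or ? would be replaced by matching file names; a `set -f` around the echo (or the subshell) avoids that. The only caller in this diff invokes it as $(split_list "$HELPERS"), so the IFS leak does not bite today, but the function lives in lib.common for general use.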
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.8.1/releasenotes.txt new/shorewall-core-4.6.9/releasenotes.txt
--- old/shorewall-core-4.6.8.1/releasenotes.txt 2015-04-11 16:50:07.000000000 +0200
+++ new/shorewall-core-4.6.9/releasenotes.txt 2015-05-06 18:14:15.000000000 +0200
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 4 . 6 . 8 . 1
- ------------------------------------
- A p r i l 1 1 , 2 0 1 5
+ S H O R E W A L L 4 . 6 . 9
+ ----------------------------
+ M a y 0 6 , 2 0 1 5
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,36 +14,24 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-4.6.8.1
-
-1) Previously, when servicd was installed and there were one or more
- required interfaces, the firewall would fail to start at boot. This
- has been corrected by Tuomo Soini.
-
-2) Some startup logic in lib.cli has been deleted. A bug prevented the
- code from working as intended, so there is no loss of functionality
- resulting from deletion of the code.
-
-4.6.8
-
-1) This release includes defect repair from Shorewall 4.6.6.2 and
+1) This release contains defect repair from Shorewall 4.6.8.1 and
earlier releases.
-2) Previously, when the -n option was specified and NetworkManager was
- installed on the target system, the Shorewall-init installer would
- still create
- ${DESTDIR}etc/NetworkManager/dispatcher.d/01-shorewall, regardless
- of the setting of $CONFDIR. That has been corrected such that the
- directory
- ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall is
- created instead.
-
-3) Previously, handling of the IPTABLES and IP6TABLES actions in the
- conntrack file was broken. nfw provided a fix on IRC.
+2) The means for preventing loading of helper modules has been
+ clarified in the documentation.
-4) The Shorewall-core and Shorewall6 installers would previously
- report incorrectly that the product release was not installed. Matt
- Darfeuille provided fixes.
+3) The SetEvent and ResetEvent actions previously set/reset the event
+ even if the packet did not match the other specified columns. This
+ has been corrected.
+
+4) Previously, the 'show capabilities' command was ignoring the
+ HELPERS setting. This resulted in unwanted modules being autoloaded
+ and, when the -f option was given, an incorrect capabilities file
+ was generated.
+
+6) Previously, when 'wait' was specified for an interface, the
+ generated script erroneously checked for required interfaces on all
+ commands rather than just start, restart and restore.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
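Review bot: the numbering in section I jumps from 4) to 6); either an item 5 was lost while editing or the last item should be renumbered 5). Item 2 is a documentation clarification listed under problems corrected, which is fine if the previous text was misleading, but it should say what was unclear (how the HELPERS setting prevents helper modules from loading, judging by the lib.cli change in this diff) so readers can find the corrected passage.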
@@ -56,63 +44,36 @@
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) The CLI programs (shorewall, shorewall6, etc) now support 'open'
- and 'close' commands. The 'open' command temporarily opens the
- firewall for a specified type of connection; the syntax is:
-
- open <source> <destination> [ <protocol> [ <port> ] ]
-
- The <source> and <destination> may be any of the following:
-
- - a host IP address
- - a network IP address
- - a valid DNS name (usual warnings apply)
- - the word 'all', indicating that the <source> or <destination> is
- not restricted
-
- The protocol may be specified by number or by a name. Same with
- <port>.
-
- Example: Open SSH connections to 1.2.3.4 in Shorewall:
-
- shorewall open all 1.2.3.4 tcp ssh
-
- The 'close' command reverses the effect of an earlier 'open'
- command and has two forms:
-
- close <open-number>
- close <source> <destination> [ shorewall-docs-html-4.6.9.tar.bz2 ++++++
++++ 7951 lines of diff (skipped)
++++++ shorewall-init-4.6.8.1.tar.bz2 -> shorewall-init-4.6.9.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.8.1/changelog.txt new/shorewall-init-4.6.9/changelog.txt
--- old/shorewall-init-4.6.8.1/changelog.txt 2015-04-11 16:50:08.000000000 +0200
+++ new/shorewall-init-4.6.9/changelog.txt 2015-05-06 18:14:16.000000000 +0200
@@ -1,9 +1,55 @@
-Changes in 4.6.8.1
+Changes in 4.6.9 Final
1) Update release documents.
-2) Add 'wants=network-online.target' to service files so that the
- firewall will start when there are required interfaces.
+Changes in 4.6.9 RC 2
+
+1) Update release documents.
+
+2) Fix generated code.
+
+ - Eliminate syntax error
+ - Correct handling of required interfaces when 'wait' is specified.
+
+Changes in 4.6.9 RC 1
+
+1) Update release documents.
+
+2) More detect_configuration() optimization.
+
+3) Add 'reenable' command.
+
+4) Fix helper capabilities detection.
+
+Changes in 4.6.9 Beta 3
+
+1) Update release documents.
+
+2) Clarify how to avoid loading helper modules.
+
+3) Merge Tuomo Soini's QUIC macro.
+
+4) Merge Tuomo Soini's deprecation of the JabberSecure macro.
+
+5) Correct rule generated by SetEvent and ResetEvent.
+
+6) Optimize detect_configuration() for enable/disable.
+
+Changes in 4.6.9 Beta 2
+
+1) Update release documents.
+
+2) Add brief mention of 'list' and 'ls' to the CLI manpages.
+
+3) Add complete syntax in the CLI manpages.
+
+4) Add Tuomo Soini's fixes for .service files.
+
+Changes in 4.6.9 Beta 1
+
+1) Update release documents.
+
+2) Implement TCPMSS_TARGET capability.
Changes in 4.6.8 Final
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.8.1/configure new/shorewall-init-4.6.9/configure
--- old/shorewall-init-4.6.8.1/configure 2015-04-11 16:50:08.000000000 +0200
+++ new/shorewall-init-4.6.9/configure 2015-05-06 18:14:16.000000000 +0200
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=4.6.8.1
+VERSION=4.6.9
case "$BASH_VERSION" in
[4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.8.1/configure.pl new/shorewall-init-4.6.9/configure.pl
--- old/shorewall-init-4.6.8.1/configure.pl 2015-04-11 16:50:08.000000000 +0200
+++ new/shorewall-init-4.6.9/configure.pl 2015-05-06 18:14:16.000000000 +0200
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '4.6.8.1'
+ VERSION => '4.6.9'
};
my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.8.1/install.sh new/shorewall-init-4.6.9/install.sh
--- old/shorewall-init-4.6.8.1/install.sh 2015-04-11 16:50:08.000000000 +0200
+++ new/shorewall-init-4.6.9/install.sh 2015-05-06 18:14:16.000000000 +0200
@@ -27,7 +27,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
-VERSION=4.6.8.1
+VERSION=4.6.9
usage() # $1 = exit status
{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.8.1/releasenotes.txt new/shorewall-init-4.6.9/releasenotes.txt
--- old/shorewall-init-4.6.8.1/releasenotes.txt 2015-04-11 16:50:08.000000000 +0200
+++ new/shorewall-init-4.6.9/releasenotes.txt 2015-05-06 18:14:16.000000000 +0200
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 4 . 6 . 8 . 1
- ------------------------------------
- A p r i l 1 1 , 2 0 1 5
+ S H O R E W A L L 4 . 6 . 9
+ ----------------------------
+ M a y 0 6 , 2 0 1 5
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,36 +14,24 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-4.6.8.1
-
-1) Previously, when servicd was installed and there were one or more
- required interfaces, the firewall would fail to start at boot. This
- has been corrected by Tuomo Soini.
-
-2) Some startup logic in lib.cli has been deleted. A bug prevented the
- code from working as intended, so there is no loss of functionality
- resulting from deletion of the code.
-
-4.6.8
-
-1) This release includes defect repair from Shorewall 4.6.6.2 and
+1) This release contains defect repair from Shorewall 4.6.8.1 and
earlier releases.
-2) Previously, when the -n option was specified and NetworkManager was
- installed on the target system, the Shorewall-init installer would
- still create
- ${DESTDIR}etc/NetworkManager/dispatcher.d/01-shorewall, regardless
- of the setting of $CONFDIR. That has been corrected such that the
- directory
- ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall is
- created instead.
-
-3) Previously, handling of the IPTABLES and IP6TABLES actions in the
- conntrack file was broken. nfw provided a fix on IRC.
+2) The means for preventing loading of helper modules has been
+ clarified in the documentation.
-4) The Shorewall-core and Shorewall6 installers would previously
- report incorrectly that the product release was not installed. Matt
- Darfeuille provided fixes.
+3) The SetEvent and ResetEvent actions previously set/reset the event
+ even if the packet did not match the other specified columns. This
+ has been corrected.
+
+4) Previously, the 'show capabilities' command was ignoring the
+ HELPERS setting. This resulted in unwanted modules being autoloaded
+ and, when the -f option was given, an incorrect capabilities file
+ was generated.
+
+6) Previously, when 'wait' was specified for an interface, the
+ generated script erroneously checked for required interfaces on all
+ commands rather than just start, restart and restore.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
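Review bot: this copy of the release notes has the same gap as the shorewall-core copy, 4) is followed directly by 6); since the release documents are duplicated into every tarball, fix the numbering in the source they are generated from rather than in one copy.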
@@ -56,63 +44,36 @@
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) The CLI programs (shorewall, shorewall6, etc) now support 'open'
- and 'close' commands. The 'open' command temporarily opens the
- firewall for a specified type of connection; the syntax is:
-
- open <source> <destination> [ <protocol> [ <port> ] ]
-
- The <source> and <destination> may be any of the following:
-
- - a host IP address
- - a network IP address
- - a valid DNS name (usual warnings apply)
- - the word 'all', indicating that the <source> or <destination> is
- not restricted
-
- The protocol may be specified by number or by a name. Same with
- <port>.
-
- Example: Open SSH connections to 1.2.3.4 in Shorewall:
-
- shorewall open all 1.2.3.4 tcp ssh
-
- The 'close' command reverses the effect of an earlier 'open'
- command and has two forms:
-
- close <open-number>
- close <source> <destination> [ shorewall-lite-4.6.9.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.8.1/changelog.txt new/shorewall-lite-4.6.9/changelog.txt
--- old/shorewall-lite-4.6.8.1/changelog.txt 2015-04-11 16:50:08.000000000 +0200
+++ new/shorewall-lite-4.6.9/changelog.txt 2015-05-06 18:14:16.000000000 +0200
@@ -1,9 +1,55 @@
-Changes in 4.6.8.1
+Changes in 4.6.9 Final
1) Update release documents.
-2) Add 'wants=network-online.target' to service files so that the
- firewall will start when there are required interfaces.
+Changes in 4.6.9 RC 2
+
+1) Update release documents.
+
+2) Fix generated code.
+
+ - Eliminate syntax error
+ - Correct handling of required interfaces when 'wait' is specified.
+
+Changes in 4.6.9 RC 1
+
+1) Update release documents.
+
+2) More detect_configuration() optimization.
+
+3) Add 'reenable' command.
+
+4) Fix helper capabilities detection.
+
+Changes in 4.6.9 Beta 3
+
+1) Update release documents.
+
+2) Clarify how to avoid loading helper modules.
+
+3) Merge Tuomo Soini's QUIC macro.
+
+4) Merge Tuomo Soini's deprecation of the JabberSecure macro.
+
+5) Correct rule generated by SetEvent and ResetEvent.
+
+6) Optimize detect_configuration() for enable/disable.
+
+Changes in 4.6.9 Beta 2
+
+1) Update release documents.
+
+2) Add brief mention of 'list' and 'ls' to the CLI manpages.
+
+3) Add complete syntax in the CLI manpages.
+
+4) Add Tuomo Soini's fixes for .service files.
+
+Changes in 4.6.9 Beta 1
+
+1) Update release documents.
+
+2) Implement TCPMSS_TARGET capability.
Changes in 4.6.8 Final
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.8.1/configure new/shorewall-lite-4.6.9/configure
--- old/shorewall-lite-4.6.8.1/configure 2015-04-11 16:50:08.000000000 +0200
+++ new/shorewall-lite-4.6.9/configure 2015-05-06 18:14:16.000000000 +0200
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=4.6.8.1
+VERSION=4.6.9
case "$BASH_VERSION" in
[4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.8.1/configure.pl new/shorewall-lite-4.6.9/configure.pl
--- old/shorewall-lite-4.6.8.1/configure.pl 2015-04-11 16:50:08.000000000 +0200
+++ new/shorewall-lite-4.6.9/configure.pl 2015-05-06 18:14:16.000000000 +0200
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '4.6.8.1'
+ VERSION => '4.6.9'
};
my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.8.1/install.sh new/shorewall-lite-4.6.9/install.sh
--- old/shorewall-lite-4.6.8.1/install.sh 2015-04-11 16:50:08.000000000 +0200
+++ new/shorewall-lite-4.6.9/install.sh 2015-05-06 18:14:16.000000000 +0200
@@ -22,7 +22,7 @@
# along with this program; if not, see http://www.gnu.org/licenses/.
#
-VERSION=4.6.8.1
+VERSION=4.6.9
usage() # $1 = exit status
{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.8.1/manpages/shorewall-lite-vardir.5 new/shorewall-lite-4.6.9/manpages/shorewall-lite-vardir.5
--- old/shorewall-lite-4.6.8.1/manpages/shorewall-lite-vardir.5 2015-04-11 16:53:30.000000000 +0200
+++ new/shorewall-lite-4.6.9/manpages/shorewall-lite-vardir.5 2015-05-06 18:17:38.000000000 +0200
@@ -2,12 +2,12 @@
.\" Title: shorewall-lite-vardir
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.76.1 http://docbook.sf.net/
-.\" Date: 04/11/2015
+.\" Date: 05/06/2015
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-LITE\-VAR" "5" "04/11/2015" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-LITE\-VAR" "5" "05/06/2015" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.8.1/manpages/shorewall-lite.8 new/shorewall-lite-4.6.9/manpages/shorewall-lite.8
--- old/shorewall-lite-4.6.8.1/manpages/shorewall-lite.8 2015-04-11 16:53:32.000000000 +0200
+++ new/shorewall-lite-4.6.9/manpages/shorewall-lite.8 2015-05-06 18:17:40.000000000 +0200
@@ -2,12 +2,12 @@
.\" Title: shorewall-lite
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.76.1 http://docbook.sf.net/
-.\" Date: 04/11/2015
+.\" Date: 05/06/2015
.\" Manual: Administrative Commands
.\" Source: Administrative Commands
.\" Language: English
.\"
-.TH "SHOREWALL\-LITE" "8" "04/11/2015" "Administrative Commands" "Administrative Commands"
+.TH "SHOREWALL\-LITE" "8" "05/06/2015" "Administrative Commands" "Administrative Commands"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -71,11 +71,13 @@
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR \fBopen\fR\fI\ source\fR\fI\ dest\fR\ [\ \fIprotocol\fR\ [\ \fIport\fR\ ]\ ]
.HP \w'\fBshorewall\-lite\fR\ 'u
+\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBreenable\fR {\ \fIinterface\fR\ |\ \fIprovider\fR\ }
+.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBreject\fR \fIaddress\fR
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBreset\fR
.HP \w'\fBshorewall\-lite\fR\ 'u
-\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBrestart\fR [\fB\-n\fR] [\fB\-p\fR\ [\fB\-C\fR]] [\fIdirectory\fR]
+\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBrestart\fR [\fB\-n\fR] [\fB\-p\fR\ [\fB\-C\fR]]
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBrestore\fR [\fB\-C\fR] [\fIfilename\fR]
.HP \w'\fBshorewall\-lite\fR\ 'u
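Review bot: the restart synopsis loses its trailing [directory] operand in this hunk, but the usage text in lib.cli earlier in this diff still advertises `restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]`; confirm which is correct for shorewall-lite and align the other, and if the removal is deliberate, update the restart description body in this manpage and mention the change in the release notes. The added reenable synopsis is consistent with the enable and disable entries further down.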
@@ -155,7 +157,7 @@
.PP
The available commands are listed below\&.
.PP
-\fBadd\fR
+\fBadd \fR{ \fIinterface\fR[:\fIhost\-list\fR]\&.\&.\&. \fIzone\fR | \fIzone\fR \fIhost\-list\fR }
.RS 4
Adds a list of hosts or subnets to a dynamic zone usually used with VPN\*(Aqs\&.
.sp
@@ -191,7 +193,7 @@
.RE
.RE
.PP
-\fBallow\fR
+\fBallow \fR\fIaddress\fR
.RS 4
Re\-enables receipt of packets from hosts previously blacklisted by a
\fBdrop\fR,
@@ -201,7 +203,7 @@
command\&.
.RE
.PP
-\fBclear\fR
+\fBclear \fR[\-\fBf\fR]
.RS 4
Clear will remove all rules and chains installed by Shorewall\-lite\&. The firewall is then wide open and unprotected\&. Existing connections are untouched\&. Clear is often used to see if the firewall is causing connection problems\&.
.sp
@@ -231,7 +233,7 @@
command\&.
.RE
.PP
-\fBdelete\fR
+\fBdelete \fR{ \fIinterface\fR[:\fIhost\-list\fR]\&.\&.\&. \fIzone\fR | \fIzone\fR \fIhost\-list\fR }
.RS 4
The delete command reverses the effect of an earlier
\fBadd\fR
@@ -245,7 +247,7 @@
is comma\-separated list whose elements are a host or network address\&.
.RE
.PP
-\fBdisable\fR
+\fBdisable \fR{ \fIinterface\fR | \fIprovider\fR }
.RS 4
Added in Shorewall 4\&.4\&.26\&. Disables the optional provider associated with the specified
\fIinterface\fR
@@ -255,13 +257,13 @@
name must be given\&.
.RE
.PP
-\fBdrop\fR
+\fBdrop \fR\fIaddress\fR
.RS 4
Causes traffic from the listed
\fIaddress\fRes to be silently dropped\&.
.RE
.PP
-\fBdump\fR
+\fBdump \fR[\-\fBx\fR] [\-\fBl\fR] [\-\fBm\fR] [\-\fBc\fR]
.RS 4
Produces a verbose report about the firewall configuration for the purpose of problem analysis\&.
.sp
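Review bot: the new `drop` term shows a single `\fIaddress\fR` while the entry text below it speaks of "the listed \fIaddress\fRes" (plural). If the command accepts more than one address, the synopsis should read `\fBdrop \fR\fIaddress\fR\&.\&.\&.`; the same mismatch appears in the `allow`, `logdrop`, `logreject` and `reject` terms in this file.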
@@ -280,7 +282,7 @@
option causes the route cache to be dumped in addition to the other routing information\&.
.RE
.PP
-\fBenable\fR
+\fBenable \fR{ \fIinterface\fR | \fIprovider\fR }
.RS 4
Added in Shorewall 4\&.4\&.26\&. Enables the optional provider associated with the specified
\fIinterface\fR
@@ -290,7 +292,7 @@
name must be given\&.
.RE
.PP
-\fBforget\fR
+\fBforget \fR[ \fIfilename\fR ]
.RS 4
Deletes /var/lib/shorewall\-lite/\fIfilename\fR
and /var/lib/shorewall\-lite/save\&. If no
@@ -304,24 +306,24 @@
Displays a syntax summary\&.
.RE
.PP
-\fBhits\fR
+\fBhits \fR [\-\fBt\fR]
.RS 4
Generates several reports from Shorewall\-lite log messages in the current log file\&. If the
\fB\-t\fR
option is included, the reports are restricted to log messages generated today\&.
.RE
.PP
-\fBipcalc\fR
+\fBipcalc \fR{ address mask | address/vlsm }
.RS 4
Ipcalc displays the network address, broadcast address, network in CIDR notation and netmask corresponding to the input[s]\&.
.RE
.PP
-\fBiprange\fR
+\fBiprange \fR\fIaddress1\fR\-\fIaddress2\fR
.RS 4
Iprange decomposes the specified range of IP addresses into the equivalent list of network/host addresses\&.
.RE
.PP
-\fBiptrace\fR
+\fBiptrace \fR\fIiptables match expression\fR
.RS 4
This is a low\-level debugging command that causes iptables TRACE log records to be created\&. See iptables(8) for details\&.
.sp
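Review bot: two formatting slips in this hunk. `\fBhits \fR [\-\fBt\fR]` has a space inside the bold span and another after it, so it renders with a double space; write `\fBhits \fR[\-\fBt\fR]` like the other entries. In `\fBipcalc \fR{ address mask | address/vlsm }` the parameters are left in roman, whereas every other term in this file marks replaceable text with `\fI...\fR` (compare `\fBiprange \fR\fIaddress1\fR\-\fIaddress2\fR` just below).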
@@ -332,7 +334,15 @@
The trace records are written to the kernel\*(Aqs log buffer with facility = kernel and priority = warning, and they are routed from there by your logging daemon (syslogd, rsyslog, syslog\-ng, \&.\&.\&.) \-\- Shorewall\-lite has no control over where the messages go; consult your logging daemon\*(Aqs documentation\&.
.RE
.PP
-\fBlogdrop\fR
+\fBlist\fR
+.RS 4
+\fBlist\fR
+is a synonym for
+\fBshow\fR
+\-\- please see below\&.
+.RE
+.PP
+\fBlogdrop \fR\fIaddress\fR
.RS 4
Causes traffic from the listed
\fIaddress\fRes to be logged then discarded\&. Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL setting in
@@ -340,7 +350,7 @@
(5)\&.
.RE
.PP
-\fBlogwatch\fR
+\fBlogwatch \fR[\-\fBm\fR] [\fIrefresh\-interval\fR]
.RS 4
Monitors the log file specified by the LOGFILE option in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5) and produces an audible alarm when new Shorewall\-lite messages are logged\&. The
@@ -351,7 +361,7 @@
\fBshorewall\-lite logwatch \-\- \-30\fR)\&. In this case, when a packet count changes, you will be prompted to hit any key to resume screen refreshes\&.
.RE
.PP
-\fBlogreject\fR
+\fBlogreject \fR\fIaddress\fR
.RS 4
Causes traffic from the listed
\fIaddress\fRes to be logged then rejected\&. Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL setting in
@@ -359,7 +369,15 @@
(5)\&.
.RE
.PP
-\fBnoiptrace\fR
+\fBls\fR
+.RS 4
+\fBls\fR
+is a synonym for
+\fBshow\fR
+\-\- please see below\&.
+.RE
+.PP
+\fBnoiptrace \fR\fIiptables match expression\fR
.RS 4
This is a low\-level debugging command that cancels a trace started by a preceding
\fBiptrace\fR
@@ -422,12 +440,33 @@
.\}
.RE
.PP
-\fBreset\fR
+\fBreenable\fR{ \fIinterface\fR | \fIprovider\fR }
.RS 4
-All the packet and byte counters in the firewall are reset\&.
+Added in Shorewall 4\&.6\&.9\&. This is equivalent to a
+\fBdisable\fR
+command followed by an
+\fBenable\fR
+command on the specified
+\fIinterface\fR
+or
+\fIprovider\fR\&.
.RE
.PP
-\fBrestart\fR
+\fBreject\fR\fI address\fR
+.RS 4
+Causes traffic from the listed
+\fIaddress\fRes to be silently rejected\&.
+.RE
+.PP
+\fBreset [\fR\fB\fIchain\fR\fR\fB, \&.\&.\&.]\fR
+.RS 4
+Resets the packet and byte counters in the specified
+\fIchain\fR(s)\&. If no
+\fIchain\fR
+is specified, all the packet and byte counters in the firewall are reset\&.
+.RE
+.PP
+\fBrestart \fR[\-n] [\-p] [\-\fBC\fR]
.RS 4
Restart is similar to
\fBshorewall\-lite start\fR
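Review bot: `\fBreenable\fR{ \fIinterface\fR | \fIprovider\fR }` is missing the space before `{`, so the rendered line reads `reenable{ interface | provider }`; the `disable` and `enable` terms use `\fBdisable \fR{`, and this one should match. Two smaller points in the same hunk: `\fBreject\fR\fI address\fR` puts the separating space inside the italic span (write `\fBreject \fR\fIaddress\fR`), and in `\fBrestart \fR[\-n] [\-p] [\-\fBC\fR]` only `-C` is bolded while `-n` and `-p` are not; `[\-\fBn\fR] [\-\fBp\fR] [\-\fBC\fR]` keeps the file's convention.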
@@ -448,7 +487,7 @@
option was added in Shorewall 4\&.6\&.5\&. If the specified (or implicit) firewall script is the one that generated the current running configuration, then the running netfilter configuration will be reloaded as is so as to preserve the iptables packet and byte counters\&.
.RE
.PP
-\fBrestore\fR
+\fBrestore \fR[\-\fBn\fR] [\-\fBp\fR] [\-\fBC\fR] [ \fIfilename\fR ]
.RS 4
Restore Shorewall\-lite to a state saved using the
\fBshorewall\-lite save\fR
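Review bot: the `restore` entry now advertises `[\-\fBn\fR] [\-\fBp\fR] [\-\fBC\fR]`, but the SYNOPSIS section at the top of this file still shows `\fBrestore\fR [\fB\-C\fR] [\fIfilename\fR]` with no `-n` or `-p`. The synopsis should be updated in the same change so the two do not drift.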
@@ -477,6 +516,16 @@
.sp .5v
.RE
The
+\fB\-n\fR
+option causes Shorewall to avoid updating the routing table(s)\&.
+.sp
+The
+\fB\-p\fR
+option, added in Shorewall 4\&.6\&.5, causes the connection tracking table to be flushed; the
+\fBconntrack\fR
+utility must be installed to use this option\&.
+.sp
+The
\fB\-C\fR
option was added in Shorewall 4\&.6\&.5\&. If the
\fB\-C\fR
@@ -484,7 +533,7 @@
\fBshorewall save\fR, then the counters saved by that operation will be restored\&.
.RE
.PP
-\fBrun\fR
+\fBrun \fR\fIcommand\fR [ \fIparameter\fR \&.\&.\&. ]
.RS 4
Added in Shorewall 4\&.6\&.3\&. Executes
\fIcommand\fR
@@ -500,7 +549,7 @@
extension script with $COMMAND = \*(Aqrun\*(Aq\&.
.RE
.PP
-\fBsave\fR
+\fBsave \fR[\-\fBC\fR] [ \fIfilename\fR ]
.RS 4
The dynamic blacklist is stored in /var/lib/shorewall\-lite/save\&. The state of the firewall is stored in /var/lib/shorewall\-lite/\fIfilename\fR
for use by the
@@ -529,14 +578,14 @@
.RS 4
The show command can have a number of different arguments:
.PP
-\fBbl|blacklists\fR
+\fBbl|blacklists \fR[\-\fBx\fR]
.RS 4
Added in Shorewall 4\&.6\&.2\&. Displays the dynamic chain along with any chains produced by entries in shorewall\-blrules(5)\&.The
\fB\-x\fR
option is passed directly through to iptables and causes actual packet and byte counts to be displayed\&. Without this option, those counts are abbreviated\&.
.RE
.PP
-\fBcapabilities\fR
+[\-\fBf\fR] \fBcapabilities\fR
.RS 4
Displays your kernel/iptables capabilities\&. The
\fB\-f\fR
@@ -544,7 +593,7 @@
\fBcompile \-e\fR\&.
.RE
.PP
-[ [ \fBchain\fR ] \fIchain\fR\&.\&.\&. ]
+[\-\fBb\fR] [\-\fBx\fR] [\-\fBl\fR] [\-\fBt\fR {\fBfilter\fR|\fBmangle\fR|\fBnat\fR|\fBraw\fR|\fBrawpost\fR}] [ \fIchain\fR\&.\&.\&. ]
.RS 4
The rules in each
\fIchain\fR
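Review bot: the optional `chain` keyword is dropped from the `show` synopsis (`[ [ \fBchain\fR ] \fIchain\fR\&.\&.\&. ]` becomes `[ \fIchain\fR\&.\&.\&. ]`). If `show chain \fIname\fR` is still accepted by the CLI for backward compatibility, keep it documented; if it has been removed, that is a user-visible change worth a line in the release notes rather than a silent edit to the man page.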
@@ -613,7 +662,7 @@
(5))\&.
.RE
.PP
-\fBlog\fR
+[\-\fBm\fR] \fBlog\fR
.RS 4
Displays the last 20 Shorewall\-lite messages from the log file specified by the LOGFILE option in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. The
@@ -621,6 +670,14 @@
option causes the MAC address of each packet source to be displayed if that information is available\&.
.RE
.PP
+[\-\fBx\fR] \fBmangle\fR
+.RS 4
+Displays the Netfilter mangle table using the command
+\fBiptables \-t mangle \-L \-n \-v\fR\&. The
+\fB\-x\fR
+option is passed directly through to iptables and causes actual packet and byte counts to be displayed\&. Without this option, those counts are abbreviated\&.
+.RE
+.PP
\fBmarks\fR
.RS 4
Added in Shorewall 4\&.4\&.26\&. Displays the various fields in packet marks giving the min and max value (in both decimal and hex) and the applicable mask (in hex)\&.
@@ -670,7 +727,7 @@
.RE
.RE
.PP
-\fBstart\fR
+\fBstart\fR [\-\fBp\fR] [\-\fBn\fR] [\fB\-f\fR] [\-\fBC\fR]
.RS 4
Start Shorewall Lite\&. Existing connections through shorewall\-lite managed interfaces are untouched\&. New connections will be allowed only if they are allowed by the firewall rules or policies\&.
.sp
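Review bot: in `\fBstart\fR [\-\fBp\fR] [\-\fBn\fR] [\fB\-f\fR] [\-\fBC\fR]` the `-f` option is written with the dash inside the bold span while the other three put the dash outside (`[\-\fBp\fR]`); make it `[\-\fBf\fR]` for a consistent rendering. The same inconsistency (`[<option>-f</option>]` next to `[-<option>p</option>]`) is in the matching XML hunk.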
@@ -681,7 +738,7 @@
utility must be installed to use this option\&.
.sp
The
-\fB\-m\fR
+\fB\-n\fR
option prevents the firewall script from modifying the current routing configuration\&.
.sp
The
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.8.1/manpages/shorewall-lite.conf.5 new/shorewall-lite-4.6.9/manpages/shorewall-lite.conf.5
--- old/shorewall-lite-4.6.8.1/manpages/shorewall-lite.conf.5 2015-04-11 16:53:29.000000000 +0200
+++ new/shorewall-lite-4.6.9/manpages/shorewall-lite.conf.5 2015-05-06 18:17:37.000000000 +0200
@@ -2,12 +2,12 @@
.\" Title: shorewall-lite.conf
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.76.1 http://docbook.sf.net/
-.\" Date: 04/11/2015
+.\" Date: 05/06/2015
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-LITE\&.CO" "5" "04/11/2015" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-LITE\&.CO" "5" "05/06/2015" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.8.1/manpages/shorewall-lite.xml new/shorewall-lite-4.6.9/manpages/shorewall-lite.xml
--- old/shorewall-lite-4.6.8.1/manpages/shorewall-lite.xml 2015-04-11 16:53:32.000000000 +0200
+++ new/shorewall-lite-4.6.9/manpages/shorewall-lite.xml 2015-05-06 18:17:40.000000000 +0200
@@ -297,6 +297,20 @@
<arg>-<replaceable>options</replaceable></arg>
+ <arg choice="plain"><option>reenable</option></arg>
+
+ <arg choice="plain">{ <replaceable>interface</replaceable> |
+ <replaceable>provider</replaceable> }</arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall-lite</command>
+
+ <option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+ <arg>-<replaceable>options</replaceable></arg>
+
<arg choice="plain"><option>reject</option></arg>
<arg choice="plain"><replaceable>address</replaceable></arg>
@@ -326,8 +340,6 @@
<arg><option>-n</option></arg>
<arg><option>-p</option><arg><option>-C</option></arg></arg>
-
- <arg><replaceable>directory</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
@@ -613,7 +625,10 @@
<variablelist>
<varlistentry>
- <term><emphasis role="bold">add</emphasis></term>
+ <term><emphasis role="bold">add </emphasis>{
+ <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
+ <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
+ <replaceable>host-list</replaceable> }</term>
<listitem>
<para>Adds a list of hosts or subnets to a dynamic zone usually used
@@ -638,7 +653,8 @@
</varlistentry>
<varlistentry>
- <term><emphasis role="bold">allow</emphasis></term>
+ <term><emphasis role="bold">allow
+ </emphasis><replaceable>address</replaceable></term>
<listitem>
<para>Re-enables receipt of packets from hosts previously
@@ -650,7 +666,8 @@
</varlistentry>
<varlistentry>
- <term><emphasis role="bold">clear</emphasis></term>
+ <term><emphasis role="bold">clear
+ </emphasis>[-<option>f</option>]</term>
<listitem>
<para>Clear will remove all rules and chains installed by
@@ -688,7 +705,10 @@
</varlistentry>
<varlistentry>
- <term><emphasis role="bold">delete</emphasis></term>
+ <term><emphasis role="bold">delete </emphasis>{
+ <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
+ <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
+ <replaceable>host-list</replaceable> }</term>
<listitem>
<para>The delete command reverses the effect of an earlier capabilities</emphasis></term>
<listitem>
<para>Displays your kernel/iptables capabilities. The
@@ -1060,8 +1157,10 @@
</varlistentry>
<varlistentry>
- <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
- ]</term>
+ <term>[-<option>b</option>] [-<option>x</option>]
+ [-<option>l</option>] [-<option>t</option>
+ {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}]
+ [ <emphasis>chain</emphasis>... ]</term>
<listitem>
<para>The rules in each <emphasis>chain</emphasis> are
@@ -1160,7 +1259,8 @@
</varlistentry>
<varlistentry>
- <term><emphasis role="bold">log</emphasis></term>
+ <term>[-<option>m</option>] log</emphasis></term>
<listitem>
<para>Displays the last 20 Shorewall-lite messages from the
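Review bot: `<term>[-<option>m</option>] log</emphasis></term>` closes an `<emphasis>` element that is never opened. The original line had `<emphasis role="bold">log</emphasis>`; the replacement should be `<term>[-<option>m</option>] <emphasis role="bold">log</emphasis></term>`, otherwise the DocBook source is not well-formed and the man page build will fail.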
@@ -1173,6 +1273,20 @@
</varlistentry>
<varlistentry>
+ <term>[-<option>x</option>] mangle</emphasis></term>
+
+ <listitem>
+ <para>Displays the Netfilter mangle table using the command
+ <emphasis role="bold">iptables -t mangle -L -n -v</emphasis>.
+ The <emphasis role="bold">-x</emphasis> option is passed
+ directly through to iptables and causes actual packet and byte
+ counts to be displayed. Without this option, those counts are
+ abbreviated.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><emphasis role="bold">marks</emphasis></term>
<listitem>
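Review bot: same problem as the `log` term just above: `<term>[-<option>x</option>] mangle</emphasis></term>` has a stray `</emphasis>` with no opening tag. It should read `<term>[-<option>x</option>] <emphasis role="bold">mangle</emphasis></term>` to be well-formed and to bold the keyword like the neighbouring `marks` entry.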
@@ -1262,7 +1376,9 @@
</varlistentry>
<varlistentry>
- <term><emphasis role="bold">start</emphasis></term>
+ <term><emphasis role="bold">start</emphasis> [-<option>p</option>]
+ [-<option>n</option>] [<option>-f</option>]
+ [-<option>C</option>]</term>
<listitem>
<para>Start Shorewall Lite. Existing connections through
@@ -1274,7 +1390,7 @@
table to be flushed; the <command>conntrack</command> utility must
be installed to use this option.</para>
- <para>The <option>-m</option> option prevents the firewall script
+ <para>The <option>-n</option> option prevents the firewall script
from modifying the current routing configuration.</para>
<para>The <option>-f</option> option was added in Shorewall 4.6.5.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.8.1/releasenotes.txt new/shorewall-lite-4.6.9/releasenotes.txt
--- old/shorewall-lite-4.6.8.1/releasenotes.txt 2015-04-11 16:50:08.000000000 +0200
+++ new/shorewall-lite-4.6.9/releasenotes.txt 2015-05-06 18:14:16.000000000 +0200
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 4 . 6 . 8 . 1
- ------------------------------------
- A p r i l 1 1 , 2 0 1 5
+ S H O R E W A L L 4 . 6 . 9
+ ----------------------------
+ M a y 0 6 , 2 0 1 5
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,36 +14,24 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-4.6.8.1
-
-1) Previously, when servicd was installed and there were one or more
- required interfaces, the firewall would fail to start at boot. This
- has been corrected by Tuomo Soini.
-
-2) Some startup logic in lib.cli has been deleted. A bug prevented the
- code from working as intended, so there is no loss of functionality
- resulting from deletion of the code.
-
-4.6.8
-
-1) This release includes defect repair from Shorewall 4.6.6.2 and
+1) This release contains defect repair from Shorewall 4.6.8.1 and
earlier releases.
-2) Previously, when the -n option was specified and NetworkManager was
- installed on the target system, the Shorewall-init installer would
- still create
- ${DESTDIR}etc/NetworkManager/dispatcher.d/01-shorewall, regardless
- of the setting of $CONFDIR. That has been corrected such that the
- directory
- ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall is
- created instead.
-
-3) Previously, handling of the IPTABLES and IP6TABLES actions in the
- conntrack file was broken. nfw provided a fix on IRC.
+2) The means for preventing loading of helper modules has been
+ clarified in the documentation.
-4) The Shorewall-core and Shorewall6 installers would previously
- report incorrectly that the product release was not installed. Matt
- Darfeuille provided fixes.
+3) The SetEvent and ResetEvent actions previously set/reset the event
+ even if the packet did not match the other specified columns. This
+ has been corrected.
+
+4) Previously, the 'show capabilities' command was ignoring the
+ HELPERS setting. This resulted in unwanted modules being autoloaded
+ and, when the -f option was given, an incorrect capabilities file
+ was generated.
+
+6) Previously, when 'wait' was specified for an interface, the
+ generated script erroneously checked for required interfaces on all
+ commands rather than just start, restart and restore.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
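Review bot: the "Problems corrected" list in this hunk is numbered 1), 2), 3), 4), 6); item 5 is missing. Either an entry was dropped during editing and should be restored, or the last item should be renumbered to 5). The packaging changelog in the HEAD of this commit reproduces the same five items, so the numbering gap should be fixed before this text is copied further.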
@@ -56,63 +44,36 @@
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) The CLI programs (shorewall, shorewall6, etc) now support 'open'
- and 'close' commands. The 'open' command temporarily opens the
- firewall for a specified type of connection; the syntax is:
-
- open <source> <destination> [ <protocol> [ <port> ] ]
-
- The <source> and <destination> may be any of the following:
-
- - a host IP address
- - a network IP address
- - a valid DNS name (usual warnings apply)
- - the word 'all', indicating that the <source> or <destination> is
- not restricted
-
- The protocol may be specified by number or by a name. Same with
- <port>.
-
- Example: Open SSH connections to 1.2.3.4 in Shorewall:
-
- shorewall open all 1.2.3.4 tcp ssh
-
- The 'close' command reverses the effect of an earlier 'open'
- command and has two forms:
-
- close <open-number>
- close <source> <destination> [ shorewall6-4.6.9.tar.bz2 ++++++
++++ 128395 lines of diff (skipped)
++++++ shorewall-lite-4.6.8.1.tar.bz2 -> shorewall6-lite-4.6.9.tar.bz2 ++++++
++++ 8834 lines of diff (skipped)