commit shorewall for openSUSE:Factory
Hello community, here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2013-01-17 10:43:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shorewall (Old) and /work/SRC/openSUSE:Factory/.shorewall.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "shorewall", Maintainer is "" Changes: -------- --- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2012-12-19 13:24:28.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes 2013-01-17 10:43:36.000000000 +0100 
@@ -1,0 +2,26 @@
+Tue Jan 15 15:52:36 UTC 2013 - toganm@opensuse.org
+
+- Added systemd.patch to fix the exec path (bnc# 798525)
+
+-------------------------------------------------------------------
+Sat Jan 12 21:11:11 UTC 2013 - toganm@opensuse.org
+
+- Update to 4.5.11.2 For more details see changelog.txt and
+ releasenotes.txt
+
+ * Corrected fix 2 from 4.5.11.1.
+
+ * 4.5.11.1
+
+ Beginning with Shorewall 4.5.10, if the name of an optional
+ interface contained one or more characters that are not valid
+ in a shell function name, then the generated script would fail with
+ a "syntax error: bad function name" shell diagnostic.
+
+ That problem has been corrected so that a valid function name
+ is generated.
+
+ * The kernel modules supplied by xtables-addons are now listed in
+ the modules.xtables files. They were previously omitted.
+
+-------------------------------------------------------------------
Old: ---- shorewall-4.5.10.1.tar.bz2 shorewall-core-4.5.10.1.tar.bz2 shorewall-docs-html-4.5.10.1.tar.bz2 shorewall-init-4.5.10.1.tar.bz2 shorewall-lite-4.5.10.1.tar.bz2 shorewall6-4.5.10.1.tar.bz2 shorewall6-lite-4.5.10.1.tar.bz2 New: ---- shorewall-4.5.11.2.tar.bz2 shorewall-core-4.5.11.2.tar.bz2 shorewall-docs-html-4.5.11.2.tar.bz2 shorewall-init-4.5.11.2.tar.bz2 shorewall-lite-4.5.11.2.tar.bz2 shorewall6-4.5.11.2.tar.bz2 shorewall6-lite-4.5.11.2.tar.bz2 systemd.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++
--- /var/tmp/diff_new_pack.jEFeqg/_old 2013-01-17 10:43:38.000000000 +0100
+++ /var/tmp/diff_new_pack.jEFeqg/_new 2013-01-17 10:43:38.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package shorewall
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,19 +20,19 @@
 %define have_systemd 1
 Name: shorewall
-Version: 4.5.10.1
+Version: 4.5.11.2
 Release: 0
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems
 License: GPL-2.0
 Group: Productivity/Networking/Security
 Url: http://www.shorewall.net/
-Source: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.10/%name-%version.t...
-Source1: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.10/%name-core-%vers...
-Source2: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.10/%name-lite-%vers...
-Source3: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.10/%name-init-%vers...
-Source4: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.10/%{name}6-lite-%version.tar.bz2
-Source5: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.10/%{name}6-%version.tar.bz2
-Source6: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.10/%name-docs-html-...
+Source: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.11/%name-%version.t...
+Source1: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.11/%name-core-%vers...
+Source2: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.11/%name-lite-%vers...
+Source3: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.11/%name-init-%vers...
+Source4: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.11/%{name}6-lite-%version.tar.bz2
+Source5: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.11/%{name}6-%version.tar.bz2
+Source6: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.11/%name-docs-html-...
 Source7: %name-4.4.22.rpmlintrc
 Source8: README.openSUSE
 # PATCH-FIX-UPSTREAM toganm@opensuse.org Shorewall-lite init.suse.sh Required Stop
@@ -41,6 +41,9 @@
 Patch1: shorewall-init-4.5.2-install.patch
 # PATCH-FIX-UPSTREAM toganm@opensuse.org Shorewall-init init.suse.sh Required Start
 Patch2: 0001-remote_fs.patch
+# PATCH-FIX-UPSTREAM toganm@opensuse.org systemd.patch correct path for /usr/sbin [bnc#798525]
+Patch3: systemd.patch
+
 %if 0%{?suse_version} >= 1210 || 0%{?fedora_version}
 BuildRequires: systemd
 %{?systemd_requires}
@@ -307,6 +310,7 @@
 # we need the patches for suse only
 %if 0%{?suse_version}
+%patch3 -p1
 # apply patches to shorewall
 pushd %name-%version
++++++ shorewall-4.5.10.1.tar.bz2 -> shorewall-4.5.11.2.tar.bz2 ++++++ ++++ 6097 lines of diff (skipped) ++++++ shorewall-core-4.5.10.1.tar.bz2 -> shorewall-core-4.5.11.2.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.10.1/changelog.txt new/shorewall-core-4.5.11.2/changelog.txt
--- old/shorewall-core-4.5.10.1/changelog.txt 2012-12-14 15:37:23.000000000 +0100
+++ new/shorewall-core-4.5.11.2/changelog.txt 2012-12-31 17:28:59.000000000 +0100
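Review bot: `%patch3 -p1` in the second hunk is executed before `pushd %name-%version`, so it is applied from the top of the build directory while the comment on the very next line says the shorewall patches are applied after the pushd; whether `-p1` strips the right prefix therefore depends on the paths recorded inside systemd.patch, which are not visible here, and is worth confirming against that file rather than assumed from the other `%patch` lines. The remainder of %prep, presumably including the matching `%endif` and the other patch applications, lies outside the hunk. In the first hunk the new patch is tagged `PATCH-FIX-UPSTREAM` even though it is only applied under `%if 0%{?suse_version}`; if the /usr/sbin path correction is not being sent upstream, `# PATCH-FIX-OPENSUSE toganm@opensuse.org systemd.patch correct path for /usr/sbin [bnc#798525]` describes its status more accurately.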
@@ -1,16 +1,60 @@ -Changes in 4.5.10.1 +Changes in 4.5.11.2 1) Update release documents. -2) Correct type on the 'conntrack' file. +2) Correct modules.xtables. -Changes in 4.5.10 Final +Changes in 4.5.11.1 + +1) Update release documents + +2) Avoid invalid function name to start optional interface. + +3) Add modules from xtables-addons to modules.xtables + +Changes in 4.5.11 Final + +1) Update release documents + +2) Update Perl module versions. + +3) Make all module-global variables 'our' to aid debugging. + +Changes in 4.5.11 RC 1 + +1) update -D + +Changes in 4.5.11 Beta 3 + +1) Implement user-defined address variables. + +2) Sort output of 'show capabilities'. + +3) ?FORMAT and ?COMMENT + +Changes in 4.5.11 Beta 2 1) Update release documents. -2) Correct pushing of parameters with nested parens. +2) Implement @-variables. + +3) Rename ALLOWUNKNOWNVARIABLES to IGNOREUNKNOWNVARIABLES. + +4) Make $chain (@chain) a synonym for $0 ($0). + +Changes in 4.5.11 Beta 1 + +1) Add ${loglevel} and ${logtag} as variables visible within actions. -3) Remove extraneous ',' from the rule generated by action.RST. +2) Add 'nolog' action option. + +3) Create a symbol table to hold all non-action shell variables. + +4) Implement ?set and ?reset + +Changes in 4.5.10 Final + +1) Update release documents. Changes in 4.5.10 RC 1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.10.1/configure new/shorewall-core-4.5.11.2/configure --- old/shorewall-core-4.5.10.1/configure 2012-12-14 15:37:23.000000000 +0100 +++ new/shorewall-core-4.5.11.2/configure 2012-12-31 17:28:59.000000000 +0100 
@@ -28,7 +28,7 @@
 #
 # Build updates this
 #
-VERSION=4.5.10.1
+VERSION=4.5.11.2
 case "$BASH_VERSION" in
 [4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.10.1/configure.pl new/shorewall-core-4.5.11.2/configure.pl
--- old/shorewall-core-4.5.10.1/configure.pl 2012-12-14 15:37:23.000000000 +0100
+++ new/shorewall-core-4.5.11.2/configure.pl 2012-12-31 17:28:59.000000000 +0100
@@ -31,7 +31,7 @@
 # Build updates this
 #
 use constant {
- VERSION => '4.5.10.1'
+ VERSION => '4.5.11.2'
 };
 my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.10.1/install.sh new/shorewall-core-4.5.11.2/install.sh
--- old/shorewall-core-4.5.10.1/install.sh 2012-12-14 15:37:23.000000000 +0100
+++ new/shorewall-core-4.5.11.2/install.sh 2012-12-31 17:28:59.000000000 +0100
@@ -22,7 +22,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.5.10.1
+VERSION=4.5.11.2
 usage() # $1 = exit status
 {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.10.1/known_problems.txt new/shorewall-core-4.5.11.2/known_problems.txt
--- old/shorewall-core-4.5.10.1/known_problems.txt 2012-12-14 15:37:23.000000000 +0100
+++ new/shorewall-core-4.5.11.2/known_problems.txt 2012-12-31 17:28:59.000000000 +0100
@@ -1,9 +1,41 @@ 1) On systems running Upstart, shorewall-init cannot reliably secure the firewall before interfaces are brought up. -2) There is a typo on line 21 of the conntrack file released with - Shorewall 4.5.10. +2) Beginning with Shorewall 4.5.10, if the name of an optional + interface contains one or more characters that are not valid in a + shell function name, then the generated script will fail with a + "syntax error: bad function name" shell diagnostic. + + Workaround: + + Rename the interface so that its name is a valid shell + identifier. + + Corrected in 4.5.11.2. + +3) The following type of configuration resulted in an incorrect + ruleset: + + /etc/shorewall/zones + + ... + bar + foo:bar + + /etc/shorewall/interfaces + + ... + bar xyz+ + foo xyz + ... + + Workaround: + + Reverse the order of the two entries in the interfaces file. + +4) The kernel modules supplied by xtables-addons are not listed in the + modules.xtables files. + + Corrected in 4.5.11.2. - CT:helper:RAS;PO - The semi-colon (';') before 'PO' should be a colon (':'). diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.10.1/lib.cli new/shorewall-core-4.5.11.2/lib.cli --- old/shorewall-core-4.5.10.1/lib.cli 2012-12-14 15:33:54.000000000 +0100 +++ new/shorewall-core-4.5.11.2/lib.cli 2012-12-31 17:00:04.000000000 +0100 @@ -2442,7 +2442,7 @@ esac } -report_capabilities() { +report_capabilities_unsorted() { report_capability() # $1 = Capability Description , $2 Capability Setting (if any) { local setting 
@@ -2453,122 +2453,124 @@ echo " " $1: $setting } - if [ $VERBOSITY -gt 1 ]; then - echo "$g_product has detected the following iptables/netfilter capabilities:" - report_capability "NAT (NAT_ENABLED)" $NAT_ENABLED - report_capability "Packet Mangling (MANGLE_ENABLED)" $MANGLE_ENABLED - report_capability "Multi-port Match (MULTIPORT)" $MULTIPORT - [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match (XMULIPORT)" $XMULTIPORT - report_capability "Connection Tracking Match (CONNTRACK_MATCH)" $CONNTRACK_MATCH - if [ -n "$CONNTRACK_MATCH" ]; then - report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH - [ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH - fi - report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE - report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH - report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH - report_capability "Physdev-is-bridged Support (PHYSDEV_BRIDGE)" $PHYSDEV_BRIDGE - report_capability "Packet length Match (LENGTH_MATCH)" $LENGTH_MATCH - report_capability "IP range Match(IPRANGE_MATCH)" $IPRANGE_MATCH - report_capability "Recent Match (RECENT_MATCH)" $RECENT_MATCH - report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH - report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH - if [ -n "$IPSET_MATCH" ]; then - report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH - [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)" $OLD_IPSET_MATCH - fi - report_capability "CONNMARK Target (CONNMARK)" $CONNMARK - [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target (XCONNMARK)" $XCONNMARK - report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH - [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH - report_capability "Raw Table 
(RAW_TABLE)" $RAW_TABLE - report_capability "Rawpost Table (RAWPOST_TABLE)" $RAWPOST_TABLE - report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH - [ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH - report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET - report_capability "Extended REJECT (ENHANCED_REJECT)" $ENHANCED_REJECT - report_capability "Repeat match (KLUDGEFREE)" $KLUDGEFREE - report_capability "MARK Target (MARK)" $MARK - [ -n "$MARK" ] && report_capability "Extended MARK Target (XMARK)" $XMARK - [ -n "$XMARK" ] && report_capability "Extended MARK Target 2 (EXMARK)" $EXMARK - report_capability "Mangle FORWARD Chain (MANGLE_FORWARD)" $MANGLE_FORWARD - report_capability "Comments (COMMENTS)" $COMMENTS - report_capability "Address Type Match (ADDRTYPE)" $ADDRTYPE - report_capability "TCPMSS Match (TCPMSS_MATCH)" $TCPMSS_MATCH - report_capability "Hashlimit Match (HASHLIMIT_MATCH)" $HASHLIMIT_MATCH - [ -n "$OLD_HL_MATCH" ] && report_capability "Old Hashlimit Match (OLD_HL_MATCH)" $OLD_HL_MATCH - report_capability "NFQUEUE Target (NFQUEUE_TARGET)" $NFQUEUE_TARGET - report_capability "Realm Match (REALM_MATCH)" $REALM_MATCH - report_capability "Helper Match (HELPER_MATCH)" $HELPER_MATCH - report_capability "Connlimit Match (CONNLIMIT_MATCH)" $CONNLIMIT_MATCH - report_capability "Time Match (TIME_MATCH)" $TIME_MATCH - report_capability "Goto Support (GOTO_TARGET)" $GOTO_TARGET - report_capability "LOGMARK Target (LOGMARK_TARGET)" $LOGMARK_TARGET - report_capability "IPMARK Target (IPMARK_TARGET)" $IPMARK_TARGET - report_capability "LOG Target (LOG_TARGET)" $LOG_TARGET - report_capability "ULOG Target (ULOG_TARGET)" $ULOG_TARGET - report_capability "NFLOG Target (NFLOG_TARGET)" $NFLOG_TARGET - report_capability "Persistent SNAT (PERSISTENT_SNAT)" $PERSISTENT_SNAT - report_capability "TPROXY Target (TPROXY_TARGET)" $TPROXY_TARGET - report_capability "FLOW Classifier (FLOW_FILTER)" 
$FLOW_FILTER - report_capability "fwmark route mask (FWMARK_RT_MASK)" $FWMARK_RT_MASK - report_capability "Mark in any table (MARK_ANYWHERE)" $MARK_ANYWHERE - report_capability "Header Match (HEADER_MATCH)" $HEADER_MATCH - report_capability "ACCOUNT Target (ACCOUNT_TARGET)" $ACCOUNT_TARGET - report_capability "AUDIT Target (AUDIT_TARGET)" $AUDIT_TARGET - report_capability "ipset V5 (IPSET_V5)" $IPSET_V5 - report_capability "Condition Match (CONDITION_MATCH)" $CONDITION_MATCH - report_capability "Statistic Match (STATISTIC_MATCH)" $STATISTIC_MATCH - report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET - report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH - report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET - report_capability "Geo IP match" $GEOIP_MATCH - report_capability "RPFilter match" $RPFILTER_MATCH - report_capability "NFAcct match" $NFACCT_MATCH - report_capability "Checksum Target" $CHECKSUM_TARGET - - report_capability "Amanda Helper" $AMANDA_HELPER - report_capability "FTP Helper" $FTP_HELPER - report_capability "FTP-0 Helper" $FTP0_HELPER - report_capability "IRC Helper" $IRC_HELPER - report_capability "IRC-0 Helper" $IRC0_HELPER - report_capability "Netbios_ns Helper" $NETBIOS_NS_HELPER - report_capability "H323 Helper" $H323_HELPER - report_capability "PPTP Helper" $PPTP_HELPER - report_capability "SANE Helper" $SANE_HELPER - report_capability "SANE-0 Helper" $SANE0_HELPER - report_capability "SIP Helper" $SIP_HELPER - report_capability "SIP-0 Helper" $SIP0_HELPER - report_capability "SNMP Helper" $SNMP_HELPER - report_capability "TFTP Helper" $TFTP_HELPER - report_capability "TFTP-0 Helper" $TFTP0_HELPER - - if [ $g_family -eq 4 ]; then - report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S - else - report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S - fi + report_capability "NAT (NAT_ENABLED)" $NAT_ENABLED + report_capability "Packet Mangling (MANGLE_ENABLED)" $MANGLE_ENABLED + report_capability "Multi-port Match (MULTIPORT)" 
$MULTIPORT + [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match (XMULIPORT)" $XMULTIPORT + report_capability "Connection Tracking Match (CONNTRACK_MATCH)" $CONNTRACK_MATCH + if [ -n "$CONNTRACK_MATCH" ]; then + report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH + [ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH + fi + report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE + report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH + report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH + report_capability "Physdev-is-bridged Support (PHYSDEV_BRIDGE)" $PHYSDEV_BRIDGE + report_capability "Packet length Match (LENGTH_MATCH)" $LENGTH_MATCH + report_capability "IP range Match(IPRANGE_MATCH)" $IPRANGE_MATCH + report_capability "Recent Match (RECENT_MATCH)" $RECENT_MATCH + report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH + report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH + if [ -n "$IPSET_MATCH" ]; then + report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH + [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)" $OLD_IPSET_MATCH + fi + report_capability "CONNMARK Target (CONNMARK)" $CONNMARK + [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target (XCONNMARK)" $XCONNMARK + report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH + [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH + report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE + report_capability "Rawpost Table (RAWPOST_TABLE)" $RAWPOST_TABLE + report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH + [ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH + report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET + 
report_capability "Extended REJECT (ENHANCED_REJECT)" $ENHANCED_REJECT + report_capability "Repeat match (KLUDGEFREE)" $KLUDGEFREE + report_capability "MARK Target (MARK)" $MARK + [ -n "$MARK" ] && report_capability "Extended MARK Target (XMARK)" $XMARK + [ -n "$XMARK" ] && report_capability "Extended MARK Target 2 (EXMARK)" $EXMARK + report_capability "Mangle FORWARD Chain (MANGLE_FORWARD)" $MANGLE_FORWARD + report_capability "Comments (COMMENTS)" $COMMENTS + report_capability "Address Type Match (ADDRTYPE)" $ADDRTYPE + report_capability "TCPMSS Match (TCPMSS_MATCH)" $TCPMSS_MATCH + report_capability "Hashlimit Match (HASHLIMIT_MATCH)" $HASHLIMIT_MATCH + [ -n "$OLD_HL_MATCH" ] && report_capability "Old Hashlimit Match (OLD_HL_MATCH)" $OLD_HL_MATCH + report_capability "NFQUEUE Target (NFQUEUE_TARGET)" $NFQUEUE_TARGET + report_capability "Realm Match (REALM_MATCH)" $REALM_MATCH + report_capability "Helper Match (HELPER_MATCH)" $HELPER_MATCH + report_capability "Connlimit Match (CONNLIMIT_MATCH)" $CONNLIMIT_MATCH + report_capability "Time Match (TIME_MATCH)" $TIME_MATCH + report_capability "Goto Support (GOTO_TARGET)" $GOTO_TARGET + report_capability "LOGMARK Target (LOGMARK_TARGET)" $LOGMARK_TARGET + report_capability "IPMARK Target (IPMARK_TARGET)" $IPMARK_TARGET + report_capability "LOG Target (LOG_TARGET)" $LOG_TARGET + report_capability "ULOG Target (ULOG_TARGET)" $ULOG_TARGET + report_capability "NFLOG Target (NFLOG_TARGET)" $NFLOG_TARGET + report_capability "Persistent SNAT (PERSISTENT_SNAT)" $PERSISTENT_SNAT + report_capability "TPROXY Target (TPROXY_TARGET)" $TPROXY_TARGET + report_capability "FLOW Classifier (FLOW_FILTER)" $FLOW_FILTER + report_capability "fwmark route mask (FWMARK_RT_MASK)" $FWMARK_RT_MASK + report_capability "Mark in any table (MARK_ANYWHERE)" $MARK_ANYWHERE + report_capability "Header Match (HEADER_MATCH)" $HEADER_MATCH + report_capability "ACCOUNT Target (ACCOUNT_TARGET)" $ACCOUNT_TARGET + report_capability "AUDIT Target (AUDIT_TARGET)" 
$AUDIT_TARGET + report_capability "ipset V5 (IPSET_V5)" $IPSET_V5 + report_capability "Condition Match (CONDITION_MATCH)" $CONDITION_MATCH + report_capability "Statistic Match (STATISTIC_MATCH)" $STATISTIC_MATCH + report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET + report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH + report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET + report_capability "Geo IP match" $GEOIP_MATCH + report_capability "RPFilter match" $RPFILTER_MATCH + report_capability "NFAcct match" $NFACCT_MATCH + report_capability "Checksum Target" $CHECKSUM_TARGET + + report_capability "Amanda Helper" $AMANDA_HELPER + report_capability "FTP Helper" $FTP_HELPER + report_capability "FTP-0 Helper" $FTP0_HELPER + report_capability "IRC Helper" $IRC_HELPER + report_capability "IRC-0 Helper" $IRC0_HELPER + report_capability "Netbios_ns Helper" $NETBIOS_NS_HELPER + report_capability "H323 Helper" $H323_HELPER + report_capability "PPTP Helper" $PPTP_HELPER + report_capability "SANE Helper" $SANE_HELPER + report_capability "SANE-0 Helper" $SANE0_HELPER + report_capability "SIP Helper" $SIP_HELPER + report_capability "SIP-0 Helper" $SIP0_HELPER + report_capability "SNMP Helper" $SNMP_HELPER + report_capability "TFTP Helper" $TFTP_HELPER + report_capability "TFTP-0 Helper" $TFTP0_HELPER + + if [ $g_family -eq 4 ]; then + report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S + else + report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S + fi - report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER - report_capability "CT Target (CT_TARGET)" $CT_TARGET + report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER + report_capability "CT Target (CT_TARGET)" $CT_TARGET - echo " Kernel Version (KERNELVERSION): $KERNELVERSION" - echo " Capabilities Version (CAPVERSION): $CAPVERSION" + echo " Kernel Version (KERNELVERSION): $KERNELVERSION" + echo " Capabilities Version (CAPVERSION): $CAPVERSION" +} + +report_capabilities() { + + if [ $VERBOSITY 
-gt 1 ]; then + echo "$g_product has detected the following iptables/netfilter capabilities:" + report_capabilities_unsorted | sort fi [ -n "$PKTTYPE" ] || USEPKTTYPE= } -report_capabilities1() { +report_capabilities_unsorted1() { report_capability1() # $1 = Capability { eval echo $1=\$$1 } - echo "#" - echo "# $g_product $SHOREWALL_VERSION detected the following iptables/netfilter capabilities - $(date)" - echo "#" report_capability1 NAT_ENABLED report_capability1 MANGLE_ENABLED report_capability1 MULTIPORT @@ -2660,6 +2662,13 @@ echo KERNELVERSION=$KERNELVERSION } +report_capabilities1() { + echo "#" + echo "# $g_product $SHOREWALL_VERSION detected the following iptables/netfilter capabilities - $(date)" + echo "#" + report_capabilities_unsorted1 | sort +} + show_status() { if product_is_started ; then echo "$g_product is running" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.10.1/releasenotes.txt new/shorewall-core-4.5.11.2/releasenotes.txt --- old/shorewall-core-4.5.10.1/releasenotes.txt 2012-12-14 15:37:23.000000000 +0100 +++ new/shorewall-core-4.5.11.2/releasenotes.txt 2012-12-31 17:28:59.000000000 +0100 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 5 . 1 0 . 1 + S H O R E W A L L 4 . 5 . 1 1 . 2 ------------------------------------ - D e c e m b e r 1 5 , 2 0 1 2 + D e c e m b e r 3 1 , 2 0 1 2 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
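Review bot: The new `report_capabilities_unsorted | sort` pipeline in `report_capabilities`, and likewise `report_capabilities_unsorted1 | sort` in the `report_capabilities1` added by the following hunk, sort under whatever locale the caller happens to run in, so the order of `show capabilities` output and of the generated capabilities file differs between systems and locales (collation rules for spaces, case and punctuation vary); `report_capabilities_unsorted | LC_ALL=C sort` and `report_capabilities_unsorted1 | LC_ALL=C sort` give a byte-wise, reproducible order. The `Kernel Version (KERNELVERSION)` and `Capabilities Version (CAPVERSION)` echo lines were also moved inside `report_capabilities_unsorted`, so they are now interleaved with the capability lines by the sort instead of closing the report; if they are meant to stay last, echo them in `report_capabilities` after the pipeline, the way the header line is echoed before it. `report_capabilities_unsorted` itself opens in the preceding hunk.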
@@ -15,11 +15,373 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.5.10.1 +4.5.11.2 -1) A typo on line 10 of the IPv4 conntrack file has been corrected. +1) Corrected fix 2 from 4.5.11.1. -4.5.10 +4.5.11.1 + +1) Beginning with Shorewall 4.5.10, if the name of an optional + interface contained one or more characters that are not valid in a + shell function name, then the generated script would fail with a + "syntax error: bad function name" shell diagnostic. + + That problem has been corrected so that a valid function name is + generated. + +2) The kernel modules supplied by xtables-addons are now listed in the + modules.xtables files. They were previously omitted. + +4.5.11 + +1) This release includes the defect repair from Shorewall 4.5.10.1. + +---------------------------------------------------------------------------- + I I. K N O W N P R O B L E M S R E M A I N I N G +---------------------------------------------------------------------------- + +1) On systems running Upstart, shorewall-init cannot reliably secure + the firewall before interfaces are brought up. + +---------------------------------------------------------------------------- + I I I. N E W F E A T U R E S I N T H I S R E L E A S E +---------------------------------------------------------------------------- + +1) This release expands upon the concept of 'Shorewall Variables' + that was introduced in 4.5.10 with the creation of '@0' in SWITCH + columns. Beginning with 4.5.10, '@0' (or '@{0}') in a SWITCH column + expands to the name of the current chain. + + In this release, the Shorewall variables @loglevel and @logtag + are added. These variables are only available within action bodies + (both regular and in-line). + + Their contents are: + + @loglevel + + The log level specified when the action was invoked. If no + level was specified, @loglevel expands to 'none'. 
+ + @logtag + + The log tag specified when the action was invoked. If no tag + was specified, @logtag expands to an empty string. + + @1, @2, ... + + Same as $1, $2, ... + + Additionally, @chain has been added as a synonym for @0. Remember + that, unlike $0, non-alphanumeric charaters other than '_' have + been removed from @0. + +2) Action variables ($0, $1,...$n) and Shorewall variables are now + available in ?IF and ?ELSIF directives. + +3) A 'nolog' option has been added to /etc/shorewall[6]/actions. This + option causes the compiler to forego adding the log level and log + tag from the action invocation to those rules within the body that + do not specify a tag and/or level. + +3) An 'IGNOREUNKNOWNVARIABLES' option has been added to + /etc/shorewall[6]/shorewall[6].conf. When set to 'Yes', this option + instructs the compiler to expand unknown shell variables and + action parameters to an empty string rather than raising an error. + +4) ?SET and ?RESET directives are now available: + + ?SET <variable> <value> + ?RESET <variable> + + To cater to both Shell and Perl programmers, the <variable> may + be entered with or without leading '$'. + + The ?SET command sets the named <variable> to the specified + <value> where <value> is a Perl-compatible expression. + + The ?RESET command deletes the named <variable> from the compiler's + variable table. + + Shorewall variables (@chain, @loglevel,...) and action parameters + ($1, $2,...) are read-only and their values may not be changed + (although action parameter values may be changed using Embedded + Perl). + +5) This release introduces user-defined address variables. Address + variables are used at run-time rather than at compile-time. 
Prior + to this release, two types of address variables were available: + + &<interface> Expands to the primary IP address of + <interface> + + %<interface> Expands to the IP address of the default + gateway out of <interface> + + The two new types added in this release are distinguished by the + use of "{....}". + + &{<variable>} Address contained in run-time variable + <variable>. The named shell variable must + contain a valid IP address, either from the + generated script's environment or from having + been set in the generated script's 'init' + extension script. If the variable is empty or + if its contents are not a valid IP address, an + error is raised and the state of the firewall + is not changed. + + %{<variable>} Address contained in run-time variable + <variable>. If the named variable is empty, + the generated script sets it to the all-zeros + address (0.0.0.0 in IPv4 and :: in IPv6). When + this variable appears in a SOURCE or + DESTINATION column of any configuration file, + or if it appears in the ADDRESSES column of + the masq file, then no rule is generated when + the address variable is empty. Otherwise, the + rule is generated with the all-zeros address + replacing the variable. As above, if the + variable is non-empty and if it does not + contain a valid IP address, an error is raised + and the firewall state is unchanged. + +6) The output of 'show [-f] capabities' is now sorted to make + individual capabities easier to find. + +7) Beginning with this release, ?FORMAT is preferred over FORMAT for + specifying the format of records in these configuration files: + + action.* files + conntrack + interface + macro.* files + tcrules + + While deprecated, FORMAT (without the '?') is still supported. + + Also, ?COMMENT is preferred over COMMENT for attaching comments to + generated netfilter rules in the following files. 
+ + accounting + action.* files + blrules files + conntrack + macro.* files + masq + nat + rules + secmarks + tcrules + tunnels + + When one of the deprecated forms is encountered, a warning message + is issued. + + Example: + + WARNING: 'FORMAT' is deprecated in favor of '?FORMAT' - + consider running 'shorewall update -D'. + + As the warning indicates, 'update -D' will traverse the CONFIG_PATH + replacing FORMAT and COMMENT lines with ?FORMAT and ?COMMENT + directives respectively. The original version of modified files + will be saved with a .bak suffix. + + During the update, .bak files are skipped as are files in + ${SHAREDIR}/shorewall and ${SHAREDIR}/shorewall6. + +---------------------------------------------------------------------------- + V. M I G R A T I O N I S S U E S +---------------------------------------------------------------------------- + +1) If you are migrating from Shorewall 4.2.x or earlier, please see + http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/releasenotes.txt + +2) The BLACKLIST section of the rules file has been eliminated. + If you have entries in that file section, you must move them to the + blrules file. + +3) This version of Shorewall requires either the Digest::SHA1 or + Digest::SHA Perl module. + + Debian: libdigest-sha1-perl or libdigest-sha-perl + Fedora: perl-Digest-SHA1 or perl-Digest-SHA + OpenSuSE: perl-Digest-SHA1 or perl-Digest-SHA + +4) The generated firewall script now maintains the + /var/lib/shorewall[6][-lite]/interface.status files used by SWPING + and by LSM. + + If you have optional providers and do not run a link monitor like + SWPING or LSM that updates these files, then you should remove + /etc/shorewall[6]/isusable if it is installed. + + Beginning with Shorewall 4.5.3.1: + + - The 'disable' command stores a 1 in the interface's .status file. + - The .status file is ignored on 'enable' but not on 'start', + 'restart', 'restore' and 'refresh'. 
+ + This means that a disabled interface can only be re-enabled using + the 'enable' command. + +5) The /etc/shorewall[6]/tos file is now deprecated in favor of the + TOS() action in /etc/shorewall[6]/tcrules. + +6) The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been + renamed ACTION to reflect the expanded set of actions that can be + specified in the column. There is no change to existing + functionality. + +7) Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir + and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in + favor of the VARDIR setting in shorewallrc. + + NOTE: While the name of the variable remains VARDIR, the + meaning is slightly different. When set in shorewallrc, + each product (shorewall-lite, and shorewall6-lite) will + create a directory under the specified path name to + hold state information. + + Example: + + VARDIR=/opt/var/ + + The state directory for shorewall-lite will be + /opt/var/shorewall-lite/ and the directory for + shorewall6-lite will be /opt/var/shorewall6-lite. + + When VARDIR is set in /etc/shorewall[6]/vardir, the + product will save its state directly in the specified + directory. + + In Shorewall 4.5.8, a VARLIB variable was added to the shorewallrc + file and the meaning of VARDIR is once again consistent. The + default setting of VARDIR for a particular product is + ${VARLIB}/$product. There is an entry of that form in the + shorewallrc file. Because there is a single shorewallrc file for + all installed products, the /etc/shorewall[6]-lite/vardir file + provides the only means for overriding this default. + +8) Begining with Shorewall 4.5.6, the tcrules file is processed if + MANGLE_ENABLED=Yes, independent of the setting of TC_ENABLED. This + allows actions like TTL and TPROXY to be used without enabling + traffic shaping. + + If you have rules in your tcrules file that you only want processed + when TC_ENABLED is other than 'No', then enclose them in + + ?IF $TC_ENABLED + ... 
+ ?ENDIF + + If they are to be processed only if TC_ENABLED=Internal, then enclose + them in + + ?IF TC_ENABLED eq 'Internal' + ... + ?ENDIF + +9) Beginning with Shorewall 4.5.7, the deprecated + /etc/shorewall[6]/blacklist files are no longer installed. Existing + files are still processed by the compiler. Note that blacklist + files may be converted to equivalent blrules files using + 'shorewall[6] update -b'. + +10) In Shorewall 4.5.7, the /etc/shorewall[6]/notrack file was renamed + /etc/shorewall[6]/conntrack. When upgrading to a release >= 4.5.7, + the conntrack file will be installed along side of an existing + notrack file. When both files exist, a compiler warning is + generated: + + WARNING: Both notrack and conntrack exist; conntrack is ignored + + This warning may be eliminated by moving any entries in the notrack + file to the conntrack file and removing the notrack file. + +11) In Shorewall 4.5.8, the /etc/shorewall[6]/routestopped files were + deprecated if favor of new /etc/shorewall[6]/stoppedrules + counterparts. The new files have much more familiar and + straightforward semantics. Once a stoppedrules file is populated, + the compiler will process that file and will ignore the + corresponding routestopped file. + +12) In Shorewall 4.5.8, a new variable (VARLIB) was added to the + shorewallrc file. This variable assumes the role formerly played by + VARDIR, and VARDIR now designates the configuration directory for a + particular product. + + This change should be transparent to all users: + + a) If VARDIR is set in an existing shorewallrc file and VARLIB is + not, then VARLIB is set to ${VARDIR} and VARDIR is set to + ${VARLIB}/${PRODUCT}. + + b) If VARLIB is set in a shorewallrc file and VARDIR is not, then + VARDIR is set to ${VARLIB}/${PRODUCT}. 
+ + The Shorewall-core installer will automatically update + ~/.shorewallrc and save the original in ~/.shorewallrc.bak + +13) Previously, the macro.SNMP macro opened both UDP ports 161 and 162 + from SOURCE to DEST. This is against the usual practice of opening + these ports in the opposite direction. Beginning with Shorewall + 4.5.8, the SNMP macro opens port 161 from SOURCE to DEST as before, + and a new SNMPTrap macro is added that opens port 162 (from SOURCE + to DEST). + +14) Beginning with Shorewall 4.5.11, ?FORMAT is preferred over FORMAT + for specifying the format of records in these configuration files: + + action.* files + conntrack + interface + macro.* files + tcrules + + While deprecated, FORMAT (without the '?') is still supported. + + Also, ?COMMENT is preferred over COMMENT for attaching comments to + generated netfilter rules in the following files. + + accounting + action.* files + blrules files + conntrack + macro.* files + masq + nat + rules + secmarks + tcrules + tunnels + + When one of the deprecated forms is encountered, a warning message + is issued. + + Examples: + + WARNING: 'FORMAT' is deprecated in favor of '?FORMAT' - + consider running 'shorewall update -D'. + + WARNING: 'COMMENT' is deprecated in favor of '?COMMENT' - + consider running 'shorewall update -D'. + + As the warnings indicate, 'update -D' will traverse the CONFIG_PATH + replacing FORMAT and COMMENT lines with ?FORMAT and ?COMMENT + directives respectively. The original version of modified files + will be saved with a .bak suffix. + + + During the update, .bak files are skipped as are files in + ${SHAREDIR}/shorewall and ${SHAREDIR}/shorewall6. + +---------------------------------------------------------------------------- + V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 5 . 
1 0 +---------------------------------------------------------------------------- 1) This release includes all defect repair included in 4.5.9.1-4.5.9.3. @@ -42,18 +404,8 @@ 4) AUTOCOMMENT=No now works correctly; previously, it behaved the same as AUTOCOMMENT=Yes. -5) A harmless extraneous comma has been deleted from the rule - generated by action.RST. - ----------------------------------------------------------------------------- - I I. K N O W N P R O B L E M S R E M A I N I N G ----------------------------------------------------------------------------- - -1) On systems running Upstart, shorewall-init cannot reliably secure - the firewall before interfaces are brought up. - ---------------------------------------------------------------------------- - I I I. N E W F E A T U R E S I N T H I S R E L E A S E + N E W F E A T U R E S I N 4 . 5 . 1 0 ---------------------------------------------------------------------------- 1) Shorewall now treats optional non-provider interfaces in a manner 
@@ -202,148 +554,6 @@ 'set', 'tos' or 'u32' matches are not suppressed: ---------------------------------------------------------------------------- - V. M I G R A T I O N I S S U E S ----------------------------------------------------------------------------- - -1) If you are migrating from Shorewall 4.2.x or earlier, please see - http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/releasenotes.txt - -2) The BLACKLIST section of the rules file has been eliminated. - If you have entries in that file section, you must move them to the - blrules file. - -3) This version of Shorewall requires either the Digest::SHA1 or - Digest::SHA Perl module. - - Debian: libdigest-sha1-perl or libdigest-sha-perl - Fedora: perl-Digest-SHA1 or perl-Digest-SHA - OpenSuSE: perl-Digest-SHA1 or perl-Digest-SHA - -4) The generated firewall script now maintains the - /var/lib/shorewall[6][-lite]/interface.status files used by SWPING - and by LSM. - - If you have optional providers and do not run a link monitor like - SWPING or LSM that updates these files, then you should remove - /etc/shorewall[6]/isusable if it is installed. - - Beginning with Shorewall 4.5.3.1: - - - The 'disable' command stores a 1 in the interface's .status file. - - The .status file is ignored on 'enable' but not on 'start', - 'restart', 'restore' and 'refresh'. - - This means that a disabled interface can only be re-enabled using - the 'enable' command. - -5) The /etc/shorewall[6]/tos file is now deprecated in favor of the - TOS() action in /etc/shorewall[6]/tcrules. - -6) The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been - renamed ACTION to reflect the expanded set of actions that can be - specified in the column. There is no change to existing - functionality. - -7) Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir - and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in - favor of the VARDIR setting in shorewallrc. 
- - NOTE: While the name of the variable remains VARDIR, the - meaning is slightly different. When set in shorewallrc, - each product (shorewall-lite, and shorewall6-lite) will - create a directory under the specified path name to - hold state information. - - Example: - - VARDIR=/opt/var/ - - The state directory for shorewall-lite will be - /opt/var/shorewall-lite/ and the directory for - shorewall6-lite will be /opt/var/shorewall6-lite. - - When VARDIR is set in /etc/shorewall[6]/vardir, the - product will save its state directly in the specified - directory. - - In Shorewall 4.5.8, a VARLIB variable was added to the shorewallrc - file and the meaning of VARDIR is once again consistent. The - default setting of VARDIR for a particular product is - ${VARLIB}/$product. There is an entry of that form in the - shorewallrc file. Because there is a single shorewallrc file for - all installed products, the /etc/shorewall[6]-lite/vardir file - provides the only means for overriding this default. - -8) Begining with Shorewall 4.5.6, the tcrules file is processed if - MANGLE_ENABLED=Yes, independent of the setting of TC_ENABLED. This - allows actions like TTL and TPROXY to be used without enabling - traffic shaping. - - If you have rules in your tcrules file that you only want processed - when TC_ENABLED is other than 'No', then enclose them in - - ?IF $TC_ENABLED - ... - ?ENDIF - - If they are to be processed only if TC_ENABLED=Internal, then enclose - them in - - ?IF TC_ENABLED eq 'Internal' - ... - ?ENDIF - -9) Beginning with Shorewall 4.5.7, the deprecated - /etc/shorewall[6]/blacklist files are no longer installed. Existing - files are still processed by the compiler. Note that blacklist - files may be converted to equivalent blrules files using - 'shorewall[6] update -b'. - -10) In Shorewall 4.5.7, the /etc/shorewall[6]/notrack file was renamed - /etc/shorewall[6]/conntrack. 
When upgrading to a release >= 4.5.7, - the conntrack file will be installed along side of an existing - notrack file. When both files exist, a compiler warning is - generated: - - WARNING: Both notrack and conntrack exist; conntrack is ignored - - This warning may be eliminated by moving any entries in the notrack - file to the conntrack file and removing the notrack file. - -11) In Shorewall 4.5.8, the /etc/shorewall[6]/routestopped files were - deprecated if favor of new /etc/shorewall[6]/stoppedrules - counterparts. The new files have much more familiar and - straightforward semantics. Once a stoppedrules file is populated, - the compiler will process that file and will ignore the - corresponding routestopped file. - -12) In Shorewall 4.5.8, a new variable (VARLIB) was added to the - shorewallrc file. This variable assumes the role formerly played by - VARDIR, and VARDIR now designates the configuration directory for a - particular product. - - This change should be transparent to all users: - - a) If VARDIR is set in an existing shorewallrc file and VARLIB is - not, then VARLIB is set to ${VARDIR} and VARDIR is set to - ${VARLIB}/${PRODUCT}. - - b) If VARLIB is set in a shorewallrc file and VARDIR is not, then - VARDIR is set to ${VARLIB}/${PRODUCT}. - - The Shorewall-core installer will automatically update - ~/.shorewallrc and save the original in ~/.shorewallrc.bak - -13) Previously, the macro.SNMP macro opened both UDP ports 161 and 162 - from SOURCE to DEST. This is against the usual practice of opening - these ports in the opposite direction. Beginning with Shorewall - 4.5.8, the SNMP macro opens port 161 from SOURCE to DEST as before, - and a new SNMPTrap macro is added that opens port 162 (from SOURCE - to DEST). - ----------------------------------------------------------------------------- - V I. N O T E S F R O M O T H E R 4 . 
5 R E L E A S E S ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 5 . 9 ---------------------------------------------------------------------------- 4.5.9.3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.10.1/shorewall-core.spec new/shorewall-core-4.5.11.2/shorewall-core.spec
--- old/shorewall-core-4.5.10.1/shorewall-core.spec 2012-12-14 15:37:23.000000000 +0100
+++ new/shorewall-core-4.5.11.2/shorewall-core.spec 2012-12-31 17:28:59.000000000 +0100
@@ -1,6 +1,6 @@
 %define name shorewall-core
-%define version 4.5.10
-%define release 1
+%define version 4.5.11
+%define release 2
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -62,8 +62,20 @@
 %doc COPYING INSTALL changelog.txt releasenotes.txt
 
 %changelog
-* Fri Dec 14 2012 Tom Eastep tom@shorewall.net
-- Updated to 4.5.10-1
+* Mon Dec 31 2012 Tom Eastep tom@shorewall.net
+- Updated to 4.5.11-2
+* Fri Dec 28 2012 Tom Eastep tom@shorewall.net
+- Updated to 4.5.11-1
+* Wed Dec 26 2012 Tom Eastep tom@shorewall.net
+- Updated to 4.5.11-0base
+* Wed Dec 19 2012 Tom Eastep tom@shorewall.net
+- Updated to 4.5.11-0RC1
+* Thu Dec 13 2012 Tom Eastep tom@shorewall.net
+- Updated to 4.5.11-0Beta3
+* Sun Dec 09 2012 Tom Eastep tom@shorewall.net
+- Updated to 4.5.11-0Beta2
+* Mon Dec 03 2012 Tom Eastep tom@shorewall.net
+- Updated to 4.5.11-0Beta1
 * Sun Dec 02 2012 Tom Eastep tom@shorewall.net
 - Updated to 4.5.10-0base
 * Wed Nov 28 2012 Tom Eastep tom@shorewall.net
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.10.1/uninstall.sh new/shorewall-core-4.5.11.2/uninstall.sh
--- old/shorewall-core-4.5.10.1/uninstall.sh 2012-12-14 15:37:23.000000000 +0100
+++ new/shorewall-core-4.5.11.2/uninstall.sh 2012-12-31 17:28:59.000000000 +0100
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.5.10.1
+VERSION=4.5.11.2
 
 usage() # $1 = exit status
 {
++++++ shorewall-docs-html-4.5.10.1.tar.bz2 -> shorewall-docs-html-4.5.11.2.tar.bz2 ++++++
++++ 7360 lines of diff (skipped)
++++++ shorewall-init-4.5.10.1.tar.bz2 -> shorewall-init-4.5.11.2.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.10.1/changelog.txt new/shorewall-init-4.5.11.2/changelog.txt
--- old/shorewall-init-4.5.10.1/changelog.txt 2012-12-14 15:37:23.000000000 +0100
+++ new/shorewall-init-4.5.11.2/changelog.txt 2012-12-31 17:29:00.000000000 +0100
@@ -1,16 +1,60 @@
-Changes in 4.5.10.1
+Changes in 4.5.11.2
 
 1) Update release documents.
 
-2) Correct type on the 'conntrack' file.
+2) Correct modules.xtables.
 
-Changes in 4.5.10 Final
+Changes in 4.5.11.1
+
+1) Update release documents
+
+2) Avoid invalid function name to start optional interface.
+
+3) Add modules from xtables-addons to modules.xtables
+
+Changes in 4.5.11 Final
+
+1) Update release documents
+
+2) Update Perl module versions.
+
+3) Make all module-global variables 'our' to aid debugging.
+
+Changes in 4.5.11 RC 1
+
+1) update -D
+
+Changes in 4.5.11 Beta 3
+
+1) Implement user-defined address variables.
+
+2) Sort output of 'show capabilities'.
+
+3) ?FORMAT and ?COMMENT
+
+Changes in 4.5.11 Beta 2
 
 1) Update release documents.
 
-2) Correct pushing of parameters with nested parens.
+2) Implement @-variables.
+
+3) Rename ALLOWUNKNOWNVARIABLES to IGNOREUNKNOWNVARIABLES.
+
+4) Make $chain (@chain) a synonym for $0 ($0).
+
+Changes in 4.5.11 Beta 1
+
+1) Add ${loglevel} and ${logtag} as variables visible within actions.
 
-3) Remove extraneous ',' from the rule generated by action.RST.
+2) Add 'nolog' action option.
+
+3) Create a symbol table to hold all non-action shell variables.
+
+4) Implement ?set and ?reset
+
+Changes in 4.5.10 Final
+
+1) Update release documents.
 
 Changes in 4.5.10 RC 1
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.10.1/configure new/shorewall-init-4.5.11.2/configure
--- old/shorewall-init-4.5.10.1/configure 2012-12-14 15:37:23.000000000 +0100
+++ new/shorewall-init-4.5.11.2/configure 2012-12-31 17:29:00.000000000 +0100
@@ -28,7 +28,7 @@
 #
 # Build updates this
 #
-VERSION=4.5.10.1
+VERSION=4.5.11.2
 
 case "$BASH_VERSION" in
 [4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.10.1/configure.pl new/shorewall-init-4.5.11.2/configure.pl
--- old/shorewall-init-4.5.10.1/configure.pl 2012-12-14 15:37:23.000000000 +0100
+++ new/shorewall-init-4.5.11.2/configure.pl 2012-12-31 17:29:00.000000000 +0100
@@ -31,7 +31,7 @@
 # Build updates this
 #
 use constant {
- VERSION => '4.5.10.1'
+ VERSION => '4.5.11.2'
 };
 
 my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.10.1/install.sh new/shorewall-init-4.5.11.2/install.sh
--- old/shorewall-init-4.5.10.1/install.sh 2012-12-14 15:37:23.000000000 +0100
+++ new/shorewall-init-4.5.11.2/install.sh 2012-12-31 17:29:00.000000000 +0100
@@ -23,7 +23,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.5.10.1
+VERSION=4.5.11.2
 
 usage() # $1 = exit status
 {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.10.1/releasenotes.txt new/shorewall-init-4.5.11.2/releasenotes.txt
--- old/shorewall-init-4.5.10.1/releasenotes.txt 2012-12-14 15:37:23.000000000 +0100
+++ new/shorewall-init-4.5.11.2/releasenotes.txt 2012-12-31 17:29:00.000000000 +0100
@@ -1,7 +1,7 @@
 ----------------------------------------------------------------------------
- S H O R E W A L L 4 . 5 . 1 0 . 1
+ S H O R E W A L L 4 . 5 . 1 1 . 2
 ------------------------------------
- D e c e m b e r 1 5 , 2 0 1 2
+ D e c e m b e r 3 1 , 2 0 1 2
 ----------------------------------------------------------------------------
 
 I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -15,11 +15,373 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.5.10.1 +4.5.11.2 -1) A typo on line 10 of the IPv4 conntrack file has been corrected. +1) Corrected fix 2 from 4.5.11.1. -4.5.10 +4.5.11.1 + +1) Beginning with Shorewall 4.5.10, if the name of an optional + interface contained one or more characters that are not valid in a + shell function name, then the generated script would fail with a + "syntax error: bad function name" shell diagnostic. + + That problem has been corrected so that a valid function name is + generated. + +2) The kernel modules supplied by xtables-addons are now listed in the + modules.xtables files. They were previously omitted. + +4.5.11 + +1) This release includes the defect repair from Shorewall 4.5.10.1. + +---------------------------------------------------------------------------- + I I. K N O W N P R O B L E M S R E M A I N I N G +---------------------------------------------------------------------------- + +1) On systems running Upstart, shorewall-init cannot reliably secure + the firewall before interfaces are brought up. + +---------------------------------------------------------------------------- + I I I. N E W F E A T U R E S I N T H I S R E L E A S E +---------------------------------------------------------------------------- + +1) This release expands upon the concept of 'Shorewall Variables' + that was introduced in 4.5.10 with the creation of '@0' in SWITCH + columns. Beginning with 4.5.10, '@0' (or '@{0}') in a SWITCH column + expands to the name of the current chain. + + In this release, the Shorewall variables @loglevel and @logtag + are added. These variables are only available within action bodies + (both regular and in-line). + + Their contents are: + + @loglevel + + The log level specified when the action was invoked. If no + level was specified, @loglevel expands to 'none'. 
+ + @logtag + + The log tag specified when the action was invoked. If no tag + was specified, @logtag expands to an empty string. + + @1, @2, ... + + Same as $1, $2, ... + + Additionally, @chain has been added as a synonym for @0. Remember + that, unlike $0, non-alphanumeric charaters other than '_' have + been removed from @0. + +2) Action variables ($0, $1,...$n) and Shorewall variables are now + available in ?IF and ?ELSIF directives. + +3) A 'nolog' option has been added to /etc/shorewall[6]/actions. This + option causes the compiler to forego adding the log level and log + tag from the action invocation to those rules within the body that + do not specify a tag and/or level. + +3) An 'IGNOREUNKNOWNVARIABLES' option has been added to + /etc/shorewall[6]/shorewall[6].conf. When set to 'Yes', this option + instructs the compiler to expand unknown shell variables and + action parameters to an empty string rather than raising an error. + +4) ?SET and ?RESET directives are now available: + + ?SET <variable> <value> + ?RESET <variable> + + To cater to both Shell and Perl programmers, the <variable> may + be entered with or without leading '$'. + + The ?SET command sets the named <variable> to the specified + <value> where <value> is a Perl-compatible expression. + + The ?RESET command deletes the named <variable> from the compiler's + variable table. + + Shorewall variables (@chain, @loglevel,...) and action parameters + ($1, $2,...) are read-only and their values may not be changed + (although action parameter values may be changed using Embedded + Perl). + +5) This release introduces user-defined address variables. Address + variables are used at run-time rather than at compile-time. 
Prior + to this release, two types of address variables were available: + + &<interface> Expands to the primary IP address of + <interface> + + %<interface> Expands to the IP address of the default + gateway out of <interface> + + The two new types added in this release are distinguished by the + use of "{....}". + + &{<variable>} Address contained in run-time variable + <variable>. The named shell variable must + contain a valid IP address, either from the + generated script's environment or from having + been set in the generated script's 'init' + extension script. If the variable is empty or + if its contents are not a valid IP address, an + error is raised and the state of the firewall + is not changed. + + %{<variable>} Address contained in run-time variable + <variable>. If the named variable is empty, + the generated script sets it to the all-zeros + address (0.0.0.0 in IPv4 and :: in IPv6). When + this variable appears in a SOURCE or + DESTINATION column of any configuration file, + or if it appears in the ADDRESSES column of + the masq file, then no rule is generated when + the address variable is empty. Otherwise, the + rule is generated with the all-zeros address + replacing the variable. As above, if the + variable is non-empty and if it does not + contain a valid IP address, an error is raised + and the firewall state is unchanged. + +6) The output of 'show [-f] capabities' is now sorted to make + individual capabities easier to find. + +7) Beginning with this release, ?FORMAT is preferred over FORMAT for + specifying the format of records in these configuration files: + + action.* files + conntrack + interface + macro.* files + tcrules + + While deprecated, FORMAT (without the '?') is still supported. + + Also, ?COMMENT is preferred over COMMENT for attaching comments to + generated netfilter rules in the following files. 
+ + accounting + action.* files + blrules files + conntrack + macro.* files + masq + nat + rules + secmarks + tcrules + tunnels + + When one of the deprecated forms is encountered, a warning message + is issued. + + Example: + + WARNING: 'FORMAT' is deprecated in favor of '?FORMAT' - + consider running 'shorewall update -D'. + + As the warning indicates, 'update -D' will traverse the CONFIG_PATH + replacing FORMAT and COMMENT lines with ?FORMAT and ?COMMENT + directives respectively. The original version of modified files + will be saved with a .bak suffix. + + During the update, .bak files are skipped as are files in + ${SHAREDIR}/shorewall and ${SHAREDIR}/shorewall6. + +---------------------------------------------------------------------------- + V. M I G R A T I O N I S S U E S +---------------------------------------------------------------------------- + +1) If you are migrating from Shorewall 4.2.x or earlier, please see + http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/releasenotes.txt + +2) The BLACKLIST section of the rules file has been eliminated. + If you have entries in that file section, you must move them to the + blrules file. + +3) This version of Shorewall requires either the Digest::SHA1 or + Digest::SHA Perl module. + + Debian: libdigest-sha1-perl or libdigest-sha-perl + Fedora: perl-Digest-SHA1 or perl-Digest-SHA + OpenSuSE: perl-Digest-SHA1 or perl-Digest-SHA + +4) The generated firewall script now maintains the + /var/lib/shorewall[6][-lite]/interface.status files used by SWPING + and by LSM. + + If you have optional providers and do not run a link monitor like + SWPING or LSM that updates these files, then you should remove + /etc/shorewall[6]/isusable if it is installed. + + Beginning with Shorewall 4.5.3.1: + + - The 'disable' command stores a 1 in the interface's .status file. + - The .status file is ignored on 'enable' but not on 'start', + 'restart', 'restore' and 'refresh'. 
+ + This means that a disabled interface can only be re-enabled using + the 'enable' command. + +5) The /etc/shorewall[6]/tos file is now deprecated in favor of the + TOS() action in /etc/shorewall[6]/tcrules. + +6) The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been + renamed ACTION to reflect the expanded set of actions that can be + specified in the column. There is no change to existing + functionality. + +7) Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir + and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in + favor of the VARDIR setting in shorewallrc. + + NOTE: While the name of the variable remains VARDIR, the + meaning is slightly different. When set in shorewallrc, + each product (shorewall-lite, and shorewall6-lite) will + create a directory under the specified path name to + hold state information. + + Example: + + VARDIR=/opt/var/ + + The state directory for shorewall-lite will be + /opt/var/shorewall-lite/ and the directory for + shorewall6-lite will be /opt/var/shorewall6-lite. + + When VARDIR is set in /etc/shorewall[6]/vardir, the + product will save its state directly in the specified + directory. + + In Shorewall 4.5.8, a VARLIB variable was added to the shorewallrc + file and the meaning of VARDIR is once again consistent. The + default setting of VARDIR for a particular product is + ${VARLIB}/$product. There is an entry of that form in the + shorewallrc file. Because there is a single shorewallrc file for + all installed products, the /etc/shorewall[6]-lite/vardir file + provides the only means for overriding this default. + +8) Begining with Shorewall 4.5.6, the tcrules file is processed if + MANGLE_ENABLED=Yes, independent of the setting of TC_ENABLED. This + allows actions like TTL and TPROXY to be used without enabling + traffic shaping. + + If you have rules in your tcrules file that you only want processed + when TC_ENABLED is other than 'No', then enclose them in + + ?IF $TC_ENABLED + ... 
+ ?ENDIF + + If they are to be processed only if TC_ENABLED=Internal, then enclose + them in + + ?IF TC_ENABLED eq 'Internal' + ... + ?ENDIF + +9) Beginning with Shorewall 4.5.7, the deprecated + /etc/shorewall[6]/blacklist files are no longer installed. Existing + files are still processed by the compiler. Note that blacklist + files may be converted to equivalent blrules files using + 'shorewall[6] update -b'. + +10) In Shorewall 4.5.7, the /etc/shorewall[6]/notrack file was renamed + /etc/shorewall[6]/conntrack. When upgrading to a release >= 4.5.7, + the conntrack file will be installed along side of an existing + notrack file. When both files exist, a compiler warning is + generated: + + WARNING: Both notrack and conntrack exist; conntrack is ignored + + This warning may be eliminated by moving any entries in the notrack + file to the conntrack file and removing the notrack file. + +11) In Shorewall 4.5.8, the /etc/shorewall[6]/routestopped files were + deprecated if favor of new /etc/shorewall[6]/stoppedrules + counterparts. The new files have much more familiar and + straightforward semantics. Once a stoppedrules file is populated, + the compiler will process that file and will ignore the + corresponding routestopped file. + +12) In Shorewall 4.5.8, a new variable (VARLIB) was added to the + shorewallrc file. This variable assumes the role formerly played by + VARDIR, and VARDIR now designates the configuration directory for a + particular product. + + This change should be transparent to all users: + + a) If VARDIR is set in an existing shorewallrc file and VARLIB is + not, then VARLIB is set to ${VARDIR} and VARDIR is set to + ${VARLIB}/${PRODUCT}. + + b) If VARLIB is set in a shorewallrc file and VARDIR is not, then + VARDIR is set to ${VARLIB}/${PRODUCT}. 
+ + The Shorewall-core installer will automatically update + ~/.shorewallrc and save the original in ~/.shorewallrc.bak + +13) Previously, the macro.SNMP macro opened both UDP ports 161 and 162 + from SOURCE to DEST. This is against the usual practice of opening + these ports in the opposite direction. Beginning with Shorewall + 4.5.8, the SNMP macro opens port 161 from SOURCE to DEST as before, + and a new SNMPTrap macro is added that opens port 162 (from SOURCE + to DEST). + +14) Beginning with Shorewall 4.5.11, ?FORMAT is preferred over FORMAT + for specifying the format of records in these configuration files: + + action.* files + conntrack + interface + macro.* files + tcrules + + While deprecated, FORMAT (without the '?') is still supported. + + Also, ?COMMENT is preferred over COMMENT for attaching comments to + generated netfilter rules in the following files. + + accounting + action.* files + blrules files + conntrack + macro.* files + masq + nat + rules + secmarks + tcrules + tunnels + + When one of the deprecated forms is encountered, a warning message + is issued. + + Examples: + + WARNING: 'FORMAT' is deprecated in favor of '?FORMAT' - + consider running 'shorewall update -D'. + + WARNING: 'COMMENT' is deprecated in favor of '?COMMENT' - + consider running 'shorewall update -D'. + + As the warnings indicate, 'update -D' will traverse the CONFIG_PATH + replacing FORMAT and COMMENT lines with ?FORMAT and ?COMMENT + directives respectively. The original version of modified files + will be saved with a .bak suffix. + + + During the update, .bak files are skipped as are files in + ${SHAREDIR}/shorewall and ${SHAREDIR}/shorewall6. + +---------------------------------------------------------------------------- + V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 5 . 
1 0 +---------------------------------------------------------------------------- 1) This release includes all defect repair included in 4.5.9.1-4.5.9.3. @@ -42,18 +404,8 @@ 4) AUTOCOMMENT=No now works correctly; previously, it behaved the same as AUTOCOMMENT=Yes. -5) A harmless extraneous comma has been deleted from the rule - generated by action.RST. - ----------------------------------------------------------------------------- - I I. K N O W N P R O B L E M S R E M A I N I N G ----------------------------------------------------------------------------- - -1) On systems running Upstart, shorewall-init cannot reliably secure - the firewall before interfaces are brought up. - ---------------------------------------------------------------------------- - I I I. N E W F E A T U R E S I N T H I S R E L E A S E + N E W F E A T U R E S I N 4 . 5 . 1 0 ---------------------------------------------------------------------------- 1) Shorewall now treats optional non-provider interfaces in a manner 
@@ -202,148 +554,6 @@ 'set', 'tos' or 'u32' matches are not suppressed: ---------------------------------------------------------------------------- - V. M I G R A T I O N I S S U E S ----------------------------------------------------------------------------- - -1) If you are migrating from Shorewall 4.2.x or earlier, please see - http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/releasenotes.txt - -2) The BLACKLIST section of the rules file has been eliminated. - If you have entries in that file section, you must move them to the - blrules file. - -3) This version of Shorewall requires either the Digest::SHA1 or - Digest::SHA Perl module. - - Debian: libdigest-sha1-perl or libdigest-sha-perl - Fedora: perl-Digest-SHA1 or perl-Digest-SHA - OpenSuSE: perl-Digest-SHA1 or perl-Digest-SHA - -4) The generated firewall script now maintains the - /var/lib/shorewall[6][-lite]/interface.status files used by SWPING - and by LSM. - - If you have optional providers and do not run a link monitor like - SWPING or LSM that updates these files, then you should remove - /etc/shorewall[6]/isusable if it is installed. - - Beginning with Shorewall 4.5.3.1: - - - The 'disable' command stores a 1 in the interface's .status file. - - The .status file is ignored on 'enable' but not on 'start', - 'restart', 'restore' and 'refresh'. - - This means that a disabled interface can only be re-enabled using - the 'enable' command. - -5) The /etc/shorewall[6]/tos file is now deprecated in favor of the - TOS() action in /etc/shorewall[6]/tcrules. - -6) The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been - renamed ACTION to reflect the expanded set of actions that can be - specified in the column. There is no change to existing - functionality. - -7) Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir - and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in - favor of the VARDIR setting in shorewallrc. 
- - NOTE: While the name of the variable remains VARDIR, the - meaning is slightly different. When set in shorewallrc, - each product (shorewall-lite, and shorewall6-lite) will - create a directory under the specified path name to - hold state information. - - Example: - - VARDIR=/opt/var/ - - The state directory for shorewall-lite will be - /opt/var/shorewall-lite/ and the directory for - shorewall6-lite will be /opt/var/shorewall6-lite. - - When VARDIR is set in /etc/shorewall[6]/vardir, the - product will save its state directly in the specified - directory. - - In Shorewall 4.5.8, a VARLIB variable was added to the shorewallrc - file and the meaning of VARDIR is once again consistent. The - default setting of VARDIR for a particular product is - ${VARLIB}/$product. There is an entry of that form in the - shorewallrc file. Because there is a single shorewallrc file for - all installed products, the /etc/shorewall[6]-lite/vardir file - provides the only means for overriding this default. - -8) Begining with Shorewall 4.5.6, the tcrules file is processed if - MANGLE_ENABLED=Yes, independent of the setting of TC_ENABLED. This - allows actions like TTL and TPROXY to be used without enabling - traffic shaping. - - If you have rules in your tcrules file that you only want processed - when TC_ENABLED is other than 'No', then enclose them in - - ?IF $TC_ENABLED - ... - ?ENDIF - - If they are to be processed only if TC_ENABLED=Internal, then enclose - them in - - ?IF TC_ENABLED eq 'Internal' - ... - ?ENDIF - -9) Beginning with Shorewall 4.5.7, the deprecated - /etc/shorewall[6]/blacklist files are no longer installed. Existing - files are still processed by the compiler. Note that blacklist - files may be converted to equivalent blrules files using - 'shorewall[6] update -b'. - -10) In Shorewall 4.5.7, the /etc/shorewall[6]/notrack file was renamed - /etc/shorewall[6]/conntrack. 
When upgrading to a release >= 4.5.7, - the conntrack file will be installed along side of an existing - notrack file. When both files exist, a compiler warning is - generated: - - WARNING: Both notrack and conntrack exist; conntrack is ignored - - This warning may be eliminated by moving any entries in the notrack - file to the conntrack file and removing the notrack file. - -11) In Shorewall 4.5.8, the /etc/shorewall[6]/routestopped files were - deprecated if favor of new /etc/shorewall[6]/stoppedrules - counterparts. The new files have much more familiar and - straightforward semantics. Once a stoppedrules file is populated, - the compiler will process that file and will ignore the - corresponding routestopped file. - -12) In Shorewall 4.5.8, a new variable (VARLIB) was added to the - shorewallrc file. This variable assumes the role formerly played by - VARDIR, and VARDIR now designates the configuration directory for a - particular product. - - This change should be transparent to all users: - - a) If VARDIR is set in an existing shorewallrc file and VARLIB is - not, then VARLIB is set to ${VARDIR} and VARDIR is set to - ${VARLIB}/${PRODUCT}. - - b) If VARLIB is set in a shorewallrc file and VARDIR is not, then - VARDIR is set to ${VARLIB}/${PRODUCT}. - - The Shorewall-core installer will automatically update - ~/.shorewallrc and save the original in ~/.shorewallrc.bak - -13) Previously, the macro.SNMP macro opened both UDP ports 161 and 162 - from SOURCE to DEST. This is against the usual practice of opening - these ports in the opposite direction. Beginning with Shorewall - 4.5.8, the SNMP macro opens port 161 from SOURCE to DEST as before, - and a new SNMPTrap macro is added that opens port 162 (from SOURCE - to DEST). - ----------------------------------------------------------------------------- - V I. N O T E S F R O M O T H E R 4 . 
5 R E L E A S E S
 ----------------------------------------------------------------------------
 P R O B L E M S C O R R E C T E D I N 4 . 5 . 9
 ----------------------------------------------------------------------------
 4.5.9.3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.10.1/shorewall-init.spec new/shorewall-init-4.5.11.2/shorewall-init.spec
--- old/shorewall-init-4.5.10.1/shorewall-init.spec 2012-12-14 15:37:23.000000000 +0100
+++ new/shorewall-init-4.5.11.2/shorewall-init.spec 2012-12-31 17:29:00.000000000 +0100
@@ -1,6 +1,6 @@
 %define name shorewall-init
-%define version 4.5.10
-%define release 1
+%define version 4.5.11
+%define release 2
 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
 Name: %{name}
@@ -125,8 +125,22 @@
 %doc COPYING changelog.txt releasenotes.txt
 %changelog
-* Fri Dec 14 2012 Tom Eastep tom@shorewall.net
-- Updated to 4.5.10-1
+* Mon Dec 31 2012 Tom Eastep tom@shorewall.net
+- Updated to 4.5.11-2
+* Fri Dec 28 2012 Tom Eastep tom@shorewall.net
+- Updated to 4.5.11-1
+* Wed Dec 26 2012 Tom Eastep tom@shorewall.net
+- Updated to 4.5.11-0base
+* Wed Dec 19 2012 Tom Eastep tom@shorewall.net
+- Updated to 4.5.11-0RC1
+* Thu Dec 13 2012 Tom Eastep tom@shorewall.net
+- Updated to 4.5.11-0Beta3
+* Thu Dec 13 2012 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta3
+* Sun Dec 09 2012 Tom Eastep tom@shorewall.net
+- Updated to 4.5.11-0Beta2
+* Mon Dec 03 2012 Tom Eastep tom@shorewall.net
+- Updated to 4.5.11-0Beta1
 * Sun Dec 02 2012 Tom Eastep tom@shorewall.net
 - Updated to 4.5.10-0base
 * Wed Nov 28 2012 Tom Eastep tom@shorewall.net
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.10.1/uninstall.sh new/shorewall-init-4.5.11.2/uninstall.sh
--- old/shorewall-init-4.5.10.1/uninstall.sh 2012-12-14 15:37:23.000000000 +0100
+++ new/shorewall-init-4.5.11.2/uninstall.sh 2012-12-31 17:29:00.000000000 +0100
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.5.10.1
+VERSION=4.5.11.2
 usage() # $1 = exit status
 {
++++++ shorewall-lite-4.5.10.1.tar.bz2 -> shorewall-lite-4.5.11.2.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.10.1/changelog.txt new/shorewall-lite-4.5.11.2/changelog.txt
--- old/shorewall-lite-4.5.10.1/changelog.txt 2012-12-14 15:37:23.000000000 +0100
+++ new/shorewall-lite-4.5.11.2/changelog.txt 2012-12-31 17:29:00.000000000 +0100
@@ -1,16 +1,60 @@
-Changes in 4.5.10.1
+Changes in 4.5.11.2
 1) Update release documents.
-2) Correct type on the 'conntrack' file.
+2) Correct modules.xtables.
-Changes in 4.5.10 Final
+Changes in 4.5.11.1
+
+1) Update release documents
+
+2) Avoid invalid function name to start optional interface.
+
+3) Add modules from xtables-addons to modules.xtables
+
+Changes in 4.5.11 Final
+
+1) Update release documents
+
+2) Update Perl module versions.
+
+3) Make all module-global variables 'our' to aid debugging.
+
+Changes in 4.5.11 RC 1
+
+1) update -D
+
+Changes in 4.5.11 Beta 3
+
+1) Implement user-defined address variables.
+
+2) Sort output of 'show capabilities'.
+
+3) ?FORMAT and ?COMMENT
+
+Changes in 4.5.11 Beta 2
 1) Update release documents.
-2) Correct pushing of parameters with nested parens.
+2) Implement @-variables.
+
+3) Rename ALLOWUNKNOWNVARIABLES to IGNOREUNKNOWNVARIABLES.
+
+4) Make $chain (@chain) a synonym for $0 ($0).
+
+Changes in 4.5.11 Beta 1
+
+1) Add ${loglevel} and ${logtag} as variables visible within actions.
-3) Remove extraneous ',' from the rule generated by action.RST.
+2) Add 'nolog' action option.
+
+3) Create a symbol table to hold all non-action shell variables.
+
+4) Implement ?set and ?reset
+
+Changes in 4.5.10 Final
+
+1) Update release documents.
 Changes in 4.5.10 RC 1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.10.1/configure new/shorewall-lite-4.5.11.2/configure
--- old/shorewall-lite-4.5.10.1/configure 2012-12-14 15:37:23.000000000 +0100
+++ new/shorewall-lite-4.5.11.2/configure 2012-12-31 17:29:00.000000000 +0100
@@ -28,7 +28,7 @@
 #
 # Build updates this
 #
-VERSION=4.5.10.1
+VERSION=4.5.11.2
 case "$BASH_VERSION" in
 [4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.10.1/configure.pl new/shorewall-lite-4.5.11.2/configure.pl
--- old/shorewall-lite-4.5.10.1/configure.pl 2012-12-14 15:37:23.000000000 +0100
+++ new/shorewall-lite-4.5.11.2/configure.pl 2012-12-31 17:29:00.000000000 +0100
@@ -31,7 +31,7 @@
 # Build updates this
 #
 use constant {
- VERSION => '4.5.10.1'
+ VERSION => '4.5.11.2'
 };
 my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.10.1/install.sh new/shorewall-lite-4.5.11.2/install.sh
--- old/shorewall-lite-4.5.10.1/install.sh 2012-12-14 15:37:23.000000000 +0100
+++ new/shorewall-lite-4.5.11.2/install.sh 2012-12-31 17:29:00.000000000 +0100
@@ -22,7 +22,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.5.10.1
+VERSION=4.5.11.2
 usage() # $1 = exit status
 {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.10.1/manpages/shorewall-lite-vardir.5 new/shorewall-lite-4.5.11.2/manpages/shorewall-lite-vardir.5
--- old/shorewall-lite-4.5.10.1/manpages/shorewall-lite-vardir.5 2012-12-14 15:43:03.000000000 +0100
+++ new/shorewall-lite-4.5.11.2/manpages/shorewall-lite-vardir.5 2012-12-31 17:34:37.000000000 +0100
@@ -2,12 +2,12 @@
 .\" Title: shorewall-lite-vardir
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.75.2 http://docbook.sf.net/
-.\" Date: 12/14/2012
+.\" Date: 12/31/2012
 .\" Manual: [FIXME: manual]
 .\" Source: [FIXME: source]
 .\" Language: English
 .\"
-.TH "SHOREWALL\-LITE\-VAR" "5" "12/14/2012" "[FIXME: source]" "[FIXME: manual]"
+.TH "SHOREWALL\-LITE\-VAR" "5" "12/31/2012" "[FIXME: source]" "[FIXME: manual]"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.10.1/manpages/shorewall-lite.8 new/shorewall-lite-4.5.11.2/manpages/shorewall-lite.8
--- old/shorewall-lite-4.5.10.1/manpages/shorewall-lite.8 2012-12-14 15:43:05.000000000 +0100
+++ new/shorewall-lite-4.5.11.2/manpages/shorewall-lite.8 2012-12-31 17:34:39.000000000 +0100
@@ -2,12 +2,12 @@
 .\" Title: shorewall-lite
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.75.2 http://docbook.sf.net/
-.\" Date: 12/14/2012
+.\" Date: 12/31/2012
 .\" Manual: [FIXME: manual]
 .\" Source: [FIXME: source]
 .\" Language: English
 .\"
-.TH "SHOREWALL\-LITE" "8" "12/14/2012" "[FIXME: source]" "[FIXME: manual]"
+.TH "SHOREWALL\-LITE" "8" "12/31/2012" "[FIXME: source]" "[FIXME: manual]"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.10.1/manpages/shorewall-lite.conf.5 new/shorewall-lite-4.5.11.2/manpages/shorewall-lite.conf.5
--- old/shorewall-lite-4.5.10.1/manpages/shorewall-lite.conf.5 2012-12-14 15:43:01.000000000 +0100
+++ new/shorewall-lite-4.5.11.2/manpages/shorewall-lite.conf.5 2012-12-31 17:34:35.000000000 +0100
@@ -2,12 +2,12 @@
 .\" Title: shorewall-lite.conf
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.75.2 http://docbook.sf.net/
-.\" Date: 12/14/2012
+.\" Date: 12/31/2012
 .\" Manual: [FIXME: manual]
 .\" Source: [FIXME: source]
 .\" Language: English
 .\"
-.TH "SHOREWALL\-LITE\&.CO" "5" "12/14/2012" "[FIXME: source]" "[FIXME: manual]"
+.TH "SHOREWALL\-LITE\&.CO" "5" "12/31/2012" "[FIXME: source]" "[FIXME: manual]"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.10.1/modules.xtables new/shorewall-lite-4.5.11.2/modules.xtables
--- old/shorewall-lite-4.5.10.1/modules.xtables 2012-12-14 15:37:23.000000000 +0100
+++ new/shorewall-lite-4.5.11.2/modules.xtables 2012-12-31 17:29:00.000000000 +0100
@@ -39,3 +39,11 @@
 loadmodule xt_tcpmss
 loadmodule xt_IPMARK
 loadmodule xt_TPROXY
+#
+# From xtables-addons
+#
+loadmodule xt_condition
+loadmodule xt_geoip
+loadmodule xt_ipp2p
+loadmodule xt_LOGMARK
+loadmodule xt_RAWNAT
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.10.1/releasenotes.txt new/shorewall-lite-4.5.11.2/releasenotes.txt
--- old/shorewall-lite-4.5.10.1/releasenotes.txt 2012-12-14 15:37:23.000000000 +0100
+++ new/shorewall-lite-4.5.11.2/releasenotes.txt 2012-12-31 17:29:00.000000000 +0100
@@ -1,7 +1,7 @@
 ----------------------------------------------------------------------------
- S H O R E W A L L 4 . 5 . 1 0 . 1
+ S H O R E W A L L 4 . 5 . 1 1 . 2
 ------------------------------------
- D e c e m b e r 1 5 , 2 0 1 2
+ D e c e m b e r 3 1 , 2 0 1 2
 ----------------------------------------------------------------------------
 I. PROBLEMS CORRECTED IN THIS RELEASE
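Review bot: The five `loadmodule` lines added at the end of the modules.xtables hunk name modules that come from the out-of-tree xtables-addons package rather than the mainline kernel, so on a host without that package every one of those modprobes will fail, and nothing in the hunk documents whether loadmodule treats a missing module as fatal or as best-effort. Presumably it is best-effort, since the existing entries above it already cover optional matches, but that should be confirmed against the loader before this ships, because a hard failure here would prevent the firewall from starting at all. If the loader loads everything listed unconditionally rather than on demand, these lines also pull out-of-tree kernel code (xt_ipp2p, xt_geoip, xt_RAWNAT) into every start even when no rule references it, which is extra kernel attack surface worth stating next to the entries. I would expand the header to say so, e.g. `# From xtables-addons (out-of-tree, optional): loaded only if installed; absence is not an error` — adjusting the last clause to whatever the loader actually does.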
@@ -15,11 +15,373 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.5.10.1 +4.5.11.2 -1) A typo on line 10 of the IPv4 conntrack file has been corrected. +1) Corrected fix 2 from 4.5.11.1. -4.5.10 +4.5.11.1 + +1) Beginning with Shorewall 4.5.10, if the name of an optional + interface contained one or more characters that are not valid in a + shell function name, then the generated script would fail with a + "syntax error: bad function name" shell diagnostic. + + That problem has been corrected so that a valid function name is + generated. + +2) The kernel modules supplied by xtables-addons are now listed in the + modules.xtables files. They were previously omitted. + +4.5.11 + +1) This release includes the defect repair from Shorewall 4.5.10.1. + +---------------------------------------------------------------------------- + I I. K N O W N P R O B L E M S R E M A I N I N G +---------------------------------------------------------------------------- + +1) On systems running Upstart, shorewall-init cannot reliably secure + the firewall before interfaces are brought up. + +---------------------------------------------------------------------------- + I I I. N E W F E A T U R E S I N T H I S R E L E A S E +---------------------------------------------------------------------------- + +1) This release expands upon the concept of 'Shorewall Variables' + that was introduced in 4.5.10 with the creation of '@0' in SWITCH + columns. Beginning with 4.5.10, '@0' (or '@{0}') in a SWITCH column + expands to the name of the current chain. + + In this release, the Shorewall variables @loglevel and @logtag + are added. These variables are only available within action bodies + (both regular and in-line). + + Their contents are: + + @loglevel + + The log level specified when the action was invoked. If no + level was specified, @loglevel expands to 'none'. 
+ + @logtag + + The log tag specified when the action was invoked. If no tag + was specified, @logtag expands to an empty string. + + @1, @2, ... + + Same as $1, $2, ... + + Additionally, @chain has been added as a synonym for @0. Remember + that, unlike $0, non-alphanumeric charaters other than '_' have + been removed from @0. + +2) Action variables ($0, $1,...$n) and Shorewall variables are now + available in ?IF and ?ELSIF directives. + +3) A 'nolog' option has been added to /etc/shorewall[6]/actions. This + option causes the compiler to forego adding the log level and log + tag from the action invocation to those rules within the body that + do not specify a tag and/or level. + +3) An 'IGNOREUNKNOWNVARIABLES' option has been added to + /etc/shorewall[6]/shorewall[6].conf. When set to 'Yes', this option + instructs the compiler to expand unknown shell variables and + action parameters to an empty string rather than raising an error. + +4) ?SET and ?RESET directives are now available: + + ?SET <variable> <value> + ?RESET <variable> + + To cater to both Shell and Perl programmers, the <variable> may + be entered with or without leading '$'. + + The ?SET command sets the named <variable> to the specified + <value> where <value> is a Perl-compatible expression. + + The ?RESET command deletes the named <variable> from the compiler's + variable table. + + Shorewall variables (@chain, @loglevel,...) and action parameters + ($1, $2,...) are read-only and their values may not be changed + (although action parameter values may be changed using Embedded + Perl). + +5) This release introduces user-defined address variables. Address + variables are used at run-time rather than at compile-time. 
Prior + to this release, two types of address variables were available: + + &<interface> Expands to the primary IP address of + <interface> + + %<interface> Expands to the IP address of the default + gateway out of <interface> + + The two new types added in this release are distinguished by the + use of "{....}". + + &{<variable>} Address contained in run-time variable + <variable>. The named shell variable must + contain a valid IP address, either from the + generated script's environment or from having + been set in the generated script's 'init' + extension script. If the variable is empty or + if its contents are not a valid IP address, an + error is raised and the state of the firewall + is not changed. + + %{<variable>} Address contained in run-time variable + <variable>. If the named variable is empty, + the generated script sets it to the all-zeros + address (0.0.0.0 in IPv4 and :: in IPv6). When + this variable appears in a SOURCE or + DESTINATION column of any configuration file, + or if it appears in the ADDRESSES column of + the masq file, then no rule is generated when + the address variable is empty. Otherwise, the + rule is generated with the all-zeros address + replacing the variable. As above, if the + variable is non-empty and if it does not + contain a valid IP address, an error is raised + and the firewall state is unchanged. + +6) The output of 'show [-f] capabities' is now sorted to make + individual capabities easier to find. + +7) Beginning with this release, ?FORMAT is preferred over FORMAT for + specifying the format of records in these configuration files: + + action.* files + conntrack + interface + macro.* files + tcrules + + While deprecated, FORMAT (without the '?') is still supported. + + Also, ?COMMENT is preferred over COMMENT for attaching comments to + generated netfilter rules in the following files. 
+ + accounting + action.* files + blrules files + conntrack + macro.* files + masq + nat + rules + secmarks + tcrules + tunnels + + When one of the deprecated forms is encountered, a warning message + is issued. + + Example: + + WARNING: 'FORMAT' is deprecated in favor of '?FORMAT' - + consider running 'shorewall update -D'. + + As the warning indicates, 'update -D' will traverse the CONFIG_PATH + replacing FORMAT and COMMENT lines with ?FORMAT and ?COMMENT + directives respectively. The original version of modified files + will be saved with a .bak suffix. + + During the update, .bak files are skipped as are files in + ${SHAREDIR}/shorewall and ${SHAREDIR}/shorewall6. + +---------------------------------------------------------------------------- + V. M I G R A T I O N I S S U E S +---------------------------------------------------------------------------- + +1) If you are migrating from Shorewall 4.2.x or earlier, please see + http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/releasenotes.txt + +2) The BLACKLIST section of the rules file has been eliminated. + If you have entries in that file section, you must move them to the + blrules file. + +3) This version of Shorewall requires either the Digest::SHA1 or + Digest::SHA Perl module. + + Debian: libdigest-sha1-perl or libdigest-sha-perl + Fedora: perl-Digest-SHA1 or perl-Digest-SHA + OpenSuSE: perl-Digest-SHA1 or perl-Digest-SHA + +4) The generated firewall script now maintains the + /var/lib/shorewall[6][-lite]/interface.status files used by SWPING + and by LSM. + + If you have optional providers and do not run a link monitor like + SWPING or LSM that updates these files, then you should remove + /etc/shorewall[6]/isusable if it is installed. + + Beginning with Shorewall 4.5.3.1: + + - The 'disable' command stores a 1 in the interface's .status file. + - The .status file is ignored on 'enable' but not on 'start', + 'restart', 'restore' and 'refresh'. 
+ + This means that a disabled interface can only be re-enabled using + the 'enable' command. + +5) The /etc/shorewall[6]/tos file is now deprecated in favor of the + TOS() action in /etc/shorewall[6]/tcrules. + +6) The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been + renamed ACTION to reflect the expanded set of actions that can be + specified in the column. There is no change to existing + functionality. + +7) Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir + and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in + favor of the VARDIR setting in shorewallrc. + + NOTE: While the name of the variable remains VARDIR, the + meaning is slightly different. When set in shorewallrc, + each product (shorewall-lite, and shorewall6-lite) will + create a directory under the specified path name to + hold state information. + + Example: + + VARDIR=/opt/var/ + + The state directory for shorewall-lite will be + /opt/var/shorewall-lite/ and the directory for + shorewall6-lite will be /opt/var/shorewall6-lite. + + When VARDIR is set in /etc/shorewall[6]/vardir, the + product will save its state directly in the specified + directory. + + In Shorewall 4.5.8, a VARLIB variable was added to the shorewallrc + file and the meaning of VARDIR is once again consistent. The + default setting of VARDIR for a particular product is + ${VARLIB}/$product. There is an entry of that form in the + shorewallrc file. Because there is a single shorewallrc file for + all installed products, the /etc/shorewall[6]-lite/vardir file + provides the only means for overriding this default. + +8) Begining with Shorewall 4.5.6, the tcrules file is processed if + MANGLE_ENABLED=Yes, independent of the setting of TC_ENABLED. This + allows actions like TTL and TPROXY to be used without enabling + traffic shaping. + + If you have rules in your tcrules file that you only want processed + when TC_ENABLED is other than 'No', then enclose them in + + ?IF $TC_ENABLED + ... 
+ ?ENDIF + + If they are to be processed only if TC_ENABLED=Internal, then enclose + them in + + ?IF TC_ENABLED eq 'Internal' + ... + ?ENDIF + +9) Beginning with Shorewall 4.5.7, the deprecated + /etc/shorewall[6]/blacklist files are no longer installed. Existing + files are still processed by the compiler. Note that blacklist + files may be converted to equivalent blrules files using + 'shorewall[6] update -b'. + +10) In Shorewall 4.5.7, the /etc/shorewall[6]/notrack file was renamed + /etc/shorewall[6]/conntrack. When upgrading to a release >= 4.5.7, + the conntrack file will be installed along side of an existing + notrack file. When both files exist, a compiler warning is + generated: + + WARNING: Both notrack and conntrack exist; conntrack is ignored + + This warning may be eliminated by moving any entries in the notrack + file to the conntrack file and removing the notrack file. + +11) In Shorewall 4.5.8, the /etc/shorewall[6]/routestopped files were + deprecated if favor of new /etc/shorewall[6]/stoppedrules + counterparts. The new files have much more familiar and + straightforward semantics. Once a stoppedrules file is populated, + the compiler will process that file and will ignore the + corresponding routestopped file. + +12) In Shorewall 4.5.8, a new variable (VARLIB) was added to the + shorewallrc file. This variable assumes the role formerly played by + VARDIR, and VARDIR now designates the configuration directory for a + particular product. + + This change should be transparent to all users: + + a) If VARDIR is set in an existing shorewallrc file and VARLIB is + not, then VARLIB is set to ${VARDIR} and VARDIR is set to + ${VARLIB}/${PRODUCT}. + + b) If VARLIB is set in a shorewallrc file and VARDIR is not, then + VARDIR is set to ${VARLIB}/${PRODUCT}. 
+ + The Shorewall-core installer will automatically update + ~/.shorewallrc and save the original in ~/.shorewallrc.bak + +13) Previously, the macro.SNMP macro opened both UDP ports 161 and 162 + from SOURCE to DEST. This is against the usual practice of opening + these ports in the opposite direction. Beginning with Shorewall + 4.5.8, the SNMP macro opens port 161 from SOURCE to DEST as before, + and a new SNMPTrap macro is added that opens port 162 (from SOURCE + to DEST). + +14) Beginning with Shorewall 4.5.11, ?FORMAT is preferred over FORMAT + for specifying the format of records in these configuration files: + + action.* files + conntrack + interface + macro.* files + tcrules + + While deprecated, FORMAT (without the '?') is still supported. + + Also, ?COMMENT is preferred over COMMENT for attaching comments to + generated netfilter rules in the following files. + + accounting + action.* files + blrules files + conntrack + macro.* files + masq + nat + rules + secmarks + tcrules + tunnels + + When one of the deprecated forms is encountered, a warning message + is issued. + + Examples: + + WARNING: 'FORMAT' is deprecated in favor of '?FORMAT' - + consider running 'shorewall update -D'. + + WARNING: 'COMMENT' is deprecated in favor of '?COMMENT' - + consider running 'shorewall update -D'. + + As the warnings indicate, 'update -D' will traverse the CONFIG_PATH + replacing FORMAT and COMMENT lines with ?FORMAT and ?COMMENT + directives respectively. The original version of modified files + will be saved with a .bak suffix. + + + During the update, .bak files are skipped as are files in + ${SHAREDIR}/shorewall and ${SHAREDIR}/shorewall6. + +---------------------------------------------------------------------------- + V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 5 . 
1 0 +---------------------------------------------------------------------------- 1) This release includes all defect repair included in 4.5.9.1-4.5.9.3. @@ -42,18 +404,8 @@ 4) AUTOCOMMENT=No now works correctly; previously, it behaved the same as AUTOCOMMENT=Yes. -5) A harmless extraneous comma has been deleted from the rule - generated by action.RST. - ----------------------------------------------------------------------------- - I I. K N O W N P R O B L E M S R E M A I N I N G ----------------------------------------------------------------------------- - -1) On systems running Upstart, shorewall-init cannot reliably secure - the firewall before interfaces are brought up. - ---------------------------------------------------------------------------- - I I I. N E W F E A T U R E S I N T H I S R E L E A S E + N E W F E A T U R E S I N 4 . 5 . 1 0 ---------------------------------------------------------------------------- 1) Shorewall now treats optional non-provider interfaces in a manner 
@@ -202,148 +554,6 @@ 'set', 'tos' or 'u32' matches are not suppressed: ---------------------------------------------------------------------------- - V. M I G R A T I O N I S S U E S ----------------------------------------------------------------------------- - -1) If you are migrating from Shorewall 4.2.x or earlier, please see - http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/releasenotes.txt - -2) The BLACKLIST section of the rules file has been eliminated. - If you have entries in that file section, you must move them to the - blrules file. - -3) This version of Shorewall requires either the Digest::SHA1 or - Digest::SHA Perl module. - - Debian: libdigest-sha1-perl or libdigest-sha-perl - Fedora: perl-Digest-SHA1 or perl-Digest-SHA - OpenSuSE: perl-Digest-SHA1 or perl-Digest-SHA - -4) The generated firewall script now maintains the - /var/lib/shorewall[6][-lite]/interface.status files used by SWPING - and by LSM. - - If you have optional providers and do not run a link monitor like - SWPING or LSM that updates these files, then you should remove - /etc/shorewall[6]/isusable if it is installed. - - Beginning with Shorewall 4.5.3.1: - - - The 'disable' command stores a 1 in the interface's .status file. - - The .status file is ignored on 'enable' but not on 'start', - 'restart', 'restore' and 'refresh'. - - This means that a disabled interface can only be re-enabled using - the 'enable' command. - -5) The /etc/shorewall[6]/tos file is now deprecated in favor of the - TOS() action in /etc/shorewall[6]/tcrules. - -6) The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been - renamed ACTION to reflect the expanded set of actions that can be - specified in the column. There is no change to existing - functionality. - -7) Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir - and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in - favor of the VARDIR setting in shorewallrc. 
- - NOTE: While the name of the variable remains VARDIR, the - meaning is slightly different. When set in shorewallrc, - each product (shorewall-lite, and shorewall6-lite) will - create a directory under the specified path name to - hold state information. - - Example: - - VARDIR=/opt/var/ - - The state directory for shorewall-lite will be - /opt/var/shorewall-lite/ and the directory for - shorewall6-lite will be /opt/var/shorewall6-lite. - - When VARDIR is set in /etc/shorewall[6]/vardir, the - product will save its state directly in the specified - directory. - - In Shorewall 4.5.8, a VARLIB variable was added to the shorewallrc - file and the meaning of VARDIR is once again consistent. The - default setting of VARDIR for a particular product is - ${VARLIB}/$product. There is an entry of that form in the - shorewallrc file. Because there is a single shorewallrc file for - all installed products, the /etc/shorewall[6]-lite/vardir file - provides the only means for overriding this default. - -8) Begining with Shorewall 4.5.6, the tcrules file is processed if - MANGLE_ENABLED=Yes, independent of the setting of TC_ENABLED. This - allows actions like TTL and TPROXY to be used without enabling - traffic shaping. - - If you have rules in your tcrules file that you only want processed - when TC_ENABLED is other than 'No', then enclose them in - - ?IF $TC_ENABLED - ... - ?ENDIF - - If they are to be processed only if TC_ENABLED=Internal, then enclose - them in - - ?IF TC_ENABLED eq 'Internal' - ... - ?ENDIF - -9) Beginning with Shorewall 4.5.7, the deprecated - /etc/shorewall[6]/blacklist files are no longer installed. Existing - files are still processed by the compiler. Note that blacklist - files may be converted to equivalent blrules files using - 'shorewall[6] update -b'. - -10) In Shorewall 4.5.7, the /etc/shorewall[6]/notrack file was renamed - /etc/shorewall[6]/conntrack. 
When upgrading to a release >= 4.5.7, - the conntrack file will be installed along side of an existing - notrack file. When both files exist, a compiler warning is - generated: - - WARNING: Both notrack and conntrack exist; conntrack is ignored - - This warning may be eliminated by moving any entries in the notrack - file to the conntrack file and removing the notrack file. - -11) In Shorewall 4.5.8, the /etc/shorewall[6]/routestopped files were - deprecated if favor of new /etc/shorewall[6]/stoppedrules - counterparts. The new files have much more familiar and - straightforward semantics. Once a stoppedrules file is populated, - the compiler will process that file and will ignore the - corresponding routestopped file. - -12) In Shorewall 4.5.8, a new variable (VARLIB) was added to the - shorewallrc file. This variable assumes the role formerly played by - VARDIR, and VARDIR now designates the configuration directory for a - particular product. - - This change should be transparent to all users: - - a) If VARDIR is set in an existing shorewallrc file and VARLIB is - not, then VARLIB is set to ${VARDIR} and VARDIR is set to - ${VARLIB}/${PRODUCT}. - - b) If VARLIB is set in a shorewallrc file and VARDIR is not, then - VARDIR is set to ${VARLIB}/${PRODUCT}. - - The Shorewall-core installer will automatically update - ~/.shorewallrc and save the original in ~/.shorewallrc.bak - -13) Previously, the macro.SNMP macro opened both UDP ports 161 and 162 - from SOURCE to DEST. This is against the usual practice of opening - these ports in the opposite direction. Beginning with Shorewall - 4.5.8, the SNMP macro opens port 161 from SOURCE to DEST as before, - and a new SNMPTrap macro is added that opens port 162 (from SOURCE - to DEST). - ----------------------------------------------------------------------------- - V I. N O T E S F R O M O T H E R 4 . 
5 R E L E A S E S ----------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 5 . 9 ---------------------------------------------------------------------------- 4.5.9.3 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.10.1/shorewall-lite.spec new/shorewall-lite-4.5.11.2/shorewall-lite.spec --- old/shorewall-lite-4.5.10.1/shorewall-lite.spec 2012-12-14 15:37:23.000000000 +0100 +++ new/shorewall-lite-4.5.11.2/shorewall-lite.spec 2012-12-31 17:29:00.000000000 +0100 @@ -1,6 +1,6 @@ %define name shorewall-lite -%define version 4.5.10 -%define release 1 +%define version 4.5.11 +%define release 2 %define initdir /etc/init.d Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. @@ -105,8 +105,20 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Fri Dec 14 2012 Tom Eastep tom@shorewall.net -- Updated to 4.5.10-1 +* Mon Dec 31 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.11-2 +* Fri Dec 28 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.11-1 +* Wed Dec 26 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.11-0base +* Wed Dec 19 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.11-0RC1 +* Thu Dec 13 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.11-0Beta3 +* Sun Dec 09 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.11-0Beta2 +* Mon Dec 03 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.11-0Beta1 * Sun Dec 02 2012 Tom Eastep tom@shorewall.net - Updated to 4.5.10-0base * Wed Nov 28 2012 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.10.1/uninstall.sh new/shorewall-lite-4.5.11.2/uninstall.sh --- old/shorewall-lite-4.5.10.1/uninstall.sh 2012-12-14 15:37:23.000000000 +0100 +++ new/shorewall-lite-4.5.11.2/uninstall.sh 2012-12-31 17:29:00.000000000 +0100 
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.5.10.1
+VERSION=4.5.11.2
usage() # $1 = exit status
{
++++++ shorewall-4.5.10.1.tar.bz2 -> shorewall6-4.5.11.2.tar.bz2 ++++++
++++ 107587 lines of diff (skipped)
++++++ shorewall-lite-4.5.10.1.tar.bz2 -> shorewall6-lite-4.5.11.2.tar.bz2 ++++++
++++ 7459 lines of diff (skipped)
++++++ systemd.patch ++++++
Fixes #bnc798525
---
shorewall-4.5.11.2/install.sh | 2 +-
shorewall-lite-4.5.11.2/install.sh | 2 +-
shorewall6-4.5.11.2/install.sh | 2 +-
shorewall6-lite-4.5.11.2/install.sh | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
--- a/shorewall-4.5.11.2/install.sh
+++ b/shorewall-4.5.11.2/install.sh
@@ -395,7 +395,7 @@ fi
if [ -n "$SYSTEMD" ]; then
mkdir -p ${DESTDIR}${SYSTEMD}
run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}${SYSTEMD}/$PRODUCT.service
- [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+ [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|^/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
echo "Service file installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
fi
--- a/shorewall-lite-4.5.11.2/install.sh
+++ b/shorewall-lite-4.5.11.2/install.sh
@@ -355,7 +355,7 @@ fi
if [ -n "$SYSTEMD" ]; then
mkdir -p ${DESTDIR}${SYSTEMD}
run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/${SYSTEMD}/$PRODUCT.service
- [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+ [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/^sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
fi
--- a/shorewall6-4.5.11.2/install.sh
+++ b/shorewall6-4.5.11.2/install.sh
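Review bot: The rewritten sed line in the shorewall-4.5.11.2/install.sh hunk still runs through `eval` with backslash-escaped quotes, so the expanded `${SBINDIR}` and `${DESTDIR}${SYSTEMD}` values are parsed by the shell a second time; the `eval` exists only to turn `\'` into real quotes and adds nothing but that re-parse. `sed -i "s|^/sbin/|${SBINDIR}/|" "${DESTDIR}${SYSTEMD}/$PRODUCT.service"` builds the identical sed invocation without it, and the test on the same line is more robust as `[ "${SBINDIR}" != /sbin ]` should the variable ever be empty. The same construct is repeated in the shorewall-lite, shorewall6 and shorewall6-lite hunks of this patch.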
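Review bot: The anchor in the new sed expression of the shorewall-lite-4.5.11.2/install.sh hunk is on the wrong side of the slash: `s|/^sbin/|…|` asks for a literal `^` between two slashes (GNU sed treats `^` as an anchor only at the start of the pattern), so the substitution matches nothing and shorewall-lite.service keeps `/sbin/` whenever SBINDIR is not /sbin, which appears to be the exec-path problem this patch is meant to fix (bnc#798525). The line should read `[ ${SBINDIR} != /sbin ] && eval sed -i \'s\|^/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service`, matching the other three install.sh hunks. Nothing at build time will flag this because a non-matching `s` command still exits 0; a post-install check that the installed unit no longer contains `/sbin/` when SBINDIR differs would catch it.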
@@ -395,7 +395,7 @@ fi
if [ -n "$SYSTEMD" ]; then
mkdir -p ${DESTDIR}${SYSTEMD}
run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}${SYSTEMD}/$PRODUCT.service
- [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+ [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|^/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
echo "Service file installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
fi
--- a/shorewall6-lite-4.5.11.2/install.sh
+++ b/shorewall6-lite-4.5.11.2/install.sh
@@ -355,7 +355,7 @@ fi
if [ -n "$SYSTEMD" ]; then
mkdir -p ${DESTDIR}${SYSTEMD}
run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/${SYSTEMD}/$PRODUCT.service
- [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+ [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|^/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
fi
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org