Hello community, here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2014-07-21 10:35:45 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shorewall (Old) and /work/SRC/openSUSE:Factory/.shorewall.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "shorewall" Changes: -------- --- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2014-07-15 08:00:53.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes 2014-07-21 10:35:48.000000000 +0200 
@@ -1,0 +2,26 @@ +Sun Jul 20 22:28:42 UTC 2014 - toganm@opensuse.org + +- Update to version 4.6.2.1 For more details see changelog.txt and + releasenotes.txt + + * Two issues with tcrules processing have been corrected: + + SAVE and RESTORE generated fatal compilation errors. + + '|' and '&' were ignored. That issue is also present in the + processing of the mangle file + * Version 4.6.2 changes + + The DSCP match in the mangle and tcrules files didn't work + with service class names such as EF, BE, CS1, ... + + The SAVE and RESTORE actions were disallowed in the OUTPUT + chain in tcrules and mangle; this was a regression from 4.5.21. + + Additional ports required by Asus, Supermicro and Dell have + beenadded to the IPMI macro (Tuomo Soini). + + Some issues regarding install under Cygwin64 have been + addressed. + - configure.pl did not understand CYGWIN returned from `uname` + - Shorewall-core install.sh did not understand CYGWIN returned + from `uname`. + - The Shorewall and Shorewall6 installers tried to run the + command 'mkdir -p //etc/shorewall[6]' which is broken in the + current Cygwin64. + +------------------------------------------------------------------- Old: ---- shorewall-4.6.1.4.tar.bz2 shorewall-core-4.6.1.4.tar.bz2 shorewall-docs-html-4.6.1.4.tar.bz2 shorewall-init-4.6.1.4.tar.bz2 shorewall-lite-4.6.1.4.tar.bz2 shorewall6-4.6.1.4.tar.bz2 shorewall6-lite-4.6.1.4.tar.bz2 New: ---- shorewall-4.6.2.1.tar.bz2 shorewall-core-4.6.2.1.tar.bz2 shorewall-docs-html-4.6.2.1.tar.bz2 shorewall-init-4.6.2.1.tar.bz2 shorewall-lite-4.6.2.1.tar.bz2 shorewall6-4.6.2.1.tar.bz2 shorewall6-lite-4.6.2.1.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.2HPGKh/_old 2014-07-21 10:35:50.000000000 +0200 +++ /var/tmp/diff_new_pack.2HPGKh/_new 2014-07-21 10:35:50.000000000 +0200 
@@ -20,19 +20,19 @@ %define have_systemd 1 Name: shorewall -Version: 4.6.1.4 +Version: 4.6.2.1 Release: 0 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems License: GPL-2.0 Group: Productivity/Networking/Security Url: http://www.shorewall.net/ -Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.1/%name-%version.ta... -Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.1/%name-core-%versi... -Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.1/%name-lite-%versi... -Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.1/%name-init-%versi... -Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.1/%{name}6-lite-%version.tar.bz2 -Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.1/%{name}6-%version.tar.bz2 -Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.1/%name-docs-html-%... +Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.2/%name-%version.ta... +Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.2/%name-core-%versi... +Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.2/%name-lite-%versi... +Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.2/%name-init-%versi... +Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.2/%{name}6-lite-%version.tar.bz2 +Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.2/%{name}6-%version.tar.bz2 +Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.2/%name-docs-html-%... 
Source7: %name-4.4.22.rpmlintrc Source8: README.openSUSE # PATCH-FIX-UPSTREAM toganm@opensuse.org Shorewall-lite init.suse.sh Required Stop ++++++ shorewall-4.6.1.4.tar.bz2 -> shorewall-4.6.2.1.tar.bz2 ++++++ ++++ 2186 lines of diff (skipped) ++++++ shorewall-core-4.6.1.4.tar.bz2 -> shorewall-core-4.6.2.1.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.1.4/changelog.txt new/shorewall-core-4.6.2.1/changelog.txt --- old/shorewall-core-4.6.1.4/changelog.txt 2014-07-04 19:27:04.000000000 +0200 +++ new/shorewall-core-4.6.2.1/changelog.txt 2014-07-18 17:56:13.000000000 +0200 @@ -1,3 +1,46 @@ +Changes in 4.6.2.1 + +1) Update release documents. + +2) Two issues with tcrules processing were corrected. + +Changes in 4.6.2 Final + +1) Update release documents. + +Changes in 4.6.2 RC 1 + +1) Update release documents. + +2) Allow specification of the GATEWAY MAC address. + +3) Fix some brokenness in installation under Cygwin. + +Changes in 4.6.2 Beta 2 + +1) Update release documents. + +2) Update Events.xml with a stateful port knocking example. + +3) Apply Thibaut Chèze's patch for DSCP names. + +4) Allow SAVE/RESTORE rules in the OUTPUT chain. + +5) Add ILO macro from Tuomo Soini. + +6) Apply Tuomo Soini's patch to add additional ports to the IPMI + macro. + +Changes in 4.6.2 Beta 1 + +1) Update release documents. + +2) Implement 'status -i' + +3) Implement 'show bl' + +4) Add TIME column to the mangle file + Changes in 4.6.1.3 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.1.4/configure new/shorewall-core-4.6.2.1/configure --- old/shorewall-core-4.6.1.4/configure 2014-07-04 19:27:04.000000000 +0200 +++ new/shorewall-core-4.6.2.1/configure 2014-07-18 17:56:12.000000000 +0200 
@@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.1.4 +VERSION=4.6.2.1 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.1.4/configure.pl new/shorewall-core-4.6.2.1/configure.pl --- old/shorewall-core-4.6.1.4/configure.pl 2014-07-04 19:27:04.000000000 +0200 +++ new/shorewall-core-4.6.2.1/configure.pl 2014-07-18 17:56:12.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.1.4' + VERSION => '4.6.2.1' }; my %params; @@ -100,7 +100,7 @@ } elsif ( `uname` =~ '^Darwin' ) { $vendor = 'apple'; $rcfilename = 'shorewallrc.apple'; - } elsif ( `uname` =~ '^Cygwin' ) { + } elsif ( `uname` =~ /^Cygwin/i ) { $vendor = 'cygwin'; $rcfilename = 'shorewallrc.cygwin'; } else { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.1.4/install.sh new/shorewall-core-4.6.2.1/install.sh --- old/shorewall-core-4.6.1.4/install.sh 2014-07-04 19:27:04.000000000 +0200 +++ new/shorewall-core-4.6.2.1/install.sh 2014-07-18 17:56:12.000000000 +0200 @@ -22,7 +22,7 @@ # along with this program; if not, see http://www.gnu.org/licenses/. # -VERSION=4.6.1.4 +VERSION=4.6.2.1 usage() # $1 = exit status { @@ -187,7 +187,7 @@ if [ -z "$BUILD" ]; then case $(uname) in - cygwin*) + cygwin*|CYGWIN*) BUILD=cygwin ;; Darwin) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.1.4/known_problems.txt new/shorewall-core-4.6.2.1/known_problems.txt --- old/shorewall-core-4.6.1.4/known_problems.txt 2014-07-04 19:27:04.000000000 +0200 +++ new/shorewall-core-4.6.2.1/known_problems.txt 2014-07-18 17:56:13.000000000 +0200 
@@ -1,34 +1,15 @@ 1) On systems running Upstart, shorewall-init cannot reliably secure the firewall before interfaces are brought up. -2) When INLINE_MATCHES=Yes and AUTOHELPERS=No, start or restart can - fail during script execution with this diagnostic: +2) In the tcrules file: - Running /sbin/iptables-restore... - Bad argument `helper=netbios-ns' - Error occurred at line: 228 - Try `iptables-restore -h' or 'iptables-restore --help' for more - information. - ERROR: iptables-restore Failed. Input is in - /var/lib/shorewall/.iptables-restore-input + - SAVE and RESTORE generate fatal compilation errors. + - '|' and '&' are ignored. - Corrected in Shorewall 4.6.1.2 + Corrected in 4.6.2.1. -3) Use of the 'IfEvent' action results in a compilation failure: +3) In the mangle file: - ERROR: -j is only allowed when the ACTION is INLINE with no - parameter /usr/share/shorewall/action.IfEvent (line 139) - from /etc/shorewall/action.SSHKnock (line 8) - from /etc/shorewall/rules (line 31) + - '|' and '&' are ignored in MARK ACTIONS. - Corrected in Shorewall 4.6.1.3. - -4) The DSCP match in the mangle and tcrles files doesn't work with - service class names such as EF, BE, CS1, ... - - Corrected in Shorewall 4.6.1.4. - -5) The SAVE and RESTORE actions are disallowed in the OUTPUT chain in - tcrules and mangle; this is a regression from 4.6.21. - - Corrected in Shorewall 4.6.1.4. + Corrected in 4.6.2.1. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.1.4/lib.cli new/shorewall-core-4.6.2.1/lib.cli --- old/shorewall-core-4.6.1.4/lib.cli 2014-07-03 01:35:13.000000000 +0200 +++ new/shorewall-core-4.6.2.1/lib.cli 2014-07-18 17:45:06.000000000 +0200 
@@ -272,6 +272,19 @@ } # +# Display blacklist chains +# +show_bl() { + $g_tool -L $g_ipt_options | \ + awk 'BEGIN {prnt=0; }; + /^$/ {if (prnt == 1) print ""; prnt=0; }; + /Chain .*~ / {prnt=1; }; + /Chain dynamic / {prnt=1; }; + {if (prnt == 1) print; }; + END {if (prnt == 1 ) print "" };' +} + +# # Watch the Firewall Log # logwatch() # $1 = timeout -- if negative, prompt each time that @@ -1189,7 +1202,13 @@ echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)" echo show_events - ;; + ;; + bl|blacklists) + [ $# -gt 1 ] && usage 1 + echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)" + echo + show_bl; + ;; *) case "$g_program" in *-lite) @@ -2952,9 +2971,74 @@ } +interface_status() { + case $(cat $1) in + 0) + echo Enabled + ;; + 1) + echo Disabled + ;; + *) + echo Unknown + ;; + esac +} + +show_interfaces() { + local f + local interface + local printed + + for f in ${VARDIR}/*.status; do + interface=$(basename $f) + echo " Interface ${interface%.status} is $(interface_status $f)" + printed=Yes + done + + [ -n "$printed" ] && echo +} + status_command() { + local finished + finished=0 + local option + local interfaces + + while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + -) + finished=1 + option= + ;; + i*) + interfaces=Yes + option=${option#i} + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + + [ $# -eq 0 ] || usage 1 + [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo show_status + [ -n "$interfaces" ] && show_interfaces exit $status } 
@@ -3466,6 +3550,7 @@ echo " [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]" echo " [ show | list | ls ] [ -f ] capabilities" echo " [ show | list | ls ] arptables" + echo " [ show | list | ls ] [ -x ] {bl|blacklists}" echo " [ show | list | ls ] classifiers" echo " [ show | list | ls ] config" echo " [ show | list | ls ] connections" @@ -3488,7 +3573,7 @@ echo " [ show | list | ls ] zones" echo " start [ -f ] [ -p ] [ <directory> ]" echo " stop" - echo " status" + echo " status [ -i ]" echo " version [ -a ]" echo exit $1 @@ -3739,10 +3824,10 @@ show_command $@ ;; status) - [ $# -eq 1 ] || usage 1 [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root" get_config - status_command + shift + status_command $@ ;; dump) get_config Yes No Yes diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.1.4/releasenotes.txt new/shorewall-core-4.6.2.1/releasenotes.txt --- old/shorewall-core-4.6.1.4/releasenotes.txt 2014-07-04 19:27:04.000000000 +0200 +++ new/shorewall-core-4.6.2.1/releasenotes.txt 2014-07-18 17:56:13.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 1 . 4 + S H O R E W A L L 4 . 6 . 2 . 1 ------------------------------------ - J u l y 0 4 , 2 0 1 4 + J u l y 1 9 , 2 0 1 4 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,91 +14,84 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.1.4 +4.6.2.1 -1) The DSCP match in the mangle and tcrles files didn't work with - service class names such as EF, BE, CS1, ... +1) Two issues with tcrules processing have been corrected: -2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in - tcrules and mangle; this was a regression from 4.6.21. + - SAVE and RESTORE generated fatal compilation errors. + - '|' and '&' were ignored. -4.6.1.3 +4.6.2 -1) Use of the 'IfEvent' action resulted in a compilation failure: +1) The DSCP match in the mangle and tcrules files didn't work with + service class names such as EF, BE, CS1, ... (Thibaut Chèze) - ERROR: -j is only allowed when the ACTION is INLINE with no - parameter /usr/share/shorewall/action.IfEvent (line 139) - from /etc/shorewall/action.SSHKnock (line 8) - from /etc/shorewall/rules (line 31) - -4.6.1.2 - -1) The shorewall-masq(5) and shorewall6-masq(5) manpages had a mangled - heading for the description of the SOURCE column, leading some - readers to assert the that description was missing. +2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in + tcrules and mangle; this was a regression from 4.5.21. -2) When INLINE_MATCHES=Yes and AUTOHELPERS=No, start or restart could - fail during script execution with this diagnostic: +3) Additional ports required by Asus, Supermicro and Dell have been + added to the IPMI macro (Tuomo Soini). - Running /sbin/iptables-restore... - Bad argument `helper=netbios-ns' - Error occurred at line: nnn - Try `iptables-restore -h' or 'iptables-restore --help' for more - information. - ERROR: iptables-restore Failed. Input is in - /var/lib/shorewall/.iptables-restore-input +4) Some issues regarding install under Cygwin64 have been addressed. 
-4.6.1.1 + - configure.pl did not understand CYGWIN returned from `uname` + - Shorewall-core install.sh did not understand CYGWIN returned from + `uname`. + - The Shorewall and Shorewall6 installers tried to run the command + 'mkdir -p //etc/shorewall[6]' which is broken in the current + Cygwin64. -1) An improved error message is generatred when a server address list - is specified in the DEST colume of a DNAT or REDIRECT - rule. At one time, iptables supported such lists, but now only a - single address or an address range is supported. +---------------------------------------------------------------------------- + I I. K N O W N P R O B L E M S R E M A I N I N G +---------------------------------------------------------------------------- - The previous error message was: +1) On systems running Upstart, shorewall-init cannot reliably secure + the firewall before interfaces are brought up. - ERROR: Unkknown Host (192.168.1.4,192.168.1.22) +---------------------------------------------------------------------------- + I I I. N E W F E A T U R E S I N T H I S R E L E A S E +---------------------------------------------------------------------------- - The new error message is: +1) The 'status' command now allows a -i option which causes the state + of all optional and provider interfaces to be displayed. - ERROR: An address list (192.168.1.4,192.168.1.22) is not - allowed in the DEST column of a xxx RULE + Example: - where xxx is DNAT or REDIRECT as appropriate. + root@gateway:/etc/shorewall# shorewall status -i + Shorewall-4.6.1 Status at gateway - Wed Jun 18 14:27:19 PDT 2014 -2) Two problems have been corrected in the Shorewall-init Debian init - script. + Shorewall is running + State:Started (Wed Jun 18 09:50:01 PDT 2014) from /etc/shorewall/ + (/var/lib/shorewall/firewall compiled by Shorewall version 4.6.1) - a) A cosmetic problem which resulted in 'echo_notdone' being - displayed on failure rather than 'not done'. 
+ Interface eth0 is Enabled + Interface eth1 is Enabled + Interface lo is Enabled - b) More seriously, the test for the existance of compiled - firewall scripts was incorrect, with the result that the - firewall scripts were not executed. +2) A 'shorewall show blacklists' command has been + implemented. The abbreviation 'bl' may be used in place of + 'blacklists'. - These defects, introduced in Shorewall 4.5.17, have now been - corrected. + The command displays the output of the 'dynamic' chain together + with the chains created by entries in the blrules file. -4.6.1 +3) A TIME column has been added to the mangle file. It has the same + use in that file as the corresponding column in the rules file. -1) When the 'rpfilter' option is specified on all interfaces, no - references to the 'dynamic' chain were created and that chain was - optimized away. +4) A stateful port knocking example has been added to the Events + article (http://www.shorewall.net/Events.html). This example allows + a sequence of knocking ports to be defined (Gerhard Weisinger). ----------------------------------------------------------------------------- - I I. K N O W N P R O B L E M S R E M A I N I N G ----------------------------------------------------------------------------- +5) A macro supporting HP's Integrated Lights Out (ILO) has been added + (Tuomo Soini). -1) On systems running Upstart, shorewall-init cannot reliably secure - the firewall before interfaces are brought up. +6) It is now possible to specify the MAC address of a provider + GATEWAY. This is useful when there are multiple providers serviced + by a single interface as it avoids the need for the generated + script to detect the MAC during start/restart. ----------------------------------------------------------------------------- - I I I. 
N E W F E A T U R E S I N T H I S R E L E A S E ----------------------------------------------------------------------------- +7) The copyrights in the sample configuration files have been updated. -1) Tuomo Soini has provided new macros for AMOP, MongoDB, Redis, Sieve - and IPMI (RMCP). - ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S ---------------------------------------------------------------------------- 
@@ -371,7 +364,89 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4.6.0 + P R O B L E M S C O R R E C T E D I N 4 . 6 . 0 +---------------------------------------------------------------------------- + +4.6.1.4 + +1) The DSCP match in the mangle and tcrles files didn't work with + service class names such as EF, BE, CS1, ... + +2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in + tcrules and mangle; this was a regression from 4.6.21. + +4.6.1.3 + +1) Use of the 'IfEvent' action resulted in a compilation failure: + + ERROR: -j is only allowed when the ACTION is INLINE with no + parameter /usr/share/shorewall/action.IfEvent (line 139) + from /etc/shorewall/action.SSHKnock (line 8) + from /etc/shorewall/rules (line 31) + +4.6.1.2 + +1) The shorewall-masq(5) and shorewall6-masq(5) manpages had a mangled + heading for the description of the SOURCE column, leading some + readers to assert the that description was missing. + +2) When INLINE_MATCHES=Yes and AUTOHELPERS=No, start or restart could + fail during script execution with this diagnostic: + + Running /sbin/iptables-restore... + Bad argument `helper=netbios-ns' + Error occurred at line: nnn + Try `iptables-restore -h' or 'iptables-restore --help' for more + information. + ERROR: iptables-restore Failed. Input is in + /var/lib/shorewall/.iptables-restore-input + +4.6.1.1 + +1) An improved error message is generatred when a server address list + is specified in the DEST colume of a DNAT or REDIRECT + rule. At one time, iptables supported such lists, but now only a + single address or an address range is supported. 
+ + The previous error message was: + + ERROR: Unkknown Host (192.168.1.4,192.168.1.22) + + The new error message is: + + ERROR: An address list (192.168.1.4,192.168.1.22) is not + allowed in the DEST column of a xxx RULE + + where xxx is DNAT or REDIRECT as appropriate. + +2) Two problems have been corrected in the Shorewall-init Debian init + script. + + a) A cosmetic problem which resulted in 'echo_notdone' being + displayed on failure rather than 'not done'. + + b) More seriously, the test for the existance of compiled + firewall scripts was incorrect, with the result that the + firewall scripts were not executed. + + These defects, introduced in Shorewall 4.5.17, have now been + corrected. + +4.6.1 + +1) When the 'rpfilter' option is specified on all interfaces, no + references to the 'dynamic' chain were created and that chain was + optimized away. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 0 +---------------------------------------------------------------------------- + +1) Tuomo Soini has provided new macros for AMOP, MongoDB, Redis, Sieve + and IPMI (RMCP). + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 0 ---------------------------------------------------------------------------- 4.6.0.3 
@@ -438,6 +513,7 @@ 1) The tarball installers, now install .service files with mode 644 rather than mode 600. + ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 6 . 0 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.1.4/shorewall-core.spec new/shorewall-core-4.6.2.1/shorewall-core.spec --- old/shorewall-core-4.6.1.4/shorewall-core.spec 2014-07-04 19:27:04.000000000 +0200 +++ new/shorewall-core-4.6.2.1/shorewall-core.spec 2014-07-18 17:56:13.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-core -%define version 4.6.1 -%define release 4 +%define version 4.6.2 +%define release 1 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} @@ -62,12 +62,16 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt %changelog +* Fri Jul 18 2014 Tom Eastep tom@shorewall.net +- Updated to 4.6.2-1 +* Sun Jul 13 2014 Tom Eastep tom@shorewall.net +- Updated to 4.6.2-0base +* Fri Jul 04 2014 Tom Eastep tom@shorewall.net +- Updated to 4.6.2-0RC1 * Wed Jul 02 2014 Tom Eastep tom@shorewall.net -- Updated to 4.6.1-4 -* Sat Jun 21 2014 Tom Eastep tom@shorewall.net -- Updated to 4.6.1-3 -* Fri Jun 20 2014 Tom Eastep tom@shorewall.net -- Updated to 4.6.1-2 +- Updated to 4.6.2-0Beta2 +* Wed Jun 18 2014 Tom Eastep tom@shorewall.net +- Updated to 4.6.2-0Beta1 * Sun Jun 08 2014 Tom Eastep tom@shorewall.net - Updated to 4.6.1-1 * Wed Jun 04 2014 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.1.4/uninstall.sh new/shorewall-core-4.6.2.1/uninstall.sh --- old/shorewall-core-4.6.1.4/uninstall.sh 2014-07-04 19:27:04.000000000 +0200 +++ new/shorewall-core-4.6.2.1/uninstall.sh 2014-07-18 17:56:12.000000000 +0200 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.1.4 +VERSION=4.6.2.1 usage() # $1 = exit status { ++++++ shorewall-docs-html-4.6.1.4.tar.bz2 -> shorewall-docs-html-4.6.2.1.tar.bz2 ++++++ ++++ 6952 lines of diff (skipped) ++++++ shorewall-init-4.6.1.4.tar.bz2 -> shorewall-init-4.6.2.1.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.1.4/changelog.txt new/shorewall-init-4.6.2.1/changelog.txt --- old/shorewall-init-4.6.1.4/changelog.txt 2014-07-04 19:27:05.000000000 +0200 +++ new/shorewall-init-4.6.2.1/changelog.txt 2014-07-18 17:56:13.000000000 +0200 @@ -1,3 +1,46 @@ +Changes in 4.6.2.1 + +1) Update release documents. + +2) Two issues with tcrules processing were corrected. + +Changes in 4.6.2 Final + +1) Update release documents. + +Changes in 4.6.2 RC 1 + +1) Update release documents. + +2) Allow specification of the GATEWAY MAC address. + +3) Fix some brokenness in installation under Cygwin. + +Changes in 4.6.2 Beta 2 + +1) Update release documents. + +2) Update Events.xml with a stateful port knocking example. + +3) Apply Thibaut Chèze's patch for DSCP names. + +4) Allow SAVE/RESTORE rules in the OUTPUT chain. + +5) Add ILO macro from Tuomo Soini. + +6) Apply Tuomo Soini's patch to add additional ports to the IPMI + macro. + +Changes in 4.6.2 Beta 1 + +1) Update release documents. + +2) Implement 'status -i' + +3) Implement 'show bl' + +4) Add TIME column to the mangle file + Changes in 4.6.1.3 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.1.4/configure new/shorewall-init-4.6.2.1/configure --- old/shorewall-init-4.6.1.4/configure 2014-07-04 19:27:05.000000000 +0200 +++ new/shorewall-init-4.6.2.1/configure 2014-07-18 17:56:13.000000000 +0200 
@@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.1.4 +VERSION=4.6.2.1 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.1.4/configure.pl new/shorewall-init-4.6.2.1/configure.pl --- old/shorewall-init-4.6.1.4/configure.pl 2014-07-04 19:27:05.000000000 +0200 +++ new/shorewall-init-4.6.2.1/configure.pl 2014-07-18 17:56:13.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.1.4' + VERSION => '4.6.2.1' }; my %params; @@ -100,7 +100,7 @@ } elsif ( `uname` =~ '^Darwin' ) { $vendor = 'apple'; $rcfilename = 'shorewallrc.apple'; - } elsif ( `uname` =~ '^Cygwin' ) { + } elsif ( `uname` =~ /^Cygwin/i ) { $vendor = 'cygwin'; $rcfilename = 'shorewallrc.cygwin'; } else { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.1.4/install.sh new/shorewall-init-4.6.2.1/install.sh --- old/shorewall-init-4.6.1.4/install.sh 2014-07-04 19:27:05.000000000 +0200 +++ new/shorewall-init-4.6.2.1/install.sh 2014-07-18 17:56:13.000000000 +0200 @@ -27,7 +27,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.6.1.4 +VERSION=4.6.2.1 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.1.4/releasenotes.txt new/shorewall-init-4.6.2.1/releasenotes.txt --- old/shorewall-init-4.6.1.4/releasenotes.txt 2014-07-04 19:27:05.000000000 +0200 +++ new/shorewall-init-4.6.2.1/releasenotes.txt 2014-07-18 17:56:13.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 1 . 4 + S H O R E W A L L 4 . 6 . 2 . 1 ------------------------------------ - J u l y 0 4 , 2 0 1 4 + J u l y 1 9 , 2 0 1 4 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,91 +14,84 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.1.4 +4.6.2.1 -1) The DSCP match in the mangle and tcrles files didn't work with - service class names such as EF, BE, CS1, ... +1) Two issues with tcrules processing have been corrected: -2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in - tcrules and mangle; this was a regression from 4.6.21. + - SAVE and RESTORE generated fatal compilation errors. + - '|' and '&' were ignored. -4.6.1.3 +4.6.2 -1) Use of the 'IfEvent' action resulted in a compilation failure: +1) The DSCP match in the mangle and tcrules files didn't work with + service class names such as EF, BE, CS1, ... (Thibaut Chèze) - ERROR: -j is only allowed when the ACTION is INLINE with no - parameter /usr/share/shorewall/action.IfEvent (line 139) - from /etc/shorewall/action.SSHKnock (line 8) - from /etc/shorewall/rules (line 31) - -4.6.1.2 - -1) The shorewall-masq(5) and shorewall6-masq(5) manpages had a mangled - heading for the description of the SOURCE column, leading some - readers to assert the that description was missing. +2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in + tcrules and mangle; this was a regression from 4.5.21. -2) When INLINE_MATCHES=Yes and AUTOHELPERS=No, start or restart could - fail during script execution with this diagnostic: +3) Additional ports required by Asus, Supermicro and Dell have been + added to the IPMI macro (Tuomo Soini). - Running /sbin/iptables-restore... - Bad argument `helper=netbios-ns' - Error occurred at line: nnn - Try `iptables-restore -h' or 'iptables-restore --help' for more - information. - ERROR: iptables-restore Failed. Input is in - /var/lib/shorewall/.iptables-restore-input +4) Some issues regarding install under Cygwin64 have been addressed. 
-4.6.1.1 + - configure.pl did not understand CYGWIN returned from `uname` + - Shorewall-core install.sh did not understand CYGWIN returned from + `uname`. + - The Shorewall and Shorewall6 installers tried to run the command + 'mkdir -p //etc/shorewall[6]' which is broken in the current + Cygwin64. -1) An improved error message is generatred when a server address list - is specified in the DEST colume of a DNAT or REDIRECT - rule. At one time, iptables supported such lists, but now only a - single address or an address range is supported. +---------------------------------------------------------------------------- + I I. K N O W N P R O B L E M S R E M A I N I N G +---------------------------------------------------------------------------- - The previous error message was: +1) On systems running Upstart, shorewall-init cannot reliably secure + the firewall before interfaces are brought up. - ERROR: Unkknown Host (192.168.1.4,192.168.1.22) +---------------------------------------------------------------------------- + I I I. N E W F E A T U R E S I N T H I S R E L E A S E +---------------------------------------------------------------------------- - The new error message is: +1) The 'status' command now allows a -i option which causes the state + of all optional and provider interfaces to be displayed. - ERROR: An address list (192.168.1.4,192.168.1.22) is not - allowed in the DEST column of a xxx RULE + Example: - where xxx is DNAT or REDIRECT as appropriate. + root@gateway:/etc/shorewall# shorewall status -i + Shorewall-4.6.1 Status at gateway - Wed Jun 18 14:27:19 PDT 2014 -2) Two problems have been corrected in the Shorewall-init Debian init - script. + Shorewall is running + State:Started (Wed Jun 18 09:50:01 PDT 2014) from /etc/shorewall/ + (/var/lib/shorewall/firewall compiled by Shorewall version 4.6.1) - a) A cosmetic problem which resulted in 'echo_notdone' being - displayed on failure rather than 'not done'. 
+ Interface eth0 is Enabled + Interface eth1 is Enabled + Interface lo is Enabled - b) More seriously, the test for the existance of compiled - firewall scripts was incorrect, with the result that the - firewall scripts were not executed. +2) A 'shorewall show blacklists' command has been + implemented. The abbreviation 'bl' may be used in place of + 'blacklists'. - These defects, introduced in Shorewall 4.5.17, have now been - corrected. + The command displays the output of the 'dynamic' chain together + with the chains created by entries in the blrules file. -4.6.1 +3) A TIME column has been added to the mangle file. It has the same + use in that file as the corresponding column in the rules file. -1) When the 'rpfilter' option is specified on all interfaces, no - references to the 'dynamic' chain were created and that chain was - optimized away. +4) A stateful port knocking example has been added to the Events + article (http://www.shorewall.net/Events.html). This example allows + a sequence of knocking ports to be defined (Gerhard Weisinger). ----------------------------------------------------------------------------- - I I. K N O W N P R O B L E M S R E M A I N I N G ----------------------------------------------------------------------------- +5) A macro supporting HP's Integrated Lights Out (ILO) has been added + (Tuomo Soini). -1) On systems running Upstart, shorewall-init cannot reliably secure - the firewall before interfaces are brought up. +6) It is now possible to specify the MAC address of a provider + GATEWAY. This is useful when there are multiple providers serviced + by a single interface as it avoids the need for the generated + script to detect the MAC during start/restart. ----------------------------------------------------------------------------- - I I I. 
N E W F E A T U R E S I N T H I S R E L E A S E ----------------------------------------------------------------------------- +7) The copyrights in the sample configuration files have been updated. -1) Tuomo Soini has provided new macros for AMOP, MongoDB, Redis, Sieve - and IPMI (RMCP). - ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S ---------------------------------------------------------------------------- 
@@ -371,7 +364,89 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4.6.0 + P R O B L E M S C O R R E C T E D I N 4 . 6 . 0 +---------------------------------------------------------------------------- + +4.6.1.4 + +1) The DSCP match in the mangle and tcrles files didn't work with + service class names such as EF, BE, CS1, ... + +2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in + tcrules and mangle; this was a regression from 4.6.21. + +4.6.1.3 + +1) Use of the 'IfEvent' action resulted in a compilation failure: + + ERROR: -j is only allowed when the ACTION is INLINE with no + parameter /usr/share/shorewall/action.IfEvent (line 139) + from /etc/shorewall/action.SSHKnock (line 8) + from /etc/shorewall/rules (line 31) + +4.6.1.2 + +1) The shorewall-masq(5) and shorewall6-masq(5) manpages had a mangled + heading for the description of the SOURCE column, leading some + readers to assert the that description was missing. + +2) When INLINE_MATCHES=Yes and AUTOHELPERS=No, start or restart could + fail during script execution with this diagnostic: + + Running /sbin/iptables-restore... + Bad argument `helper=netbios-ns' + Error occurred at line: nnn + Try `iptables-restore -h' or 'iptables-restore --help' for more + information. + ERROR: iptables-restore Failed. Input is in + /var/lib/shorewall/.iptables-restore-input + +4.6.1.1 + +1) An improved error message is generatred when a server address list + is specified in the DEST colume of a DNAT or REDIRECT + rule. At one time, iptables supported such lists, but now only a + single address or an address range is supported. 
+ + The previous error message was: + + ERROR: Unkknown Host (192.168.1.4,192.168.1.22) + + The new error message is: + + ERROR: An address list (192.168.1.4,192.168.1.22) is not + allowed in the DEST column of a xxx RULE + + where xxx is DNAT or REDIRECT as appropriate. + +2) Two problems have been corrected in the Shorewall-init Debian init + script. + + a) A cosmetic problem which resulted in 'echo_notdone' being + displayed on failure rather than 'not done'. + + b) More seriously, the test for the existance of compiled + firewall scripts was incorrect, with the result that the + firewall scripts were not executed. + + These defects, introduced in Shorewall 4.5.17, have now been + corrected. + +4.6.1 + +1) When the 'rpfilter' option is specified on all interfaces, no + references to the 'dynamic' chain were created and that chain was + optimized away. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 0 +---------------------------------------------------------------------------- + +1) Tuomo Soini has provided new macros for AMOP, MongoDB, Redis, Sieve + and IPMI (RMCP). + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 0 ---------------------------------------------------------------------------- 4.6.0.3 
@@ -438,6 +513,7 @@ 1) The tarball installers, now install .service files with mode 644 rather than mode 600. + ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 6 . 0 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.1.4/shorewall-init.spec new/shorewall-init-4.6.2.1/shorewall-init.spec --- old/shorewall-init-4.6.1.4/shorewall-init.spec 2014-07-04 19:27:05.000000000 +0200 +++ new/shorewall-init-4.6.2.1/shorewall-init.spec 2014-07-18 17:56:13.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-init -%define version 4.6.1 -%define release 4 +%define version 4.6.2 +%define release 1 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} @@ -125,12 +125,16 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Fri Jul 18 2014 Tom Eastep tom@shorewall.net +- Updated to 4.6.2-1 +* Sun Jul 13 2014 Tom Eastep tom@shorewall.net +- Updated to 4.6.2-0base +* Fri Jul 04 2014 Tom Eastep tom@shorewall.net +- Updated to 4.6.2-0RC1 * Wed Jul 02 2014 Tom Eastep tom@shorewall.net -- Updated to 4.6.1-4 -* Sat Jun 21 2014 Tom Eastep tom@shorewall.net -- Updated to 4.6.1-3 -* Fri Jun 20 2014 Tom Eastep tom@shorewall.net -- Updated to 4.6.1-2 +- Updated to 4.6.2-0Beta2 +* Wed Jun 18 2014 Tom Eastep tom@shorewall.net +- Updated to 4.6.2-0Beta1 * Sun Jun 08 2014 Tom Eastep tom@shorewall.net - Updated to 4.6.1-1 * Wed Jun 04 2014 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.1.4/uninstall.sh new/shorewall-init-4.6.2.1/uninstall.sh --- old/shorewall-init-4.6.1.4/uninstall.sh 2014-07-04 19:27:05.000000000 +0200 +++ new/shorewall-init-4.6.2.1/uninstall.sh 2014-07-18 17:56:13.000000000 +0200 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.1.4 +VERSION=4.6.2.1 usage() # $1 = exit status { ++++++ shorewall-lite-4.6.1.4.tar.bz2 -> shorewall-lite-4.6.2.1.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.1.4/changelog.txt new/shorewall-lite-4.6.2.1/changelog.txt --- old/shorewall-lite-4.6.1.4/changelog.txt 2014-07-04 19:27:05.000000000 +0200 +++ new/shorewall-lite-4.6.2.1/changelog.txt 2014-07-18 17:56:13.000000000 +0200 @@ -1,3 +1,46 @@ +Changes in 4.6.2.1 + +1) Update release documents. + +2) Two issues with tcrules processing were corrected. + +Changes in 4.6.2 Final + +1) Update release documents. + +Changes in 4.6.2 RC 1 + +1) Update release documents. + +2) Allow specification of the GATEWAY MAC address. + +3) Fix some brokenness in installation under Cygwin. + +Changes in 4.6.2 Beta 2 + +1) Update release documents. + +2) Update Events.xml with a stateful port knocking example. + +3) Apply Thibaut Chèze's patch for DSCP names. + +4) Allow SAVE/RESTORE rules in the OUTPUT chain. + +5) Add ILO macro from Tuomo Soini. + +6) Apply Tuomo Soini's patch to add additional ports to the IPMI + macro. + +Changes in 4.6.2 Beta 1 + +1) Update release documents. + +2) Implement 'status -i' + +3) Implement 'show bl' + +4) Add TIME column to the mangle file + Changes in 4.6.1.3 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.1.4/configure new/shorewall-lite-4.6.2.1/configure --- old/shorewall-lite-4.6.1.4/configure 2014-07-04 19:27:05.000000000 +0200 +++ new/shorewall-lite-4.6.2.1/configure 2014-07-18 17:56:13.000000000 +0200 
@@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.1.4 +VERSION=4.6.2.1 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.1.4/configure.pl new/shorewall-lite-4.6.2.1/configure.pl --- old/shorewall-lite-4.6.1.4/configure.pl 2014-07-04 19:27:05.000000000 +0200 +++ new/shorewall-lite-4.6.2.1/configure.pl 2014-07-18 17:56:13.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.1.4' + VERSION => '4.6.2.1' }; my %params; @@ -100,7 +100,7 @@ } elsif ( `uname` =~ '^Darwin' ) { $vendor = 'apple'; $rcfilename = 'shorewallrc.apple'; - } elsif ( `uname` =~ '^Cygwin' ) { + } elsif ( `uname` =~ /^Cygwin/i ) { $vendor = 'cygwin'; $rcfilename = 'shorewallrc.cygwin'; } else { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.1.4/install.sh new/shorewall-lite-4.6.2.1/install.sh --- old/shorewall-lite-4.6.1.4/install.sh 2014-07-04 19:27:05.000000000 +0200 +++ new/shorewall-lite-4.6.2.1/install.sh 2014-07-18 17:56:13.000000000 +0200 @@ -22,7 +22,7 @@ # along with this program; if not, see http://www.gnu.org/licenses/. # -VERSION=4.6.1.4 +VERSION=4.6.2.1 usage() # $1 = exit status { @@ -195,7 +195,7 @@ if [ -z "$BUILD" ]; then case $(uname) in - cygwin*) + cygwin*|CYGWIN*) BUILD=cygwin ;; Darwin) @@ -242,7 +242,7 @@ fi case $BUILD in - cygwin*) + cygwin*|CYGWIN*) OWNER=$(id -un) GROUP=$(id -gn) ;; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.1.4/manpages/shorewall-lite-vardir.5 new/shorewall-lite-4.6.2.1/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-4.6.1.4/manpages/shorewall-lite-vardir.5 2014-07-04 19:30:25.000000000 +0200 +++ new/shorewall-lite-4.6.2.1/manpages/shorewall-lite-vardir.5 2014-07-18 17:59:30.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 http://docbook.sf.net/ -.\" Date: 07/04/2014 +.\" Date: 07/18/2014 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "07/04/2014" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\-VAR" "5" "07/18/2014" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.1.4/manpages/shorewall-lite.8 new/shorewall-lite-4.6.2.1/manpages/shorewall-lite.8 --- old/shorewall-lite-4.6.1.4/manpages/shorewall-lite.8 2014-07-04 19:30:27.000000000 +0200 +++ new/shorewall-lite-4.6.2.1/manpages/shorewall-lite.8 2014-07-18 17:59:32.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 http://docbook.sf.net/ -.\" Date: 07/04/2014 +.\" Date: 07/18/2014 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "07/04/2014" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL\-LITE" "8" "07/18/2014" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.1.4/manpages/shorewall-lite.conf.5 new/shorewall-lite-4.6.2.1/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-4.6.1.4/manpages/shorewall-lite.conf.5 2014-07-04 19:30:24.000000000 +0200 +++ new/shorewall-lite-4.6.2.1/manpages/shorewall-lite.conf.5 2014-07-18 17:59:29.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 http://docbook.sf.net/ -.\" Date: 07/04/2014 +.\" Date: 07/18/2014 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "07/04/2014" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\&.CO" "5" "07/18/2014" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.1.4/releasenotes.txt new/shorewall-lite-4.6.2.1/releasenotes.txt --- old/shorewall-lite-4.6.1.4/releasenotes.txt 2014-07-04 19:27:05.000000000 +0200 +++ new/shorewall-lite-4.6.2.1/releasenotes.txt 2014-07-18 17:56:13.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 1 . 4 + S H O R E W A L L 4 . 6 . 2 . 1 ------------------------------------ - J u l y 0 4 , 2 0 1 4 + J u l y 1 9 , 2 0 1 4 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,91 +14,84 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.1.4 +4.6.2.1 -1) The DSCP match in the mangle and tcrles files didn't work with - service class names such as EF, BE, CS1, ... +1) Two issues with tcrules processing have been corrected: -2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in - tcrules and mangle; this was a regression from 4.6.21. + - SAVE and RESTORE generated fatal compilation errors. + - '|' and '&' were ignored. -4.6.1.3 +4.6.2 -1) Use of the 'IfEvent' action resulted in a compilation failure: +1) The DSCP match in the mangle and tcrules files didn't work with + service class names such as EF, BE, CS1, ... (Thibaut Chèze) - ERROR: -j is only allowed when the ACTION is INLINE with no - parameter /usr/share/shorewall/action.IfEvent (line 139) - from /etc/shorewall/action.SSHKnock (line 8) - from /etc/shorewall/rules (line 31) - -4.6.1.2 - -1) The shorewall-masq(5) and shorewall6-masq(5) manpages had a mangled - heading for the description of the SOURCE column, leading some - readers to assert the that description was missing. +2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in + tcrules and mangle; this was a regression from 4.5.21. -2) When INLINE_MATCHES=Yes and AUTOHELPERS=No, start or restart could - fail during script execution with this diagnostic: +3) Additional ports required by Asus, Supermicro and Dell have been + added to the IPMI macro (Tuomo Soini). - Running /sbin/iptables-restore... - Bad argument `helper=netbios-ns' - Error occurred at line: nnn - Try `iptables-restore -h' or 'iptables-restore --help' for more - information. - ERROR: iptables-restore Failed. Input is in - /var/lib/shorewall/.iptables-restore-input +4) Some issues regarding install under Cygwin64 have been addressed. 
-4.6.1.1 + - configure.pl did not understand CYGWIN returned from `uname` + - Shorewall-core install.sh did not understand CYGWIN returned from + `uname`. + - The Shorewall and Shorewall6 installers tried to run the command + 'mkdir -p //etc/shorewall[6]' which is broken in the current + Cygwin64. -1) An improved error message is generatred when a server address list - is specified in the DEST colume of a DNAT or REDIRECT - rule. At one time, iptables supported such lists, but now only a - single address or an address range is supported. +---------------------------------------------------------------------------- + I I. K N O W N P R O B L E M S R E M A I N I N G +---------------------------------------------------------------------------- - The previous error message was: +1) On systems running Upstart, shorewall-init cannot reliably secure + the firewall before interfaces are brought up. - ERROR: Unkknown Host (192.168.1.4,192.168.1.22) +---------------------------------------------------------------------------- + I I I. N E W F E A T U R E S I N T H I S R E L E A S E +---------------------------------------------------------------------------- - The new error message is: +1) The 'status' command now allows a -i option which causes the state + of all optional and provider interfaces to be displayed. - ERROR: An address list (192.168.1.4,192.168.1.22) is not - allowed in the DEST column of a xxx RULE + Example: - where xxx is DNAT or REDIRECT as appropriate. + root@gateway:/etc/shorewall# shorewall status -i + Shorewall-4.6.1 Status at gateway - Wed Jun 18 14:27:19 PDT 2014 -2) Two problems have been corrected in the Shorewall-init Debian init - script. + Shorewall is running + State:Started (Wed Jun 18 09:50:01 PDT 2014) from /etc/shorewall/ + (/var/lib/shorewall/firewall compiled by Shorewall version 4.6.1) - a) A cosmetic problem which resulted in 'echo_notdone' being - displayed on failure rather than 'not done'. 
+ Interface eth0 is Enabled + Interface eth1 is Enabled + Interface lo is Enabled - b) More seriously, the test for the existance of compiled - firewall scripts was incorrect, with the result that the - firewall scripts were not executed. +2) A 'shorewall show blacklists' command has been + implemented. The abbreviation 'bl' may be used in place of + 'blacklists'. - These defects, introduced in Shorewall 4.5.17, have now been - corrected. + The command displays the output of the 'dynamic' chain together + with the chains created by entries in the blrules file. -4.6.1 +3) A TIME column has been added to the mangle file. It has the same + use in that file as the corresponding column in the rules file. -1) When the 'rpfilter' option is specified on all interfaces, no - references to the 'dynamic' chain were created and that chain was - optimized away. +4) A stateful port knocking example has been added to the Events + article (http://www.shorewall.net/Events.html). This example allows + a sequence of knocking ports to be defined (Gerhard Weisinger). ----------------------------------------------------------------------------- - I I. K N O W N P R O B L E M S R E M A I N I N G ----------------------------------------------------------------------------- +5) A macro supporting HP's Integrated Lights Out (ILO) has been added + (Tuomo Soini). -1) On systems running Upstart, shorewall-init cannot reliably secure - the firewall before interfaces are brought up. +6) It is now possible to specify the MAC address of a provider + GATEWAY. This is useful when there are multiple providers serviced + by a single interface as it avoids the need for the generated + script to detect the MAC during start/restart. ----------------------------------------------------------------------------- - I I I. 
N E W F E A T U R E S I N T H I S R E L E A S E ----------------------------------------------------------------------------- +7) The copyrights in the sample configuration files have been updated. -1) Tuomo Soini has provided new macros for AMOP, MongoDB, Redis, Sieve - and IPMI (RMCP). - ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S ---------------------------------------------------------------------------- 
@@ -371,7 +364,89 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4.6.0 + P R O B L E M S C O R R E C T E D I N 4 . 6 . 0 +---------------------------------------------------------------------------- + +4.6.1.4 + +1) The DSCP match in the mangle and tcrles files didn't work with + service class names such as EF, BE, CS1, ... + +2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in + tcrules and mangle; this was a regression from 4.6.21. + +4.6.1.3 + +1) Use of the 'IfEvent' action resulted in a compilation failure: + + ERROR: -j is only allowed when the ACTION is INLINE with no + parameter /usr/share/shorewall/action.IfEvent (line 139) + from /etc/shorewall/action.SSHKnock (line 8) + from /etc/shorewall/rules (line 31) + +4.6.1.2 + +1) The shorewall-masq(5) and shorewall6-masq(5) manpages had a mangled + heading for the description of the SOURCE column, leading some + readers to assert the that description was missing. + +2) When INLINE_MATCHES=Yes and AUTOHELPERS=No, start or restart could + fail during script execution with this diagnostic: + + Running /sbin/iptables-restore... + Bad argument `helper=netbios-ns' + Error occurred at line: nnn + Try `iptables-restore -h' or 'iptables-restore --help' for more + information. + ERROR: iptables-restore Failed. Input is in + /var/lib/shorewall/.iptables-restore-input + +4.6.1.1 + +1) An improved error message is generatred when a server address list + is specified in the DEST colume of a DNAT or REDIRECT + rule. At one time, iptables supported such lists, but now only a + single address or an address range is supported. 
+ + The previous error message was: + + ERROR: Unkknown Host (192.168.1.4,192.168.1.22) + + The new error message is: + + ERROR: An address list (192.168.1.4,192.168.1.22) is not + allowed in the DEST column of a xxx RULE + + where xxx is DNAT or REDIRECT as appropriate. + +2) Two problems have been corrected in the Shorewall-init Debian init + script. + + a) A cosmetic problem which resulted in 'echo_notdone' being + displayed on failure rather than 'not done'. + + b) More seriously, the test for the existance of compiled + firewall scripts was incorrect, with the result that the + firewall scripts were not executed. + + These defects, introduced in Shorewall 4.5.17, have now been + corrected. + +4.6.1 + +1) When the 'rpfilter' option is specified on all interfaces, no + references to the 'dynamic' chain were created and that chain was + optimized away. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 0 +---------------------------------------------------------------------------- + +1) Tuomo Soini has provided new macros for AMOP, MongoDB, Redis, Sieve + and IPMI (RMCP). + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 0 ---------------------------------------------------------------------------- 4.6.0.3 
@@ -438,6 +513,7 @@ 1) The tarball installers, now install .service files with mode 644 rather than mode 600. + ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 6 . 0 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.1.4/shorewall-lite.spec new/shorewall-lite-4.6.2.1/shorewall-lite.spec --- old/shorewall-lite-4.6.1.4/shorewall-lite.spec 2014-07-04 19:27:05.000000000 +0200 +++ new/shorewall-lite-4.6.2.1/shorewall-lite.spec 2014-07-18 17:56:13.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-lite -%define version 4.6.1 -%define release 4 +%define version 4.6.2 +%define release 1 %define initdir /etc/init.d Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. @@ -105,12 +105,16 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Fri Jul 18 2014 Tom Eastep tom@shorewall.net +- Updated to 4.6.2-1 +* Sun Jul 13 2014 Tom Eastep tom@shorewall.net +- Updated to 4.6.2-0base +* Fri Jul 04 2014 Tom Eastep tom@shorewall.net +- Updated to 4.6.2-0RC1 * Wed Jul 02 2014 Tom Eastep tom@shorewall.net -- Updated to 4.6.1-4 -* Sat Jun 21 2014 Tom Eastep tom@shorewall.net -- Updated to 4.6.1-3 -* Fri Jun 20 2014 Tom Eastep tom@shorewall.net -- Updated to 4.6.1-2 +- Updated to 4.6.2-0Beta2 +* Wed Jun 18 2014 Tom Eastep tom@shorewall.net +- Updated to 4.6.2-0Beta1 * Sun Jun 08 2014 Tom Eastep tom@shorewall.net - Updated to 4.6.1-1 * Wed Jun 04 2014 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.1.4/uninstall.sh new/shorewall-lite-4.6.2.1/uninstall.sh --- old/shorewall-lite-4.6.1.4/uninstall.sh 2014-07-04 19:27:05.000000000 +0200 +++ new/shorewall-lite-4.6.2.1/uninstall.sh 2014-07-18 17:56:13.000000000 +0200 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.1.4 +VERSION=4.6.2.1 usage() # $1 = exit status { ++++++ shorewall-4.6.1.4.tar.bz2 -> shorewall6-4.6.2.1.tar.bz2 ++++++ ++++ 125109 lines of diff (skipped) ++++++ shorewall-lite-4.6.1.4.tar.bz2 -> shorewall6-lite-4.6.2.1.tar.bz2 ++++++ ++++ 7592 lines of diff (skipped)
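Review bot: In the releasenotes.txt hunk @@ -14,91 +14,84 @@ (section I/III, present identically in the shorewall and shorewall-lite tarballs), the 'status -i' example added under new feature 1 still shows "Shorewall-4.6.1 Status at gateway" and "compiled by Shorewall version 4.6.1", although these are the 4.6.2.1 release notes and the option is introduced as new in this release; either regenerate the sample on a 4.6.2 build or say in the text that the capture predates the release, so readers do not take the version strings as an indication that the option exists in 4.6.1.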
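Review bot: In the releasenotes.txt hunk @@ -371,7 +364,89 @@ (same content in both the shorewall and shorewall-lite copies), the section headings placed over the moved 4.6.1.x entries are mislabelled: the first "P R O B L E M S C O R R E C T E D I N 4 . 6 . 0" now sits above the 4.6.1.4, 4.6.1.3, 4.6.1.2, 4.6.1.1 and 4.6.1 entries, and the added "N E W F E A T U R E S I N 4 . 6 . 0" sits above the macros entry that was previously section III of the 4.6.1.4 notes; with the unchanged headings visible as context in @@ -438,6 +513,7 @@ each 4.6.0 heading therefore appears twice in the file. Both added headings should read "4 . 6 . 1". The moved lines also carry forward errors that the rewrite of section I already fixes for the 4.6.2 entries: "tcrles" should be "tcrules" and "this was a regression from 4.6.21" should be "4.5.21" (compare the new 4.6.2 item 2), and the 4.6.1.1/4.6.1.2 text has "generatred", "colume", "existance" and "assert the that description"; since these are being re-added as `+` lines anyway, correct them in the move rather than preserving them.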
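Review bot: In the %changelog hunks of shorewall-init.spec (@@ -125,12 +125,16 @@) and shorewall-lite.spec (@@ -105,12 +105,16 @@), the entries "Updated to 4.6.1-4", "Updated to 4.6.1-3" and "Updated to 4.6.1-2" (with their "Wed Jul 02", "Sat Jun 21" and "Fri Jun 20" dates) are removed and replaced by the 4.6.2 Beta1/Beta2 entries, so the packaged changelog no longer records the 4.6.1.2 to 4.6.1.4 builds. An RPM %changelog is normally append-only; keep the 4.6.1-x lines below the new 4.6.2 entries (or, if the 4.6.2 branch intentionally omits them, say so in the commit message) so the history stays reconstructible from the spec alone.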
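Review bot: In the configure.pl hunk @@ -100,7 +100,7 @@, the Cygwin branch is changed from the string pattern `'^Cygwin'` to the case-insensitive regex literal `/^Cygwin/i`, while the Darwin branch in the context line `} elsif ( `uname` =~ '^Darwin' ) {` keeps the string form. The string form is still case sensitive, which is exactly what broke on Cygwin64 (its `uname` reports an upper-case `CYGWIN_NT-...` prefix); for consistency and to avoid a repeat of this class of bug, use the same `/^.../i` regex-literal style for every vendor test in this chain, and add a comment noting why the Cygwin match must be case-insensitive.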
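Review bot: In the install.sh hunk @@ -195,7 +195,7 @@, `cygwin*|CYGWIN*)` only covers two spellings of what `uname` may return; since the intent (per the release notes) is to accept the upper-case `CYGWIN` that Cygwin64 reports, a case-insensitive test would be more robust and would match the `/^Cygwin/i` change made to configure.pl in the same release, for example by normalising the value first (`case $(uname | tr '[:upper:]' '[:lower:]') in` with the single pattern `cygwin*)`). If the two-alternative pattern is kept, a comment explaining why both cases are listed would help the next reader.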
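Review bot: In the install.sh hunk @@ -242,7 +242,7 @@, the `CYGWIN*` alternative added to `case $BUILD in` is redundant with respect to the hunk above it: that hunk sets `BUILD=cygwin` (lower case) whenever `uname` matched, so `CYGWIN*` can only fire when BUILD is supplied from the environment in upper case. That is harmless, but it means the two patterns are not really the same concern; either document that BUILD is accepted case-insensitively when user-supplied, or normalise BUILD to lower case once where it is set, so that each `case` needs only the canonical `cygwin*)` pattern.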