Hello community,

here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2017-11-20 17:04:52

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shorewall (Old)
 and      /work/SRC/openSUSE:Factory/.shorewall.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "shorewall"

Mon Nov 20 17:04:52 2017 rev:101 rq:542468 version:5.1.8.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes	2017-08-28 15:19:18.402670576 +0200
+++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes	2017-11-20 17:06:10.228102321 +0100
@@ -1,0 +2,62 @@ +Sun Nov 12 16:19:38 UTC 2017 - bruno@ioda-net.ch + +- spec : + + use new %_fillupdir macro with env DIRFILLUP in build + * Redone patches *-fillup-install.patch to use ${DIRFILLUP} + * use new %_fillupdir macro in files + + change require perl to perl-base + + Added conflict with firewalld + + Refresh list of files and modules + +- Run shorewall(6) update -A to update your configurations + Check and adapt them before restarting. + +- 5.1.8.1 release - Recommended action : + + Update release documents + + Make persistent routes and rules independent of 'autosrc' + + Correct 'delete_default_routes()' + + Delete default routes from 'main' when a fallback provider is + successfully enabled + + Don't restore default route when a fallback provider is enabled + + Issue a warning when 'persistent' is used with + RESTORE_DEFAULT_ROUTE=Yes + + Don't dump SPD entries for the other address family + + Fix 'persistent' provider issues + + Treat LOG_TARGET the same as all other capabilities + + Allow merging of rules with IPSEC policies + +- 5.1.7.2 release + Please refer to releasenote.txt for a detailled description. + As always use shorewall [-6] update and revise your configuration + + Features summary + * Module loading streamlined, shorewall [-6] update will remove + MODULE_SUFFIX configuration + * Check route if detect is used in gateway column (dhcpd5 has + now binary encoded .lease) + * DNAT and REDIRECT support in ShorewallActions + * Docker configuration support: DOCKER-INGRESS chain. + + Fixes summary + * Fix shorewall-snat(5) man page example, DEST column has to be + read eth0:+myset[dst] + * Fix invalid vlsm to ipcalc message + * ADD_IP_ALIASES is set to NO for ipv6 while yes for ipv4 + * Cleanup .tmp in save ipset operations. 
+ * Command reenable fix for persistent and non-persistent + interfaces + * Warn if getattr failed (SeLinux) + +- 5.1.6 release + + Fixes summary + * $SHAREDIR $CONFIGDIR available again + * Fix compilation with optimize level 8 + * Be consistant with Netfilter interpretation of 'eth'='eth+' + * RESTORE_WAIT_OPTION serialize start of ipv4/ipv6 with -w option + * RDP macros handle also UDP part + + Features summary + * Sparse option (not implemented in our spec) + * Add enable / disable runtime extension script + * Check zone and subzone to share at least one interface + * Runtime address and port variables + * Iptables --wait option used for serialization + +------------------------------------------------------------------- Old: ---- shorewall-5.1.5.2.tar.bz2 shorewall-core-5.1.5.2.tar.bz2 shorewall-docs-html-5.1.5.2.tar.bz2 shorewall-init-5.1.5.2.tar.bz2 shorewall-lite-5.1.5.2.tar.bz2 shorewall6-5.1.5.2.tar.bz2 shorewall6-lite-5.1.5.2.tar.bz2 New: ---- shorewall-5.1.8.1.tar.bz2 shorewall-core-5.1.8.1.tar.bz2 shorewall-docs-html-5.1.8.1.tar.bz2 shorewall-init-5.1.8.1.tar.bz2 shorewall-lite-5.1.8.1.tar.bz2 shorewall6-5.1.8.1.tar.bz2 shorewall6-lite-5.1.8.1.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.ZtqdLA/_old 2017-11-20 17:06:11.080071476 +0100 +++ /var/tmp/diff_new_pack.ZtqdLA/_new 2017-11-20 17:06:11.080071476 +0100 @@ -16,12 +16,15 @@ # -# +#2017+ New fillup location +%if ! %{defined _fillupdir} + %define _fillupdir /var/adm/fillup-templates +%endif %define have_systemd 1 %define dmaj 5.1 -%define dmin 5.1.5 +%define dmin 5.1.8 Name: shorewall -Version: 5.1.5.2 +Version: 5.1.8.1 Release: 0 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems License: GPL-2.0 
@@ -50,9 +53,10 @@ Requires: iproute2 Requires: iptables Requires: logrotate +Requires: perl-base Suggests: xtables-addons PreReq: %fillup_prereq -Conflicts: SuSEfirewall2 +Conflicts: SuSEfirewall2 firewalld Provides: shoreline_firewall = %{version}-%{release} BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch @@ -75,7 +79,7 @@ Requires: iptables Requires: logrotate PreReq: %fillup_prereq -Conflicts: SuSEfirewall2 +Conflicts: SuSEfirewall2 firewalld Provides: shoreline_firewall = %{version}-%{release} %{?systemd_requires} @@ -94,8 +98,9 @@ Requires: %{_sbindir}/service Requires: %{name}-core = %{version}-%{release} Requires: logrotate +Requires: perl-base PreReq: %fillup_prereq -Conflicts: SuSEfirewall2 +Conflicts: SuSEfirewall2 firewalld Provides: shoreline_firewall = %{version}-%{release} %{?systemd_requires} @@ -112,7 +117,7 @@ Requires: %{name}-core Requires: logrotate PreReq: %fillup_prereq -Conflicts: SuSEfirewall2 +Conflicts: SuSEfirewall2 firewalld Provides: shoreline_firewall = %{version}-%{release} %{?systemd_requires} @@ -132,7 +137,7 @@ Requires: %{name} >= 5.0 Requires: logrotate PreReq: %fillup_prereq -Conflicts: SuSEfirewall2 +Conflicts: SuSEfirewall2 firewalld %{?systemd_requires} %description init @@ -158,8 +163,8 @@ License: GPL-2.0 Group: Productivity/Networking/Security Requires: iptables -Requires: perl -Conflicts: SuSEfirewall2 +Requires: perl-base +Conflicts: SuSEfirewall2 firewalld %description core This package contains the core libraries for Shorewall. 
@@ -228,13 +233,13 @@ sharedir=%{_datadir} if [ $i != shorewall-init ];then - DESTDIR=%buildroot ./install.sh shorewallrc + DESTDIR=%{buildroot} FILLUPDIR=%{_fillupdir} ./install.sh shorewallrc else install -d %buildroot/%{_sysconfdir}/NetworkManager/dispatcher.d %if 0%{?suse_version} BUILD=suse \ %endif - DESTDIR=%buildroot ./install.sh shorewallrc + DESTDIR=%{buildroot} FILLUPDIR=%{_fillupdir} ./install.sh shorewallrc if [ -f ${DESTDIR}%{_sysconfdir}/ppp ]; then for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do @@ -257,8 +262,8 @@ # starting with 12.3 drop sysv-init support fedora already did rm -rf %buildroot%_initddir -touch %{buildroot}/%{_sysconfdir}/%{name}/isusable -touch %{buildroot}/%{_sysconfdir}/%{name}6/isusable +#touch %%{buildroot}/%%{_sysconfdir}/%%{name}/isusable +#touch %%{buildroot}/%%{_sysconfdir}/%%{name}6/isusable touch %{buildroot}%{_sysconfdir}/%{name}/notrack touch %{buildroot}%{_sysconfdir}/%{name}6/notrack @@ -376,9 +381,10 @@ %doc %{name}-%version/{COPYING,changelog.txt,releasenotes.txt,README.openSUSE} %{_sbindir}/rc%{name} %{_sbindir}/%{name} -%{_localstatedir}/adm/fillup-templates/sysconfig.%{name} +%{_fillupdir}/sysconfig.%{name} %dir %{_sysconfdir}/%{name} -# FIXME +%ghost %{_sysconfdir}/%{name}/isusable +%ghost %{_sysconfdir}/%{name}/masq %config(noreplace) %{_sysconfdir}/%{name}/* %dir %{_datadir}/%{name} %dir %{_libexecdir}/%{name} 
@@ -390,19 +396,19 @@ %{_datadir}/%{name}/version %{_datadir}/%{name}/actions.std %{_datadir}/%{name}/action.* -%{_datadir}/%{name}/lib.cli-std +%{_datadir}/%{name}/lib.base %{_datadir}/%{name}/macro.* -%{_datadir}/%{name}/modules -%{_datadir}/%{name}/modules.* +%{_datadir}/%{name}/modules* +%{_datadir}/%{name}/prog.* %{_datadir}/%{name}/helpers %{_datadir}/%{name}/configpath -%{_libexecdir}/%{name}/getparams -%attr(755,root,root) %{_libexecdir}/%{name}/compiler.pl -%{_datadir}/%{name}/prog.* -%dir %perl_vendorlib/Shorewall -%perl_vendorlib/Shorewall/*.pm %{_datadir}/%{name}/configfiles/* -%{_datadir}/%{name}/deprecated/* +%{_datadir}/%{name}/deprecated/action.* +%{_datadir}/%{name}/deprecated/macro.* +%attr(755,root,root) %{_libexecdir}/%{name}/getparams +%attr(755,root,root) %{_libexecdir}/%{name}/compiler.pl +%dir %{perl_vendorlib}/Shorewall +%{perl_vendorlib}/Shorewall/*.pm %{_mandir}/man5/%{name}-[a-k,m-z]*.5* %{_mandir}/man5/%{name}.conf.5* %{_mandir}/man8/%{name}.8* @@ -412,7 +418,7 @@ %defattr(-,root,root,-) %doc %{name}-lite-%version/{COPYING,changelog.txt,releasenotes.txt} # FIXME -%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}-lite +%{_fillupdir}/sysconfig.%{name}-lite %dir %{_sysconfdir}/%{name}-lite %config(noreplace) %{_sysconfdir}/%{name}-lite/%{name}-lite.conf # FIXME 
@@ -438,22 +444,24 @@ %doc %{name}6-%version/{COPYING,changelog.txt,releasenotes.txt,tunnel,ipv6,ipsecvpn} %{_sbindir}/rc%{name}6 %{_sbindir}/%{name}6 -%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}6 +%{_fillupdir}/sysconfig.%{name}6 %dir %{_sysconfdir}/%{name}6 +%ghost %{_sysconfdir}/%{name}6/isusable +%ghost %{_sysconfdir}/%{name}6/masq %config(noreplace) %{_sysconfdir}/%{name}6/* -%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}6 %dir %{_datadir}/%{name}6 %dir %{_libexecdir}/%{name}6 %dir %{_datadir}/%{name}6/configfiles +%dir %{_datadir}/%{name}6/deprecated %attr(0700,root,root) %dir %{_localstatedir}/lib/%{name}6 +%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}6 %{_datadir}/%{name}6/version %{_datadir}/%{name}6/actions.std %{_datadir}/%{name}6/action.* -%attr(- ,root,root) %{_datadir}/%{name}6/functions +%{_datadir}/%{name}6/functions %{_datadir}/%{name}6/lib.base %{_datadir}/%{name}6/macro.* -%{_datadir}/%{name}6/modules -%{_datadir}/%{name}6/modules.* +%{_datadir}/%{name}6/modules* %{_datadir}/%{name}6/helpers %{_datadir}/%{name}6/configpath %{_datadir}/%{name}6/configfiles/* @@ -467,7 +475,7 @@ %{_mandir}/man5/%{name}6-lite*.5* %{_mandir}/man8/%{name}6-lite.8* %doc %{name}6-lite-%version/{COPYING,changelog.txt,releasenotes.txt} -%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}6-lite +%{_fillupdir}/sysconfig.%{name}6-lite %dir %{_sysconfdir}/%{name}6-lite %config(noreplace) %{_sysconfdir}/%{name}6-lite/%{name}6-lite.conf %{_sbindir}/rc%{name}6-lite @@ -489,7 +497,7 @@ %defattr(-,root,root,-) %doc %{name}-init-%version/{COPYING,changelog.txt,releasenotes.txt} %{_sbindir}/rc%{name}-init -%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}-init +%{_fillupdir}/sysconfig.%{name}-init %attr(0755,root,root) %{_sbindir}/shorewall-init %dir %{_datadir}/%{name}-init %dir %{_libexecdir}/%{name}-init 
@@ -510,8 +518,8 @@ %dir %{_datadir}/shorewall/ %{_datadir}/shorewall/coreversion %{_datadir}/shorewall/functions -%{_datadir}/shorewall/lib.base %{_datadir}/shorewall/lib.cli +%{_datadir}/shorewall/lib.cli-std %{_datadir}/shorewall/lib.common %{_datadir}/shorewall/lib.core %{_datadir}/shorewall/lib.runtime ++++++ shorewall-5.1.5.2.tar.bz2 -> shorewall-5.1.8.1.tar.bz2 ++++++ ++++ 4055 lines of diff (skipped) ++++++ shorewall-core-5.1.5.2.tar.bz2 -> shorewall-core-5.1.8.1.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.5.2/changelog.txt new/shorewall-core-5.1.8.1/changelog.txt --- old/shorewall-core-5.1.5.2/changelog.txt 2017-08-02 00:47:07.000000000 +0200 +++ new/shorewall-core-5.1.8.1/changelog.txt 2017-11-08 19:50:08.000000000 +0100 
@@ -1,3 +1,144 @@ +Changes in 5.1.8.1 + +1) Update release documents. + +2) Make persistent routes and rules independent of 'autosrc'. + +Changes in 5.1.8 + +1) Update release documents. + +Changes in 5.1.8 RC 1 + +1) Update release documents. + +2) Correct 'delete_default_routes()'. + +3) Delete default routes from 'main' when a fallback provider is + successfully enabled. + +4) Don't restore default route when a fallback provider is enabled. + +5) Issue a warning when 'persistent' is used with + RESTORE_DEFAULT_ROUTE=Yes. + +6) Don't dump SPD entries for the other address family. + +Changes in 5.1.8 Beta 2 + +1) Update release documents. + +2) Fix 'persistent' provider issues. + +Changes in 5.1.8 Beta 1 + +1) Update release documents. + +2) Treat LOG_TARGET the same as all other capabilities. + +3) Allow merging of rules with IPSEC policies + +Changes in 5.1.7.1 + +1) Update release documents. + +2) Correct 'reenable' logic for persistent providers. + +3) Align progress messages produced by 'reenable'. + +Changes in 5.1.7 Final + +1) Update release documents. + +Changes in 5.1.7 RC 2 + +1) Update release documents. + +2) Correct module loading. + +3) Add DOCKER-INGRESS support. + +Changes in 5.1.7 RC 1 + +1) Update release documents. + +2) Correct handling of ipsets in the DEST column of the snat file. + +3) Allow NAT rules to be passed to perl_action_helper() + +4) Split NAT and ACCEPT rules in the Event actions. + +5) Correct VLSM verification logic in the 'ipcalc' command. + +6) Fix ADD_IP_ALIASES default. + +7) Remove empty/useless .tmp files created during shorewall-init stop. + +Changes in 5.1.7 Beta 2 + +1) Update release documents. + +2) Improve dynamic gateway detection. + +Changes in 5.1.7 Beta 1 + +1) Update release documents. + +2) Simplify Module Loading (Tuomo Soini) + +3) Eliminate MODULE_SUFFIX. + +Changes in 5.1.6 Final + +1) Update release documents. + +2) Allow port variables as server port in DNAT rules. 
+ +3) Change MODULE_SUFFIX standard default to "ko ko.xz" + +4) Added UDP rule to macro.RDP. + +Changes in 5.1.6 RC 2 + +1) Update release documents. + +2) Use MUTEX_TIMEOUT for ip[6]tables-restore --wait interval + +Changes in 5.1.6 RC 1 + +1) Update release documents. + +2) Make Shorewall's handling of '+' consistent with Netfilter's. + +3) Verify that parent and child zones have an interface in common. + +4) Allow runtime address variables as the DNAT server address. + +5) Prevent IPv4 and IPv6 firewalls from starting simultaneously under + systemd. + +6) Use the ip[6]-tables --wait option, if available. + +Changes in 5.1.6 Beta 2 + +1) Update release documents. + +2) Pass arguments to the enable and disable user exit functions + +3) Export CONFDIR and SHAREDIR to the generated script. + +4) Correct handling of combining a policy chain with a normal chain. + +Changes in 5.1.6 Beta 1 + +1) Update release documents. + +2) Apply Bernhard M. Wiedemann's patch for reproducible builds. + +3) Patch configure.pl to support reproducible builds. + +4) Merge content from 5.1.5.1. + Changes in 5.1.5.2 1) Update release documents. @@ -15,6 +156,10 @@ 2) Process the snat file if the masq file is empty. +3) Apply Bernhard Wiedemann's configure change. + +4) Make a similar change to configure.pl. + Changes in 5.1.5 Final 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.5.2/configure new/shorewall-core-5.1.8.1/configure --- old/shorewall-core-5.1.5.2/configure 2017-08-02 00:47:06.000000000 +0200 +++ new/shorewall-core-5.1.8.1/configure 2017-11-08 19:50:08.000000000 +0100 
@@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.1.5.2 +VERSION=5.1.8.1 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.5.2/configure.pl new/shorewall-core-5.1.8.1/configure.pl --- old/shorewall-core-5.1.5.2/configure.pl 2017-08-02 00:47:06.000000000 +0200 +++ new/shorewall-core-5.1.8.1/configure.pl 2017-11-08 19:50:08.000000000 +0100 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.1.5.2' + VERSION => '5.1.8.1' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.5.2/install.sh new/shorewall-core-5.1.8.1/install.sh --- old/shorewall-core-5.1.5.2/install.sh 2017-08-02 00:47:06.000000000 +0200 +++ new/shorewall-core-5.1.8.1/install.sh 2017-11-08 19:50:08.000000000 +0100 @@ -22,7 +22,7 @@ # along with this program; if not, see http://www.gnu.org/licenses/. # -VERSION=5.1.5.2 +VERSION=5.1.8.1 PRODUCT=shorewall-core Product="Shorewall Core" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.5.2/known_problems.txt new/shorewall-core-5.1.8.1/known_problems.txt --- old/shorewall-core-5.1.5.2/known_problems.txt 2017-08-02 00:47:07.000000000 +0200 +++ new/shorewall-core-5.1.8.1/known_problems.txt 2017-11-08 19:50:08.000000000 +0100 
@@ -5,26 +5,10 @@ correctly in configurations with USE_DEFAULT_RT=No and optional providers listed in the DUPLICATE column. -3) If a masq file with no entries is found by the compiler, then the - snat file, if any, is ignored. +3) If 'noautosrc' 1s specified on a provider, then persistent routes + and rules for that provider are treated as ordinary routes and + rules (they are removed when the provider is enabled). - Corrected in Shorewall 5.1.5.1. + Corrected in Shorewall 5.1.8.1. -4) When BASIC_FILTERS=Yes, the compiler generates an invalid tc - command when a source port is specified in a tcfilters entry. - Corrected in Shorewall 5.1.5.2. - -5) Specifying a USER in the OUTPUT section of the accounting file - causes the compilter to incorrectly generate the following error - message: - - ERROR: USER/GROUP may only be specified in the OUTPUT section - - Corrected in Shorewall 5.1.5.2. - -6) If a MAC address is specified in the OUTPUT section of the - accounting file, no error is generated at compile time. A failure - does occur, however, at run-time. - - Corrected in Shorewall 5.1.5.2. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.5.2/lib.base new/shorewall-core-5.1.8.1/lib.base --- old/shorewall-core-5.1.5.2/lib.base 2017-07-27 23:55:19.000000000 +0200 +++ new/shorewall-core-5.1.8.1/lib.base 2017-11-08 18:46:25.000000000 +0100 
@@ -1,7 +1,7 @@ # -# Shorewall 5.0 -- /usr/share/shorewall/lib.base +# Shorewall 5.1 -- /usr/share/shorewall/lib.base # -# (c) 1999-2015 - Tom Eastep (teastep@shorewall.net) +# (c) 1999-2017 - Tom Eastep (teastep@shorewall.net) # # Complete documentation is available at http://shorewall.net # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.5.2/lib.cli new/shorewall-core-5.1.8.1/lib.cli --- old/shorewall-core-5.1.5.2/lib.cli 2017-07-27 23:55:19.000000000 +0200 +++ new/shorewall-core-5.1.8.1/lib.cli 2017-11-08 18:46:25.000000000 +0100 @@ -25,7 +25,7 @@ # loaded after this one and replaces some of the functions declared here. # -SHOREWALL_CAPVERSION=50105 +SHOREWALL_CAPVERSION=50106 if [ -z "$g_basedir" ]; then # @@ -1137,16 +1137,31 @@ cat ${directory}/macro.$1 } # -# Don't dump empty SPD entries +# Don't dump empty SPD entries or entries from the other address family # -spd_filter() -{ - awk \ - 'BEGIN { skip=0; }; \ - /^src/ { skip=0; }; \ - /^src 0.0.0.0\/0/ { skip=1; }; \ - /^src ::\/0/ { skip=1; }; \ - { if ( skip == 0 ) print; };' +spd_filter() { + # + # af = Address Family (4 or 6) + # afok = Address Family of entry matches af + # p = print the contents of A (entry is not empty) + # i = Number of lines stored in A + # + awk -v af=$g_family \ + 'function prnt(A,i, j) { while ( j < i ) print A[j++]; };\ +\ + /^src / { if (p) prnt( A, i );\ + afok = 1;\ + p = 0;\ + i = 0;\ + if ( af == 4 )\ + { if ( /:/ ) afok = 0; }\ + else\ + { if ( /\./ ) afok = 0; }\ + };\ + { if ( afok ) A[i++] = $0; };\ + /tmpl/ { p = afok; };\ +\ + END { if (p) prnt( A, i ); }' } # # Print a heading with leading and trailing black lines @@ -1159,7 +1174,8 @@ show_ipsec() { heading "PFKEY SPD" - $IP -s xfrm policy | spd_filter + $IP -s -$g_family xfrm policy | spd_filter + heading "PFKEY SAD" $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys } 
@@ -2770,7 +2786,7 @@ GOTO_TARGET= LOGMARK_TARGET= IPMARK_TARGET= - LOG_TARGET=Yes + LOG_TARGET= ULOG_TARGET= NFLOG_TARGET= PERSISTENT_SNAT= @@ -2804,6 +2820,7 @@ CPU_FANOUT= NETMAP_TARGET= NFLOG_SIZE= + RESTORE_WAIT_OPTION= AMANDA_HELPER= FTP_HELPER= @@ -2827,9 +2844,11 @@ qt $arptables -L OUT && ARPTABLESJF=Yes fi + [ -z "$(${g_tool}-restore --wait < /dev/null 2>&1)" ] && RESTORE_WAIT_OPTION=Yes + if qt $g_tool --wait -t filter -L INPUT -n -v; then WAIT_OPTION=Yes - tool="$tool --wait" + g_tool="$g_tool --wait" fi chain=fooX$$ @@ -3135,7 +3154,7 @@ qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes qt $g_tool -A $chain -g $chain1 && GOTO_TARGET=Yes qt $g_tool -A $chain -j LOGMARK && LOGMARK_TARGET=Yes - qt $g_tool -A $chain -j LOG || LOG_TARGET= + qt $g_tool -A $chain -j LOG && LOG_TARGET=Yes qt $g_tool -A $chain -j ULOG && ULOG_TARGET=Yes qt $g_tool -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes qt $g_tool -A $chain -m statistic --mode nth --every 2 --packet 1 && STATISTIC_MATCH=Yes @@ -3299,9 +3318,11 @@ if [ $g_family -eq 4 ]; then report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S report_capability "iptables --wait option (WAIT_OPTION)" $WAIT_OPTION + report_capability "iptables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION else report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S report_capability "ip6tables --wait option (WAIT_OPTION)" $WAIT_OPTION + report_capability "ip6tables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION fi report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER @@ -3417,6 +3438,7 @@ report_capability1 CPU_FANOUT report_capability1 NETMAP_TARGET report_capability1 NFLOG_SIZE + report_capability1 RESTORE_WAIT_OPTION report_capability1 AMANDA_HELPER report_capability1 FTP_HELPER 
@@ -3721,7 +3743,7 @@ valid_address $address || fatal_error "Invalid IP address: $address" [ -z "$vlsm" ] && fatal_error "Missing VLSM" - [ "x$address" = "x$vlsm" ] && "Invalid VLSM" + [ "x$address" = "x$vlsm" ] && fatal_error "Invalid VLSM" [ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm" address=$address/$vlsm diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.5.2/lib.common new/shorewall-core-5.1.8.1/lib.common --- old/shorewall-core-5.1.5.2/lib.common 2017-07-27 23:55:19.000000000 +0200 +++ new/shorewall-core-5.1.8.1/lib.common 2017-11-08 18:46:25.000000000 +0100 @@ -1,7 +1,7 @@ # -# Shorewall 5.0 -- /usr/share/shorewall/lib.common. +# Shorewall 5.1 -- /usr/share/shorewall/lib.common. # -# (c) 2010-2015 - Tom Eastep (teastep@shorewall.net) +# (c) 2010-2017 - Tom Eastep (teastep@shorewall.net) # # Complete documentation is available at http://shorewall.net # 
@@ -269,53 +269,48 @@ { local modulename modulename=$1 + shift + local moduleoptions + moduleoptions=$* local modulefile local suffix if [ -d /sys/module/ ]; then if ! list_search $modulename $DONT_LOAD; then if [ ! -d /sys/module/$modulename ]; then - shift - - for suffix in $MODULE_SUFFIX ; do - for directory in $moduledirectories; do - modulefile=$directory/${modulename}.${suffix} - + case $moduleloader in + insmod) + for directory in $moduledirectories; do + for modulefile in $directory/${modulename}.*; do + if [ -f $modulefile ]; then + insmod $modulefile $moduleoptions + return + fi + done + done + ;; + *) + modprobe -q $modulename $moduleoptions + ;; + esac + fi + fi + elif ! list_search $modulename $DONT_LOAD $MODULES; then + case $moduleloader in + insmod) + for directory in $moduledirectories; do + for modulefile in $directory/${modulename}.*; do if [ -f $modulefile ]; then - case $moduleloader in - insmod) - insmod $modulefile $* - ;; - *) - modprobe $modulename $* - ;; - esac - break 2 + insmod $modulefile $moduleoptions + return fi done done - fi - fi - elif ! list_search $modulename $DONT_LOAD $MODULES; then - shift - - for suffix in $MODULE_SUFFIX ; do - for directory in $moduledirectories; do - modulefile=$directory/${modulename}.${suffix} - - if [ -f $modulefile ]; then - case $moduleloader in - insmod) - insmod $modulefile $* - ;; - *) - modprobe $modulename $* - ;; - esac - break 2 - fi - done - done + ;; + *) + modprobe -q $modulename $moduleoptions + ;; + esac fi } @@ -338,8 +333,6 @@ moduleloader=insmod fi - [ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ] - if [ -n "$MODULESDIR" ]; then case "$MODULESDIR" in +*) 
@@ -394,8 +387,6 @@ moduleloader=insmod fi - [ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ] - if [ -n "$MODULESDIR" ]; then case "$MODULESDIR" in +*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.5.2/lib.core new/shorewall-core-5.1.8.1/lib.core --- old/shorewall-core-5.1.5.2/lib.core 2017-07-27 23:55:19.000000000 +0200 +++ new/shorewall-core-5.1.8.1/lib.core 2017-11-08 18:46:25.000000000 +0100 @@ -1,7 +1,7 @@ # -# Shorewall 5.0 -- /usr/share/shorewall/lib.core +# Shorewall 5.1 -- /usr/share/shorewall/lib.core # -# (c) 1999-2015 - Tom Eastep (teastep@shorewall.net) +# (c) 1999-2017 - Tom Eastep (teastep@shorewall.net) # # Complete documentation is available at http://shorewall.net # @@ -24,7 +24,7 @@ # generated scripts. # -SHOREWALL_LIBVERSION=50100 +SHOREWALL_LIBVERSION=50108 # # Fatal Error diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.5.2/lib.installer new/shorewall-core-5.1.8.1/lib.installer --- old/shorewall-core-5.1.5.2/lib.installer 2017-07-27 23:55:19.000000000 +0200 +++ new/shorewall-core-5.1.8.1/lib.installer 2017-11-08 18:46:25.000000000 +0100 @@ -1,6 +1,6 @@ # # -# Shorewall 5.0 -- /usr/share/shorewall/lib.installer. +# Shorewall 5.1 -- /usr/share/shorewall/lib.installer. # # (c) 2017 - Tom Eastep (teastep@shorewall.net) # (c) 2017 - Matt Darfeuille (matdarf@gmail.com) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.5.2/lib.uninstaller new/shorewall-core-5.1.8.1/lib.uninstaller --- old/shorewall-core-5.1.5.2/lib.uninstaller 2017-07-27 23:55:19.000000000 +0200 +++ new/shorewall-core-5.1.8.1/lib.uninstaller 2017-11-08 18:46:25.000000000 +0100 
@@ -1,6 +1,6 @@ # # -# Shorewall 5.0 -- /usr/share/shorewall/lib.installer. +# Shorewall 5.1 -- /usr/share/shorewall/lib.installer. # # (c) 2017 - Tom Eastep (teastep@shorewall.net) # (c) 2017 - Matt Darfeuille (matdarf@gmail.com) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.5.2/manpages/shorewall.8 new/shorewall-core-5.1.8.1/manpages/shorewall.8 --- old/shorewall-core-5.1.5.2/manpages/shorewall.8 2017-08-02 00:48:28.000000000 +0200 +++ new/shorewall-core-5.1.8.1/manpages/shorewall.8 2017-11-08 19:51:41.000000000 +0100 @@ -2,12 +2,12 @@ .\" Title: shorewall .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 http://docbook.sf.net/ -.\" Date: 08/01/2017 +.\" Date: 11/08/2017 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL" "8" "08/01/2017" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL" "8" "11/08/2017" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.5.2/releasenotes.txt new/shorewall-core-5.1.8.1/releasenotes.txt --- old/shorewall-core-5.1.5.2/releasenotes.txt 2017-08-02 00:47:07.000000000 +0200 +++ new/shorewall-core-5.1.8.1/releasenotes.txt 2017-11-08 19:50:08.000000000 +0100 
@@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 1 . 5 . 2 - ------------------------------ - J u l y 3 1 , 2 0 1 7 + S H O R E W A L L 5 . 1 . 8 . 1 + ------------------------------- + N o v e m b e r 0 8 , 2 0 1 7 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,62 +14,42 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -5.1.5.2 - -1) Previously, Specifying a USER in the OUTPUT section of the - accounting file caused the compilter to incorrectly generate the - following error message: - - ERROR: USER/GROUP may only be specified in the OUTPUT section - - That has been corrected, and no error message is generated in this - case. +5.1.8.1 -2) When BASIC_FILTERS=Yes, the compiler previously generated an - invalid tc command when when a source port was specified in a - tcfilters entry. The compiler now generates correct input in this - case. - -3) Previously, a MAC address could be specified in the OUTPUT - section of the accounting file and no error would be generated at - compile time. A failure would occur, however, at run-time. Now, an - error is raised during compilation. - -5.1.5.1 - -1) To compensate for the presence of a masq file with no entries, - the compiler will now attempt to process the snat file when such a - masq file is found. Previously, if a masq file with no entries was - found, the snat file, if any, was ignored. - -2) Previously, maintainers could not create reproducable packages - because the 'configure' and 'configure.pl' scripts inserted the - current date and time into the generated shorewallrc file. - - To support reproducable package builds, the scripts now recognize - the SOURCE_DATE_EPOCH environmental variable (see - https://reproducible-builds.org/specs/source-date-epoch/). - - The change to 'configure' was supplied by Bernhard M. Wiedemann. - -5.1.5 - -1) This release contains defect repair through Shorewall 5.1.4.4. - -2) Previously, when 0 was used as a port number or when a port number - > 65535 was specified, an 'uninitialized variable' Perl exception - occurred when the compiler attempted to issue an error - message. That has been corrected. 
- -3) When running with Perl 5.26, messages such at the following could - be issued: - - Unescaped left brace in regex is deprecated here (and will be - fatal in Perl 5.30), passed through in regex; marked by <-- HERE - in m/^(\s*|.*[^&@%]){ <-- HERE (.*)}\s*$/ at - /usr/share/shorewall/Shorewall/Config.pm line 2343. - - That problem has been corrected. +1) Previously, if 'noautosrc' was specified on a provider, then + persistent routes and rules for that provider were treated as + ordinary routes and rules (not persistent). That has been corrected + so that persistent routes and rules are retained when the provider + is disabled. + +5.1.8 + +1) This release includes defect repair through Shorewall 5.1.7.2. + +2) The copyright dates and product version comments have been updated + in a number of files. + +3) The undocumented and unmaintained Makefile files for Shorewall-lite + and Shorewall6-lite have been removed from Shorewall and Shorewall6 + respectively. + +4) The 'dump' command logic now does a better job of detecting + and suppressing the printing of empty IPSec SPD entries. + +5) A number of issues with persistent providers that resulted in + 'ip rule add' and 'ip route add' failures have been corrected. The + most common senario involved a 'reload' while a persistent + interface was disabled. + +6) Previously, the generated script contained incorrect logic for + deleting default routes with metric zero ('balanced' routes and + routes generated by 'fallback=nn'); the logic only worked correctly + when applied to the 'main' routing table. It now works correctly + for all routing tables. + +7) The 'ip xfrm policy' command ignores the -4 and -6 options and + dumps the policies for both address families. This release contains + a workaround that suppresses entries for the other family. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -90,40 +70,41 @@ uses a "delete..add.." sequence on these routes rather than a single "replace" command. -4) When the formerly built-in actions were converted to standard - actions in Shorewall 5.1.3, the 'dropBcasts' action was - inadvertently changed to 'dropBcast'. Beginning with this release, - both spellings are accepted. - ---------------------------------------------------------------------------- I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Run-time port variables are now supported. See - http://www.shorewall.org/configuration_file_basics.htm#Port_Variables - for details. +1) For historical reasons, Shorewall has always assumed that LOG target + support is present unless proven otherwise. While this has worked + correctly when a capabilities file is used and when + LOAD_HELPERS_ONLY=No, it can generate an unworkable firewall + script when LOAD_HELPERS_ONLY=Yes. + + Beginning with this release, Shorewall will treat LOG target like + any other capability and will verify its presense in all cases + where the target is used. + +2) The level 4 optimizer now does a better job of handling small + chains with rules specifying an IPSEC policy. This can result in + elimination of these chains. + +3) Beginning with this release, when RESTORE_DEFAULT_ROUTE=Yes the + default route is only restored when there are no enabled + 'balance/primary' providers and no enabled fallback providers. + + Also beginning with this release, if the default route(s) have been + restored to the 'main' table, and a fallback provider is + successfully enabled, the default route(s) are removed from the + main table. 
+ +4) Because restoring default routes to the main routing table can + break the ability of Foolsm and other link status monitors to + properly detect non-functioning provider links, a warning message + is now issued when the 'persistent' provider option is specified + and RESTORE_DEFAULT_ROUTE=Yes. -2) The Shorewall and Shorewall6 manpages are now consolidated. Almost - all of the Shorewall6 manpages are manpage aliases for the - corresponding Shorewall manpages which describe the files for both - products. - -3) There is now a FIN standard action which handles TCP packets with - the FIN, ACK and PSH flags set. - -4) According to the Netfilter team (see - https://patchwork.kernel.org/patch/9198133/), the --nflog-range option - of the NFLOG target has never worked correctly, and they have - deprecated that option in favor of the --nflog-size option. To - accomodate this change, there is now an "--nflog-size support" - (NFLOG_SIZE) Shorewall capability and a USE_NFLOG_SIZE option in - shorewall[6].conf. - - For further information, see the Migrations Issues item number 8. - -5) The RESTORE_DEFAULT_ROUTE option has now been added to - shorewall6.conf. Prior to this release, RESTORE_DEFAULT_ROUTE=Yes - has always been assumed for Shorewall6 configurations. + WARNING: When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option + may not work as expected ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
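Review bot: 'presense' in new feature 1 should read 'presence', and the quoted WARNING text in item 4 ("may not work as expected") has no terminating period. On substance, feature 1 says the LOG target is now verified "in all cases where the target is used" and names capabilities files as one of the paths where the old assumption merely happened to work; the item should say whether a capabilities file generated by an earlier release, which records no LOG target entry, has to be regenerated after upgrading, since that is the first thing an administrator shipping capabilities files to Shorewall-lite systems will ask.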
@@ -267,9 +248,355 @@ verify that those NFLOG messages are as you expect with USE_NFLOG_SIZE=Yes. +9) The MODULE_SUFFIX option in shorewall[6].conf was eliminated in + Shorewall 5.1.7. Shorewall now finds modules, independent of their + filename suffix. + + 'shorewall [-6] update' will automatically remove any MODULE_SUFFIX + setting. + +10) Beginning with Shorewall 5.1.8, when RESTORE_DEFAULT_ROUTE=Yes the + default route is only restored when there are no enabled + 'balance/primary' providers and no enabled fallback providers. + + Also beginning with Shorewall 5.1.8, if the default route(s) have + been restored to the 'main' table, and a fallback provider is + successfully enabled, the default route(s) are removed from the + main table. + +11) Because restoring default routes to the main routing table can + break the ability of Foolsm and other link status monitors to + properly detect non-functioning provider links, a warning message + is issued when the 'persistent' provider option is specified and + RESTORE_DEFAULT_ROUTE=Yes. + + WARNING: When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option + may not work as expected + + This change was released in Shorewall 5.1.8. + ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 1 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 1 . 7 +---------------------------------------------------------------------------- + +5.1.7.2 + +1) Previously during the opening of a configuration file, if SELinux + denied the "getattr" (stat) request, then the compiler would skip + processing of the file as if it did not exist. Now, if "getattr" + fails for any reason other than that the file does not exist, an + error is raised. 
+ + ERROR: Unable to access <filename>: <reason for denial> + +2) Previously, when a range was passed to the MARK() action (mangle + file), any specified protocol, port and time restrictions were + ignored. Now these elements are included in the rule. + +5.1.7.1 + +1) Previously, the 'reenable' command failed on a persistent provider + interface with a message similar to the following: + + RTNETLINK answers: File exists + ERROR: Command "/sbin/ip -4 rule add from 10.2.10.2 pref 20000 + table IPv6Beta" Failed + + That problem has been corrected and the 'reenable' command now + works properly on both persistant and non-persistant interfaces. + + Note: The firewall script must be recompiled in order for this + change to become effective. + +5.1.7 + +1) This release includes defect repair through Shorewall 5.1.6.1. + +2) Previously, there was a typo in IPv4 Example 5 in the + shorewall-snat(5) manpage. The DEST column contained + + eth0+myset[dst] + + which should have been + + eth0:+myset[dst] + + That has been corrected. + +3) Previously, specifying an ipset name in the DEST column of the IPv4 + snat file had no effect. That has been corrected so that only + connections whose destination matches the ipset are affected by the + rule. + +4) Previously, passing an invalid vlsm to the 'ipcalc' command coult + result in a series of shell diagnostics beginning with: + + shorewall: 3730: /home/teastep/bin/shorewall: Invalid VLSM: not + found + + That has been corrected so that the correct message is issued: + + ERROR: Invalid VLSM + + (Tuomo Soini) + +5) ADD_IP_ALIASES has defaulted to Yes for both Shorewall and + Shorewall6, leading to 'not found' errors during + start/reload/restart. Now, ADD_IP_ALIASES=No is the default for + IPv6 and may not be changed. + +6) When Shorewall-init was configured to save ipsets, it could leave + behind an empty or useless .tmp file if no ipsets were saved. Now + that file is removed automatically. 
+ +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 1 . 7 +---------------------------------------------------------------------------- + +1) Loading of kernel modules has been streamlined (Tuomo Soini). + +2) The MODULE_SUFFIX option in shorewall[6].conf has been + eliminated. Shorewall now finds modules, independent of their + filename suffix. + + 'shorewall [-6] update' will automatically remove any MODULE_SUFFIX + setting. + +3) When 'detect' is specified in the GATEWAY column for a provider, + the generated script now looks for an existing default route in + the provider's routing table to obtain the provider's default + gateway. This is useful when dhcpcd5 is installed, since the .lease + files created by dhcpcd5 are binary coded and are hence not usable + for learning the configured gateway. + +4) The Shorewall Event actions (IfEvent, SetEvent and ResetEvent) now + accept DNAT and REDIRECT as the <action> argument. For DNAT, a + server address must be specified in the DEST column. A server port + may NOT be specified in the DEST column, so the port number cannot + be changed by the action. + +5) Shorewall now supports Docker configuration that create the + DOCKER-INGRESS chain in the filter table. + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 1 . 6 +---------------------------------------------------------------------------- + +1) This release contains defect repair through Shorewall 5.1.5.2. + +2) http://www.shorewall.net/shorewall_extension_scripts.htm states + that $SHAREDIR and $CONFDIR can be used in extension scripts, that + has not been true for some time. Beginning with this release, those + variables are once again available in the generated script. 
+ +3) Under very rare circumstances, when OPTIMIZE level 8 was used, + messages such as the following could be issued during compilation: + + Use of uninitialized value in hash element at + /usr/share/shorewall/Shorewall/Rules.pm line 818. + Use of uninitialized value in concatenation (.) or string at + /usr/share/shorewall/Shorewall/Rules.pm line 823. + + That has been corrected. + +4) Previously, Shorewall's treatment of wildcard interfaces differed + from Netfilter's. Shorewall did not consider 'eth' to match 'eth+' + while Netfilter did. Beginning with this release, Shorewall is + consistent with Netfilter. + +5) Previously, systemd could attempt to start the IPv4 and IPv6 + firewalls simultaneously, which might lead to iptables-restore and + ip6tables-restore being run at the same time resulting in a failure + to start one of the firewalls. + + Beginning with this release, Shorewall and Shorwall6 will be + started serially as will Shorewall-lite and Shorewall6-lite. + +6) To prevent other init systems from starting the IPv4 and IPv6 + firewalls in parallel, the ip[6]-tables-restore '--wait' option, if + available, is used. This change introduces a new + RESTORE_WAIT_OPTION capability. + + Note: If the new capability is not available on your system, and + you don't run systemd, you can still avoid the parallel start + problem by configuring the same LOCKFILE in both your + shorewall.conf and shorewall6.conf files. + +7) Previously, the RDP macro only allowed TCP traffic, even though RDP + also requires UDP. That has been corrected so that both protocols + are allowed. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 1 . 6 +---------------------------------------------------------------------------- + +1) The SPARSE option in shorewallrc originally caused only + shorewall[6].conf to be installed in /etc/shorewall[6], but later + the conntrack and params files were also installed. 
To prevent + these additional files from being installed, SPARSE may now be set + to 'Very', either by editing the file directly or by using the + configure or configure.pl scripts. + + This setting is recommended if you wish to use a single set of + configuration files for both IPv4 and IPv6 as described at + http://www.shorewall.org/SharedConfig.html. + +2) Two new run-time extensions scripts have been added: + + - enabled + + Invoked when an optional interface has been successfully enabled + using the 'enable' command. + + - disabled + + Invoked when an optional interface has been successfully disabled + using the 'disable' command. + + Like all run-time extension scripts, the contents of each script + are placed in a function body. In the case of these new scripts, + the function is passed arguments: + + $1 = the physical name of the interface + $2 = the logical name of the interface + $3 = the name of the Provider, if any, associated with the + interface. + +3) When a zone (z1) is defined to be a sub-zone of another zone (z2), + the compiler now verifies that the two zones have at least one + interface in common. If they do not, a warning message is + generated: + + WARNING: Zone z1 is defined to be a sub-zone of z2, yet the two + zones have no interface in common + +4) Runtime address variables may now be used as the server IP address + and Runtime port variables may be used as the server port in DNAT + rules. + + Example: + + DNAT net $FW:ð1:%{PORT} tcp 9999 + +5) Previously, systemd could attempt to start the IPv4 and IPv6 + firewalls simultaneously, which might lead to iptables-restore and + ip6tables-restore being run at the same time resulting in a failure + to start one of the firewalls. + + Beginning with this release, Shorewall and Shorwall6 will be + started serially as will Shorewall-lite and Shorewall6-lite. 
+ +6) To prevent problems when other init systems start the IPv4 and IPv6 + firewalls in parallel, the ip[6]-tables '--wait' option, if + available, is used. The amount of time to wait is determined by the + setting of MUTEX_TIMEOUT (default 60 seconds). This change + introduces a new RESTORE_WAIT_OPTION capability. + + Note: If the new capability is not available on your system, and + you don't run systemd, you can still avoid the parallel start + problem by configuring the same LOCKFILE in both your + shorewall.conf and shorewall6.conf files. + +7) Previously, the sample configuration files specified + MODULE_SUFFIX="ko ko.xz", whereas the default .conf files specified + MODULE_SUFFIX=ko. The latter no longer works on RHEL7-based + systems. Beginning with this release, the default .conf files also + specify MODULE_SUFFIX="ko ko.xz". + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 1 . 5 +---------------------------------------------------------------------------- + +5.1.5.2 + +1) Previously, Specifying a USER in the OUTPUT section of the + accounting file caused the compilter to incorrectly generate the + following error message: + + ERROR: USER/GROUP may only be specified in the OUTPUT section + + That has been corrected, and no error message is generated in this + case. + +2) When BASIC_FILTERS=Yes, the compiler previously generated an + invalid tc command when when a source port was specified in a + tcfilters entry. The compiler now generates correct input in this + case. + +3) Previously, a MAC address could be specified in the OUTPUT + section of the accounting file and no error would be generated at + compile time. A failure would occur, however, at run-time. Now, an + error is raised during compilation. + +5.1.5.1 + +1) To compensate for the presence of a masq file with no entries, + the compiler will now attempt to process the snat file when such a + masq file is found. 
Previously, if a masq file with no entries was + found, the snat file, if any, was ignored. + +2) Previously, maintainers could not create reproducible packages + because the 'configure' and 'configure.pl' scripts inserted the + current date and time into the generated shorewallrc file. + + To support reproducible package builds, the scripts now recognize + the SOURCE_DATE_EPOCH environmental variable (see + https://reproducible-builds.org/specs/source-date-epoch/). + + The change to 'configure' was supplied by Bernhard M. Wiedemann. + +5.1.5 + +1) This release contains defect repair through Shorewall 5.1.4.4. + +2) Previously, when 0 was used as a port number or when a port number + > 65535 was specified, an 'uninitialized variable' Perl exception + occurred when the compiler attempted to issue an error + message. That has been corrected. + +3) When running with Perl 5.26, messages such at the following could + be issued: + + Unescaped left brace in regex is deprecated here (and will be + fatal in Perl 5.30), passed through in regex; marked by <-- HERE + in m/^(\s*|.*[^&@%]){ <-- HERE (.*)}\s*$/ at + /usr/share/shorewall/Shorewall/Config.pm line 2343. + + That problem has been corrected. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 1 . 5 +---------------------------------------------------------------------------- + +1) Run-time port variables are now supported. See + http://www.shorewall.org/configuration_file_basics.htm#Port_Variables + for details. + +2) The Shorewall and Shorewall6 manpages are now consolidated. Almost + all of the Shorewall6 manpages are manpage aliases for the + corresponding Shorewall manpages which describe the files for both + products. + +3) There is now a FIN standard action which handles TCP packets with + the FIN, ACK and PSH flags set. 
+ +4) According to the Netfilter team (see + https://patchwork.kernel.org/patch/9198133/), the --nflog-range option + of the NFLOG target has never worked correctly, and they have + deprecated that option in favor of the --nflog-size option. To + accomodate this change, there is now an "--nflog-size support" + (NFLOG_SIZE) Shorewall capability and a USE_NFLOG_SIZE option in + shorewall[6].conf. + + For further information, see the Migrations Issues item number 8. + +5) The RESTORE_DEFAULT_ROUTE option has now been added to + shorewall6.conf. Prior to this release, RESTORE_DEFAULT_ROUTE=Yes + has always been assumed for Shorewall6 configurations. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 1 . 4 ---------------------------------------------------------------------------- @@ -382,7 +709,7 @@ 6) A number of small documentation corrections have been made. ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 5 . 1 . 3 + N E W F E A T U R E S I N 5 . 1 . 4 ---------------------------------------------------------------------------- 1) All IPv6 standard actions have been deleted and their logic diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.5.2/shorewall new/shorewall-core-5.1.8.1/shorewall --- old/shorewall-core-5.1.5.2/shorewall 2017-07-27 23:55:19.000000000 +0200 +++ new/shorewall-core-5.1.8.1/shorewall 2017-11-08 18:46:25.000000000 +0100 @@ -1,8 +1,8 @@ #!/bin/sh # -# Shorewall Packet Filtering Firewall Control Program - V5.0 +# Shorewall Packet Filtering Firewall Control Program - V5.1 # -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015 - +# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017 # Tom Eastep (teastep@shorewall.net) # # Shorewall documentation is available at http://www.shorewall.net 
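Review bot: the DNAT example under 'NEW FEATURES IN 5.1.6' item 4 reads `DNAT net $FW:ð1:%{PORT}`; `ð1` looks like the runtime address variable `&eth1` mangled by HTML entity decoding (`&eth` is the entity for ð), so the file should be checked to confirm the example still says `&eth1`. Also, 'PROBLEMS CORRECTED IN 5.1.6' items 5 and 6 (serialised systemd start; the ip[6]tables-restore --wait option) are repeated almost verbatim as 'NEW FEATURES IN 5.1.6' items 5 and 6; one copy should go, or the two should cross-reference each other. Spelling in the added lines: 'persistant' (5.1.7.1 item 1, twice), 'coult' (5.1.7 item 4), 'Shorwall6' (5.1.6 item 5 in both sections), 'when when' and 'compilter' (5.1.5.2 items 2 and 1), 'such at' (5.1.5 item 3), 'accomodate' (5.1.5 feature 4), 'configuration that create' (5.1.7 feature 5), and 'environmental variable' (5.1.5.1 item 2) should read 'environment variable'.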
@@ -25,6 +25,10 @@ # For a list of supported commands, type 'shorewall help' or 'shorewall6 help' # ################################################################################################ +# +# Default product is Shorewall. PRODUCT will be set based on $0 and on passed -[46] and -l +# options +# PRODUCT=shorewall # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.5.2/shorewall-core.spec new/shorewall-core-5.1.8.1/shorewall-core.spec --- old/shorewall-core-5.1.5.2/shorewall-core.spec 2017-08-02 00:47:07.000000000 +0200 +++ new/shorewall-core-5.1.8.1/shorewall-core.spec 2017-11-08 19:50:08.000000000 +0100 @@ -1,6 +1,6 @@ %define name shorewall-core -%define version 5.1.5 -%define release 2 +%define version 5.1.8 +%define release 1 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} 
@@ -69,10 +69,38 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt %changelog -* Thu Jul 27 2017 Tom Eastep tom@shorewall.net -- Updated to 5.1.5-2 -* Thu Jul 06 2017 Tom Eastep tom@shorewall.net -- Updated to 5.1.5-1 +* Wed Nov 08 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.8-1 +* Sun Oct 15 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.8-0base +* Tue Oct 10 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.8-0RC1 +* Sat Oct 07 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.8-0Beta2 +* Mon Sep 18 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.8-0Beta1 +* Mon Sep 18 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.7-0base +* Sun Sep 17 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.7-0RC2 +* Fri Sep 01 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.7-0RC1 +* Wed Aug 23 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.7-0Beta2 +* Tue Aug 22 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.7-0Beta1 +* Wed Aug 16 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.6-0base +* Tue Aug 15 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.6-0RC2 +* Tue Aug 15 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.6-0RC1 +* Wed Aug 09 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.6-0RC1 +* Thu Aug 03 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.6-0Beta2 +* Thu Jul 20 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.6-0Beta1 * Mon Jun 26 2017 Tom Eastep tom@shorewall.net - Updated to 5.1.5-0base * Wed Jun 21 2017 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.5.2/uninstall.sh new/shorewall-core-5.1.8.1/uninstall.sh --- old/shorewall-core-5.1.5.2/uninstall.sh 2017-08-02 00:47:06.000000000 +0200 +++ new/shorewall-core-5.1.8.1/uninstall.sh 2017-11-08 19:50:08.000000000 +0100 
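Review bot: the %changelog now carries two entries for the same version, "* Tue Aug 15 2017 Tom Eastep tom@shorewall.net - Updated to 5.1.6-0RC1" and "* Wed Aug 09 2017 Tom Eastep tom@shorewall.net - Updated to 5.1.6-0RC1"; one is presumably a copy-paste slip (the Aug 15 entry sits directly above a 5.1.6-0RC2 entry of the same date) and should be corrected or dropped, since the rpm changelog is what the package's version history is audited from.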
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.1.5.2 +VERSION=5.1.8.1 PRODUCT=shorewall-core Product="Shorewall Core" ++++++ shorewall-docs-html-5.1.5.2.tar.bz2 -> shorewall-docs-html-5.1.8.1.tar.bz2 ++++++ ++++ 2514 lines of diff (skipped) ++++++ shorewall-fillup-install.patch ++++++ --- /var/tmp/diff_new_pack.ZtqdLA/_old 2017-11-20 17:06:12.924004717 +0100 +++ /var/tmp/diff_new_pack.ZtqdLA/_new 2017-11-20 17:06:12.924004717 +0100 @@ -6,8 +6,8 @@ fi + if [ $HOST = suse ]; then -+ mkdir -p ${DESTDIR}/var/adm/fillup-templates -+ run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}/var/adm/fillup-templates/sysconfig.${PRODUCT} ++ mkdir -p ${DESTDIR}/${FILLUPDIR} ++ run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}/${FILLUPDIR}/sysconfig.${PRODUCT} + else run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT + fi ++++++ shorewall-init-5.1.5.2.tar.bz2 -> shorewall-init-5.1.8.1.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.5.2/changelog.txt new/shorewall-init-5.1.8.1/changelog.txt --- old/shorewall-init-5.1.5.2/changelog.txt 2017-08-02 00:47:07.000000000 +0200 +++ new/shorewall-init-5.1.8.1/changelog.txt 2017-11-08 19:50:09.000000000 +0100 
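Review bot: `${DESTDIR}/${FILLUPDIR}` is used with no check that FILLUPDIR is set; if the variable is empty in the build environment, `mkdir -p ${DESTDIR}/` succeeds and the sysconfig template is installed as `${DESTDIR}//sysconfig.${PRODUCT}`, i.e. at the root of the buildroot, without any error. Fail fast instead, for example `: "${FILLUPDIR:?FILLUPDIR is not set}"` before the mkdir, or fall back to the previous hard-coded `/var/adm/fillup-templates` when it is unset. Minor: the non-suse branch writes `${DESTDIR}${SYSCONFDIR}` with no separator, so the suse branch's `${DESTDIR}/${FILLUPDIR}` yields a double slash when FILLUPDIR is absolute; harmless, but worth aligning.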
@@ -1,3 +1,144 @@ +Changes in 5.1.8.1 + +1) Update release documents. + +2) Make persistent routes and rules independent of 'autosrc'. + +Changes in 5.1.8 + +1) Update release documents. + +Changes in 5.1.8 RC 1 + +1) Update release documents. + +2) Correct 'delete_default_routes()'. + +3) Delete default routes from 'main' when a fallback provider is + successfully enabled. + +4) Don't restore default route when a fallback provider is enabled. + +5) Issue a warning when 'persistent' is used with + RESTORE_DEFAULT_ROUTE=Yes. + +6) Don't dump SPD entries for the other address family. + +Changes in 5.1.8 Beta 2 + +1) Update release documents. + +2) Fix 'persistent' provider issues. + +Changes in 5.1.8 Beta 1 + +1) Update release documents. + +2) Treat LOG_TARGET the same as all other capabilities. + +3) Allow merging of rules with IPSEC policies + +Changes in 5.1.7.1 + +1) Update release documents. + +2) Correct 'reenable' logic for persistent providers. + +3) Align progress messages produced by 'reenable'. + +Changes in 5.1.7 Final + +1) Update release documents. + +Changes in 5.1.7 RC 2 + +1) Update release documents. + +2) Correct module loading. + +3) Add DOCKER-INGRESS support. + +Changes in 5.1.7 RC 1 + +1) Update release documents. + +2) Correct handling of ipsets in the DEST column of the snat file. + +3) Allow NAT rules to be passed to perl_action_helper() + +4) Split NAT and ACCEPT rules in the Event actions. + +5) Correct VLSM verification logic in the 'ipcalc' command. + +6) Fix ADD_IP_ALIASES default. + +7) Remove empty/useless .tmp files created during shorewall-init stop. + +Changes in 5.1.7 Beta 2 + +1) Update release documents. + +2) Improve dynamic gateway detection. + +Changes in 5.1.7 Beta 1 + +1) Update release documents. + +2) Simplify Module Loading (Tuomo Soini) + +3) Eliminate MODULE_SUFFIX. + +Changes in 5.1.6 Final + +1) Update release documents. + +2) Allow port variables as server port in DNAT rules. 
+ +3) Change MODULE_SUFFIX standard default to "ko ko.xz" + +4) Added UDP rule to macro.RDP. + +Changes in 5.1.6 RC 2 + +1) Update release documents. + +2) Use MUTEX_TIMEOUT for ip[6]tables-restore --wait interval + +Changes in 5.1.6 RC 1 + +1) Update release documents. + +2) Make Shorewall's handling of '+' consistent with Netfilter's. + +3) Verify that parent and child zones have an interface in common. + +4) Allow runtime address variables as the DNAT server address. + +5) Prevent IPv4 and IPv6 firewalls from starting simultaneously under + systemd. + +6) Use the ip[6]-tables --wait option, if available. + +Changes in 5.1.6 Beta 2 + +1) Update release documents. + +2) Pass arguments to the enable and disable user exit functions + +3) Export CONFDIR and SHAREDIR to the generated script. + +4) Correct handling of combining a policy chain with a normal chain. + +Changes in 5.1.6 Beta 1 + +1) Update release documents. + +2) Apply Bernhard M. Wiedemann's patch for reproducible builds. + +3) Patch configure.pl to support reproducible builds. + +4) Merge content from 5.1.5.1. + Changes in 5.1.5.2 1) Update release documents. @@ -15,6 +156,10 @@ 2) Process the snat file if the masq file is empty. +3) Apply Bernhard Wiedemann's configure change. + +4) Make a similar change to configure.pl. + Changes in 5.1.5 Final 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.5.2/configure new/shorewall-init-5.1.8.1/configure --- old/shorewall-init-5.1.5.2/configure 2017-08-02 00:47:07.000000000 +0200 +++ new/shorewall-init-5.1.8.1/configure 2017-11-08 19:50:09.000000000 +0100 
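Review bot: the section headings in the added changelog block are inconsistent: the final 5.1.8 section is titled "Changes in 5.1.8" while the corresponding sections for earlier releases are "Changes in 5.1.7 Final" and "Changes in 5.1.6 Final", and the 5.1.8.1 and 5.1.7.1 sections both omit the "Final" suffix. Pick one convention (the "Final" form is the one used for the rest of the file) so that the release boundaries can be located by a simple search.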
@@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.1.5.2 +VERSION=5.1.8.1 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.5.2/configure.pl new/shorewall-init-5.1.8.1/configure.pl --- old/shorewall-init-5.1.5.2/configure.pl 2017-08-02 00:47:07.000000000 +0200 +++ new/shorewall-init-5.1.8.1/configure.pl 2017-11-08 19:50:09.000000000 +0100 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.1.5.2' + VERSION => '5.1.8.1' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.5.2/init.debian.sh new/shorewall-init-5.1.8.1/init.debian.sh --- old/shorewall-init-5.1.5.2/init.debian.sh 2017-07-27 23:55:19.000000000 +0200 +++ new/shorewall-init-5.1.8.1/init.debian.sh 2017-11-08 18:46:25.000000000 +0100 @@ -159,8 +159,9 @@ mkdir -p $(dirname "$SAVE_IPSETS") if ipset -S > "${SAVE_IPSETS}.tmp"; then - grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" + grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp" else + rm -f "${SAVE_IPSETS}.tmp" echo_notdone fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.5.2/init.fedora.sh new/shorewall-init-5.1.8.1/init.fedora.sh --- old/shorewall-init-5.1.5.2/init.fedora.sh 2017-07-27 23:55:19.000000000 +0200 +++ new/shorewall-init-5.1.8.1/init.fedora.sh 2017-11-08 18:46:25.000000000 +0100 @@ -66,6 +66,10 @@ printf "Initializing \"Shorewall-based firewalls\": " + if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then + ipset -R < "$SAVE_IPSETS" + fi + for PRODUCT in $PRODUCTS; do setstatedir retval=$? 
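Review bot: in the init.debian.sh hunk, `grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"` makes a failed `mv` indistinguishable from "no sets to save": if grep matches but the rename fails, the `||` branch deletes the freshly written dump, the stale previous save file is kept, and nothing is reported, because the existing `else` branch with `echo_notdone` only fires when `ipset -S` itself fails. Prefer an explicit `if grep -qE ...; then mv -f ... || echo_notdone; else rm -f ...; fi` so that losing the dynamic ipset state is visible to the operator. The same `&& ... ||` chain is introduced in init.fedora.sh, init.openwrt.sh, init.sh and init.suse.sh.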
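Review bot: in the init.fedora.sh `@@ -66,6 +66,10 @@` hunk the exit status of `ipset -R < "$SAVE_IPSETS"` is ignored. The file is `ipset -S` output, so it contains `create` lines, and `ipset restore` aborts at the first set that already exists unless `-exist` is given; on a restart of shorewall-init with the sets already loaded, restoration therefore stops silently at the first existing set and the products loop that follows starts with whatever subset got in. Either pass `-exist` (`ipset -exist -R < "$SAVE_IPSETS"`) or test the return code and print a diagnostic, so that a firewall brought up with empty or partial sets is noticed.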
@@ -120,6 +124,15 @@ done if [ $retval -eq 0 ]; then + if [ -n "$SAVE_IPSETS" ]; then + mkdir -p $(dirname "$SAVE_IPSETS") + if ipset -S > "${SAVE_IPSETS}.tmp"; then + grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp" + else + rm -f "${SAVE_IPSETS}.tmp" + fi + fi + rm -f $lockfile success else diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.5.2/init.openwrt.sh new/shorewall-init-5.1.8.1/init.openwrt.sh --- old/shorewall-init-5.1.5.2/init.openwrt.sh 2017-07-27 23:55:19.000000000 +0200 +++ new/shorewall-init-5.1.8.1/init.openwrt.sh 2017-11-08 18:46:25.000000000 +0100 @@ -126,7 +126,9 @@ if [ -n "$SAVE_IPSETS" ]; then mkdir -p $(dirname "$SAVE_IPSETS") if ipset -S > "${SAVE_IPSETS}.tmp"; then - grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" + grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp" + else + rm -f "${SAVE_IPSETS}.tmp" fi fi } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.5.2/init.sh new/shorewall-init-5.1.8.1/init.sh --- old/shorewall-init-5.1.5.2/init.sh 2017-07-27 23:55:19.000000000 +0200 +++ new/shorewall-init-5.1.8.1/init.sh 2017-11-08 18:46:25.000000000 +0100 
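Review bot: in the init.fedora.sh `@@ -120,6 +124,15 @@` hunk the new ipset save block is placed inside `if [ $retval -eq 0 ]; then`, so the sets are dumped only when every product's stop succeeded; when one product fails to stop, the dynamic ipset contents accumulated during the run are not saved at all, which is the case where an operator most needs them preserved. Consider performing the save before the retval test (or in both branches). Also, `mkdir -p $(dirname "$SAVE_IPSETS")` leaves the command substitution unquoted; the copies in the other init scripts do the same, so it is consistent, but `"$(dirname "$SAVE_IPSETS")"` is the safe form if the configured path can contain whitespace.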
@@ -116,7 +116,9 @@ if [ -n "$SAVE_IPSETS" ]; then mkdir -p $(dirname "$SAVE_IPSETS") if ipset -S > "${SAVE_IPSETS}.tmp"; then - grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" + grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp" + else + rm -f "${SAVE_IPSETS}.tmp" fi fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.5.2/init.suse.sh new/shorewall-init-5.1.8.1/init.suse.sh --- old/shorewall-init-5.1.5.2/init.suse.sh 2017-07-27 23:55:19.000000000 +0200 +++ new/shorewall-init-5.1.8.1/init.suse.sh 2017-11-08 18:46:25.000000000 +0100 @@ -126,7 +126,9 @@ if [ -n "$SAVE_IPSETS" ]; then mkdir -p $(dirname "$SAVE_IPSETS") if ipset -S > "${SAVE_IPSETS}.tmp"; then - grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" + grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp" + else + rm -f "${SAVE_IPSETS}.tmp" fi fi } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.5.2/install.sh new/shorewall-init-5.1.8.1/install.sh --- old/shorewall-init-5.1.5.2/install.sh 2017-08-02 00:47:07.000000000 +0200 +++ new/shorewall-init-5.1.8.1/install.sh 2017-11-08 19:50:09.000000000 +0100 @@ -27,7 +27,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=5.1.5.2 +VERSION=5.1.8.1 PRODUCT=shorewall-init Product="Shorewall Init" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.5.2/lib.installer new/shorewall-init-5.1.8.1/lib.installer --- old/shorewall-init-5.1.5.2/lib.installer 2017-08-02 00:47:07.000000000 +0200 +++ new/shorewall-init-5.1.8.1/lib.installer 2017-11-08 19:50:09.000000000 +0100 
@@ -1,6 +1,6 @@ # # -# Shorewall 5.0 -- /usr/share/shorewall/lib.installer. +# Shorewall 5.1 -- /usr/share/shorewall/lib.installer. # # (c) 2017 - Tom Eastep (teastep@shorewall.net) # (c) 2017 - Matt Darfeuille (matdarf@gmail.com) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.5.2/lib.uninstaller new/shorewall-init-5.1.8.1/lib.uninstaller --- old/shorewall-init-5.1.5.2/lib.uninstaller 2017-08-02 00:47:07.000000000 +0200 +++ new/shorewall-init-5.1.8.1/lib.uninstaller 2017-11-08 19:50:09.000000000 +0100 @@ -1,6 +1,6 @@ # # -# Shorewall 5.0 -- /usr/share/shorewall/lib.installer. +# Shorewall 5.1 -- /usr/share/shorewall/lib.installer. # # (c) 2017 - Tom Eastep (teastep@shorewall.net) # (c) 2017 - Matt Darfeuille (matdarf@gmail.com) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.5.2/releasenotes.txt new/shorewall-init-5.1.8.1/releasenotes.txt --- old/shorewall-init-5.1.5.2/releasenotes.txt 2017-08-02 00:47:07.000000000 +0200 +++ new/shorewall-init-5.1.8.1/releasenotes.txt 2017-11-08 19:50:09.000000000 +0100 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 1 . 5 . 2 - ------------------------------ - J u l y 3 1 , 2 0 1 7 + S H O R E W A L L 5 . 1 . 8 . 1 + ------------------------------- + N o v e m b e r 0 8 , 2 0 1 7 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,62 +14,42 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -5.1.5.2 - -1) Previously, Specifying a USER in the OUTPUT section of the - accounting file caused the compilter to incorrectly generate the - following error message: - - ERROR: USER/GROUP may only be specified in the OUTPUT section - - That has been corrected, and no error message is generated in this - case. +5.1.8.1 -2) When BASIC_FILTERS=Yes, the compiler previously generated an - invalid tc command when when a source port was specified in a - tcfilters entry. The compiler now generates correct input in this - case. - -3) Previously, a MAC address could be specified in the OUTPUT - section of the accounting file and no error would be generated at - compile time. A failure would occur, however, at run-time. Now, an - error is raised during compilation. - -5.1.5.1 - -1) To compensate for the presence of a masq file with no entries, - the compiler will now attempt to process the snat file when such a - masq file is found. Previously, if a masq file with no entries was - found, the snat file, if any, was ignored. - -2) Previously, maintainers could not create reproducable packages - because the 'configure' and 'configure.pl' scripts inserted the - current date and time into the generated shorewallrc file. - - To support reproducable package builds, the scripts now recognize - the SOURCE_DATE_EPOCH environmental variable (see - https://reproducible-builds.org/specs/source-date-epoch/). - - The change to 'configure' was supplied by Bernhard M. Wiedemann. - -5.1.5 - -1) This release contains defect repair through Shorewall 5.1.4.4. - -2) Previously, when 0 was used as a port number or when a port number - > 65535 was specified, an 'uninitialized variable' Perl exception - occurred when the compiler attempted to issue an error - message. That has been corrected. 
- -3) When running with Perl 5.26, messages such at the following could - be issued: - - Unescaped left brace in regex is deprecated here (and will be - fatal in Perl 5.30), passed through in regex; marked by <-- HERE - in m/^(\s*|.*[^&@%]){ <-- HERE (.*)}\s*$/ at - /usr/share/shorewall/Shorewall/Config.pm line 2343. - - That problem has been corrected. +1) Previously, if 'noautosrc' was specified on a provider, then + persistent routes and rules for that provider were treated as + ordinary routes and rules (not persistent). That has been corrected + so that persistent routes and rules are retained when the provider + is disabled. + +5.1.8 + +1) This release includes defect repair through Shorewall 5.1.7.2. + +2) The copyright dates and product version comments have been updated + in a number of files. + +3) The undocumented and unmaintained Makefile files for Shorewall-lite + and Shorewall6-lite have been removed from Shorewall and Shorewall6 + respectively. + +4) The 'dump' command logic now does a better job of detecting + and suppressing the printing of empty IPSec SPD entries. + +5) A number of issues with persistent providers that resulted in + 'ip rule add' and 'ip route add' failures have been corrected. The + most common senario involved a 'reload' while a persistent + interface was disabled. + +6) Previously, the generated script contained incorrect logic for + deleting default routes with metric zero ('balanced' routes and + routes generated by 'fallback=nn'); the logic only worked correctly + when applied to the 'main' routing table. It now works correctly + for all routing tables. + +7) The 'ip xfrm policy' command ignores the -4 and -6 options and + dumps the policies for both address families. This release contains + a workaround that suppresses entries for the other family. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -90,40 +70,41 @@ uses a "delete..add.." sequence on these routes rather than a single "replace" command. -4) When the formerly built-in actions were converted to standard - actions in Shorewall 5.1.3, the 'dropBcasts' action was - inadvertently changed to 'dropBcast'. Beginning with this release, - both spellings are accepted. - ---------------------------------------------------------------------------- I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Run-time port variables are now supported. See - http://www.shorewall.org/configuration_file_basics.htm#Port_Variables - for details. +1) For historical reasons, Shorewall has always assumed that LOG target + support is present unless proven otherwise. While this has worked + correctly when a capabilities file is used and when + LOAD_HELPERS_ONLY=No, it can generate an unworkable firewall + script when LOAD_HELPERS_ONLY=Yes. + + Beginning with this release, Shorewall will treat LOG target like + any other capability and will verify its presense in all cases + where the target is used. + +2) The level 4 optimizer now does a better job of handling small + chains with rules specifying an IPSEC policy. This can result in + elimination of these chains. + +3) Beginning with this release, when RESTORE_DEFAULT_ROUTE=Yes the + default route is only restored when there are no enabled + 'balance/primary' providers and no enabled fallback providers. + + Also beginning with this release, if the default route(s) have been + restored to the 'main' table, and a fallback provider is + successfully enabled, the default route(s) are removed from the + main table. 
+ +4) Because restoring default routes to the main routing table can + break the ability of Foolsm and other link status monitors to + properly detect non-functioning provider links, a warning message + is now issued when the 'persistent' provider option is specified + and RESTORE_DEFAULT_ROUTE=Yes. -2) The Shorewall and Shorewall6 manpages are now consolidated. Almost - all of the Shorewall6 manpages are manpage aliases for the - corresponding Shorewall manpages which describe the files for both - products. - -3) There is now a FIN standard action which handles TCP packets with - the FIN, ACK and PSH flags set. - -4) According to the Netfilter team (see - https://patchwork.kernel.org/patch/9198133/), the --nflog-range option - of the NFLOG target has never worked correctly, and they have - deprecated that option in favor of the --nflog-size option. To - accomodate this change, there is now an "--nflog-size support" - (NFLOG_SIZE) Shorewall capability and a USE_NFLOG_SIZE option in - shorewall[6].conf. - - For further information, see the Migrations Issues item number 8. - -5) The RESTORE_DEFAULT_ROUTE option has now been added to - shorewall6.conf. Prior to this release, RESTORE_DEFAULT_ROUTE=Yes - has always been assumed for Shorewall6 configurations. + WARNING: When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option + may not work as expected ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -267,9 +248,355 @@ verify that those NFLOG messages are as you expect with USE_NFLOG_SIZE=Yes. +9) The MODULE_SUFFIX option in shorewall[6].conf was eliminated in + Shorewall 5.1.7. Shorewall now finds modules, independent of their + filename suffix. + + 'shorewall [-6] update' will automatically remove any MODULE_SUFFIX + setting. + +10) Beginning with Shorewall 5.1.8, when RESTORE_DEFAULT_ROUTE=Yes the + default route is only restored when there are no enabled + 'balance/primary' providers and no enabled fallback providers. + + Also beginning with Shorewall 5.1.8, if the default route(s) have + been restored to the 'main' table, and a fallback provider is + successfully enabled, the default route(s) are removed from the + main table. + +11) Because restoring default routes to the main routing table can + break the ability of Foolsm and other link status monitors to + properly detect non-functioning provider links, a warning message + is issued when the 'persistent' provider option is specified and + RESTORE_DEFAULT_ROUTE=Yes. + + WARNING: When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option + may not work as expected + + This change was released in Shorewall 5.1.8. + ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 1 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 1 . 7 +---------------------------------------------------------------------------- + +5.1.7.2 + +1) Previously during the opening of a configuration file, if SELinux + denied the "getattr" (stat) request, then the compiler would skip + processing of the file as if it did not exist. Now, if "getattr" + fails for any reason other than that the file does not exist, an + error is raised. 
+ + ERROR: Unable to access <filename>: <reason for denial> + +2) Previously, when a range was passed to the MARK() action (mangle + file), any specified protocol, port and time restrictions were + ignored. Now these elements are included in the rule. + +5.1.7.1 + +1) Previously, the 'reenable' command failed on a persistent provider + interface with a message similar to the following: + + RTNETLINK answers: File exists + ERROR: Command "/sbin/ip -4 rule add from 10.2.10.2 pref 20000 + table IPv6Beta" Failed + + That problem has been corrected and the 'reenable' command now + works properly on both persistant and non-persistant interfaces. + + Note: The firewall script must be recompiled in order for this + change to become effective. + +5.1.7 + +1) This release includes defect repair through Shorewall 5.1.6.1. + +2) Previously, there was a typo in IPv4 Example 5 in the + shorewall-snat(5) manpage. The DEST column contained + + eth0+myset[dst] + + which should have been + + eth0:+myset[dst] + + That has been corrected. + +3) Previously, specifying an ipset name in the DEST column of the IPv4 + snat file had no effect. That has been corrected so that only + connections whose destination matches the ipset are affected by the + rule. + +4) Previously, passing an invalid vlsm to the 'ipcalc' command coult + result in a series of shell diagnostics beginning with: + + shorewall: 3730: /home/teastep/bin/shorewall: Invalid VLSM: not + found + + That has been corrected so that the correct message is issued: + + ERROR: Invalid VLSM + + (Tuomo Soini) + +5) ADD_IP_ALIASES has defaulted to Yes for both Shorewall and + Shorewall6, leading to 'not found' errors during + start/reload/restart. Now, ADD_IP_ALIASES=No is the default for + IPv6 and may not be changed. + +6) When Shorewall-init was configured to save ipsets, it could leave + behind an empty or useless .tmp file if no ipsets were saved. Now + that file is removed automatically. 
+ +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 1 . 7 +---------------------------------------------------------------------------- + +1) Loading of kernel modules has been streamlined (Tuomo Soini). + +2) The MODULE_SUFFIX option in shorewall[6].conf has been + eliminated. Shorewall now finds modules, independent of their + filename suffix. + + 'shorewall [-6] update' will automatically remove any MODULE_SUFFIX + setting. + +3) When 'detect' is specified in the GATEWAY column for a provider, + the generated script now looks for an existing default route in + the provider's routing table to obtain the provider's default + gateway. This is useful when dhcpcd5 is installed, since the .lease + files created by dhcpcd5 are binary coded and are hence not usable + for learning the configured gateway. + +4) The Shorewall Event actions (IfEvent, SetEvent and ResetEvent) now + accept DNAT and REDIRECT as the <action> argument. For DNAT, a + server address must be specified in the DEST column. A server port + may NOT be specified in the DEST column, so the port number cannot + be changed by the action. + +5) Shorewall now supports Docker configuration that create the + DOCKER-INGRESS chain in the filter table. + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 1 . 6 +---------------------------------------------------------------------------- + +1) This release contains defect repair through Shorewall 5.1.5.2. + +2) http://www.shorewall.net/shorewall_extension_scripts.htm states + that $SHAREDIR and $CONFDIR can be used in extension scripts, that + has not been true for some time. Beginning with this release, those + variables are once again available in the generated script. 
+ +3) Under very rare circumstances, when OPTIMIZE level 8 was used, + messages such as the following could be issued during compilation: + + Use of uninitialized value in hash element at + /usr/share/shorewall/Shorewall/Rules.pm line 818. + Use of uninitialized value in concatenation (.) or string at + /usr/share/shorewall/Shorewall/Rules.pm line 823. + + That has been corrected. + +4) Previously, Shorewall's treatment of wildcard interfaces differed + from Netfilter's. Shorewall did not consider 'eth' to match 'eth+' + while Netfilter did. Beginning with this release, Shorewall is + consistent with Netfilter. + +5) Previously, systemd could attempt to start the IPv4 and IPv6 + firewalls simultaneously, which might lead to iptables-restore and + ip6tables-restore being run at the same time resulting in a failure + to start one of the firewalls. + + Beginning with this release, Shorewall and Shorwall6 will be + started serially as will Shorewall-lite and Shorewall6-lite. + +6) To prevent other init systems from starting the IPv4 and IPv6 + firewalls in parallel, the ip[6]-tables-restore '--wait' option, if + available, is used. This change introduces a new + RESTORE_WAIT_OPTION capability. + + Note: If the new capability is not available on your system, and + you don't run systemd, you can still avoid the parallel start + problem by configuring the same LOCKFILE in both your + shorewall.conf and shorewall6.conf files. + +7) Previously, the RDP macro only allowed TCP traffic, even though RDP + also requires UDP. That has been corrected so that both protocols + are allowed. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 1 . 6 +---------------------------------------------------------------------------- + +1) The SPARSE option in shorewallrc originally caused only + shorewall[6].conf to be installed in /etc/shorewall[6], but later + the conntrack and params files were also installed. 
To prevent + these additional files from being installed, SPARSE may now be set + to 'Very', either by editing the file directly or by using the + configure or configure.pl scripts. + + This setting is recommended if you wish to use a single set of + configuration files for both IPv4 and IPv6 as described at + http://www.shorewall.org/SharedConfig.html. + +2) Two new run-time extensions scripts have been added: + + - enabled + + Invoked when an optional interface has been successfully enabled + using the 'enable' command. + + - disabled + + Invoked when an optional interface has been successfully disabled + using the 'disable' command. + + Like all run-time extension scripts, the contents of each script + are placed in a function body. In the case of these new scripts, + the function is passed arguments: + + $1 = the physical name of the interface + $2 = the logical name of the interface + $3 = the name of the Provider, if any, associated with the + interface. + +3) When a zone (z1) is defined to be a sub-zone of another zone (z2), + the compiler now verifies that the two zones have at least one + interface in common. If they do not, a warning message is + generated: + + WARNING: Zone z1 is defined to be a sub-zone of z2, yet the two + zones have no interface in common + +4) Runtime address variables may now be used as the server IP address + and Runtime port variables may be used as the server port in DNAT + rules. + + Example: + + DNAT net $FW:ð1:%{PORT} tcp 9999 + +5) Previously, systemd could attempt to start the IPv4 and IPv6 + firewalls simultaneously, which might lead to iptables-restore and + ip6tables-restore being run at the same time resulting in a failure + to start one of the firewalls. + + Beginning with this release, Shorewall and Shorwall6 will be + started serially as will Shorewall-lite and Shorewall6-lite. 
+ +6) To prevent problems when other init systems start the IPv4 and IPv6 + firewalls in parallel, the ip[6]-tables '--wait' option, if + available, is used. The amount of time to wait is determined by the + setting of MUTEX_TIMEOUT (default 60 seconds). This change + introduces a new RESTORE_WAIT_OPTION capability. + + Note: If the new capability is not available on your system, and + you don't run systemd, you can still avoid the parallel start + problem by configuring the same LOCKFILE in both your + shorewall.conf and shorewall6.conf files. + +7) Previously, the sample configuration files specified + MODULE_SUFFIX="ko ko.xz", whereas the default .conf files specified + MODULE_SUFFIX=ko. The latter no longer works on RHEL7-based + systems. Beginning with this release, the default .conf files also + specify MODULE_SUFFIX="ko ko.xz". + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 1 . 5 +---------------------------------------------------------------------------- + +5.1.5.2 + +1) Previously, Specifying a USER in the OUTPUT section of the + accounting file caused the compilter to incorrectly generate the + following error message: + + ERROR: USER/GROUP may only be specified in the OUTPUT section + + That has been corrected, and no error message is generated in this + case. + +2) When BASIC_FILTERS=Yes, the compiler previously generated an + invalid tc command when when a source port was specified in a + tcfilters entry. The compiler now generates correct input in this + case. + +3) Previously, a MAC address could be specified in the OUTPUT + section of the accounting file and no error would be generated at + compile time. A failure would occur, however, at run-time. Now, an + error is raised during compilation. + +5.1.5.1 + +1) To compensate for the presence of a masq file with no entries, + the compiler will now attempt to process the snat file when such a + masq file is found. 
Previously, if a masq file with no entries was + found, the snat file, if any, was ignored. + +2) Previously, maintainers could not create reproducible packages + because the 'configure' and 'configure.pl' scripts inserted the + current date and time into the generated shorewallrc file. + + To support reproducible package builds, the scripts now recognize + the SOURCE_DATE_EPOCH environmental variable (see + https://reproducible-builds.org/specs/source-date-epoch/). + + The change to 'configure' was supplied by Bernhard M. Wiedemann. + +5.1.5 + +1) This release contains defect repair through Shorewall 5.1.4.4. + +2) Previously, when 0 was used as a port number or when a port number + > 65535 was specified, an 'uninitialized variable' Perl exception + occurred when the compiler attempted to issue an error + message. That has been corrected. + +3) When running with Perl 5.26, messages such at the following could + be issued: + + Unescaped left brace in regex is deprecated here (and will be + fatal in Perl 5.30), passed through in regex; marked by <-- HERE + in m/^(\s*|.*[^&@%]){ <-- HERE (.*)}\s*$/ at + /usr/share/shorewall/Shorewall/Config.pm line 2343. + + That problem has been corrected. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 1 . 5 +---------------------------------------------------------------------------- + +1) Run-time port variables are now supported. See + http://www.shorewall.org/configuration_file_basics.htm#Port_Variables + for details. + +2) The Shorewall and Shorewall6 manpages are now consolidated. Almost + all of the Shorewall6 manpages are manpage aliases for the + corresponding Shorewall manpages which describe the files for both + products. + +3) There is now a FIN standard action which handles TCP packets with + the FIN, ACK and PSH flags set. 
+ +4) According to the Netfilter team (see + https://patchwork.kernel.org/patch/9198133/), the --nflog-range option + of the NFLOG target has never worked correctly, and they have + deprecated that option in favor of the --nflog-size option. To + accomodate this change, there is now an "--nflog-size support" + (NFLOG_SIZE) Shorewall capability and a USE_NFLOG_SIZE option in + shorewall[6].conf. + + For further information, see the Migrations Issues item number 8. + +5) The RESTORE_DEFAULT_ROUTE option has now been added to + shorewall6.conf. Prior to this release, RESTORE_DEFAULT_ROUTE=Yes + has always been assumed for Shorewall6 configurations. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 1 . 4 ---------------------------------------------------------------------------- @@ -382,7 +709,7 @@ 6) A number of small documentation corrections have been made. ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 5 . 1 . 3 + N E W F E A T U R E S I N 5 . 1 . 4 ---------------------------------------------------------------------------- 1) All IPv6 standard actions have been deleted and their logic diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.5.2/shorewall-init new/shorewall-init-5.1.8.1/shorewall-init --- old/shorewall-init-5.1.5.2/shorewall-init 2017-07-27 23:55:19.000000000 +0200 +++ new/shorewall-init-5.1.8.1/shorewall-init 2017-11-08 18:46:25.000000000 +0100 
@@ -104,7 +104,9 @@ if [ -n "$SAVE_IPSETS" ]; then mkdir -p $(dirname "$SAVE_IPSETS") if ipset -S > "${SAVE_IPSETS}.tmp"; then - grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" + grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp" + else + rm -f "${SAVE_IPSETS}.tmp" fi fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.5.2/shorewall-init.spec new/shorewall-init-5.1.8.1/shorewall-init.spec --- old/shorewall-init-5.1.5.2/shorewall-init.spec 2017-08-02 00:47:07.000000000 +0200 +++ new/shorewall-init-5.1.8.1/shorewall-init.spec 2017-11-08 19:50:09.000000000 +0100 @@ -1,6 +1,6 @@ %define name shorewall-init -%define version 5.1.5 -%define release 2 +%define version 5.1.8 +%define release 1 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} 
@@ -135,10 +135,38 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Thu Jul 27 2017 Tom Eastep tom@shorewall.net -- Updated to 5.1.5-2 -* Thu Jul 06 2017 Tom Eastep tom@shorewall.net -- Updated to 5.1.5-1 +* Wed Nov 08 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.8-1 +* Sun Oct 15 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.8-0base +* Tue Oct 10 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.8-0RC1 +* Sat Oct 07 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.8-0Beta2 +* Mon Sep 18 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.8-0Beta1 +* Mon Sep 18 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.7-0base +* Sun Sep 17 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.7-0RC2 +* Fri Sep 01 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.7-0RC1 +* Wed Aug 23 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.7-0Beta2 +* Tue Aug 22 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.7-0Beta1 +* Wed Aug 16 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.6-0base +* Tue Aug 15 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.6-0RC2 +* Tue Aug 15 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.6-0RC1 +* Wed Aug 09 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.6-0RC1 +* Thu Aug 03 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.6-0Beta2 +* Thu Jul 20 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.6-0Beta1 * Mon Jun 26 2017 Tom Eastep tom@shorewall.net - Updated to 5.1.5-0base * Wed Jun 21 2017 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.5.2/uninstall.sh new/shorewall-init-5.1.8.1/uninstall.sh --- old/shorewall-init-5.1.5.2/uninstall.sh 2017-08-02 00:47:07.000000000 +0200 +++ new/shorewall-init-5.1.8.1/uninstall.sh 2017-11-08 19:50:09.000000000 +0100 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.1.5.2 +VERSION=5.1.8.1 PRODUCT=shorewall-init Product="Shorewall Init" ++++++ shorewall-init-fillup-install.patch ++++++ --- /var/tmp/diff_new_pack.ZtqdLA/_old 2017-11-20 17:06:12.992002255 +0100 +++ /var/tmp/diff_new_pack.ZtqdLA/_new 2017-11-20 17:06:12.996002110 +0100 @@ -9,8 +9,8 @@ - install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT 0644 - echo "${SYSCONFFILE} file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}" + if [ $HOST = suse ]; then -+ mkdir -p ${DESTDIR}/var/adm/fillup-templates -+ install_file sysconfig ${DESTDIR}/var/adm/fillup-templates/sysconfig.shorewall-init 0644 ++ mkdir -p ${DESTDIR}/${FILLUPDIR} ++ install_file sysconfig ${DESTDIR}/${FILLUPDIR}/sysconfig.shorewall-init 0644 + else + if [ -n "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then + install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT 0644 ++++++ shorewall-lite-5.1.5.2.tar.bz2 -> shorewall-lite-5.1.8.1.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.5.2/changelog.txt new/shorewall-lite-5.1.8.1/changelog.txt --- old/shorewall-lite-5.1.5.2/changelog.txt 2017-08-02 00:47:07.000000000 +0200 +++ new/shorewall-lite-5.1.8.1/changelog.txt 2017-11-08 19:50:09.000000000 +0100 
@@ -1,3 +1,144 @@ +Changes in 5.1.8.1 + +1) Update release documents. + +2) Make persistent routes and rules independent of 'autosrc'. + +Changes in 5.1.8 + +1) Update release documents. + +Changes in 5.1.8 RC 1 + +1) Update release documents. + +2) Correct 'delete_default_routes()'. + +3) Delete default routes from 'main' when a fallback provider is + successfully enabled. + +4) Don't restore default route when a fallback provider is enabled. + +5) Issue a warning when 'persistent' is used with + RESTORE_DEFAULT_ROUTE=Yes. + +6) Don't dump SPD entries for the other address family. + +Changes in 5.1.8 Beta 2 + +1) Update release documents. + +2) Fix 'persistent' provider issues. + +Changes in 5.1.8 Beta 1 + +1) Update release documents. + +2) Treat LOG_TARGET the same as all other capabilities. + +3) Allow merging of rules with IPSEC policies + +Changes in 5.1.7.1 + +1) Update release documents. + +2) Correct 'reenable' logic for persistent providers. + +3) Align progress messages produced by 'reenable'. + +Changes in 5.1.7 Final + +1) Update release documents. + +Changes in 5.1.7 RC 2 + +1) Update release documents. + +2) Correct module loading. + +3) Add DOCKER-INGRESS support. + +Changes in 5.1.7 RC 1 + +1) Update release documents. + +2) Correct handling of ipsets in the DEST column of the snat file. + +3) Allow NAT rules to be passed to perl_action_helper() + +4) Split NAT and ACCEPT rules in the Event actions. + +5) Correct VLSM verification logic in the 'ipcalc' command. + +6) Fix ADD_IP_ALIASES default. + +7) Remove empty/useless .tmp files created during shorewall-init stop. + +Changes in 5.1.7 Beta 2 + +1) Update release documents. + +2) Improve dynamic gateway detection. + +Changes in 5.1.7 Beta 1 + +1) Update release documents. + +2) Simplify Module Loading (Tuomo Soini) + +3) Eliminate MODULE_SUFFIX. + +Changes in 5.1.6 Final + +1) Update release documents. + +2) Allow port variables as server port in DNAT rules. 
+ +3) Change MODULE_SUFFIX standard default to "ko ko.xz" + +4) Added UDP rule to macro.RDP. + +Changes in 5.1.6 RC 2 + +1) Update release documents. + +2) Use MUTEX_TIMEOUT for ip[6]tables-restore --wait interval + +Changes in 5.1.6 RC 1 + +1) Update release documents. + +2) Make Shorewall's handling of '+' consistent with Netfilter's. + +3) Verify that parent and child zones have an interface in common. + +4) Allow runtime address variables as the DNAT server address. + +5) Prevent IPv4 and IPv6 firewalls from starting simultaneously under + systemd. + +6) Use the ip[6]-tables --wait option, if available. + +Changes in 5.1.6 Beta 2 + +1) Update release documents. + +2) Pass arguments to the enable and disable user exit functions + +3) Export CONFDIR and SHAREDIR to the generated script. + +4) Correct handling of combining a policy chain with a normal chain. + +Changes in 5.1.6 Beta 1 + +1) Update release documents. + +2) Apply Bernhard M. Wiedemann's patch for reproducible builds. + +3) Patch configure.pl to support reproducible builds. + +4) Merge content from 5.1.5.1. + Changes in 5.1.5.2 1) Update release documents. @@ -15,6 +156,10 @@ 2) Process the snat file if the masq file is empty. +3) Apply Bernhard Wiedemann's configure change. + +4) Make a similar change to configure.pl. + Changes in 5.1.5 Final 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.5.2/configure new/shorewall-lite-5.1.8.1/configure --- old/shorewall-lite-5.1.5.2/configure 2017-08-02 00:47:07.000000000 +0200 +++ new/shorewall-lite-5.1.8.1/configure 2017-11-08 19:50:09.000000000 +0100 
@@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.1.5.2 +VERSION=5.1.8.1 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.5.2/configure.pl new/shorewall-lite-5.1.8.1/configure.pl --- old/shorewall-lite-5.1.5.2/configure.pl 2017-08-02 00:47:07.000000000 +0200 +++ new/shorewall-lite-5.1.8.1/configure.pl 2017-11-08 19:50:09.000000000 +0100 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.1.5.2' + VERSION => '5.1.8.1' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.5.2/install.sh new/shorewall-lite-5.1.8.1/install.sh --- old/shorewall-lite-5.1.5.2/install.sh 2017-08-02 00:47:07.000000000 +0200 +++ new/shorewall-lite-5.1.8.1/install.sh 2017-11-08 19:50:09.000000000 +0100 @@ -22,7 +22,7 @@ # along with this program; if not, see http://www.gnu.org/licenses/. # -VERSION=5.1.5.2 +VERSION=5.1.8.1 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.5.2/lib.installer new/shorewall-lite-5.1.8.1/lib.installer --- old/shorewall-lite-5.1.5.2/lib.installer 2017-08-02 00:47:07.000000000 +0200 +++ new/shorewall-lite-5.1.8.1/lib.installer 2017-11-08 19:50:09.000000000 +0100 @@ -1,6 +1,6 @@ # # -# Shorewall 5.0 -- /usr/share/shorewall/lib.installer. +# Shorewall 5.1 -- /usr/share/shorewall/lib.installer. # # (c) 2017 - Tom Eastep (teastep@shorewall.net) # (c) 2017 - Matt Darfeuille (matdarf@gmail.com) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.5.2/lib.uninstaller new/shorewall-lite-5.1.8.1/lib.uninstaller --- old/shorewall-lite-5.1.5.2/lib.uninstaller 2017-08-02 00:47:07.000000000 +0200 +++ new/shorewall-lite-5.1.8.1/lib.uninstaller 2017-11-08 19:50:09.000000000 +0100 
@@ -1,6 +1,6 @@ # # -# Shorewall 5.0 -- /usr/share/shorewall/lib.installer. +# Shorewall 5.1 -- /usr/share/shorewall/lib.installer. # # (c) 2017 - Tom Eastep (teastep@shorewall.net) # (c) 2017 - Matt Darfeuille (matdarf@gmail.com) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.5.2/manpages/shorewall-lite-vardir.5 new/shorewall-lite-5.1.8.1/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-5.1.5.2/manpages/shorewall-lite-vardir.5 2017-08-02 00:48:20.000000000 +0200 +++ new/shorewall-lite-5.1.8.1/manpages/shorewall-lite-vardir.5 2017-11-08 19:51:33.000000000 +0100 @@ -2,12 +2,12 @@ .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 http://docbook.sf.net/ -.\" Date: 08/01/2017 +.\" Date: 11/08/2017 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "08/01/2017" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\-VAR" "5" "11/08/2017" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.5.2/manpages/shorewall-lite.8 new/shorewall-lite-5.1.8.1/manpages/shorewall-lite.8 --- old/shorewall-lite-5.1.5.2/manpages/shorewall-lite.8 2017-08-02 00:48:21.000000000 +0200 +++ new/shorewall-lite-5.1.8.1/manpages/shorewall-lite.8 2017-11-08 19:51:34.000000000 +0100 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 http://docbook.sf.net/ -.\" Date: 08/01/2017 +.\" Date: 11/08/2017 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "08/01/2017" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL\-LITE" "8" "11/08/2017" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.5.2/manpages/shorewall-lite.conf.5 new/shorewall-lite-5.1.8.1/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-5.1.5.2/manpages/shorewall-lite.conf.5 2017-08-02 00:48:19.000000000 +0200 +++ new/shorewall-lite-5.1.8.1/manpages/shorewall-lite.conf.5 2017-11-08 19:51:32.000000000 +0100 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 http://docbook.sf.net/ -.\" Date: 08/01/2017 +.\" Date: 11/08/2017 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "08/01/2017" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\&.CO" "5" "11/08/2017" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.5.2/releasenotes.txt new/shorewall-lite-5.1.8.1/releasenotes.txt --- old/shorewall-lite-5.1.5.2/releasenotes.txt 2017-08-02 00:47:07.000000000 +0200 +++ new/shorewall-lite-5.1.8.1/releasenotes.txt 2017-11-08 19:50:09.000000000 +0100 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 1 . 5 . 2 - ------------------------------ - J u l y 3 1 , 2 0 1 7 + S H O R E W A L L 5 . 1 . 8 . 1 + ------------------------------- + N o v e m b e r 0 8 , 2 0 1 7 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,62 +14,42 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -5.1.5.2 - -1) Previously, Specifying a USER in the OUTPUT section of the - accounting file caused the compilter to incorrectly generate the - following error message: - - ERROR: USER/GROUP may only be specified in the OUTPUT section - - That has been corrected, and no error message is generated in this - case. +5.1.8.1 -2) When BASIC_FILTERS=Yes, the compiler previously generated an - invalid tc command when when a source port was specified in a - tcfilters entry. The compiler now generates correct input in this - case. - -3) Previously, a MAC address could be specified in the OUTPUT - section of the accounting file and no error would be generated at - compile time. A failure would occur, however, at run-time. Now, an - error is raised during compilation. - -5.1.5.1 - -1) To compensate for the presence of a masq file with no entries, - the compiler will now attempt to process the snat file when such a - masq file is found. Previously, if a masq file with no entries was - found, the snat file, if any, was ignored. - -2) Previously, maintainers could not create reproducable packages - because the 'configure' and 'configure.pl' scripts inserted the - current date and time into the generated shorewallrc file. - - To support reproducable package builds, the scripts now recognize - the SOURCE_DATE_EPOCH environmental variable (see - https://reproducible-builds.org/specs/source-date-epoch/). - - The change to 'configure' was supplied by Bernhard M. Wiedemann. - -5.1.5 - -1) This release contains defect repair through Shorewall 5.1.4.4. - -2) Previously, when 0 was used as a port number or when a port number - > 65535 was specified, an 'uninitialized variable' Perl exception - occurred when the compiler attempted to issue an error - message. That has been corrected. 
- -3) When running with Perl 5.26, messages such at the following could - be issued: - - Unescaped left brace in regex is deprecated here (and will be - fatal in Perl 5.30), passed through in regex; marked by <-- HERE - in m/^(\s*|.*[^&@%]){ <-- HERE (.*)}\s*$/ at - /usr/share/shorewall/Shorewall/Config.pm line 2343. - - That problem has been corrected. +1) Previously, if 'noautosrc' was specified on a provider, then + persistent routes and rules for that provider were treated as + ordinary routes and rules (not persistent). That has been corrected + so that persistent routes and rules are retained when the provider + is disabled. + +5.1.8 + +1) This release includes defect repair through Shorewall 5.1.7.2. + +2) The copyright dates and product version comments have been updated + in a number of files. + +3) The undocumented and unmaintained Makefile files for Shorewall-lite + and Shorewall6-lite have been removed from Shorewall and Shorewall6 + respectively. + +4) The 'dump' command logic now does a better job of detecting + and suppressing the printing of empty IPSec SPD entries. + +5) A number of issues with persistent providers that resulted in + 'ip rule add' and 'ip route add' failures have been corrected. The + most common senario involved a 'reload' while a persistent + interface was disabled. + +6) Previously, the generated script contained incorrect logic for + deleting default routes with metric zero ('balanced' routes and + routes generated by 'fallback=nn'); the logic only worked correctly + when applied to the 'main' routing table. It now works correctly + for all routing tables. + +7) The 'ip xfrm policy' command ignores the -4 and -6 options and + dumps the policies for both address families. This release contains + a workaround that suppresses entries for the other family. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -90,40 +70,41 @@ uses a "delete..add.." sequence on these routes rather than a single "replace" command. -4) When the formerly built-in actions were converted to standard - actions in Shorewall 5.1.3, the 'dropBcasts' action was - inadvertently changed to 'dropBcast'. Beginning with this release, - both spellings are accepted. - ---------------------------------------------------------------------------- I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Run-time port variables are now supported. See - http://www.shorewall.org/configuration_file_basics.htm#Port_Variables - for details. +1) For historical reasons, Shorewall has always assumed that LOG target + support is present unless proven otherwise. While this has worked + correctly when a capabilities file is used and when + LOAD_HELPERS_ONLY=No, it can generate an unworkable firewall + script when LOAD_HELPERS_ONLY=Yes. + + Beginning with this release, Shorewall will treat LOG target like + any other capability and will verify its presense in all cases + where the target is used. + +2) The level 4 optimizer now does a better job of handling small + chains with rules specifying an IPSEC policy. This can result in + elimination of these chains. + +3) Beginning with this release, when RESTORE_DEFAULT_ROUTE=Yes the + default route is only restored when there are no enabled + 'balance/primary' providers and no enabled fallback providers. + + Also beginning with this release, if the default route(s) have been + restored to the 'main' table, and a fallback provider is + successfully enabled, the default route(s) are removed from the + main table. 
+ +4) Because restoring default routes to the main routing table can + break the ability of Foolsm and other link status monitors to + properly detect non-functioning provider links, a warning message + is now issued when the 'persistent' provider option is specified + and RESTORE_DEFAULT_ROUTE=Yes. -2) The Shorewall and Shorewall6 manpages are now consolidated. Almost - all of the Shorewall6 manpages are manpage aliases for the - corresponding Shorewall manpages which describe the files for both - products. - -3) There is now a FIN standard action which handles TCP packets with - the FIN, ACK and PSH flags set. - -4) According to the Netfilter team (see - https://patchwork.kernel.org/patch/9198133/), the --nflog-range option - of the NFLOG target has never worked correctly, and they have - deprecated that option in favor of the --nflog-size option. To - accomodate this change, there is now an "--nflog-size support" - (NFLOG_SIZE) Shorewall capability and a USE_NFLOG_SIZE option in - shorewall[6].conf. - - For further information, see the Migrations Issues item number 8. - -5) The RESTORE_DEFAULT_ROUTE option has now been added to - shorewall6.conf. Prior to this release, RESTORE_DEFAULT_ROUTE=Yes - has always been assumed for Shorewall6 configurations. + WARNING: When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option + may not work as expected ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -267,9 +248,355 @@ verify that those NFLOG messages are as you expect with USE_NFLOG_SIZE=Yes. +9) The MODULE_SUFFIX option in shorewall[6].conf was eliminated in + Shorewall 5.1.7. Shorewall now finds modules, independent of their + filename suffix. + + 'shorewall [-6] update' will automatically remove any MODULE_SUFFIX + setting. + +10) Beginning with Shorewall 5.1.8, when RESTORE_DEFAULT_ROUTE=Yes the + default route is only restored when there are no enabled + 'balance/primary' providers and no enabled fallback providers. + + Also beginning with Shorewall 5.1.8, if the default route(s) have + been restored to the 'main' table, and a fallback provider is + successfully enabled, the default route(s) are removed from the + main table. + +11) Because restoring default routes to the main routing table can + break the ability of Foolsm and other link status monitors to + properly detect non-functioning provider links, a warning message + is issued when the 'persistent' provider option is specified and + RESTORE_DEFAULT_ROUTE=Yes. + + WARNING: When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option + may not work as expected + + This change was released in Shorewall 5.1.8. + ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 1 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 1 . 7 +---------------------------------------------------------------------------- + +5.1.7.2 + +1) Previously during the opening of a configuration file, if SELinux + denied the "getattr" (stat) request, then the compiler would skip + processing of the file as if it did not exist. Now, if "getattr" + fails for any reason other than that the file does not exist, an + error is raised. 
+ + ERROR: Unable to access <filename>: <reason for denial> + +2) Previously, when a range was passed to the MARK() action (mangle + file), any specified protocol, port and time restrictions were + ignored. Now these elements are included in the rule. + +5.1.7.1 + +1) Previously, the 'reenable' command failed on a persistent provider + interface with a message similar to the following: + + RTNETLINK answers: File exists + ERROR: Command "/sbin/ip -4 rule add from 10.2.10.2 pref 20000 + table IPv6Beta" Failed + + That problem has been corrected and the 'reenable' command now + works properly on both persistant and non-persistant interfaces. + + Note: The firewall script must be recompiled in order for this + change to become effective. + +5.1.7 + +1) This release includes defect repair through Shorewall 5.1.6.1. + +2) Previously, there was a typo in IPv4 Example 5 in the + shorewall-snat(5) manpage. The DEST column contained + + eth0+myset[dst] + + which should have been + + eth0:+myset[dst] + + That has been corrected. + +3) Previously, specifying an ipset name in the DEST column of the IPv4 + snat file had no effect. That has been corrected so that only + connections whose destination matches the ipset are affected by the + rule. + +4) Previously, passing an invalid vlsm to the 'ipcalc' command coult + result in a series of shell diagnostics beginning with: + + shorewall: 3730: /home/teastep/bin/shorewall: Invalid VLSM: not + found + + That has been corrected so that the correct message is issued: + + ERROR: Invalid VLSM + + (Tuomo Soini) + +5) ADD_IP_ALIASES has defaulted to Yes for both Shorewall and + Shorewall6, leading to 'not found' errors during + start/reload/restart. Now, ADD_IP_ALIASES=No is the default for + IPv6 and may not be changed. + +6) When Shorewall-init was configured to save ipsets, it could leave + behind an empty or useless .tmp file if no ipsets were saved. Now + that file is removed automatically. 
+ +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 1 . 7 +---------------------------------------------------------------------------- + +1) Loading of kernel modules has been streamlined (Tuomo Soini). + +2) The MODULE_SUFFIX option in shorewall[6].conf has been + eliminated. Shorewall now finds modules, independent of their + filename suffix. + + 'shorewall [-6] update' will automatically remove any MODULE_SUFFIX + setting. + +3) When 'detect' is specified in the GATEWAY column for a provider, + the generated script now looks for an existing default route in + the provider's routing table to obtain the provider's default + gateway. This is useful when dhcpcd5 is installed, since the .lease + files created by dhcpcd5 are binary coded and are hence not usable + for learning the configured gateway. + +4) The Shorewall Event actions (IfEvent, SetEvent and ResetEvent) now + accept DNAT and REDIRECT as the <action> argument. For DNAT, a + server address must be specified in the DEST column. A server port + may NOT be specified in the DEST column, so the port number cannot + be changed by the action. + +5) Shorewall now supports Docker configuration that create the + DOCKER-INGRESS chain in the filter table. + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 1 . 6 +---------------------------------------------------------------------------- + +1) This release contains defect repair through Shorewall 5.1.5.2. + +2) http://www.shorewall.net/shorewall_extension_scripts.htm states + that $SHAREDIR and $CONFDIR can be used in extension scripts, that + has not been true for some time. Beginning with this release, those + variables are once again available in the generated script. 
+ +3) Under very rare circumstances, when OPTIMIZE level 8 was used, + messages such as the following could be issued during compilation: + + Use of uninitialized value in hash element at + /usr/share/shorewall/Shorewall/Rules.pm line 818. + Use of uninitialized value in concatenation (.) or string at + /usr/share/shorewall/Shorewall/Rules.pm line 823. + + That has been corrected. + +4) Previously, Shorewall's treatment of wildcard interfaces differed + from Netfilter's. Shorewall did not consider 'eth' to match 'eth+' + while Netfilter did. Beginning with this release, Shorewall is + consistent with Netfilter. + +5) Previously, systemd could attempt to start the IPv4 and IPv6 + firewalls simultaneously, which might lead to iptables-restore and + ip6tables-restore being run at the same time resulting in a failure + to start one of the firewalls. + + Beginning with this release, Shorewall and Shorwall6 will be + started serially as will Shorewall-lite and Shorewall6-lite. + +6) To prevent other init systems from starting the IPv4 and IPv6 + firewalls in parallel, the ip[6]-tables-restore '--wait' option, if + available, is used. This change introduces a new + RESTORE_WAIT_OPTION capability. + + Note: If the new capability is not available on your system, and + you don't run systemd, you can still avoid the parallel start + problem by configuring the same LOCKFILE in both your + shorewall.conf and shorewall6.conf files. + +7) Previously, the RDP macro only allowed TCP traffic, even though RDP + also requires UDP. That has been corrected so that both protocols + are allowed. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 1 . 6 +---------------------------------------------------------------------------- + +1) The SPARSE option in shorewallrc originally caused only + shorewall[6].conf to be installed in /etc/shorewall[6], but later + the conntrack and params files were also installed. 
To prevent + these additional files from being installed, SPARSE may now be set + to 'Very', either by editing the file directly or by using the + configure or configure.pl scripts. + + This setting is recommended if you wish to use a single set of + configuration files for both IPv4 and IPv6 as described at + http://www.shorewall.org/SharedConfig.html. + +2) Two new run-time extensions scripts have been added: + + - enabled + + Invoked when an optional interface has been successfully enabled + using the 'enable' command. + + - disabled + + Invoked when an optional interface has been successfully disabled + using the 'disable' command. + + Like all run-time extension scripts, the contents of each script + are placed in a function body. In the case of these new scripts, + the function is passed arguments: + + $1 = the physical name of the interface + $2 = the logical name of the interface + $3 = the name of the Provider, if any, associated with the + interface. + +3) When a zone (z1) is defined to be a sub-zone of another zone (z2), + the compiler now verifies that the two zones have at least one + interface in common. If they do not, a warning message is + generated: + + WARNING: Zone z1 is defined to be a sub-zone of z2, yet the two + zones have no interface in common + +4) Runtime address variables may now be used as the server IP address + and Runtime port variables may be used as the server port in DNAT + rules. + + Example: + + DNAT net $FW:ð1:%{PORT} tcp 9999 + +5) Previously, systemd could attempt to start the IPv4 and IPv6 + firewalls simultaneously, which might lead to iptables-restore and + ip6tables-restore being run at the same time resulting in a failure + to start one of the firewalls. + + Beginning with this release, Shorewall and Shorwall6 will be + started serially as will Shorewall-lite and Shorewall6-lite. 
+ +6) To prevent problems when other init systems start the IPv4 and IPv6 + firewalls in parallel, the ip[6]-tables '--wait' option, if + available, is used. The amount of time to wait is determined by the + setting of MUTEX_TIMEOUT (default 60 seconds). This change + introduces a new RESTORE_WAIT_OPTION capability. + + Note: If the new capability is not available on your system, and + you don't run systemd, you can still avoid the parallel start + problem by configuring the same LOCKFILE in both your + shorewall.conf and shorewall6.conf files. + +7) Previously, the sample configuration files specified + MODULE_SUFFIX="ko ko.xz", whereas the default .conf files specified + MODULE_SUFFIX=ko. The latter no longer works on RHEL7-based + systems. Beginning with this release, the default .conf files also + specify MODULE_SUFFIX="ko ko.xz". + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 1 . 5 +---------------------------------------------------------------------------- + +5.1.5.2 + +1) Previously, Specifying a USER in the OUTPUT section of the + accounting file caused the compilter to incorrectly generate the + following error message: + + ERROR: USER/GROUP may only be specified in the OUTPUT section + + That has been corrected, and no error message is generated in this + case. + +2) When BASIC_FILTERS=Yes, the compiler previously generated an + invalid tc command when when a source port was specified in a + tcfilters entry. The compiler now generates correct input in this + case. + +3) Previously, a MAC address could be specified in the OUTPUT + section of the accounting file and no error would be generated at + compile time. A failure would occur, however, at run-time. Now, an + error is raised during compilation. + +5.1.5.1 + +1) To compensate for the presence of a masq file with no entries, + the compiler will now attempt to process the snat file when such a + masq file is found. 
Previously, if a masq file with no entries was + found, the snat file, if any, was ignored. + +2) Previously, maintainers could not create reproducible packages + because the 'configure' and 'configure.pl' scripts inserted the + current date and time into the generated shorewallrc file. + + To support reproducible package builds, the scripts now recognize + the SOURCE_DATE_EPOCH environmental variable (see + https://reproducible-builds.org/specs/source-date-epoch/). + + The change to 'configure' was supplied by Bernhard M. Wiedemann. + +5.1.5 + +1) This release contains defect repair through Shorewall 5.1.4.4. + +2) Previously, when 0 was used as a port number or when a port number + > 65535 was specified, an 'uninitialized variable' Perl exception + occurred when the compiler attempted to issue an error + message. That has been corrected. + +3) When running with Perl 5.26, messages such at the following could + be issued: + + Unescaped left brace in regex is deprecated here (and will be + fatal in Perl 5.30), passed through in regex; marked by <-- HERE + in m/^(\s*|.*[^&@%]){ <-- HERE (.*)}\s*$/ at + /usr/share/shorewall/Shorewall/Config.pm line 2343. + + That problem has been corrected. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 1 . 5 +---------------------------------------------------------------------------- + +1) Run-time port variables are now supported. See + http://www.shorewall.org/configuration_file_basics.htm#Port_Variables + for details. + +2) The Shorewall and Shorewall6 manpages are now consolidated. Almost + all of the Shorewall6 manpages are manpage aliases for the + corresponding Shorewall manpages which describe the files for both + products. + +3) There is now a FIN standard action which handles TCP packets with + the FIN, ACK and PSH flags set. 
+ +4) According to the Netfilter team (see + https://patchwork.kernel.org/patch/9198133/), the --nflog-range option + of the NFLOG target has never worked correctly, and they have + deprecated that option in favor of the --nflog-size option. To + accomodate this change, there is now an "--nflog-size support" + (NFLOG_SIZE) Shorewall capability and a USE_NFLOG_SIZE option in + shorewall[6].conf. + + For further information, see the Migrations Issues item number 8. + +5) The RESTORE_DEFAULT_ROUTE option has now been added to + shorewall6.conf. Prior to this release, RESTORE_DEFAULT_ROUTE=Yes + has always been assumed for Shorewall6 configurations. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 1 . 4 ---------------------------------------------------------------------------- @@ -382,7 +709,7 @@ 6) A number of small documentation corrections have been made. ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 5 . 1 . 3 + N E W F E A T U R E S I N 5 . 1 . 4 ---------------------------------------------------------------------------- 1) All IPv6 standard actions have been deleted and their logic diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.5.2/shorecap new/shorewall-lite-5.1.8.1/shorecap --- old/shorewall-lite-5.1.5.2/shorecap 2017-07-27 23:55:19.000000000 +0200 +++ new/shorewall-lite-5.1.8.1/shorecap 2017-11-08 18:46:25.000000000 +0100 
@@ -28,7 +28,7 @@ # # On the target system (the system where the firewall program is to run): # -# [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] [ MODULE_SUFFIX="<module suffix list>" ] shorecap > capabilities +# [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] shorecap > capabilities # # Now move the capabilities file to the compilation system. The file must # be placed in a directory on the CONFIG_PATH to be used when compiling firewalls @@ -38,7 +38,6 @@ # # IPTABLES - iptables # MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter -# MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz" # # Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is # used during firewall compilation, then the generated firewall program will likewise not diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.5.2/shorewall-lite.spec new/shorewall-lite-5.1.8.1/shorewall-lite.spec --- old/shorewall-lite-5.1.5.2/shorewall-lite.spec 2017-08-02 00:47:07.000000000 +0200 +++ new/shorewall-lite-5.1.8.1/shorewall-lite.spec 2017-11-08 19:50:09.000000000 +0100 @@ -1,6 +1,6 @@ %define name shorewall-lite -%define version 5.1.5 -%define release 2 +%define version 5.1.8 +%define release 1 %define initdir /etc/init.d Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. 
@@ -115,10 +115,38 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Thu Jul 27 2017 Tom Eastep tom@shorewall.net -- Updated to 5.1.5-2 -* Thu Jul 06 2017 Tom Eastep tom@shorewall.net -- Updated to 5.1.5-1 +* Wed Nov 08 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.8-1 +* Sun Oct 15 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.8-0base +* Tue Oct 10 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.8-0RC1 +* Sat Oct 07 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.8-0Beta2 +* Mon Sep 18 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.8-0Beta1 +* Mon Sep 18 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.7-0base +* Sun Sep 17 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.7-0RC2 +* Fri Sep 01 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.7-0RC1 +* Wed Aug 23 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.7-0Beta2 +* Tue Aug 22 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.7-0Beta1 +* Wed Aug 16 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.6-0base +* Tue Aug 15 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.6-0RC2 +* Tue Aug 15 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.6-0RC1 +* Wed Aug 09 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.6-0RC1 +* Thu Aug 03 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.6-0Beta2 +* Thu Jul 20 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.6-0Beta1 * Mon Jun 26 2017 Tom Eastep tom@shorewall.net - Updated to 5.1.5-0base * Wed Jun 21 2017 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.5.2/uninstall.sh new/shorewall-lite-5.1.8.1/uninstall.sh --- old/shorewall-lite-5.1.5.2/uninstall.sh 2017-08-02 00:47:07.000000000 +0200 +++ new/shorewall-lite-5.1.8.1/uninstall.sh 2017-11-08 19:50:09.000000000 +0100 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.1.5.2 +VERSION=5.1.8.1 usage() # $1 = exit status { ++++++ shorewall-lite-fillup-install.patch ++++++ --- /var/tmp/diff_new_pack.ZtqdLA/_old 2017-11-20 17:06:13.083998925 +0100 +++ /var/tmp/diff_new_pack.ZtqdLA/_new 2017-11-20 17:06:13.087998780 +0100 @@ -8,8 +8,8 @@ - install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640 - echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}" + if [ $HOST = suse ]; then -+ mkdir -p ${DESTDIR}/var/adm/fillup-templates -+ install_file ${SYSCONFFILE} ${DESTDIR}/var/adm/fillup-templates/sysconfig.${PRODUCT} 0644 ++ mkdir -p ${DESTDIR}/${FILLUPDIR} ++ install_file ${SYSCONFFILE} ${DESTDIR}/${FILLUPDIR}/sysconfig.${PRODUCT} 0644 + else + install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT 0644 + fi ++++++ shorewall-5.1.5.2.tar.bz2 -> shorewall6-5.1.8.1.tar.bz2 ++++++ ++++ 117986 lines of diff (skipped) ++++++ shorewall-lite-5.1.5.2.tar.bz2 -> shorewall6-lite-5.1.8.1.tar.bz2 ++++++ ++++ 3697 lines of diff (skipped)
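Review bot: spelling error in the new 5.1.8 item 5 of the releasenotes.txt hunk `@@ -14,62 +14,42 @@`: "The most common senario involved a 'reload'" should read "scenario". Since releasenotes.txt ships verbatim through `%doc COPYING changelog.txt releasenotes.txt`, the fix belongs in the upstream tarball rather than in a package patch.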
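Review bot: spelling error in NEW FEATURES item 1 of the releasenotes.txt hunk `@@ -90,40 +70,41 @@`: "will verify its presense in all cases" should read "presence". In the same hunk, the final line of item 4 (`WARNING: When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option may not work as expected`) lacks the terminating period that every other paragraph in the file carries; the same line recurs in Migration Issues item 11 of the next hunk.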
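Review bot: several spelling errors and one duplicated paragraph in the large releasenotes.txt hunk `@@ -267,9 +248,355 @@`: "persistant" and "non-persistant" (5.1.7.1 item 1), "coult" (5.1.7 item 4), "Docker configuration that create" (5.1.7 new features item 5, should be "configurations that create"), "Shorwall6" (5.1.6 problems item 5 and 5.1.6 new features item 5, which are word-for-word copies of each other and whose items 6 nearly are), "compilter" and "when when" (5.1.5.2 items 1 and 2), "accomodate" (5.1.5 new features item 4) and "Migrations Issues" (same item). The DNAT example in 5.1.6 new features item 4 appears here as `DNAT net $FW:ð1:%{PORT} tcp 9999`; the `ð1` token looks like an HTML-entity rendering of `&eth1`, so confirm that the shipped file carries the literal `&eth1`. All of this text is copied from upstream, so the corrections belong there.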
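Review bot: duplicate entry in the `%changelog` hunk `@@ -115,10 +115,38 @@` of shorewall-lite.spec: both `* Tue Aug 15 2017 Tom Eastep tom@shorewall.net` and `* Wed Aug 09 2017 Tom Eastep tom@shorewall.net` are followed by `- Updated to 5.1.6-0RC1`, while the Aug 15 entry directly above them already records 5.1.6-0RC2. One of the two RC1 lines is presumably mislabelled or redundant; rpmbuild accepts it, but the recorded history is misleading and worth a query upstream.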
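Review bot: no guard against an unset variable in the shorewall-lite-fillup-install.patch hunk `@@ -8,8 +8,8 @@`: the new lines `mkdir -p ${DESTDIR}/${FILLUPDIR}` and `install_file ${SYSCONFFILE} ${DESTDIR}/${FILLUPDIR}/sysconfig.${PRODUCT} 0644` replace the hardcoded `/var/adm/fillup-templates`, so if FILLUPDIR is not exported into the install environment the template silently lands in `${DESTDIR}//sysconfig.${PRODUCT}` (the root of DESTDIR) and the build still succeeds. Suggest `: "${FILLUPDIR:?FILLUPDIR must be set}"` before the mkdir, or a fallback of the form `${FILLUPDIR:-/var/adm/fillup-templates}`, and, for consistency with the else branch's `${DESTDIR}${SYSCONFDIR}`, writing `${DESTDIR}${FILLUPDIR}` so an absolute FILLUPDIR does not yield a doubled slash. The unchanged `if [ $HOST = suse ]; then` context line would also break with a syntax error if HOST were empty; `[ "$HOST" = suse ]` is the safer form.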