Hello community, here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2017-08-28 15:17:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shorewall (Old) and /work/SRC/openSUSE:Factory/.shorewall.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "shorewall" Mon Aug 28 15:17:53 2017 rev:100 rq:518886 version:5.1.5.2 Changes: -------- --- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2017-08-16 16:14:31.318576059 +0200 +++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes 2017-08-28 15:19:18.402670576 +0200 @@ -1,0 +2,14 @@ +Tue Aug 15 09:53:02 UTC 2017 - bruno@ioda-net.ch + +- Update to bugfix release 5.1.5.2 + + Make build reproducible boo#1047218 + + Fix upgrade from 4x version : dropBcast and dropBcasts are now + supported boo#1053650 + + Perl 5.26 support + + Fix for BASIC_FILTERS=Yes and tcfilters + + Fix USER/GROUP messages + + MAC address in OUTPUT col in accounting file error is raised + at compile time + + Fix port number 0 or > 65535 perl execption + +------------------------------------------------------------------- Old: ---- shorewall-5.1.4.4.tar.bz2 shorewall-core-5.1.4.4.tar.bz2 shorewall-docs-html-5.1.4.4.tar.bz2 shorewall-init-5.1.4.4.tar.bz2 shorewall-lite-5.1.4.4.tar.bz2 shorewall6-5.1.4.4.tar.bz2 shorewall6-lite-5.1.4.4.tar.bz2 New: ---- shorewall-5.1.5.2.tar.bz2 shorewall-core-5.1.5.2.tar.bz2 shorewall-docs-html-5.1.5.2.tar.bz2 shorewall-init-5.1.5.2.tar.bz2 shorewall-lite-5.1.5.2.tar.bz2 shorewall6-5.1.5.2.tar.bz2 shorewall6-lite-5.1.5.2.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.UPVMwr/_old 2017-08-28 15:19:20.826329985 +0200 +++ /var/tmp/diff_new_pack.UPVMwr/_new 2017-08-28 15:19:20.850326613 +0200 
@@ -19,9 +19,9 @@ # %define have_systemd 1 %define dmaj 5.1 -%define dmin 5.1.4 +%define dmin 5.1.5 Name: shorewall -Version: 5.1.4.4 +Version: 5.1.5.2 Release: 0 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems License: GPL-2.0 ++++++ shorewall-5.1.4.4.tar.bz2 -> shorewall-5.1.5.2.tar.bz2 ++++++ ++++ 12579 lines of diff (skipped) ++++++ shorewall-core-5.1.4.4.tar.bz2 -> shorewall-core-5.1.5.2.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.4.4/changelog.txt new/shorewall-core-5.1.5.2/changelog.txt --- old/shorewall-core-5.1.4.4/changelog.txt 2017-06-23 16:55:40.000000000 +0200 +++ new/shorewall-core-5.1.5.2/changelog.txt 2017-08-02 00:47:07.000000000 +0200 @@ -1,3 +1,52 @@ +Changes in 5.1.5.2 + +1) Update release documents. + +2) Correct source port handling when BASIC_FILTERS=Yes. + +3) Correct handling of USER/GROUP in the OUTPUT section of the + accounting file. + +4) Correct handling of MAC addresses in the accounting file. + +Changes in 5.1.5.1 + +1) Update release documents. + +2) Process the snat file if the masq file is empty. + +Changes in 5.1.5 Final + +1) Update release documents. + +2) Include IPv6 annotated config files. + +3) Add RESTORE_DEFAULT_ROUTE to shorewall6.conf. + +Changes in 5.1.5 RC 1 + +1) Update release documents. + +2) USE_NFLOG_SIZE option. + +3) Improve editing of port numbers/service names. + +4) Add dropBcasts action. + +Changes in 5.1.5 Beta 2 + +1) Update release documents. + +2) Consolidate Shorewall/Shorewall6 manpages. + +Changes in 5.1.5 Beta 1 + +1) Update release documents. + +2) Add defect repair through 5.1.4.2. + +3) Implement runtime port variables. + Changes in 5.1.4.4 1) Update release documents. 
@@ -32,13 +81,6 @@ 1) Update release documents. -2) Clean up introduction to shorewall-rules(5). - -3) Clarify LOGFORMAT in shorewall[6].conf(5) and - shorewall[6]-zones(5). - -4) Add BLACKLIST to the IPv6 actions.std file. - Changes in 5.1.4 RC 1 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.4.4/configure new/shorewall-core-5.1.5.2/configure --- old/shorewall-core-5.1.4.4/configure 2017-06-23 16:55:40.000000000 +0200 +++ new/shorewall-core-5.1.5.2/configure 2017-08-02 00:47:06.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.1.4.4 +VERSION=5.1.5.2 case "$BASH_VERSION" in [4-9].*) @@ -190,7 +190,7 @@ done echo '#' > shorewallrc -echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc +echo "# Created by Shorewall Core version $VERSION configure - " `date --utc --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}"` >> shorewallrc echo "# rc file: $rcfile" >> shorewallrc echo '#' >> shorewallrc diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.4.4/configure.pl new/shorewall-core-5.1.5.2/configure.pl --- old/shorewall-core-5.1.4.4/configure.pl 2017-06-23 16:55:40.000000000 +0200 +++ new/shorewall-core-5.1.5.2/configure.pl 2017-08-02 00:47:06.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.1.4.4' + VERSION => '5.1.5.2' }; my %params; 
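Review bot: The `SOURCE_DATE_EPOCH` value is passed to `date --date="@…"` unvalidated on the rewritten `echo "# Created by Shorewall Core version …"` line; the reproducible-builds spec defines it as a non-negative integer, and any other value makes `date` fail on stderr while the header is still written with an empty timestamp, so the breakage is silent. A guard before the echo such as `case "${SOURCE_DATE_EPOCH:-}" in ''|*[!0-9]*) SOURCE_DATE_EPOCH=$(date +%s) ;; esac` keeps the generated shorewallrc well-formed and gives one place to warn about a bad value. Note also that `--utc --date=@…` are GNU/BusyBox extensions where the previous bare `date` was POSIX; that is probably acceptable for a Linux-only build but deserves a one-line comment, and since the command already nests `$(date +%s)` the outer backticks would read better as `$( … )`.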
@@ -173,7 +173,12 @@ open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!"; -printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0]; +if ( $ENV{SOURCE_DATE_EPOCH} ) { + printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s\n", VERSION, `date --utc --date=\"\@$ENV{SOURCE_DATE_EPOCH}\"`; +} else { + printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0]; +} + print $outfile "# rc file: $rcfilename\n#\n"; print $outfile "# Input: @ARGV\n#\n" if @ARGV; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.4.4/install.sh new/shorewall-core-5.1.5.2/install.sh --- old/shorewall-core-5.1.4.4/install.sh 2017-06-23 16:55:40.000000000 +0200 +++ new/shorewall-core-5.1.5.2/install.sh 2017-08-02 00:47:06.000000000 +0200 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=5.1.4.4 +VERSION=5.1.5.2 PRODUCT=shorewall-core Product="Shorewall Core" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.4.4/known_problems.txt new/shorewall-core-5.1.5.2/known_problems.txt --- old/shorewall-core-5.1.4.4/known_problems.txt 2017-06-23 16:55:40.000000000 +0200 +++ new/shorewall-core-5.1.5.2/known_problems.txt 2017-08-02 00:47:07.000000000 +0200 
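Review bot: `if ( $ENV{SOURCE_DATE_EPOCH} )` tests truthiness, so the spec-valid value `0` (the epoch) falls through to the local-time branch and the build is silently not reproducible; the check should be `defined` plus a digits-only match. The value is also interpolated into a backtick shell command, so it reaches `sh` unescaped and pulls in a dependency on GNU `date`; formatting with Perl's own `gmtime` removes both and keeps the header in the same `%s %2d %04d %02d:%02d:%02d` shape as the else branch (the backtick output additionally carries a trailing newline, which with the `\n` in the format gives that branch a double line break). The surrounding script continues outside the hunk.
```perl
my $epoch = $ENV{SOURCE_DATE_EPOCH};
if ( defined $epoch && $epoch =~ /\A\d+\z/ ) {
    # Reproducible build: render SOURCE_DATE_EPOCH in UTC without spawning a shell.
    my @utc = gmtime $epoch;
    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d UTC\n", VERSION, $abbr[$utc[4]], $utc[3], 1900 + $utc[5], @utc[2,1,0];
} else {
    # … unchanged: localtime branch …
}
```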
@@ -5,32 +5,26 @@ correctly in configurations with USE_DEFAULT_RT=No and optional providers listed in the DUPLICATE column. -3) The BLACKLIST action was inadvertently omitted from Shorewall6 in - Shorewall 5.1.1. +3) If a masq file with no entries is found by the compiler, then the + snat file, if any, is ignored. - Corrected in Shorewall 5.1.4.1. + Corrected in Shorewall 5.1.5.1. -4) Support for the NFQUEUE '--queue-cpu-fanout' option, introduced in - Shorewall 5.1.0, contained a defect which can result in the - following compile-time error: +4) When BASIC_FILTERS=Yes, the compiler generates an invalid tc + command when a source port is specified in a tcfilters entry. - Use of uninitialized value $fanout in concatenation (.) or string - at /usr/share/shorewall/Shorewall/Rules.pm line 643, - <$currentfile> line 2. + Corrected in Shorewall 5.1.5.2. - Corrected in Shorewall 5.1.4.2. +5) Specifying a USER in the OUTPUT section of the accounting file + causes the compilter to incorrectly generate the following error + message: -5) When running on prior-generation distributions such as RHEL6, - IPv6 multi-ISP configurations fail to start due to an error such as - the following: + ERROR: USER/GROUP may only be specified in the OUTPUT section - ERROR: Command "ip -6 -6 route replace default scope global - table 250 nexthop via ::192.88.99.1 dev tun6to4 weight 1" - Failed + Corrected in Shorewall 5.1.5.2. - Corrected in Shorewall 5.1.4.3. +6) If a MAC address is specified in the OUTPUT section of the + accounting file, no error is generated at compile time. A failure + does occur, however, at run-time. -6) A defect in 5.1.4.3 causes a startup failure when two or more - 'fallback' providers are configured. - - Corrected in Shorewall 5.1.4.4. + Corrected in Shorewall 5.1.5.2. 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.4.4/lib.cli new/shorewall-core-5.1.5.2/lib.cli --- old/shorewall-core-5.1.4.4/lib.cli 2017-06-23 16:55:17.000000000 +0200 +++ new/shorewall-core-5.1.5.2/lib.cli 2017-07-27 23:55:19.000000000 +0200 @@ -25,7 +25,7 @@ # loaded after this one and replaces some of the functions declared here. # -SHOREWALL_CAPVERSION=50100 +SHOREWALL_CAPVERSION=50105 if [ -z "$g_basedir" ]; then # @@ -2803,6 +2803,7 @@ WAIT_OPTION= CPU_FANOUT= NETMAP_TARGET= + NFLOG_SIZE= AMANDA_HELPER= FTP_HELPER= @@ -3136,10 +3137,13 @@ qt $g_tool -A $chain -j LOGMARK && LOGMARK_TARGET=Yes qt $g_tool -A $chain -j LOG || LOG_TARGET= qt $g_tool -A $chain -j ULOG && ULOG_TARGET=Yes - qt $g_tool -A $chain -j NFLOG && NFLOG_TARGET=Yes qt $g_tool -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes qt $g_tool -A $chain -m statistic --mode nth --every 2 --packet 1 && STATISTIC_MATCH=Yes qt $g_tool -A $chain -m geoip --src-cc US && GEOIP_MATCH=Yes + if qt $g_tool -A $chain -j NFLOG; then + NFLOG_TARGET=Yes + qt $g_tool -A $chain -j NFLOG --nflog-size 64 && NFLOG_SIZE=Yes + fi if [ $g_family -eq 4 ]; then qt $g_tool -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes @@ -3305,6 +3309,7 @@ report_capability "CT Target (CT_TARGET)" $CT_TARGET report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET + report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE echo " Kernel Version (KERNELVERSION): $KERNELVERSION" echo " Capabilities Version (CAPVERSION): $CAPVERSION" 
@@ -3411,6 +3416,7 @@ report_capability1 WAIT_OPTION report_capability1 CPU_FANOUT report_capability1 NETMAP_TARGET + report_capability1 NFLOG_SIZE report_capability1 AMANDA_HELPER report_capability1 FTP_HELPER diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.4.4/manpages/shorewall.8 new/shorewall-core-5.1.5.2/manpages/shorewall.8 --- old/shorewall-core-5.1.4.4/manpages/shorewall.8 2017-06-23 16:56:39.000000000 +0200 +++ new/shorewall-core-5.1.5.2/manpages/shorewall.8 2017-08-02 00:48:28.000000000 +0200 @@ -2,12 +2,12 @@ .\" Title: shorewall .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 06/23/2017 +.\" Date: 08/01/2017 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL" "8" "06/23/2017" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL" "8" "08/01/2017" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- 
@@ -2013,11 +2013,13 @@ .SH "FILES" .PP /etc/shorewall/ +.PP +/etc/shorewall6/ .SH "SEE ALSO" .PP \m[blue]\fBhttp://www\&.shorewall\&.net/starting_and_stopping_shorewall\&.htm\fR\m[]\&\s-2\u[17]\d\s+2 .PP -shorewall\-accounting(5), shorewall\-actions(5), shorewall\-blacklist(5), shorewall\-hosts(5), shorewall_interfaces(5), shorewall\-ipsets(5), shorewall\-maclist(5), shorewall\-masq(5), shorewall\-nat(5), shorewall\-netmap(5), shorewall\-params(5), shorewall\-policy(5), shorewall\-providers(5), shorewall\-proxyarp(5), shorewall\-rtrules(5), shorewall\-routestopped(5), shorewall\-rules(5), shorewall\&.conf(5), shorewall\-secmarks(5), shorewall\-tcclasses(5), shorewall\-tcdevices(5), shorewall\-tcrules(5), shorewall\-tos(5), shorewall\-tunnels(5), shorewall\-zones(5) +shorewall\-accounting(5), shorewall\-actions(5), shorewall\-arprules(5), shorewall\-blrules(5), shorewall\&.conf(5), shorewall\-conntrack(5), shorewall\-ecn(5), shorewall\-exclusion(5), shorewall\-hosts(5), shorewall\-init(5), shorewall_interfaces(5), shorewall\-ipsets(5), shorewall\-maclist(5), shorewall\-mangle(5), shorewall\-masq(5), shorewall\-modules(5), shorewall\-nat(5), shorewall\-nesting(5), shorewall\-netmap(5), shorewall\-params(5), shorewall\-policy(5), shorewall\-providers(5), shorewall\-proxyarp(5), shorewall6\-proxyndp(5), shorewall\-routes(5), shorewall\-rtrules(5), shorewall\-rtrules(5), shorewall\-rules(5), shorewall\-secmarks(5), shorewall\-snat(5), shorewall\-tcclasses(5), shorewall\-tcdevices(5), shorewall\-tcfilters(5), shorewall\-tcinterfaces(5), shorewall\-tcpri(5), shorewall\-tunnels(5), shorewall\-vardir(5), shorewall\-zones(5) .SH "NOTES" .IP " 1." 
4 http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.4.4/manpages/shorewall.xml new/shorewall-core-5.1.5.2/manpages/shorewall.xml --- old/shorewall-core-5.1.4.4/manpages/shorewall.xml 2017-06-23 16:56:40.000000000 +0200 +++ new/shorewall-core-5.1.5.2/manpages/shorewall.xml 2017-08-02 00:48:28.000000000 +0200 @@ -3173,6 +3173,8 @@ <title>FILES</title> <para>/etc/shorewall/</para> + + <para>/etc/shorewall6/</para> </refsect1> <refsect1> 
@@ -3182,13 +3184,17 @@ url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para> <para>shorewall-accounting(5), shorewall-actions(5), - shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), - shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), - shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), + shorewall-arprules(5), shorewall-blrules(5), shorewall.conf(5), + shorewall-conntrack(5), shorewall-ecn(5), shorewall-exclusion(5), + shorewall-hosts(5), shorewall-init(5), shorewall_interfaces(5), + shorewall-ipsets(5), shorewall-maclist(5), shorewall-mangle(5), + shorewall-masq(5), shorewall-modules(5), shorewall-nat(5), + shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), - shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5), - shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), - shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), - shorewall-tunnels(5), shorewall-zones(5)</para> + shorewall6-proxyndp(5), shorewall-routes(5), shorewall-rtrules(5), + shorewall-rtrules(5), shorewall-rules(5), shorewall-secmarks(5), + shorewall-snat(5), shorewall-tcclasses(5), shorewall-tcdevices(5), + shorewall-tcfilters(5), shorewall-tcinterfaces(5), shorewall-tcpri(5), + shorewall-tunnels(5), shorewall-vardir(5), shorewall-zones(5)</para> </refsect1> </refentry> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.4.4/releasenotes.txt new/shorewall-core-5.1.5.2/releasenotes.txt --- old/shorewall-core-5.1.4.4/releasenotes.txt 2017-06-23 16:55:40.000000000 +0200 +++ new/shorewall-core-5.1.5.2/releasenotes.txt 2017-08-02 00:47:07.000000000 +0200 
@@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 1 . 4 . 4 + S H O R E W A L L 5 . 1 . 5 . 2 ------------------------------ - J u n e 2 3 , 2 0 1 7 + J u l y 3 1 , 2 0 1 7 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,87 +14,62 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -5.1.4.4 +5.1.5.2 -1) A defect in 5.1.4.3 caused a startup failure when two or more - 'fallback' providers were configured. That has been corrected. +1) Previously, Specifying a USER in the OUTPUT section of the + accounting file caused the compilter to incorrectly generate the + following error message: -5.1.4.3 + ERROR: USER/GROUP may only be specified in the OUTPUT section -1) When running on prior-generation distributions such as RHEL6, - IPv6 multi-ISP configurations failed to start due to an error such as - the following: + That has been corrected, and no error message is generated in this + case. - ERROR: Command "ip -6 -6 route replace default scope global - table 250 nexthop via ::192.88.99.1 dev tun6to4 weight 1" - Failed - - Such configurations now start successfully. +2) When BASIC_FILTERS=Yes, the compiler previously generated an + invalid tc command when when a source port was specified in a + tcfilters entry. The compiler now generates correct input in this + case. -5.1.4.2 +3) Previously, a MAC address could be specified in the OUTPUT + section of the accounting file and no error would be generated at + compile time. A failure would occur, however, at run-time. Now, an + error is raised during compilation. -1) Many broken links in the manpages have been corrected. +5.1.5.1 -2) Support for the NFQUEUE '--queue-cpu-fanout' option, introduced in - Shorewall 5.1.0, contained a defect which could result in the - following compile-time error: - - Use of uninitialized value $fanout in concatenation (.) or string - at /usr/share/shorewall/Shorewall/Rules.pm line 643, - <$currentfile> line 2. - - That has been corrected. - -5.1.4.1 - -1) The introductory material in shorewall-rules(5) has been cleaned - up. 
- -2) The information about LOGFORMAT in shorewall[6].conf(5) and - shorewall[6]-zones(5) has been expanded. - - In Shorewall 5.1.0, the setting of LOGFORMAT in the default and - sample .conf files was changed to "%s:%s " to enable 10-character - zone names (up from 5 characters using the default - "Shorewall:%s:%s:" setting). As part of this change, if a - shorewall.conf file which did not set LOGFORMAT is updated using - "shorewall update", LOGFORMAT is set to "Shorewall:%s:%s:" to - preserve the existing behavior. +1) To compensate for the presence of a masq file with no entries, + the compiler will now attempt to process the snat file when such a + masq file is found. Previously, if a masq file with no entries was + found, the snat file, if any, was ignored. - This can have an effect on new installations, however in that - scipts or log analyzers can no longer be configured to simply look - for "Shorewall:" in log messages unless the setting of LOGFORMAT is - changed. The manpages (and the Migration Considerations below) have - been updated to describe how to locate these messages using the new - "%s:%s " setting. +2) Previously, maintainers could not create reproducable packages + because the 'configure' and 'configure.pl' scripts inserted the + current date and time into the generated shorewallrc file. -3) The BLACKLIST action was inadvertently omitted from Shorewall6 in - Shorewall 5.1.1. That has been corrected. + To support reproducable package builds, the scripts now recognize + the SOURCE_DATE_EPOCH environmental variable (see + https://reproducible-builds.org/specs/source-date-epoch/). -5.1.4 + The change to 'configure' was supplied by Bernhard M. Wiedemann. -1) This release contains defect repair through Shorewall 5.1.3.1. +5.1.5 -2) Previously, if a Shorewall Variable ( e.g., @chain ) was the target - of a conditional ?RESET directive (one that was enclosed in ?if... 
- ?else...?endif logic), the compiler could incorrectly use an - existing chain created from the action rather than creating a new - (and different) chain. That has been corrected. +1) This release contains defect repair through Shorewall 5.1.4.4. -3) Previously, if alternate input format specified a column that had - already been specified, the contents of that column were silently - overwritten. Now, a warning message is issued stating that the - prior value has been replaced by the newer value. +2) Previously, when 0 was used as a port number or when a port number + > 65535 was specified, an 'uninitialized variable' Perl exception + occurred when the compiler attempted to issue an error + message. That has been corrected. -4) Previously, a string-valued interface option, such as - 'physical', could be given an empty value (e.g., "physical=,"), and - the compiler would fail to flag it. Now, this usage raises an - error. +3) When running with Perl 5.26, messages such at the following could + be issued: -5) Previously, the 'tunnel-src' and 'tunnel-dst' zone options would - generate an error under Shorewall6. That has been corrected. + Unescaped left brace in regex is deprecated here (and will be + fatal in Perl 5.30), passed through in regex; marked by <-- HERE + in m/^(\s*|.*[^&@%]){ <-- HERE (.*)}\s*$/ at + /usr/share/shorewall/Shorewall/Config.pm line 2343. -6) A number of small documentation corrections have been made. + That problem has been corrected. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -115,48 +90,40 @@ uses a "delete..add.." sequence on these routes rather than a single "replace" command. +4) When the formerly built-in actions were converted to standard + actions in Shorewall 5.1.3, the 'dropBcasts' action was + inadvertently changed to 'dropBcast'. Beginning with this release, + both spellings are accepted. + ---------------------------------------------------------------------------- I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) All IPv6 standard actions have been deleted and their logic - has been added to their IPv4 counterparts who can now handle - both address families. - -2) Previously, ?error and ?require messages as well as verbose ?info - and ?warning messages (those that report the file and line numbers) - generated from an action file would report the action file name and - line number rather than the file and line number where the action - was invoked. The file and line number where the action was invoked - were listed second. Beginning with this release, the invoking file - and line number are listed first and the action file and line number - are not reported. This allows for creation of clearer messages. - - Example: - - Previously, when an invalid value was passed for the 'bricks' - parameter to the GlusterFS action on line 45 of the rules file, a - message such as the following was issued (folded to 76 columns): - - ERROR: Invalid value for Bricks (2000) - /usr/share/shorewall/action.GlusterFS (line 15) - from /etc/shorewall/rules (line 45) - - Note that the message seems to imply that the error is in - action.GlusterFS rather than in the rules file. - - Beginning with this release, the message will be: - - ERROR: Invalid value (2000) for the GlusterFS Bricks argument - /etc/shorewall/rules (line 45) - - Note: This change only affects actions, including inline actions. - Macros will continue to report the old way. 
+1) Run-time port variables are now supported. See + http://www.shorewall.org/configuration_file_basics.htm#Port_Variables + for details. + +2) The Shorewall and Shorewall6 manpages are now consolidated. Almost + all of the Shorewall6 manpages are manpage aliases for the + corresponding Shorewall manpages which describe the files for both + products. + +3) There is now a FIN standard action which handles TCP packets with + the FIN, ACK and PSH flags set. + +4) According to the Netfilter team (see + https://patchwork.kernel.org/patch/9198133/), the --nflog-range option + of the NFLOG target has never worked correctly, and they have + deprecated that option in favor of the --nflog-size option. To + accomodate this change, there is now an "--nflog-size support" + (NFLOG_SIZE) Shorewall capability and a USE_NFLOG_SIZE option in + shorewall[6].conf. -3) IPv6 UPnP support (including MINIUPNPD) is now available. + For further information, see the Migrations Issues item number 8. -4) A PERL_HASH_SEED option has been added to allow the Perl hash seed - to be specified. See shorewall.conf(5) and perlsec(1) for details. +5) The RESTORE_DEFAULT_ROUTE option has now been added to + shorewall6.conf. Prior to this release, RESTORE_DEFAULT_ROUTE=Yes + has always been assumed for Shorewall6 configurations. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -276,11 +243,188 @@ Broadcast no longer handle multicast. Multicast is handeled separately in actions allowMcast, dropMcast and Multicast. The now-deprecated Drop and Reject policy actions have been modified so - that they continue to silently drop multicast packets. + that they continue to silently drop multicast packets. + +8) According to the Netfilter team (see + https://patchwork.kernel.org/patch/9198133/), the --nflog-range option + of the NFLOG target has never worked correctly, and they have + deprecated that option in favor of the --nflog-size option. + + To accomodate this change, Shorewall 5.1.5 added an "--nflog-size + support" (NFLOG_SIZE) Shorewall capability and a USE_NFLOG_SIZE + option in shorewall[6].conf. If USE_NFLOG_SIZE=Yes, then if the + capability is present, Shorewall will use '--nflog-size' in place + of '--nflog-range'. If USE_NFLOG_SIZE=Yes and the capability is not + present, an error is raised. + + If you don't use NFLOG or if you use NFLOG with omittted second + parameter or with 0 as the second parameter, and 'shorewall show + capabilities' indicated that --nflog-size support is present, you + may safely set USE_NFLOG_SIZE=Yes. + + If you pass a non-zero value as the second parameter to NFLOG and + the '--nflog-size support' capability is present, you need to + verify that those NFLOG messages are as you expect with + USE_NFLOG_SIZE=Yes. ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 1 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 1 . 4 +---------------------------------------------------------------------------- + +5.1.4.4 + +1) A defect in 5.1.4.3 caused a startup failure when two or more + 'fallback' providers were configured. That has been corrected. 
+ +5.1.4.3 + +1) When running on prior-generation distributions such as RHEL6, + IPv6 multi-ISP configurations failed to start due to an error such as + the following: + + ERROR: Command "ip -6 -6 route replace default scope global + table 250 nexthop via ::192.88.99.1 dev tun6to4 weight 1" + Failed + + Such configurations now start successfully. + +5.1.4.2 + +1) Many broken links in the manpages have been corrected. + +2) Support for the NFQUEUE '--queue-cpu-fanout' option, introduced in + Shorewall 5.1.0, contained a defect which could result in the + following compile-time error: + + Use of uninitialized value $fanout in concatenation (.) or string + at /usr/share/shorewall/Shorewall/Rules.pm line 643, + <$currentfile> line 2. + + That has been corrected. + +5.1.4.1 + +1) The introductory material in shorewall-rules(5) has been cleaned + up. + +2) The information about LOGFORMAT in shorewall[6].conf(5) and + shorewall[6]-zones(5) has been expanded. + + In Shorewall 5.1.0, the setting of LOGFORMAT in the default and + sample .conf files was changed to "%s:%s " to enable 10-character + zone names (up from 5 characters using the default + "Shorewall:%s:%s:" setting). As part of this change, if a + shorewall.conf file which did not set LOGFORMAT is updated using + "shorewall update", LOGFORMAT is set to "Shorewall:%s:%s:" to + preserve the existing behavior. + + This can have an effect on new installations, however in that + scipts or log analyzers can no longer be configured to simply look + for "Shorewall:" in log messages unless the setting of LOGFORMAT is + changed. The manpages (and the Migration Considerations below) have + been updated to describe how to locate these messages using the new + "%s:%s " setting. + +3) The BLACKLIST action was inadvertently omitted from Shorewall6 in + Shorewall 5.1.1. That has been corrected. + +5.1.4.1 + +1) The introductory material in shorewall-rules(5) has been cleaned + up. 
+ +2) The information about LOGFORMAT in shorewall[6].conf(5) and + shorewall[6]-zones(5) has been expanded. + + In Shorewall 5.1.0, the setting of LOGFORMAT in the default and + sample .conf files was changed to "%s:%s " to enable 10-character + zone names (up from 5 characters using the default + "Shorewall:%s:%s:" setting). As part of this change, if a + shorewall.conf file which did not set LOGFORMAT is updated using + "shorewall update", LOGFORMAT is set to "Shorewall:%s:%s:" to + preserve the existing behavior. + + This can have an effect on new installations, however in that + scipts or log analyzers can no longer be configured to simply look + for "Shorewall:" in log messages unless the setting of LOGFORMAT is + changed. The manpages (and the Migration Considerations below) have + been updated to describe how to locate these messages using the new + "%s:%s " setting. + +3) The BLACKLIST action was inadvertently omitted from Shorewall6 in + Shorewall 5.1.1. That has been corrected. + +5.1.4 + +1) This release contains defect repair through Shorewall 5.1.3.1. + +2) Previously, if a Shorewall Variable ( e.g., @chain ) was the target + of a conditional ?RESET directive (one that was enclosed in ?if... + ?else...?endif logic), the compiler could incorrectly use an + existing chain created from the action rather than creating a new + (and different) chain. That has been corrected. + +3) Previously, if alternate input format specified a column that had + already been specified, the contents of that column were silently + overwritten. Now, a warning message is issued stating that the + prior value has been replaced by the newer value. + +4) Previously, a string-valued interface option, such as + 'physical', could be given an empty value (e.g., "physical=,"), and + the compiler would fail to flag it. Now, this usage raises an + error. + +5) Previously, the 'tunnel-src' and 'tunnel-dst' zone options would + generate an error under Shorewall6. That has been corrected. 
+ +6) A number of small documentation corrections have been made. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 1 . 3 +---------------------------------------------------------------------------- + +1) All IPv6 standard actions have been deleted and their logic + has been added to their IPv4 counterparts who can now handle + both address families. + +2) Previously, ?error and ?require messages as well as verbose ?info + and ?warning messages (those that report the file and line numbers) + generated from an action file would report the action file name and + line number rather than the file and line number where the action + was invoked. The file and line number where the action was invoked + were listed second. Beginning with this release, the invoking file + and line number are listed first and the action file and line number + are not reported. This allows for creation of clearer messages. + + Example: + + Previously, when an invalid value was passed for the 'bricks' + parameter to the GlusterFS action on line 45 of the rules file, a + message such as the following was issued (folded to 76 columns): + + ERROR: Invalid value for Bricks (2000) + /usr/share/shorewall/action.GlusterFS (line 15) + from /etc/shorewall/rules (line 45) + + Note that the message seems to imply that the error is in + action.GlusterFS rather than in the rules file. + + Beginning with this release, the message will be: + + ERROR: Invalid value (2000) for the GlusterFS Bricks argument + /etc/shorewall/rules (line 45) + + Note: This change only affects actions, including inline actions. + Macros will continue to report the old way. + +3) IPv6 UPnP support (including MINIUPNPD) is now available. + +4) A PERL_HASH_SEED option has been added to allow the Perl hash seed + to be specified. See shorewall.conf(5) and perlsec(1) for details. 
+ +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 1 . 3 ---------------------------------------------------------------------------- @@ -311,7 +455,7 @@ sample configuration. ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 5 . 1 . 2 + N E W F E A T U R E S I N 5 . 1 . 3 ---------------------------------------------------------------------------- 1) The tarball installers and uninstallers have been unified and 
@@ -632,32 +776,9 @@ 2) Several settings in the default/sample .conf files have been modified: - a) In Shorewall 5.1.0, the setting of LOGFORMAT in the default and - sample .conf files was changed to "%s:%s " to enable - 10-character zone names (up from 5 characters using the default - "Shorewall:%s:%s:" setting). As part of this change, if a - shorewall.conf file which did not set LOGFORMAT is updated using - "shorewall update", LOGFORMAT is set to "Shorewall:%s:%s:" to - preserve the existing behavior. - - This can have an effect on new installations, however in that - scipts or log analyzers can no longer be configured to simply look - for "Shorewall:" in log messages unless the setting of LOGFORMAT is - changed. If you use the new "%s:%s " setting then - Shorewall-generated Netfilter messages may be matched using - this regular expression: - - 'IN=.* OUT=.* SRC=.*\..* DST=' - - Shorewall6-generated Netfilter messages may be matched using: - - 'IN=.* OUT=.* SRC=.*:.* DST=' - - And all Netfilter messages (IPv4 and IPv6) are matched using: - - 'IN=.* OUT=.* SRC=.* DST=' + a) The LOGFORMAT setting has been changed from "Shorewall:%s:%s:" + to "%s %s " to enable longer zone names. - Shorewall6-generated Netfilter messages may be idd b) The LOGLIMIT setting has been changed from empty to "s:1/sec:10", to enable log trottling by default. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.4.4/shorewall-core.spec new/shorewall-core-5.1.5.2/shorewall-core.spec --- old/shorewall-core-5.1.4.4/shorewall-core.spec 2017-06-23 16:55:40.000000000 +0200 +++ new/shorewall-core-5.1.5.2/shorewall-core.spec 2017-08-02 00:47:07.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-core -%define version 5.1.4 -%define release 4 +%define version 5.1.5 +%define release 2 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} 
@@ -69,14 +69,18 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt %changelog -* Fri Jun 23 2017 Tom Eastep tom@shorewall.net -- Updated to 5.1.4-4 -* Sun Jun 18 2017 Tom Eastep tom@shorewall.net -- Updated to 5.1.4-3 -* Mon Jun 12 2017 Tom Eastep tom@shorewall.net -- Updated to 5.1.4-2 -* Fri May 19 2017 Tom Eastep tom@shorewall.net -- Updated to 5.1.4-1 +* Thu Jul 27 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.5-2 +* Thu Jul 06 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.5-1 +* Mon Jun 26 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.5-0base +* Wed Jun 21 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.5-0RC1 +* Fri Jun 16 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.5-0Beta2 +* Thu May 11 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.5-0Beta1 * Fri May 05 2017 Tom Eastep tom@shorewall.net - Updated to 5.1.4-0base * Mon Apr 24 2017 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.4.4/uninstall.sh new/shorewall-core-5.1.5.2/uninstall.sh --- old/shorewall-core-5.1.4.4/uninstall.sh 2017-06-23 16:55:40.000000000 +0200 +++ new/shorewall-core-5.1.5.2/uninstall.sh 2017-08-02 00:47:06.000000000 +0200 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.1.4.4 +VERSION=5.1.5.2 PRODUCT=shorewall-core Product="Shorewall Core" ++++++ shorewall-docs-html-5.1.4.4.tar.bz2 -> shorewall-docs-html-5.1.5.2.tar.bz2 ++++++ ++++ 9482 lines of diff (skipped) ++++++ shorewall-init-5.1.4.4.tar.bz2 -> shorewall-init-5.1.5.2.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.4.4/changelog.txt new/shorewall-init-5.1.5.2/changelog.txt --- old/shorewall-init-5.1.4.4/changelog.txt 2017-06-23 16:45:30.000000000 +0200 +++ new/shorewall-init-5.1.5.2/changelog.txt 2017-08-02 00:47:07.000000000 +0200 @@ -1,3 +1,52 @@ +Changes in 5.1.5.2 + +1) Update release documents. + +2) Correct source port handling when BASIC_FILTERS=Yes. + +3) Correct handling of USER/GROUP in the OUTPUT section of the + accounting file. + +4) Correct handling of MAC addresses in the accounting file. + +Changes in 5.1.5.1 + +1) Update release documents. + +2) Process the snat file if the masq file is empty. + +Changes in 5.1.5 Final + +1) Update release documents. + +2) Include IPv6 annotated config files. + +3) Add RESTORE_DEFAULT_ROUTE to shorewall6.conf. + +Changes in 5.1.5 RC 1 + +1) Update release documents. + +2) USE_NFLOG_SIZE option. + +3) Improve editing of port numbers/service names. + +4) Add dropBcasts action. + +Changes in 5.1.5 Beta 2 + +1) Update release documents. + +2) Consolidate Shorewall/Shorewall6 manpages. + +Changes in 5.1.5 Beta 1 + +1) Update release documents. + +2) Add defect repair through 5.1.4.2. + +3) Implement runtime port variables. + Changes in 5.1.4.4 1) Update release documents. 
@@ -32,13 +81,6 @@ 1) Update release documents. -2) Clean up introduction to shorewall-rules(5). - -3) Clarify LOGFORMAT in shorewall[6].conf(5) and - shorewall[6]-zones(5). - -4) Add BLACKLIST to the IPv6 actions.std file. - Changes in 5.1.4 RC 1 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.4.4/configure new/shorewall-init-5.1.5.2/configure --- old/shorewall-init-5.1.4.4/configure 2017-06-23 16:45:30.000000000 +0200 +++ new/shorewall-init-5.1.5.2/configure 2017-08-02 00:47:07.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.1.4.4 +VERSION=5.1.5.2 case "$BASH_VERSION" in [4-9].*) @@ -190,7 +190,7 @@ done echo '#' > shorewallrc -echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc +echo "# Created by Shorewall Core version $VERSION configure - " `date --utc --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}"` >> shorewallrc echo "# rc file: $rcfile" >> shorewallrc echo '#' >> shorewallrc diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.4.4/configure.pl new/shorewall-init-5.1.5.2/configure.pl --- old/shorewall-init-5.1.4.4/configure.pl 2017-06-23 16:45:30.000000000 +0200 +++ new/shorewall-init-5.1.5.2/configure.pl 2017-08-02 00:47:07.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.1.4.4' + VERSION => '5.1.5.2' }; my %params; 
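Review bot: The new `date --utc --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}"` line in the `@@ -190,7 +190,7 @@` hunk of shorewall-init/configure uses SOURCE_DATE_EPOCH without checking that it is the decimal integer the reproducible-builds spec requires, so a malformed value makes `date` fail on stderr and leaves an empty timestamp in the generated shorewallrc instead of stopping the build. A guard before the echo, `case "${SOURCE_DATE_EPOCH:-0}" in *[!0-9]*) echo "configure: SOURCE_DATE_EPOCH must be a non-negative integer" >&2; exit 1;; esac`, keeps the failure loud. Note also that `--utc` and `--date=@…` are GNU date extensions, so where the old bare `date` ran on any POSIX system the new line needs GNU coreutils; a comment such as `# Reproducible builds: honour SOURCE_DATE_EPOCH (GNU date required)` would record that. The identical hunk in shorewall-lite/configure has the same issue.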
@@ -173,7 +173,12 @@ open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!"; -printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0]; +if ( $ENV{SOURCE_DATE_EPOCH} ) { + printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s\n", VERSION, `date --utc --date=\"\@$ENV{SOURCE_DATE_EPOCH}\"`; +} else { + printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0]; +} + print $outfile "# rc file: $rcfilename\n#\n"; print $outfile "# Input: @ARGV\n#\n" if @ARGV; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.4.4/install.sh new/shorewall-init-5.1.5.2/install.sh --- old/shorewall-init-5.1.4.4/install.sh 2017-06-23 16:45:30.000000000 +0200 +++ new/shorewall-init-5.1.5.2/install.sh 2017-08-02 00:47:07.000000000 +0200 @@ -27,7 +27,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=5.1.4.4 +VERSION=5.1.5.2 PRODUCT=shorewall-init Product="Shorewall Init" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.4.4/releasenotes.txt new/shorewall-init-5.1.5.2/releasenotes.txt --- old/shorewall-init-5.1.4.4/releasenotes.txt 2017-06-23 16:45:30.000000000 +0200 +++ new/shorewall-init-5.1.5.2/releasenotes.txt 2017-08-02 00:47:07.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 1 . 4 . 4 + S H O R E W A L L 5 . 1 . 5 . 2 ------------------------------ - J u n e 2 3 , 2 0 1 7 + J u l y 3 1 , 2 0 1 7 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
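Review bot: The added `printf` in the `if ( $ENV{SOURCE_DATE_EPOCH} )` branch interpolates an environment variable straight into a shell command (`date --utc --date=\"\@$ENV{SOURCE_DATE_EPOCH}\"`); the value is neither validated against the integer the reproducible-builds spec requires nor quoted with `\Q…\E`, so an unexpected value breaks the command rather than producing a clear error, and the backtick result keeps its trailing newline, which leaves a blank line in shorewallrc after the `%s\n` format. Since the script already has `@abbr` and the same date format on the `else` branch, the shell call is unnecessary: validate the value and format `gmtime` directly. The `if` test also treats an epoch of `0` as unset because the string `"0"` is false in Perl; `defined` plus the regex check handles it. The identical hunk in shorewall-lite/configure.pl shares the defect.
```perl
if ( defined $ENV{SOURCE_DATE_EPOCH} ) {
    # Reproducible builds: SOURCE_DATE_EPOCH must be a decimal count of seconds
    # since the epoch; refuse anything else rather than passing it to a shell.
    $ENV{SOURCE_DATE_EPOCH} =~ /\A\d+\z/
        or die "Invalid SOURCE_DATE_EPOCH '$ENV{SOURCE_DATE_EPOCH}' (expected a non-negative integer)";
    my @gmtime = gmtime( $ENV{SOURCE_DATE_EPOCH} );
    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d UTC\n", VERSION, $abbr[$gmtime[4]], $gmtime[3], 1900 + $gmtime[5], @gmtime[2,1,0];
} else {
    # … unchanged: local-time printf …
}
```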
@@ -14,87 +14,62 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -5.1.4.4 +5.1.5.2 -1) A defect in 5.1.4.3 caused a startup failure when two or more - 'fallback' providers were configured. That has been corrected. +1) Previously, Specifying a USER in the OUTPUT section of the + accounting file caused the compilter to incorrectly generate the + following error message: -5.1.4.3 + ERROR: USER/GROUP may only be specified in the OUTPUT section -1) When running on prior-generation distributions such as RHEL6, - IPv6 multi-ISP configurations failed to start due to an error such as - the following: + That has been corrected, and no error message is generated in this + case. - ERROR: Command "ip -6 -6 route replace default scope global - table 250 nexthop via ::192.88.99.1 dev tun6to4 weight 1" - Failed - - Such configurations now start successfully. +2) When BASIC_FILTERS=Yes, the compiler previously generated an + invalid tc command when when a source port was specified in a + tcfilters entry. The compiler now generates correct input in this + case. -5.1.4.2 +3) Previously, a MAC address could be specified in the OUTPUT + section of the accounting file and no error would be generated at + compile time. A failure would occur, however, at run-time. Now, an + error is raised during compilation. -1) Many broken links in the manpages have been corrected. +5.1.5.1 -2) Support for the NFQUEUE '--queue-cpu-fanout' option, introduced in - Shorewall 5.1.0, contained a defect which could result in the - following compile-time error: - - Use of uninitialized value $fanout in concatenation (.) or string - at /usr/share/shorewall/Shorewall/Rules.pm line 643, - <$currentfile> line 2. - - That has been corrected. - -5.1.4.1 - -1) The introductory material in shorewall-rules(5) has been cleaned - up. 
- -2) The information about LOGFORMAT in shorewall[6].conf(5) and - shorewall[6]-zones(5) has been expanded. - - In Shorewall 5.1.0, the setting of LOGFORMAT in the default and - sample .conf files was changed to "%s:%s " to enable 10-character - zone names (up from 5 characters using the default - "Shorewall:%s:%s:" setting). As part of this change, if a - shorewall.conf file which did not set LOGFORMAT is updated using - "shorewall update", LOGFORMAT is set to "Shorewall:%s:%s:" to - preserve the existing behavior. +1) To compensate for the presence of a masq file with no entries, + the compiler will now attempt to process the snat file when such a + masq file is found. Previously, if a masq file with no entries was + found, the snat file, if any, was ignored. - This can have an effect on new installations, however in that - scipts or log analyzers can no longer be configured to simply look - for "Shorewall:" in log messages unless the setting of LOGFORMAT is - changed. The manpages (and the Migration Considerations below) have - been updated to describe how to locate these messages using the new - "%s:%s " setting. +2) Previously, maintainers could not create reproducable packages + because the 'configure' and 'configure.pl' scripts inserted the + current date and time into the generated shorewallrc file. -3) The BLACKLIST action was inadvertently omitted from Shorewall6 in - Shorewall 5.1.1. That has been corrected. + To support reproducable package builds, the scripts now recognize + the SOURCE_DATE_EPOCH environmental variable (see + https://reproducible-builds.org/specs/source-date-epoch/). -5.1.4 + The change to 'configure' was supplied by Bernhard M. Wiedemann. -1) This release contains defect repair through Shorewall 5.1.3.1. +5.1.5 -2) Previously, if a Shorewall Variable ( e.g., @chain ) was the target - of a conditional ?RESET directive (one that was enclosed in ?if... 
- ?else...?endif logic), the compiler could incorrectly use an - existing chain created from the action rather than creating a new - (and different) chain. That has been corrected. +1) This release contains defect repair through Shorewall 5.1.4.4. -3) Previously, if alternate input format specified a column that had - already been specified, the contents of that column were silently - overwritten. Now, a warning message is issued stating that the - prior value has been replaced by the newer value. +2) Previously, when 0 was used as a port number or when a port number + > 65535 was specified, an 'uninitialized variable' Perl exception + occurred when the compiler attempted to issue an error + message. That has been corrected. -4) Previously, a string-valued interface option, such as - 'physical', could be given an empty value (e.g., "physical=,"), and - the compiler would fail to flag it. Now, this usage raises an - error. +3) When running with Perl 5.26, messages such at the following could + be issued: -5) Previously, the 'tunnel-src' and 'tunnel-dst' zone options would - generate an error under Shorewall6. That has been corrected. + Unescaped left brace in regex is deprecated here (and will be + fatal in Perl 5.30), passed through in regex; marked by <-- HERE + in m/^(\s*|.*[^&@%]){ <-- HERE (.*)}\s*$/ at + /usr/share/shorewall/Shorewall/Config.pm line 2343. -6) A number of small documentation corrections have been made. + That problem has been corrected. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -115,48 +90,40 @@ uses a "delete..add.." sequence on these routes rather than a single "replace" command. +4) When the formerly built-in actions were converted to standard + actions in Shorewall 5.1.3, the 'dropBcasts' action was + inadvertently changed to 'dropBcast'. Beginning with this release, + both spellings are accepted. + ---------------------------------------------------------------------------- I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) All IPv6 standard actions have been deleted and their logic - has been added to their IPv4 counterparts who can now handle - both address families. - -2) Previously, ?error and ?require messages as well as verbose ?info - and ?warning messages (those that report the file and line numbers) - generated from an action file would report the action file name and - line number rather than the file and line number where the action - was invoked. The file and line number where the action was invoked - were listed second. Beginning with this release, the invoking file - and line number are listed first and the action file and line number - are not reported. This allows for creation of clearer messages. - - Example: - - Previously, when an invalid value was passed for the 'bricks' - parameter to the GlusterFS action on line 45 of the rules file, a - message such as the following was issued (folded to 76 columns): - - ERROR: Invalid value for Bricks (2000) - /usr/share/shorewall/action.GlusterFS (line 15) - from /etc/shorewall/rules (line 45) - - Note that the message seems to imply that the error is in - action.GlusterFS rather than in the rules file. - - Beginning with this release, the message will be: - - ERROR: Invalid value (2000) for the GlusterFS Bricks argument - /etc/shorewall/rules (line 45) - - Note: This change only affects actions, including inline actions. - Macros will continue to report the old way. 
+1) Run-time port variables are now supported. See + http://www.shorewall.org/configuration_file_basics.htm#Port_Variables + for details. + +2) The Shorewall and Shorewall6 manpages are now consolidated. Almost + all of the Shorewall6 manpages are manpage aliases for the + corresponding Shorewall manpages which describe the files for both + products. + +3) There is now a FIN standard action which handles TCP packets with + the FIN, ACK and PSH flags set. + +4) According to the Netfilter team (see + https://patchwork.kernel.org/patch/9198133/), the --nflog-range option + of the NFLOG target has never worked correctly, and they have + deprecated that option in favor of the --nflog-size option. To + accomodate this change, there is now an "--nflog-size support" + (NFLOG_SIZE) Shorewall capability and a USE_NFLOG_SIZE option in + shorewall[6].conf. -3) IPv6 UPnP support (including MINIUPNPD) is now available. + For further information, see the Migrations Issues item number 8. -4) A PERL_HASH_SEED option has been added to allow the Perl hash seed - to be specified. See shorewall.conf(5) and perlsec(1) for details. +5) The RESTORE_DEFAULT_ROUTE option has now been added to + shorewall6.conf. Prior to this release, RESTORE_DEFAULT_ROUTE=Yes + has always been assumed for Shorewall6 configurations. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -276,11 +243,188 @@ Broadcast no longer handle multicast. Multicast is handeled separately in actions allowMcast, dropMcast and Multicast. The now-deprecated Drop and Reject policy actions have been modified so - that they continue to silently drop multicast packets. + that they continue to silently drop multicast packets. + +8) According to the Netfilter team (see + https://patchwork.kernel.org/patch/9198133/), the --nflog-range option + of the NFLOG target has never worked correctly, and they have + deprecated that option in favor of the --nflog-size option. + + To accomodate this change, Shorewall 5.1.5 added an "--nflog-size + support" (NFLOG_SIZE) Shorewall capability and a USE_NFLOG_SIZE + option in shorewall[6].conf. If USE_NFLOG_SIZE=Yes, then if the + capability is present, Shorewall will use '--nflog-size' in place + of '--nflog-range'. If USE_NFLOG_SIZE=Yes and the capability is not + present, an error is raised. + + If you don't use NFLOG or if you use NFLOG with omittted second + parameter or with 0 as the second parameter, and 'shorewall show + capabilities' indicated that --nflog-size support is present, you + may safely set USE_NFLOG_SIZE=Yes. + + If you pass a non-zero value as the second parameter to NFLOG and + the '--nflog-size support' capability is present, you need to + verify that those NFLOG messages are as you expect with + USE_NFLOG_SIZE=Yes. ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 1 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 1 . 4 +---------------------------------------------------------------------------- + +5.1.4.4 + +1) A defect in 5.1.4.3 caused a startup failure when two or more + 'fallback' providers were configured. That has been corrected. 
+ +5.1.4.3 + +1) When running on prior-generation distributions such as RHEL6, + IPv6 multi-ISP configurations failed to start due to an error such as + the following: + + ERROR: Command "ip -6 -6 route replace default scope global + table 250 nexthop via ::192.88.99.1 dev tun6to4 weight 1" + Failed + + Such configurations now start successfully. + +5.1.4.2 + +1) Many broken links in the manpages have been corrected. + +2) Support for the NFQUEUE '--queue-cpu-fanout' option, introduced in + Shorewall 5.1.0, contained a defect which could result in the + following compile-time error: + + Use of uninitialized value $fanout in concatenation (.) or string + at /usr/share/shorewall/Shorewall/Rules.pm line 643, + <$currentfile> line 2. + + That has been corrected. + +5.1.4.1 + +1) The introductory material in shorewall-rules(5) has been cleaned + up. + +2) The information about LOGFORMAT in shorewall[6].conf(5) and + shorewall[6]-zones(5) has been expanded. + + In Shorewall 5.1.0, the setting of LOGFORMAT in the default and + sample .conf files was changed to "%s:%s " to enable 10-character + zone names (up from 5 characters using the default + "Shorewall:%s:%s:" setting). As part of this change, if a + shorewall.conf file which did not set LOGFORMAT is updated using + "shorewall update", LOGFORMAT is set to "Shorewall:%s:%s:" to + preserve the existing behavior. + + This can have an effect on new installations, however in that + scipts or log analyzers can no longer be configured to simply look + for "Shorewall:" in log messages unless the setting of LOGFORMAT is + changed. The manpages (and the Migration Considerations below) have + been updated to describe how to locate these messages using the new + "%s:%s " setting. + +3) The BLACKLIST action was inadvertently omitted from Shorewall6 in + Shorewall 5.1.1. That has been corrected. + +5.1.4.1 + +1) The introductory material in shorewall-rules(5) has been cleaned + up. 
+ +2) The information about LOGFORMAT in shorewall[6].conf(5) and + shorewall[6]-zones(5) has been expanded. + + In Shorewall 5.1.0, the setting of LOGFORMAT in the default and + sample .conf files was changed to "%s:%s " to enable 10-character + zone names (up from 5 characters using the default + "Shorewall:%s:%s:" setting). As part of this change, if a + shorewall.conf file which did not set LOGFORMAT is updated using + "shorewall update", LOGFORMAT is set to "Shorewall:%s:%s:" to + preserve the existing behavior. + + This can have an effect on new installations, however in that + scipts or log analyzers can no longer be configured to simply look + for "Shorewall:" in log messages unless the setting of LOGFORMAT is + changed. The manpages (and the Migration Considerations below) have + been updated to describe how to locate these messages using the new + "%s:%s " setting. + +3) The BLACKLIST action was inadvertently omitted from Shorewall6 in + Shorewall 5.1.1. That has been corrected. + +5.1.4 + +1) This release contains defect repair through Shorewall 5.1.3.1. + +2) Previously, if a Shorewall Variable ( e.g., @chain ) was the target + of a conditional ?RESET directive (one that was enclosed in ?if... + ?else...?endif logic), the compiler could incorrectly use an + existing chain created from the action rather than creating a new + (and different) chain. That has been corrected. + +3) Previously, if alternate input format specified a column that had + already been specified, the contents of that column were silently + overwritten. Now, a warning message is issued stating that the + prior value has been replaced by the newer value. + +4) Previously, a string-valued interface option, such as + 'physical', could be given an empty value (e.g., "physical=,"), and + the compiler would fail to flag it. Now, this usage raises an + error. + +5) Previously, the 'tunnel-src' and 'tunnel-dst' zone options would + generate an error under Shorewall6. That has been corrected. 
+ +6) A number of small documentation corrections have been made. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 1 . 3 +---------------------------------------------------------------------------- + +1) All IPv6 standard actions have been deleted and their logic + has been added to their IPv4 counterparts who can now handle + both address families. + +2) Previously, ?error and ?require messages as well as verbose ?info + and ?warning messages (those that report the file and line numbers) + generated from an action file would report the action file name and + line number rather than the file and line number where the action + was invoked. The file and line number where the action was invoked + were listed second. Beginning with this release, the invoking file + and line number are listed first and the action file and line number + are not reported. This allows for creation of clearer messages. + + Example: + + Previously, when an invalid value was passed for the 'bricks' + parameter to the GlusterFS action on line 45 of the rules file, a + message such as the following was issued (folded to 76 columns): + + ERROR: Invalid value for Bricks (2000) + /usr/share/shorewall/action.GlusterFS (line 15) + from /etc/shorewall/rules (line 45) + + Note that the message seems to imply that the error is in + action.GlusterFS rather than in the rules file. + + Beginning with this release, the message will be: + + ERROR: Invalid value (2000) for the GlusterFS Bricks argument + /etc/shorewall/rules (line 45) + + Note: This change only affects actions, including inline actions. + Macros will continue to report the old way. + +3) IPv6 UPnP support (including MINIUPNPD) is now available. + +4) A PERL_HASH_SEED option has been added to allow the Perl hash seed + to be specified. See shorewall.conf(5) and perlsec(1) for details. 
+ +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 1 . 3 ---------------------------------------------------------------------------- @@ -311,7 +455,7 @@ sample configuration. ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 5 . 1 . 2 + N E W F E A T U R E S I N 5 . 1 . 3 ---------------------------------------------------------------------------- 1) The tarball installers and uninstallers have been unified and 
@@ -632,32 +776,9 @@ 2) Several settings in the default/sample .conf files have been modified: - a) In Shorewall 5.1.0, the setting of LOGFORMAT in the default and - sample .conf files was changed to "%s:%s " to enable - 10-character zone names (up from 5 characters using the default - "Shorewall:%s:%s:" setting). As part of this change, if a - shorewall.conf file which did not set LOGFORMAT is updated using - "shorewall update", LOGFORMAT is set to "Shorewall:%s:%s:" to - preserve the existing behavior. - - This can have an effect on new installations, however in that - scipts or log analyzers can no longer be configured to simply look - for "Shorewall:" in log messages unless the setting of LOGFORMAT is - changed. If you use the new "%s:%s " setting then - Shorewall-generated Netfilter messages may be matched using - this regular expression: - - 'IN=.* OUT=.* SRC=.*\..* DST=' - - Shorewall6-generated Netfilter messages may be matched using: - - 'IN=.* OUT=.* SRC=.*:.* DST=' - - And all Netfilter messages (IPv4 and IPv6) are matched using: - - 'IN=.* OUT=.* SRC=.* DST=' + a) The LOGFORMAT setting has been changed from "Shorewall:%s:%s:" + to "%s %s " to enable longer zone names. - Shorewall6-generated Netfilter messages may be idd b) The LOGLIMIT setting has been changed from empty to "s:1/sec:10", to enable log trottling by default. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.4.4/shorewall-init.spec new/shorewall-init-5.1.5.2/shorewall-init.spec --- old/shorewall-init-5.1.4.4/shorewall-init.spec 2017-06-23 16:45:30.000000000 +0200 +++ new/shorewall-init-5.1.5.2/shorewall-init.spec 2017-08-02 00:47:07.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-init -%define version 5.1.4 -%define release 4 +%define version 5.1.5 +%define release 2 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} 
@@ -135,14 +135,18 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Fri Jun 23 2017 Tom Eastep tom@shorewall.net -- Updated to 5.1.4-4 -* Sun Jun 18 2017 Tom Eastep tom@shorewall.net -- Updated to 5.1.4-3 -* Mon Jun 12 2017 Tom Eastep tom@shorewall.net -- Updated to 5.1.4-2 -* Fri May 19 2017 Tom Eastep tom@shorewall.net -- Updated to 5.1.4-1 +* Thu Jul 27 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.5-2 +* Thu Jul 06 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.5-1 +* Mon Jun 26 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.5-0base +* Wed Jun 21 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.5-0RC1 +* Fri Jun 16 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.5-0Beta2 +* Thu May 11 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.5-0Beta1 * Fri May 05 2017 Tom Eastep tom@shorewall.net - Updated to 5.1.4-0base * Mon Apr 24 2017 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.4.4/uninstall.sh new/shorewall-init-5.1.5.2/uninstall.sh --- old/shorewall-init-5.1.4.4/uninstall.sh 2017-06-23 16:45:30.000000000 +0200 +++ new/shorewall-init-5.1.5.2/uninstall.sh 2017-08-02 00:47:07.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.1.4.4 +VERSION=5.1.5.2 PRODUCT=shorewall-init Product="Shorewall Init" ++++++ shorewall-lite-5.1.4.4.tar.bz2 -> shorewall-lite-5.1.5.2.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.4.4/changelog.txt new/shorewall-lite-5.1.5.2/changelog.txt --- old/shorewall-lite-5.1.4.4/changelog.txt 2017-06-23 16:45:31.000000000 +0200 +++ new/shorewall-lite-5.1.5.2/changelog.txt 2017-08-02 00:47:07.000000000 +0200 
@@ -1,3 +1,52 @@ +Changes in 5.1.5.2 + +1) Update release documents. + +2) Correct source port handling when BASIC_FILTERS=Yes. + +3) Correct handling of USER/GROUP in the OUTPUT section of the + accounting file. + +4) Correct handling of MAC addresses in the accounting file. + +Changes in 5.1.5.1 + +1) Update release documents. + +2) Process the snat file if the masq file is empty. + +Changes in 5.1.5 Final + +1) Update release documents. + +2) Include IPv6 annotated config files. + +3) Add RESTORE_DEFAULT_ROUTE to shorewall6.conf. + +Changes in 5.1.5 RC 1 + +1) Update release documents. + +2) USE_NFLOG_SIZE option. + +3) Improve editing of port numbers/service names. + +4) Add dropBcasts action. + +Changes in 5.1.5 Beta 2 + +1) Update release documents. + +2) Consolidate Shorewall/Shorewall6 manpages. + +Changes in 5.1.5 Beta 1 + +1) Update release documents. + +2) Add defect repair through 5.1.4.2. + +3) Implement runtime port variables. + Changes in 5.1.4.4 1) Update release documents. @@ -32,13 +81,6 @@ 1) Update release documents. -2) Clean up introduction to shorewall-rules(5). - -3) Clarify LOGFORMAT in shorewall[6].conf(5) and - shorewall[6]-zones(5). - -4) Add BLACKLIST to the IPv6 actions.std file. - Changes in 5.1.4 RC 1 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.4.4/configure new/shorewall-lite-5.1.5.2/configure --- old/shorewall-lite-5.1.4.4/configure 2017-06-23 16:45:31.000000000 +0200 +++ new/shorewall-lite-5.1.5.2/configure 2017-08-02 00:47:07.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.1.4.4 +VERSION=5.1.5.2 case "$BASH_VERSION" in [4-9].*) 
@@ -190,7 +190,7 @@ done echo '#' > shorewallrc -echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc +echo "# Created by Shorewall Core version $VERSION configure - " `date --utc --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}"` >> shorewallrc echo "# rc file: $rcfile" >> shorewallrc echo '#' >> shorewallrc diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.4.4/configure.pl new/shorewall-lite-5.1.5.2/configure.pl --- old/shorewall-lite-5.1.4.4/configure.pl 2017-06-23 16:45:31.000000000 +0200 +++ new/shorewall-lite-5.1.5.2/configure.pl 2017-08-02 00:47:07.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.1.4.4' + VERSION => '5.1.5.2' }; my %params; @@ -173,7 +173,12 @@ open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!"; -printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0]; +if ( $ENV{SOURCE_DATE_EPOCH} ) { + printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s\n", VERSION, `date --utc --date=\"\@$ENV{SOURCE_DATE_EPOCH}\"`; +} else { + printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0]; +} + print $outfile "# rc file: $rcfilename\n#\n"; print $outfile "# Input: @ARGV\n#\n" if @ARGV; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.4.4/install.sh new/shorewall-lite-5.1.5.2/install.sh --- old/shorewall-lite-5.1.4.4/install.sh 2017-06-23 16:45:31.000000000 +0200 +++ new/shorewall-lite-5.1.5.2/install.sh 2017-08-02 00:47:07.000000000 +0200 
@@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=5.1.4.4 +VERSION=5.1.5.2 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.4.4/manpages/shorewall-lite-vardir.5 new/shorewall-lite-5.1.5.2/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-5.1.4.4/manpages/shorewall-lite-vardir.5 2017-06-23 16:47:25.000000000 +0200 +++ new/shorewall-lite-5.1.5.2/manpages/shorewall-lite-vardir.5 2017-08-02 00:48:20.000000000 +0200 @@ -2,12 +2,12 @@ .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 06/23/2017 +.\" Date: 08/01/2017 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "06/23/2017" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\-VAR" "5" "08/01/2017" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.4.4/manpages/shorewall-lite.8 new/shorewall-lite-5.1.5.2/manpages/shorewall-lite.8 --- old/shorewall-lite-5.1.4.4/manpages/shorewall-lite.8 2017-06-23 16:47:25.000000000 +0200 +++ new/shorewall-lite-5.1.5.2/manpages/shorewall-lite.8 2017-08-02 00:48:21.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 06/23/2017 +.\" Date: 08/01/2017 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "06/23/2017" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL\-LITE" "8" "08/01/2017" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.4.4/manpages/shorewall-lite.conf.5 new/shorewall-lite-5.1.5.2/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-5.1.4.4/manpages/shorewall-lite.conf.5 2017-06-23 16:47:24.000000000 +0200 +++ new/shorewall-lite-5.1.5.2/manpages/shorewall-lite.conf.5 2017-08-02 00:48:19.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 06/23/2017 +.\" Date: 08/01/2017 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "06/23/2017" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\&.CO" "5" "08/01/2017" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.4.4/releasenotes.txt new/shorewall-lite-5.1.5.2/releasenotes.txt --- old/shorewall-lite-5.1.4.4/releasenotes.txt 2017-06-23 16:45:31.000000000 +0200 +++ new/shorewall-lite-5.1.5.2/releasenotes.txt 2017-08-02 00:47:07.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 1 . 4 . 4 + S H O R E W A L L 5 . 1 . 5 . 2 ------------------------------ - J u n e 2 3 , 2 0 1 7 + J u l y 3 1 , 2 0 1 7 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,87 +14,62 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -5.1.4.4 +5.1.5.2 -1) A defect in 5.1.4.3 caused a startup failure when two or more - 'fallback' providers were configured. That has been corrected. +1) Previously, Specifying a USER in the OUTPUT section of the + accounting file caused the compilter to incorrectly generate the + following error message: -5.1.4.3 + ERROR: USER/GROUP may only be specified in the OUTPUT section -1) When running on prior-generation distributions such as RHEL6, - IPv6 multi-ISP configurations failed to start due to an error such as - the following: + That has been corrected, and no error message is generated in this + case. - ERROR: Command "ip -6 -6 route replace default scope global - table 250 nexthop via ::192.88.99.1 dev tun6to4 weight 1" - Failed - - Such configurations now start successfully. +2) When BASIC_FILTERS=Yes, the compiler previously generated an + invalid tc command when when a source port was specified in a + tcfilters entry. The compiler now generates correct input in this + case. -5.1.4.2 +3) Previously, a MAC address could be specified in the OUTPUT + section of the accounting file and no error would be generated at + compile time. A failure would occur, however, at run-time. Now, an + error is raised during compilation. -1) Many broken links in the manpages have been corrected. +5.1.5.1 -2) Support for the NFQUEUE '--queue-cpu-fanout' option, introduced in - Shorewall 5.1.0, contained a defect which could result in the - following compile-time error: - - Use of uninitialized value $fanout in concatenation (.) or string - at /usr/share/shorewall/Shorewall/Rules.pm line 643, - <$currentfile> line 2. - - That has been corrected. - -5.1.4.1 - -1) The introductory material in shorewall-rules(5) has been cleaned - up. 
- -2) The information about LOGFORMAT in shorewall[6].conf(5) and - shorewall[6]-zones(5) has been expanded. - - In Shorewall 5.1.0, the setting of LOGFORMAT in the default and - sample .conf files was changed to "%s:%s " to enable 10-character - zone names (up from 5 characters using the default - "Shorewall:%s:%s:" setting). As part of this change, if a - shorewall.conf file which did not set LOGFORMAT is updated using - "shorewall update", LOGFORMAT is set to "Shorewall:%s:%s:" to - preserve the existing behavior. +1) To compensate for the presence of a masq file with no entries, + the compiler will now attempt to process the snat file when such a + masq file is found. Previously, if a masq file with no entries was + found, the snat file, if any, was ignored. - This can have an effect on new installations, however in that - scipts or log analyzers can no longer be configured to simply look - for "Shorewall:" in log messages unless the setting of LOGFORMAT is - changed. The manpages (and the Migration Considerations below) have - been updated to describe how to locate these messages using the new - "%s:%s " setting. +2) Previously, maintainers could not create reproducable packages + because the 'configure' and 'configure.pl' scripts inserted the + current date and time into the generated shorewallrc file. -3) The BLACKLIST action was inadvertently omitted from Shorewall6 in - Shorewall 5.1.1. That has been corrected. + To support reproducable package builds, the scripts now recognize + the SOURCE_DATE_EPOCH environmental variable (see + https://reproducible-builds.org/specs/source-date-epoch/). -5.1.4 + The change to 'configure' was supplied by Bernhard M. Wiedemann. -1) This release contains defect repair through Shorewall 5.1.3.1. +5.1.5 -2) Previously, if a Shorewall Variable ( e.g., @chain ) was the target - of a conditional ?RESET directive (one that was enclosed in ?if... 
- ?else...?endif logic), the compiler could incorrectly use an - existing chain created from the action rather than creating a new - (and different) chain. That has been corrected. +1) This release contains defect repair through Shorewall 5.1.4.4. -3) Previously, if alternate input format specified a column that had - already been specified, the contents of that column were silently - overwritten. Now, a warning message is issued stating that the - prior value has been replaced by the newer value. +2) Previously, when 0 was used as a port number or when a port number + > 65535 was specified, an 'uninitialized variable' Perl exception + occurred when the compiler attempted to issue an error + message. That has been corrected. -4) Previously, a string-valued interface option, such as - 'physical', could be given an empty value (e.g., "physical=,"), and - the compiler would fail to flag it. Now, this usage raises an - error. +3) When running with Perl 5.26, messages such at the following could + be issued: -5) Previously, the 'tunnel-src' and 'tunnel-dst' zone options would - generate an error under Shorewall6. That has been corrected. + Unescaped left brace in regex is deprecated here (and will be + fatal in Perl 5.30), passed through in regex; marked by <-- HERE + in m/^(\s*|.*[^&@%]){ <-- HERE (.*)}\s*$/ at + /usr/share/shorewall/Shorewall/Config.pm line 2343. -6) A number of small documentation corrections have been made. + That problem has been corrected. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -115,48 +90,40 @@ uses a "delete..add.." sequence on these routes rather than a single "replace" command. +4) When the formerly built-in actions were converted to standard + actions in Shorewall 5.1.3, the 'dropBcasts' action was + inadvertently changed to 'dropBcast'. Beginning with this release, + both spellings are accepted. + ---------------------------------------------------------------------------- I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) All IPv6 standard actions have been deleted and their logic - has been added to their IPv4 counterparts who can now handle - both address families. - -2) Previously, ?error and ?require messages as well as verbose ?info - and ?warning messages (those that report the file and line numbers) - generated from an action file would report the action file name and - line number rather than the file and line number where the action - was invoked. The file and line number where the action was invoked - were listed second. Beginning with this release, the invoking file - and line number are listed first and the action file and line number - are not reported. This allows for creation of clearer messages. - - Example: - - Previously, when an invalid value was passed for the 'bricks' - parameter to the GlusterFS action on line 45 of the rules file, a - message such as the following was issued (folded to 76 columns): - - ERROR: Invalid value for Bricks (2000) - /usr/share/shorewall/action.GlusterFS (line 15) - from /etc/shorewall/rules (line 45) - - Note that the message seems to imply that the error is in - action.GlusterFS rather than in the rules file. - - Beginning with this release, the message will be: - - ERROR: Invalid value (2000) for the GlusterFS Bricks argument - /etc/shorewall/rules (line 45) - - Note: This change only affects actions, including inline actions. - Macros will continue to report the old way. 
+1) Run-time port variables are now supported. See + http://www.shorewall.org/configuration_file_basics.htm#Port_Variables + for details. + +2) The Shorewall and Shorewall6 manpages are now consolidated. Almost + all of the Shorewall6 manpages are manpage aliases for the + corresponding Shorewall manpages which describe the files for both + products. + +3) There is now a FIN standard action which handles TCP packets with + the FIN, ACK and PSH flags set. + +4) According to the Netfilter team (see + https://patchwork.kernel.org/patch/9198133/), the --nflog-range option + of the NFLOG target has never worked correctly, and they have + deprecated that option in favor of the --nflog-size option. To + accomodate this change, there is now an "--nflog-size support" + (NFLOG_SIZE) Shorewall capability and a USE_NFLOG_SIZE option in + shorewall[6].conf. -3) IPv6 UPnP support (including MINIUPNPD) is now available. + For further information, see the Migrations Issues item number 8. -4) A PERL_HASH_SEED option has been added to allow the Perl hash seed - to be specified. See shorewall.conf(5) and perlsec(1) for details. +5) The RESTORE_DEFAULT_ROUTE option has now been added to + shorewall6.conf. Prior to this release, RESTORE_DEFAULT_ROUTE=Yes + has always been assumed for Shorewall6 configurations. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -276,11 +243,188 @@ Broadcast no longer handle multicast. Multicast is handeled separately in actions allowMcast, dropMcast and Multicast. The now-deprecated Drop and Reject policy actions have been modified so - that they continue to silently drop multicast packets. + that they continue to silently drop multicast packets. + +8) According to the Netfilter team (see + https://patchwork.kernel.org/patch/9198133/), the --nflog-range option + of the NFLOG target has never worked correctly, and they have + deprecated that option in favor of the --nflog-size option. + + To accomodate this change, Shorewall 5.1.5 added an "--nflog-size + support" (NFLOG_SIZE) Shorewall capability and a USE_NFLOG_SIZE + option in shorewall[6].conf. If USE_NFLOG_SIZE=Yes, then if the + capability is present, Shorewall will use '--nflog-size' in place + of '--nflog-range'. If USE_NFLOG_SIZE=Yes and the capability is not + present, an error is raised. + + If you don't use NFLOG or if you use NFLOG with omittted second + parameter or with 0 as the second parameter, and 'shorewall show + capabilities' indicated that --nflog-size support is present, you + may safely set USE_NFLOG_SIZE=Yes. + + If you pass a non-zero value as the second parameter to NFLOG and + the '--nflog-size support' capability is present, you need to + verify that those NFLOG messages are as you expect with + USE_NFLOG_SIZE=Yes. ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 1 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 1 . 4 +---------------------------------------------------------------------------- + +5.1.4.4 + +1) A defect in 5.1.4.3 caused a startup failure when two or more + 'fallback' providers were configured. That has been corrected. 
+ +5.1.4.3 + +1) When running on prior-generation distributions such as RHEL6, + IPv6 multi-ISP configurations failed to start due to an error such as + the following: + + ERROR: Command "ip -6 -6 route replace default scope global + table 250 nexthop via ::192.88.99.1 dev tun6to4 weight 1" + Failed + + Such configurations now start successfully. + +5.1.4.2 + +1) Many broken links in the manpages have been corrected. + +2) Support for the NFQUEUE '--queue-cpu-fanout' option, introduced in + Shorewall 5.1.0, contained a defect which could result in the + following compile-time error: + + Use of uninitialized value $fanout in concatenation (.) or string + at /usr/share/shorewall/Shorewall/Rules.pm line 643, + <$currentfile> line 2. + + That has been corrected. + +5.1.4.1 + +1) The introductory material in shorewall-rules(5) has been cleaned + up. + +2) The information about LOGFORMAT in shorewall[6].conf(5) and + shorewall[6]-zones(5) has been expanded. + + In Shorewall 5.1.0, the setting of LOGFORMAT in the default and + sample .conf files was changed to "%s:%s " to enable 10-character + zone names (up from 5 characters using the default + "Shorewall:%s:%s:" setting). As part of this change, if a + shorewall.conf file which did not set LOGFORMAT is updated using + "shorewall update", LOGFORMAT is set to "Shorewall:%s:%s:" to + preserve the existing behavior. + + This can have an effect on new installations, however in that + scipts or log analyzers can no longer be configured to simply look + for "Shorewall:" in log messages unless the setting of LOGFORMAT is + changed. The manpages (and the Migration Considerations below) have + been updated to describe how to locate these messages using the new + "%s:%s " setting. + +3) The BLACKLIST action was inadvertently omitted from Shorewall6 in + Shorewall 5.1.1. That has been corrected. + +5.1.4.1 + +1) The introductory material in shorewall-rules(5) has been cleaned + up. 
+ +2) The information about LOGFORMAT in shorewall[6].conf(5) and + shorewall[6]-zones(5) has been expanded. + + In Shorewall 5.1.0, the setting of LOGFORMAT in the default and + sample .conf files was changed to "%s:%s " to enable 10-character + zone names (up from 5 characters using the default + "Shorewall:%s:%s:" setting). As part of this change, if a + shorewall.conf file which did not set LOGFORMAT is updated using + "shorewall update", LOGFORMAT is set to "Shorewall:%s:%s:" to + preserve the existing behavior. + + This can have an effect on new installations, however in that + scipts or log analyzers can no longer be configured to simply look + for "Shorewall:" in log messages unless the setting of LOGFORMAT is + changed. The manpages (and the Migration Considerations below) have + been updated to describe how to locate these messages using the new + "%s:%s " setting. + +3) The BLACKLIST action was inadvertently omitted from Shorewall6 in + Shorewall 5.1.1. That has been corrected. + +5.1.4 + +1) This release contains defect repair through Shorewall 5.1.3.1. + +2) Previously, if a Shorewall Variable ( e.g., @chain ) was the target + of a conditional ?RESET directive (one that was enclosed in ?if... + ?else...?endif logic), the compiler could incorrectly use an + existing chain created from the action rather than creating a new + (and different) chain. That has been corrected. + +3) Previously, if alternate input format specified a column that had + already been specified, the contents of that column were silently + overwritten. Now, a warning message is issued stating that the + prior value has been replaced by the newer value. + +4) Previously, a string-valued interface option, such as + 'physical', could be given an empty value (e.g., "physical=,"), and + the compiler would fail to flag it. Now, this usage raises an + error. + +5) Previously, the 'tunnel-src' and 'tunnel-dst' zone options would + generate an error under Shorewall6. That has been corrected. 
+ +6) A number of small documentation corrections have been made. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 1 . 3 +---------------------------------------------------------------------------- + +1) All IPv6 standard actions have been deleted and their logic + has been added to their IPv4 counterparts who can now handle + both address families. + +2) Previously, ?error and ?require messages as well as verbose ?info + and ?warning messages (those that report the file and line numbers) + generated from an action file would report the action file name and + line number rather than the file and line number where the action + was invoked. The file and line number where the action was invoked + were listed second. Beginning with this release, the invoking file + and line number are listed first and the action file and line number + are not reported. This allows for creation of clearer messages. + + Example: + + Previously, when an invalid value was passed for the 'bricks' + parameter to the GlusterFS action on line 45 of the rules file, a + message such as the following was issued (folded to 76 columns): + + ERROR: Invalid value for Bricks (2000) + /usr/share/shorewall/action.GlusterFS (line 15) + from /etc/shorewall/rules (line 45) + + Note that the message seems to imply that the error is in + action.GlusterFS rather than in the rules file. + + Beginning with this release, the message will be: + + ERROR: Invalid value (2000) for the GlusterFS Bricks argument + /etc/shorewall/rules (line 45) + + Note: This change only affects actions, including inline actions. + Macros will continue to report the old way. + +3) IPv6 UPnP support (including MINIUPNPD) is now available. + +4) A PERL_HASH_SEED option has been added to allow the Perl hash seed + to be specified. See shorewall.conf(5) and perlsec(1) for details. 
+ +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 1 . 3 ---------------------------------------------------------------------------- @@ -311,7 +455,7 @@ sample configuration. ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 5 . 1 . 2 + N E W F E A T U R E S I N 5 . 1 . 3 ---------------------------------------------------------------------------- 1) The tarball installers and uninstallers have been unified and 
@@ -632,32 +776,9 @@ 2) Several settings in the default/sample .conf files have been modified: - a) In Shorewall 5.1.0, the setting of LOGFORMAT in the default and - sample .conf files was changed to "%s:%s " to enable - 10-character zone names (up from 5 characters using the default - "Shorewall:%s:%s:" setting). As part of this change, if a - shorewall.conf file which did not set LOGFORMAT is updated using - "shorewall update", LOGFORMAT is set to "Shorewall:%s:%s:" to - preserve the existing behavior. - - This can have an effect on new installations, however in that - scipts or log analyzers can no longer be configured to simply look - for "Shorewall:" in log messages unless the setting of LOGFORMAT is - changed. If you use the new "%s:%s " setting then - Shorewall-generated Netfilter messages may be matched using - this regular expression: - - 'IN=.* OUT=.* SRC=.*\..* DST=' - - Shorewall6-generated Netfilter messages may be matched using: - - 'IN=.* OUT=.* SRC=.*:.* DST=' - - And all Netfilter messages (IPv4 and IPv6) are matched using: - - 'IN=.* OUT=.* SRC=.* DST=' + a) The LOGFORMAT setting has been changed from "Shorewall:%s:%s:" + to "%s %s " to enable longer zone names. - Shorewall6-generated Netfilter messages may be idd b) The LOGLIMIT setting has been changed from empty to "s:1/sec:10", to enable log trottling by default. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.4.4/shorewall-lite.spec new/shorewall-lite-5.1.5.2/shorewall-lite.spec --- old/shorewall-lite-5.1.4.4/shorewall-lite.spec 2017-06-23 16:45:31.000000000 +0200 +++ new/shorewall-lite-5.1.5.2/shorewall-lite.spec 2017-08-02 00:47:07.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-lite -%define version 5.1.4 -%define release 4 +%define version 5.1.5 +%define release 2 %define initdir /etc/init.d Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. 
@@ -115,14 +115,18 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Fri Jun 23 2017 Tom Eastep tom@shorewall.net -- Updated to 5.1.4-4 -* Sun Jun 18 2017 Tom Eastep tom@shorewall.net -- Updated to 5.1.4-3 -* Mon Jun 12 2017 Tom Eastep tom@shorewall.net -- Updated to 5.1.4-2 -* Fri May 19 2017 Tom Eastep tom@shorewall.net -- Updated to 5.1.4-1 +* Thu Jul 27 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.5-2 +* Thu Jul 06 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.5-1 +* Mon Jun 26 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.5-0base +* Wed Jun 21 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.5-0RC1 +* Fri Jun 16 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.5-0Beta2 +* Thu May 11 2017 Tom Eastep tom@shorewall.net +- Updated to 5.1.5-0Beta1 * Fri May 05 2017 Tom Eastep tom@shorewall.net - Updated to 5.1.4-0base * Mon Apr 24 2017 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.4.4/uninstall.sh new/shorewall-lite-5.1.5.2/uninstall.sh --- old/shorewall-lite-5.1.4.4/uninstall.sh 2017-06-23 16:45:31.000000000 +0200 +++ new/shorewall-lite-5.1.5.2/uninstall.sh 2017-08-02 00:47:07.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.1.4.4 +VERSION=5.1.5.2 usage() # $1 = exit status { ++++++ shorewall-5.1.4.4.tar.bz2 -> shorewall6-5.1.5.2.tar.bz2 ++++++ ++++ 116895 lines of diff (skipped) ++++++ shorewall-lite-5.1.4.4.tar.bz2 -> shorewall6-lite-5.1.5.2.tar.bz2 ++++++ ++++ 3464 lines of diff (skipped)