Hello community, here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2012-12-10 17:19:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shorewall (Old) and /work/SRC/openSUSE:Factory/.shorewall.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "shorewall", Maintainer is "" Changes: -------- --- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2012-11-22 14:26:34.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes 2012-12-10 17:19:52.000000000 +0100 
@@ -1,0 +2,32 @@ +Sun Dec 9 11:07:53 UTC 2012 - toganm@opensuse.org + +- Update to 4.5.10 For more details see changelog.txt and + releasenotes.txt + + * This release includes all defect repair included in + 4.5.9.1-4.5.9.3. + + * Under rare circumstances, optimize level 16 could produce + invalid iptables-restore input which would cause start/restart + to fail. + + * Before this release, the 'started' script was run prior to + copying the temporary script file (e.g., /var/lib/shorewall/.start) + to /var/dir/shorewall/firewall. If the script failed, the copy + would not take place even though the firewall had started + successfully. The script is now copied before running the + 'started' script. + + If you compare the script generated by this release with one + generated by a prior release, We suggest that you ignore + whitespace changes (e.g., use the '-w' option in diff); that way, + you can see the actual change more clearly. + + * AUTOCOMMENT=No now works correctly; previously, it behaved the + same as AUTOCOMMENT=Yes. + + * A harmless extraneous comma has been deleted from the rule + generated by action.RST. + + +------------------------------------------------------------------- Old: ---- shorewall-4.5.9.2.tar.bz2 shorewall-core-4.5.9.2.tar.bz2 shorewall-docs-html-4.5.9.2.tar.bz2 shorewall-init-4.5.9.2.tar.bz2 shorewall-lite-4.5.9.2.tar.bz2 shorewall6-4.5.9.2.tar.bz2 shorewall6-lite-4.5.9.2.tar.bz2 New: ---- shorewall-4.5.10.tar.bz2 shorewall-core-4.5.10.tar.bz2 shorewall-docs-html-4.5.10.tar.bz2 shorewall-init-4.5.10.tar.bz2 shorewall-lite-4.5.10.tar.bz2 shorewall6-4.5.10.tar.bz2 shorewall6-lite-4.5.10.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.TuDCPG/_old 2012-12-10 17:19:54.000000000 +0100 +++ /var/tmp/diff_new_pack.TuDCPG/_new 2012-12-10 17:19:54.000000000 +0100 
@@ -20,19 +20,19 @@ %define have_systemd 1 Name: shorewall -Version: 4.5.9.2 +Version: 4.5.10 Release: 0 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems License: GPL-2.0 Group: Productivity/Networking/Security Url: http://www.shorewall.net/ -Source: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.9/%name-%version.ta... -Source1: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.9/%name-core-%versi... -Source2: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.9/%name-lite-%versi... -Source3: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.9/%name-init-%versi... -Source4: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.9/%{name}6-lite-%version.tar.bz2 -Source5: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.9/%{name}6-%version.tar.bz2 -Source6: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.9/%name-docs-html-%... +Source: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.10/%name-%version.t... +Source1: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.10/%name-core-%vers... +Source2: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.10/%name-lite-%vers... +Source3: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.10/%name-init-%vers... +Source4: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.10/%{name}6-lite-%version.tar.bz2 +Source5: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.10/%{name}6-%version.tar.bz2 +Source6: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.10/%name-docs-html-... 
Source7: %name-4.4.22.rpmlintrc Source8: README.openSUSE # PATCH-FIX-UPSTREAM toganm@opensuse.org Shorewall-lite init.suse.sh Required Stop ++++++ shorewall-4.5.9.2.tar.bz2 -> shorewall-4.5.10.tar.bz2 ++++++ ++++ 8421 lines of diff (skipped) ++++++ shorewall-core-4.5.9.2.tar.bz2 -> shorewall-core-4.5.10.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.9.2/changelog.txt new/shorewall-core-4.5.10/changelog.txt --- old/shorewall-core-4.5.9.2/changelog.txt 2012-11-17 16:46:47.000000000 +0100 +++ new/shorewall-core-4.5.10/changelog.txt 2012-12-08 01:57:35.000000000 +0100 
@@ -1,3 +1,99 @@ +Changes in 4.5.10 Final + +1) Update release documents. + +2) Correct pushing of parameters with nested parens. + +3) Remove extraneous ',' from the rule generated by action.RST. + +Changes in 4.5.10 RC 1 + +1) Change '@' substitution to '@0' (${0}'. + +2) Disallow leading '0' in action parameter numbers. + +3) Eliminate the need for functions called by + Shorewall::Compiler::generate_script_3 to have knowledge of the + current script file indentation. + +4) Copy the temporary script to $VARDIR/$PRODUCT/firewall before + running the 'started' script. + +5) Ignore 'inline' on certain actions. + +6) Only initialize switches that survived optimization. + +7) Be more agressive about detecting action recursion. + +8) Support passing log levels inside parameters. + +9) Fix AUTOCOMMENT=No + +10) Delete duplicate rules in tables + +Changes in 4.5.10 Beta 3 + +1) Update release documents. + +2) Inherit 'tag' from macro/action invocation. + +3) Correct NFLOG/ULOG documentation. + +4) Another optimizer bug fixed. + +5) Multiple parameter support for macros. + +6) $0 expands to current action chain name. + +7) Replace '@' by chain name in SWITCH contents. + +8) Add in-line actions. + +9) Add switch initialization. + +10) Allowing inline override on Standard Actions. + +Changes in 4.5.10 Beta 2 + +1) Update release documents. + +2) New macro expansion capability. + +3) Add NFLOG and ULOG macros. + +4) Add UNTRACKED match to the secmarks file. + +5) Add DROP target to the conntrack file. + +6) Remove references to USE_ACTIONS + +7) Allow macros to be used as default actions. + +8) Correct the compiler's CHECKSUM detection + +9) Don't generate start/stop functions for wildcard optional + interfaces. + +10) Apply Tuomo Soini's fix for RHEL5 + +11) Improve handling of 'all' in the conntrack file. + +12) Add SWITCH column to the conntrack file. + +13) Add AUDIT built-in + +14) Support audited targets on IPv6. 
+ +Changes in 4.5.10 Beta 1 + +1) Update release documents. + +2) Treat optional interfaces as pseudo-providers. + +3) New macro expansion capability. + +4) Add NFLOG and ULOG macros. + Changes in 4.5.9.2 1) Update release documents. @@ -8,8 +104,6 @@ 4) Make exclusion work with TPROXY. -5) Fix 'enable' when interface and provider have same name. - Changes in 4.5.9.1 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.9.2/configure new/shorewall-core-4.5.10/configure --- old/shorewall-core-4.5.9.2/configure 2012-11-17 16:46:47.000000000 +0100 +++ new/shorewall-core-4.5.10/configure 2012-12-08 01:57:35.000000000 +0100 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.5.9.2 +VERSION=4.5.10 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.9.2/configure.pl new/shorewall-core-4.5.10/configure.pl --- old/shorewall-core-4.5.9.2/configure.pl 2012-11-17 16:46:47.000000000 +0100 +++ new/shorewall-core-4.5.10/configure.pl 2012-12-08 01:57:35.000000000 +0100 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.5.9.2' + VERSION => '4.5.10' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.9.2/install.sh new/shorewall-core-4.5.10/install.sh --- old/shorewall-core-4.5.9.2/install.sh 2012-11-17 16:46:47.000000000 +0100 +++ new/shorewall-core-4.5.10/install.sh 2012-12-08 01:57:35.000000000 +0100 
@@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.5.9.2 +VERSION=4.5.10 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.9.2/known_problems.txt new/shorewall-core-4.5.10/known_problems.txt --- old/shorewall-core-4.5.9.2/known_problems.txt 2012-11-17 16:46:47.000000000 +0100 +++ new/shorewall-core-4.5.10/known_problems.txt 2012-12-08 01:57:35.000000000 +0100 @@ -65,15 +65,4 @@ Corrected in 4.5.9.1 6) If exclusion is used with TPROXY in the tcrules file, an invalid - iptables ruleset is generated, causing 'shorewall start' and - 'shorewall restart' to fail in iptables-restore. - - Corrected in 4.5.9.2. - -7) If a provider and its interface have the same name, then the - 'enable' command fails on that interface. - - Workaround: Give the provider a name that is distinct from its - interface's name. - - Corrected in 4.5.9.2. + iptables ruleset is generated. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.9.2/lib.cli new/shorewall-core-4.5.10/lib.cli --- old/shorewall-core-4.5.9.2/lib.cli 2012-11-16 18:50:36.000000000 +0100 +++ new/shorewall-core-4.5.10/lib.cli 2012-12-08 01:48:55.000000000 +0100 
@@ -1007,18 +1007,18 @@ case $1 in actions) [ $# -gt 1 ] && usage 1 - echo "A_ACCEPT # Audit and accept the connection" - echo "A_DROP # Audit and drop the connection" - echo "A_REJECT # Audit and reject the connection " - echo "allowBcast # Silently Allow Broadcast/multicast" - echo "allowInvalid # Accept packets that are in the INVALID conntrack state." - echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic" - echo "allowoutUPnP # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)" - echo "dropBcast # Silently Drop Broadcast/multicast" - echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state" - echo "dropNotSyn # Silently Drop Non-syn TCP packets" - echo "forwardUPnP # Allow traffic that upnpd has redirected from" - echo "rejNotSyn # Silently Reject Non-syn TCP packets" + echo "A_ACCEPT # Audit and accept the connection" + echo "A_DROP # Audit and drop the connection" + echo "A_REJECT # Audit and reject the connection " + echo "allowBcast # Silently Allow Broadcast/multicast" + echo "allowInvalid # Accept packets that are in the INVALID conntrack state." + echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic" + echo "allowoutUPnP # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)" + echo "dropBcast # Silently Drop Broadcast/multicast" + echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state" + echo "dropNotSyn # Silently Drop Non-syn TCP packets" + echo "forwardUPnP # Allow traffic that upnpd has redirected from" + echo "rejNotSyn # Silently Reject Non-syn TCP packets" if [ -f ${g_confdir}/actions ]; then cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$' 
@@ -2415,7 +2415,9 @@ fi qt $g_tool -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes + qt $g_tool -A $chain -m condition --condition foo && CONDITION_MATCH=Yes + qt $g_tool -S INPUT && IPTABLES_S=Yes qt $g_tool -F $chain qt $g_tool -X $chain diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.9.2/releasenotes.txt new/shorewall-core-4.5.10/releasenotes.txt --- old/shorewall-core-4.5.9.2/releasenotes.txt 2012-11-17 16:46:47.000000000 +0100 +++ new/shorewall-core-4.5.10/releasenotes.txt 2012-12-08 01:57:35.000000000 +0100 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 5 . 9 . 2 + S H O R E W A L L 4 . 5 . 1 0 ------------------------------------ - N o v e m b e r 1 7 , 2 0 1 2 + D e c e m b e r 0 2 , 2 0 1 2 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -15,162 +15,186 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.5.9.2 +1) This release includes all defect repair included in + 4.5.9.1-4.5.9.3. -1) Previously, the rules in the 'routemark' chain did not specify a - mask in the MARK target. While a mask isn't strictly necessary in - those rules, one has been added to ally fears of those who read the - generated ruleset. +2) Under rare circumstances, optimize level 16 could produce invalid + iptables-restore input which would cause start/restart to fail. - Note: The 'routemark' chain is used to apply provider marks to - packets received from 'track' provider interfaces. It is traversed - early in the mangle PREROUTING chain when no other marks have yet - been applied to the packet. +3) Before this release, the 'started' script was run prior to copying + the temporary script file (e.g., /var/lib/shorewall/.start) to + /var/dir/shorewall/firewall. If the script failed, the copy would + not take place even though the firewall had started + successfully. The script is now copied before running the 'started' + script. + + If you compare the script generated by this release with one + generated by a prior release, We suggest that you ignore whitespace + changes (e.g., use the '-w' option in diff); that way, you can see + the actual change more clearly. -2) If exclusion was used with TPROXY in the tcrules file, an invalid - iptables ruleset was generated causing start and restart commands - to fail when running iptables-restore. +4) AUTOCOMMENT=No now works correctly; previously, it behaved the same + as AUTOCOMMENT=Yes. -3) Previously, if a provider and its interface had the same name, then - the 'enable' command would not work on that interface. +5) A harmless extraneous comma has been deleted from the rule + generated by action.RST. 
-4.5.9.1 +---------------------------------------------------------------------------- + I I. K N O W N P R O B L E M S R E M A I N I N G +---------------------------------------------------------------------------- -1) Previously, using a wildcard interface name in a rule would result - in this error: +1) On systems running Upstart, shorewall-init cannot reliably secure + the firewall before interfaces are brought up. - ERROR: Invalid ipset name (ppp+) : ... +---------------------------------------------------------------------------- + I I I. N E W F E A T U R E S I N T H I S R E L E A S E +---------------------------------------------------------------------------- - Such entries are now handled correctly. +1) Shorewall now treats optional non-provider interfaces in a manner + similar to provider interfaces. -2) The shorewall-masq(5) manpage incorrectly stated that the SOURCE - column may use exclusion with an interface name (e.g., - eth1:!1.2.3.4). That hasn't been the case for some time. To - accomplish the same thing, do this: + - They may have entries in /etc/shorewall/routes. + - They may be enabled/disabled using the 'enable' and 'disable' + commands. + - Shorewall-init will simply enable an optional interface when it + comes up and disable it when it goes down. - eth0 1.2.3.4 NONAT - eth0 eth1 +2) The /etc/shorewall/secmarks and /etc/shorewall6/secmarks files now + support the UNTRACKED state. See the manpages for details. - Note: Using an interface name in the SOURCE column is deprecated. +3) The /etc/shorewall/conntrack and /etc/shorewall6/conntrack files + now support a DROP target. -3) Previously, if a MARK was specified for a tc class that explicitly - specified a class number, the following spurious warning message - was issued: + It is now possible to specify 'all-' in the SOURCE column which + generates rules for all zones that are outside of the firewall + itself. 
- WARNING: Class NUMBER ignored -- - INTERFACE <name> does not have the 'classify' option +4) A SWITCH column has been added to the /etc/shorewall/conntrack and + /etc/shorewall/conntrack6 files. - That warning message is no longer issued. +5) In a SWITCH column, the character '@' is replaced by the chain + name (non-alphanumeric characters other than '-' and '_' are + suppressed). -4) With Shorewall 4.5.9, there were issues when the ipset utility was - not installed, some of which prevented Shorewall from starting. +6) An AUDIT action has been added to the /etc/shorewall/rules and + /etc/shorewall6/rules. -4.5.9 +7) The audited targets (A_ACCEPT, A_DROP, etc.) are now supported in + /etc/shorewall6/rules. -1) This release contains all defect repair from Shorewall 4.5.8.2. +8) An additional format (3) has been added to the conntrack file. In + this format, zone names are not used in the SOURCE column; rather, + a suffix in the ACTION column determines which raw-table chain the + generated Netfilter rule will be placed in. See the manpages for + details. -2) A typo has been corrected in the shorewallrc.default file. +9) A ULOG ACTION has been added to /etc/shorewall/rules. -3) Beginning with Shorewall 4.5.7.2, Shorewall unconditionally - restores the provider mark as the first rule in the mangle table - OUTPUT and PREROUTING chains. Previously, the provider mark was - restored only if it was non-zero. +10) Within an action body, the variable $0 now expands to the action + chain name (including leading '%' if present). - It has become clear that some users need it one way while others - need it the other way. To resolve this issue, a RESTORE_ROUTEMARKS - option has been added to shorewall.conf and shorewall6.conf. When - this option is set to Yes (the default), the 4.5.7.2 approach is - used (always restore the mark, even if it is zero); when it is set - to No, the pre-4.5.7.2 behavior is retained (only restore the mark - if it is non-zero). 
+11) 'In-line' actions are now available. An action is designated as + in-line within /etc/shorewall[6]/actions; that file has a + new OPTIONS column and specifying 'inline' in that column + designates the action as in-line. -4) Two error messages produced by the RST action have been - corrected. They previously referred to errors in the NotSyn action - rather than RST. + Normally, actions are expanded into their own chain with a + unique chain being created for each unique invocation (considering + log level, tag and parameters). An in-line actions is expanded + inline within the chain that invokes it. In that sense, + in-line actions are very similar to macros. ----------------------------------------------------------------------------- - I I. K N O W N P R O B L E M S R E M A I N I N G ----------------------------------------------------------------------------- + In-line actions differ from macros in several ways: -1) On systems running Upstart, shorewall-init cannot reliably secure - the firewall before interfaces are brought up. + a) A zone may be specified in the SOURCE and DEST columns of a + macro, while zone names are disallowed in these columns within + an in-line action (same as in a regular action). ----------------------------------------------------------------------------- - I I I. N E W F E A T U R E S I N T H I S R E L E A S E ----------------------------------------------------------------------------- + b) The name of the current chain is available in $0 within the body + of an in-line action (also within a regular action beginning with + Beta 3). -1) Prior to this release, if a dynamic zone was associated with more - than one interface, then Shorewall created a separate ipset for - each interface. This meant that multiple 'add' and 'delete' - commands might be required to change the zone composition. + c) In-line actions accept multiple parameters which are available + in$1, $2, etc (as they are in a regular action). 
- This release introduces a 'dynamic_shared' zone option. When that - option is specified, a single ipset is generated regardless of the - number of entries the zone has in the hosts file. + d) PARAM has no special meaning in the body of an in-line action + ($1 serves the same purpose in an in-line action). - The 'dynamic_shared' option may only be specified in the OPTIONS - column of the zones file. + e) Only FORMAT 2 is available in an in-line action. - The syntax of the 'add' and 'delete' commands is changed for zones - having the 'dynamic_shared' option: + f) In-line actions must be defined in + /etc/shorewall[6]/actions. Those files have been extended to + include an OPTIONS column. The only option currently supported + is 'in-line'. - add <zone> <address>[,<address> ... ] + In-line actions differ from normal actions in that: - delete <zone> <address>[,<address> ... ] + a) Obviously, they are expanded in-line like a macro rather than + being in their own chain. That means that columns in the + invocation are merged with those in the action body in the same + way as they are in a macro. - Example: + b) When AUTOCOMMENT=Yes, each generated rule is commented with the + name of an in-line action. - shorewall add direct 172.20.1.99 + c) Within an in-line action, ?BEGIN PERL ... ?END PERL does not + have access to the special features available in action a normal + action body. - The syntax for 'add' and 'delete' for zones not having the - 'dynamic_shared' option is unchanged. + The compiler allows overriding the setting of 'inline' on the + Shorewall standard actions within + /etc/shorewall[6]/actions. Beware, however, that some of them + don't work when in-lined so the compiler will ignore the 'inline' + option with a warning for those actions: -2) Puppet and Teredo macros have been contributed by Paul Gear. 
+ Broadcast + DropSmurfs + Invalid + NonSyn + RST + TCPFlags -3) The 'show' command now supports a -b (brief) option that suppresses - listing of rules that have zero packet count and omits chains that - have no rules listed (Paul Gear). +12) In SWITCH columns, the named switch can now be initialized by the + 'start' command (other commands do not change switch values). -4) A CHECKSUM action has been added to the tcrules files. This action - computes and fills in the checksum in a packet that lacks one. - This is particularly useful if you need to work around old - applications, such as dhcp clients, that do not work well with - checksum offloads, but you don't want to disable checksum offload - in your device. + Initialization is accomplished by adding '=0' or '=1' to the + switch name. - As part of this change, a new 'Checksum Target' capability has been - added, so if you use a capabilities file, it needs to be - re-generated after you install this release. + Example (using alternative rule column specification): -5) The 'shorewall6 show routing' command now sorts the contents of - each routing table in the same way as 'shorewall show routing'. + #ACTION SOURCE DEST ... + NFLOG all all ; switch:logall=1 -6) It is now possible to specify a mark range in the ACTION column of - the tcrules file. This causes the generated ruleset to assign marks - in the range in round-robin fashion. As part of this change, a - STATE column is also added that allows marks to be assigned only to - packets that are in one of the specified states (NEW, RELATED, - ESTABLISHED, etc.). Specifying NEW in this column along with - a range in the ACTION column allows for load-balancing SNAT rules - over a number of different external addresses. + The above will cause the 'logall' switch + (/proc/net/nf_condition/logall) to be initialized to 1 (on). 
Note + that netfilter provides no atomic way to define and initialize a + switch so the loading of the ruleset and the initialization of the + switches are distinct operations. - Example: +13) Also in SWITCH columns, the name of the current Netfilter chain + will be substituted for '@0' and '@{0}'. - /etc/shorewall/tcrules + Example (using alternative rule column specification): - #ACTION SOURCE DEST ... - 1-3:CF eth1 172.20.1.0/24 ; state=NEW + #ACTION SOURCE DEST ... + NFLOG net fw ; switch:@{0}_logall - /etc/shorewall/masq + The name of the switch will be 'net2fw_logall'. - #INTERFACE SOURCE ADDRESS ... - eth0 192.168.1.0/24 1.1.1.1 ; mark=1:C - eth0 192.168.1.0/24 1.1.1.5 ; mark=2:C - eth0 192.168.1.0/24 1.1.1.9 ; mark=3:C + Note 1: Non-alphanumeric characters other than '_' and '-' will be + deleted from the chain name before substitution. + + Note 2: The chain name substituted is the one to which the rule is + initially added. The rule may end up in a different chain due to + optimization. + +14) Optimization level 16 now suppresses duplicate rules in chains from + all tables (it previously only suppressed duplicates in the 'raw' + table). + + Non-adjacent rules containing 'mark', 'connmark', 'dscp', 'ecn', + 'set', 'tos' or 'u32' matches are not suppressed: - Specifying a mark range require the 'Statistics Match' capability - in your iptables and kernel. - ---------------------------------------------------------------------------- V. M I G R A T I O N I S S U E S ---------------------------------------------------------------------------- 
@@ -314,6 +338,187 @@ ---------------------------------------------------------------------------- V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 5 . 9 +---------------------------------------------------------------------------- +4.5.9.3 + +1) References to the obsolete USE_ACTIONS option have been removed + from the manpages. + +2) NFLOG has been documented for some time as a valid ACTION in the + rules files but support for that action has never been implemented + until this release. + +3) The Checksum Target capability detection in the rules compiler was + broken with the result that the presence of the capability was not + detected. + +4) If an interface named in the INTERFACE column was not defined in + tcdevices and if the REDIRECTED column for that entry was + non-empty, then compile-time Perl diagnostics were generated and an + invalid firewall script was generated. + +5) When LOAD_HELPERS_ONLY=No, the 'compile' command previously left + behind a temporary chain in the raw table. + +6) Under very rare circumstances involving exclusion in multiple + Netfilter tables, optimization level 8 could result in + start/restart failure or jumps to the wrong exclusion chain. + +7) 4.5.9.2 broke multi-ISP on RHEL5-based systems. This release + includes a patch from Tuomo Soini that corrects the problem. + +4.5.9.2 + +1) Previously, the rules in the 'routemark' chain did not specify a + mask in the MARK target. While a mask isn't strictly necessary in + those rules, one has been added to ally fears of those who read the + generated ruleset. + + Note: The 'routemark' chain is used to apply provider marks to + packets received from 'track' provider interfaces. It is traversed + early in the mangle PREROUTING chain when no other marks have yet + been applied to the packet. 
+ +2) If exclusion was used with TPROXY in the tcrules file, an invalid + iptables ruleset was generated causing start and restart commands + to fail when running iptables-restore. + +3) Previously, when the name of provider was the same as it's + associated interface, the generated script contained a syntax + error. + +4.5.9.1 + +1) Previously, using a wildcard interface name in a rule would result + in this error: + + ERROR: Invalid ipset name (ppp+) : ... + + Such entries are now handled correctly. + +2) The shorewall-masq(5) manpage incorrectly stated that the SOURCE + column may use exclusion with an interface name (e.g., + eth1:!1.2.3.4). That hasn't been the case for some time. To + accomplish the same thing, do this: + + eth0 1.2.3.4 NONAT + eth0 eth1 + + Note: Using an interface name in the SOURCE column is deprecated. + +3) Previously, if a MARK was specified for a tc class that explicitly + specified a class number, the following spurious warning message + was issued: + + WARNING: Class NUMBER ignored -- + INTERFACE <name> does not have the 'classify' option + + That warning message is no longer issued. + +4) With Shorewall 4.5.9, there were issues when the ipset utility was + not installed, some of which prevented Shorewall from starting. + +4.5.9 + +1) This release contains all defect repair from Shorewall 4.5.8.2. + +2) A typo has been corrected in the shorewallrc.default file. + +3) Beginning with Shorewall 4.5.7.2, Shorewall unconditionally + restores the provider mark as the first rule in the mangle table + OUTPUT and PREROUTING chains. Previously, the provider mark was + restored only if it was non-zero. + + It has become clear that some users need it one way while others + need it the other way. To resolve this issue, a RESTORE_ROUTEMARKS + option has been added to shorewall.conf and shorewall6.conf. 
When + this option is set to Yes (the default), the 4.5.7.2 approach is + used (always restore the mark, even if it is zero); when it is set + to No, the pre-4.5.7.2 behavior is retained (only restore the mark + if it is non-zero). + +4) Two error messages produced by the RST action have been + corrected. They previously referred to errors in the NotSyn action + rather than RST. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 5 . 9 +---------------------------------------------------------------------------- + +1) Prior to this release, if a dynamic zone was associated with more + than one interface, then Shorewall created a separate ipset for + each interface. This meant that multiple 'add' and 'delete' + commands might be required to change the zone composition. + + This release introduces a 'dynamic_shared' zone option. When that + option is specified, a single ipset is generated regardless of the + number of entries the zone has in the hosts file. + + The 'dynamic_shared' option may only be specified in the OPTIONS + column of the zones file. + + The syntax of the 'add' and 'delete' commands is changed for zones + having the 'dynamic_shared' option: + + add <zone> <address>[,<address> ... ] + + delete <zone> <address>[,<address> ... ] + + Example: + + shorewall add direct 172.20.1.99 + + The syntax for 'add' and 'delete' for zones not having the + 'dynamic_shared' option is unchanged. + +2) Puppet and Teredo macros have been contributed by Paul Gear. + +3) The 'show' command now supports a -b (brief) option that suppresses + listing of rules that have zero packet count and omits chains that + have no rules listed (Paul Gear). + +4) A CHECKSUM action has been added to the tcrules files. This action + computes and fills in the checksum in a packet that lacks one. 
+ This is particularly useful if you need to work around old + applications, such as dhcp clients, that do not work well with + checksum offloads, but you don't want to disable checksum offload + in your device. + + As part of this change, a new 'Checksum Target' capability has been + added, so if you use a capabilities file, it needs to be + re-generated after you install this release. + +5) The 'shorewall6 show routing' command now sorts the contents of + each routing table in the same way as 'shorewall show routing'. + +6) It is now possible to specify a mark range in the ACTION column of + the tcrules file. This causes the generated ruleset to assign marks + in the range in round-robin fashion. As part of this change, a + STATE column is also added that allows marks to be assigned only to + packets that are in one of the specified states (NEW, RELATED, + ESTABLISHED, etc.). Specifying NEW in this column along with + a range in the ACTION column allows for load-balancing SNAT rules + over a number of different external addresses. + + Example: + + /etc/shorewall/tcrules + + #ACTION SOURCE DEST ... + 1-3:CF eth1 172.20.1.0/24 ; state=NEW + + /etc/shorewall/masq + + #INTERFACE SOURCE ADDRESS ... + eth0 192.168.1.0/24 1.1.1.1 ; mark=1:C + eth0 192.168.1.0/24 1.1.1.5 ; mark=2:C + eth0 192.168.1.0/24 1.1.1.9 ; mark=3:C + + Specifying a mark range require the 'Statistics Match' capability + in your iptables and kernel. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 5 . 8 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.9.2/shorewall-core.spec new/shorewall-core-4.5.10/shorewall-core.spec --- old/shorewall-core-4.5.9.2/shorewall-core.spec 2012-11-17 16:46:47.000000000 +0100 +++ new/shorewall-core-4.5.10/shorewall-core.spec 2012-12-08 01:57:35.000000000 +0100 
@@ -1,6 +1,6 @@ %define name shorewall-core -%define version 4.5.9 -%define release 2 +%define version 4.5.10 +%define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} @@ -62,6 +62,16 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt %changelog +* Sun Dec 02 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.10-0base +* Wed Nov 28 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.10-0RC1 +* Sat Nov 24 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.10-0Beta3 +* Tue Nov 20 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.10-0Beta2 +* Fri Nov 16 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.10-0Beta1 * Sun Nov 11 2012 Tom Eastep tom@shorewall.net - Updated to 4.5.9-2 * Sat Nov 03 2012 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.9.2/uninstall.sh new/shorewall-core-4.5.10/uninstall.sh --- old/shorewall-core-4.5.9.2/uninstall.sh 2012-11-17 16:46:47.000000000 +0100 +++ new/shorewall-core-4.5.10/uninstall.sh 2012-12-08 01:57:35.000000000 +0100 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.5.9.2 +VERSION=4.5.10 usage() # $1 = exit status { ++++++ shorewall-docs-html-4.5.9.2.tar.bz2 -> shorewall-docs-html-4.5.10.tar.bz2 ++++++ ++++ 7458 lines of diff (skipped) ++++++ shorewall-init-4.5.9.2.tar.bz2 -> shorewall-init-4.5.10.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.9.2/changelog.txt new/shorewall-init-4.5.10/changelog.txt --- old/shorewall-init-4.5.9.2/changelog.txt 2012-11-17 16:46:47.000000000 +0100 +++ new/shorewall-init-4.5.10/changelog.txt 2012-12-08 01:57:36.000000000 +0100 
@@ -1,3 +1,99 @@ +Changes in 4.5.10 Final + +1) Update release documents. + +2) Correct pushing of parameters with nested parens. + +3) Remove extraneous ',' from the rule generated by action.RST. + +Changes in 4.5.10 RC 1 + +1) Change '@' substitution to '@0' (${0}'. + +2) Disallow leading '0' in action parameter numbers. + +3) Eliminate the need for functions called by + Shorewall::Compiler::generate_script_3 to have knowledge of the + current script file indentation. + +4) Copy the temporary script to $VARDIR/$PRODUCT/firewall before + running the 'started' script. + +5) Ignore 'inline' on certain actions. + +6) Only initialize switches that survived optimization. + +7) Be more agressive about detecting action recursion. + +8) Support passing log levels inside parameters. + +9) Fix AUTOCOMMENT=No + +10) Delete duplicate rules in tables + +Changes in 4.5.10 Beta 3 + +1) Update release documents. + +2) Inherit 'tag' from macro/action invocation. + +3) Correct NFLOG/ULOG documentation. + +4) Another optimizer bug fixed. + +5) Multiple parameter support for macros. + +6) $0 expands to current action chain name. + +7) Replace '@' by chain name in SWITCH contents. + +8) Add in-line actions. + +9) Add switch initialization. + +10) Allowing inline override on Standard Actions. + +Changes in 4.5.10 Beta 2 + +1) Update release documents. + +2) New macro expansion capability. + +3) Add NFLOG and ULOG macros. + +4) Add UNTRACKED match to the secmarks file. + +5) Add DROP target to the conntrack file. + +6) Remove references to USE_ACTIONS + +7) Allow macros to be used as default actions. + +8) Correct the compiler's CHECKSUM detection + +9) Don't generate start/stop functions for wildcard optional + interfaces. + +10) Apply Tuomo Soini's fix for RHEL5 + +11) Improve handling of 'all' in the conntrack file. + +12) Add SWITCH column to the conntrack file. + +13) Add AUDIT built-in + +14) Support audited targets on IPv6. 
+ +Changes in 4.5.10 Beta 1 + +1) Update release documents. + +2) Treat optional interfaces as pseudo-providers. + +3) New macro expansion capability. + +4) Add NFLOG and ULOG macros. + Changes in 4.5.9.2 1) Update release documents. @@ -8,8 +104,6 @@ 4) Make exclusion work with TPROXY. -5) Fix 'enable' when interface and provider have same name. - Changes in 4.5.9.1 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.9.2/configure new/shorewall-init-4.5.10/configure --- old/shorewall-init-4.5.9.2/configure 2012-11-17 16:46:47.000000000 +0100 +++ new/shorewall-init-4.5.10/configure 2012-12-08 01:57:36.000000000 +0100 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.5.9.2 +VERSION=4.5.10 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.9.2/configure.pl new/shorewall-init-4.5.10/configure.pl --- old/shorewall-init-4.5.9.2/configure.pl 2012-11-17 16:46:47.000000000 +0100 +++ new/shorewall-init-4.5.10/configure.pl 2012-12-08 01:57:36.000000000 +0100 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.5.9.2' + VERSION => '4.5.10' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.9.2/install.sh new/shorewall-init-4.5.10/install.sh --- old/shorewall-init-4.5.9.2/install.sh 2012-11-17 16:46:47.000000000 +0100 +++ new/shorewall-init-4.5.10/install.sh 2012-12-08 01:57:36.000000000 +0100 
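Review bot: In the shorewall-init changelog.txt hunk, removing "5) Fix 'enable' when interface and provider have same name." from the 4.5.9.2 section leaves changelog.txt and releasenotes.txt disagreeing about what 4.5.9.2 fixed: the releasenotes hunk in this same patch keeps a 4.5.9.2 entry for a provider that shares its interface's name (reworded as a syntax error in the generated script). Either keep the changelog entry with the reworded text or drop it from both files. Three small text defects in the added 4.5.10 lines while they are being touched: RC 1 item 1 has an unbalanced quote/paren in `1) Change '@' substitution to '@0' (${0}'.`, RC 1 item 7 reads "agressive" for "aggressive", and Beta 1 items 3 and 4 ("New macro expansion capability", "Add NFLOG and ULOG macros") repeat Beta 2 items 2 and 3 verbatim, so one of the two sections is misattributing those changes.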
@@ -23,7 +23,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.5.9.2 +VERSION=4.5.10 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.9.2/releasenotes.txt new/shorewall-init-4.5.10/releasenotes.txt --- old/shorewall-init-4.5.9.2/releasenotes.txt 2012-11-17 16:46:47.000000000 +0100 +++ new/shorewall-init-4.5.10/releasenotes.txt 2012-12-08 01:57:36.000000000 +0100 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 5 . 9 . 2 + S H O R E W A L L 4 . 5 . 1 0 ------------------------------------ - N o v e m b e r 1 7 , 2 0 1 2 + D e c e m b e r 0 2 , 2 0 1 2 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -15,162 +15,186 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.5.9.2 +1) This release includes all defect repair included in + 4.5.9.1-4.5.9.3. -1) Previously, the rules in the 'routemark' chain did not specify a - mask in the MARK target. While a mask isn't strictly necessary in - those rules, one has been added to ally fears of those who read the - generated ruleset. +2) Under rare circumstances, optimize level 16 could produce invalid + iptables-restore input which would cause start/restart to fail. - Note: The 'routemark' chain is used to apply provider marks to - packets received from 'track' provider interfaces. It is traversed - early in the mangle PREROUTING chain when no other marks have yet - been applied to the packet. +3) Before this release, the 'started' script was run prior to copying + the temporary script file (e.g., /var/lib/shorewall/.start) to + /var/dir/shorewall/firewall. If the script failed, the copy would + not take place even though the firewall had started + successfully. The script is now copied before running the 'started' + script. + + If you compare the script generated by this release with one + generated by a prior release, We suggest that you ignore whitespace + changes (e.g., use the '-w' option in diff); that way, you can see + the actual change more clearly. -2) If exclusion was used with TPROXY in the tcrules file, an invalid - iptables ruleset was generated causing start and restart commands - to fail when running iptables-restore. +4) AUTOCOMMENT=No now works correctly; previously, it behaved the same + as AUTOCOMMENT=Yes. -3) Previously, if a provider and its interface had the same name, then - the 'enable' command would not work on that interface. +5) A harmless extraneous comma has been deleted from the rule + generated by action.RST. 
-4.5.9.1 +---------------------------------------------------------------------------- + I I. K N O W N P R O B L E M S R E M A I N I N G +---------------------------------------------------------------------------- -1) Previously, using a wildcard interface name in a rule would result - in this error: +1) On systems running Upstart, shorewall-init cannot reliably secure + the firewall before interfaces are brought up. - ERROR: Invalid ipset name (ppp+) : ... +---------------------------------------------------------------------------- + I I I. N E W F E A T U R E S I N T H I S R E L E A S E +---------------------------------------------------------------------------- - Such entries are now handled correctly. +1) Shorewall now treats optional non-provider interfaces in a manner + similar to provider interfaces. -2) The shorewall-masq(5) manpage incorrectly stated that the SOURCE - column may use exclusion with an interface name (e.g., - eth1:!1.2.3.4). That hasn't been the case for some time. To - accomplish the same thing, do this: + - They may have entries in /etc/shorewall/routes. + - They may be enabled/disabled using the 'enable' and 'disable' + commands. + - Shorewall-init will simply enable an optional interface when it + comes up and disable it when it goes down. - eth0 1.2.3.4 NONAT - eth0 eth1 +2) The /etc/shorewall/secmarks and /etc/shorewall6/secmarks files now + support the UNTRACKED state. See the manpages for details. - Note: Using an interface name in the SOURCE column is deprecated. +3) The /etc/shorewall/conntrack and /etc/shorewall6/conntrack files + now support a DROP target. -3) Previously, if a MARK was specified for a tc class that explicitly - specified a class number, the following spurious warning message - was issued: + It is now possible to specify 'all-' in the SOURCE column which + generates rules for all zones that are outside of the firewall + itself. 
- WARNING: Class NUMBER ignored -- - INTERFACE <name> does not have the 'classify' option +4) A SWITCH column has been added to the /etc/shorewall/conntrack and + /etc/shorewall/conntrack6 files. - That warning message is no longer issued. +5) In a SWITCH column, the character '@' is replaced by the chain + name (non-alphanumeric characters other than '-' and '_' are + suppressed). -4) With Shorewall 4.5.9, there were issues when the ipset utility was - not installed, some of which prevented Shorewall from starting. +6) An AUDIT action has been added to the /etc/shorewall/rules and + /etc/shorewall6/rules. -4.5.9 +7) The audited targets (A_ACCEPT, A_DROP, etc.) are now supported in + /etc/shorewall6/rules. -1) This release contains all defect repair from Shorewall 4.5.8.2. +8) An additional format (3) has been added to the conntrack file. In + this format, zone names are not used in the SOURCE column; rather, + a suffix in the ACTION column determines which raw-table chain the + generated Netfilter rule will be placed in. See the manpages for + details. -2) A typo has been corrected in the shorewallrc.default file. +9) A ULOG ACTION has been added to /etc/shorewall/rules. -3) Beginning with Shorewall 4.5.7.2, Shorewall unconditionally - restores the provider mark as the first rule in the mangle table - OUTPUT and PREROUTING chains. Previously, the provider mark was - restored only if it was non-zero. +10) Within an action body, the variable $0 now expands to the action + chain name (including leading '%' if present). - It has become clear that some users need it one way while others - need it the other way. To resolve this issue, a RESTORE_ROUTEMARKS - option has been added to shorewall.conf and shorewall6.conf. When - this option is set to Yes (the default), the 4.5.7.2 approach is - used (always restore the mark, even if it is zero); when it is set - to No, the pre-4.5.7.2 behavior is retained (only restore the mark - if it is non-zero). 
+11) 'In-line' actions are now available. An action is designated as + in-line within /etc/shorewall[6]/actions; that file has a + new OPTIONS column and specifying 'inline' in that column + designates the action as in-line. -4) Two error messages produced by the RST action have been - corrected. They previously referred to errors in the NotSyn action - rather than RST. + Normally, actions are expanded into their own chain with a + unique chain being created for each unique invocation (considering + log level, tag and parameters). An in-line actions is expanded + inline within the chain that invokes it. In that sense, + in-line actions are very similar to macros. ----------------------------------------------------------------------------- - I I. K N O W N P R O B L E M S R E M A I N I N G ----------------------------------------------------------------------------- + In-line actions differ from macros in several ways: -1) On systems running Upstart, shorewall-init cannot reliably secure - the firewall before interfaces are brought up. + a) A zone may be specified in the SOURCE and DEST columns of a + macro, while zone names are disallowed in these columns within + an in-line action (same as in a regular action). ----------------------------------------------------------------------------- - I I I. N E W F E A T U R E S I N T H I S R E L E A S E ----------------------------------------------------------------------------- + b) The name of the current chain is available in $0 within the body + of an in-line action (also within a regular action beginning with + Beta 3). -1) Prior to this release, if a dynamic zone was associated with more - than one interface, then Shorewall created a separate ipset for - each interface. This meant that multiple 'add' and 'delete' - commands might be required to change the zone composition. + c) In-line actions accept multiple parameters which are available + in$1, $2, etc (as they are in a regular action). 
- This release introduces a 'dynamic_shared' zone option. When that - option is specified, a single ipset is generated regardless of the - number of entries the zone has in the hosts file. + d) PARAM has no special meaning in the body of an in-line action + ($1 serves the same purpose in an in-line action). - The 'dynamic_shared' option may only be specified in the OPTIONS - column of the zones file. + e) Only FORMAT 2 is available in an in-line action. - The syntax of the 'add' and 'delete' commands is changed for zones - having the 'dynamic_shared' option: + f) In-line actions must be defined in + /etc/shorewall[6]/actions. Those files have been extended to + include an OPTIONS column. The only option currently supported + is 'in-line'. - add <zone> <address>[,<address> ... ] + In-line actions differ from normal actions in that: - delete <zone> <address>[,<address> ... ] + a) Obviously, they are expanded in-line like a macro rather than + being in their own chain. That means that columns in the + invocation are merged with those in the action body in the same + way as they are in a macro. - Example: + b) When AUTOCOMMENT=Yes, each generated rule is commented with the + name of an in-line action. - shorewall add direct 172.20.1.99 + c) Within an in-line action, ?BEGIN PERL ... ?END PERL does not + have access to the special features available in action a normal + action body. - The syntax for 'add' and 'delete' for zones not having the - 'dynamic_shared' option is unchanged. + The compiler allows overriding the setting of 'inline' on the + Shorewall standard actions within + /etc/shorewall[6]/actions. Beware, however, that some of them + don't work when in-lined so the compiler will ignore the 'inline' + option with a warning for those actions: -2) Puppet and Teredo macros have been contributed by Paul Gear. 
+ Broadcast + DropSmurfs + Invalid + NonSyn + RST + TCPFlags -3) The 'show' command now supports a -b (brief) option that suppresses - listing of rules that have zero packet count and omits chains that - have no rules listed (Paul Gear). +12) In SWITCH columns, the named switch can now be initialized by the + 'start' command (other commands do not change switch values). -4) A CHECKSUM action has been added to the tcrules files. This action - computes and fills in the checksum in a packet that lacks one. - This is particularly useful if you need to work around old - applications, such as dhcp clients, that do not work well with - checksum offloads, but you don't want to disable checksum offload - in your device. + Initialization is accomplished by adding '=0' or '=1' to the + switch name. - As part of this change, a new 'Checksum Target' capability has been - added, so if you use a capabilities file, it needs to be - re-generated after you install this release. + Example (using alternative rule column specification): -5) The 'shorewall6 show routing' command now sorts the contents of - each routing table in the same way as 'shorewall show routing'. + #ACTION SOURCE DEST ... + NFLOG all all ; switch:logall=1 -6) It is now possible to specify a mark range in the ACTION column of - the tcrules file. This causes the generated ruleset to assign marks - in the range in round-robin fashion. As part of this change, a - STATE column is also added that allows marks to be assigned only to - packets that are in one of the specified states (NEW, RELATED, - ESTABLISHED, etc.). Specifying NEW in this column along with - a range in the ACTION column allows for load-balancing SNAT rules - over a number of different external addresses. + The above will cause the 'logall' switch + (/proc/net/nf_condition/logall) to be initialized to 1 (on). 
Note + that netfilter provides no atomic way to define and initialize a + switch so the loading of the ruleset and the initialization of the + switches are distinct operations. - Example: +13) Also in SWITCH columns, the name of the current Netfilter chain + will be substituted for '@0' and '@{0}'. - /etc/shorewall/tcrules + Example (using alternative rule column specification): - #ACTION SOURCE DEST ... - 1-3:CF eth1 172.20.1.0/24 ; state=NEW + #ACTION SOURCE DEST ... + NFLOG net fw ; switch:@{0}_logall - /etc/shorewall/masq + The name of the switch will be 'net2fw_logall'. - #INTERFACE SOURCE ADDRESS ... - eth0 192.168.1.0/24 1.1.1.1 ; mark=1:C - eth0 192.168.1.0/24 1.1.1.5 ; mark=2:C - eth0 192.168.1.0/24 1.1.1.9 ; mark=3:C + Note 1: Non-alphanumeric characters other than '_' and '-' will be + deleted from the chain name before substitution. + + Note 2: The chain name substituted is the one to which the rule is + initially added. The rule may end up in a different chain due to + optimization. + +14) Optimization level 16 now suppresses duplicate rules in chains from + all tables (it previously only suppressed duplicates in the 'raw' + table). + + Non-adjacent rules containing 'mark', 'connmark', 'dscp', 'ecn', + 'set', 'tos' or 'u32' matches are not suppressed: - Specifying a mark range require the 'Statistics Match' capability - in your iptables and kernel. - ---------------------------------------------------------------------------- V. M I G R A T I O N I S S U E S ---------------------------------------------------------------------------- 
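Review bot: Item 3 of PROBLEMS CORRECTED names the copy target as /var/dir/shorewall/firewall while the same sentence uses /var/lib/shorewall/.start for the source and the changelog says $VARDIR/$PRODUCT/firewall; /var/dir looks like a typo for /var/lib, and since this item is exactly about which script file is left on disk when 'started' fails, the path should be right. Item 12 should say plainly what the closing note implies: between iptables-restore loading the ruleset and the write to /proc/net/nf_condition/<name>, rules that test the switch are already live and evaluate against its pre-initialization value, so a switch used to gate a permissive rule should be written as "=0" and turned on afterwards rather than the reverse; and, given changelog RC 1 item 6 ("Only initialize switches that survived optimization"), a switch whose every referencing rule was optimized away is never initialized, so external scripts that toggle switches should not assume the entry exists. Item 11 is internally inconsistent about the keyword: the first paragraph says to specify 'inline' in the OPTIONS column, while (f) says "The only option currently supported is 'in-line'"; the changelog uses 'inline', so (f) should too. Item 4 refers to /etc/shorewall/conntrack6 where item 3 and the rest of the document use /etc/shorewall6/conntrack. Item 14 ends with "are not suppressed:" and nothing follows, so either the colon should be a period or the list of what it was meant to introduce is missing; since this release widens duplicate-rule suppression from the raw table to all tables, readers comparing generated scripts (as item 3 suggests, with diff -w) need the complete statement of what the optimizer will and will not drop. Minor wording in the same hunk: "in$1" is missing a space, "We suggest" is capitalized mid-sentence, and "does not have access to the special features available in action a normal action body" has a stray "in action".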
@@ -314,6 +338,187 @@ ---------------------------------------------------------------------------- V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 5 . 9 +---------------------------------------------------------------------------- +4.5.9.3 + +1) References to the obsolete USE_ACTIONS option have been removed + from the manpages. + +2) NFLOG has been documented for some time as a valid ACTION in the + rules files but support for that action has never been implemented + until this release. + +3) The Checksum Target capability detection in the rules compiler was + broken with the result that the presence of the capability was not + detected. + +4) If an interface named in the INTERFACE column was not defined in + tcdevices and if the REDIRECTED column for that entry was + non-empty, then compile-time Perl diagnostics were generated and an + invalid firewall script was generated. + +5) When LOAD_HELPERS_ONLY=No, the 'compile' command previously left + behind a temporary chain in the raw table. + +6) Under very rare circumstances involving exclusion in multiple + Netfilter tables, optimization level 8 could result in + start/restart failure or jumps to the wrong exclusion chain. + +7) 4.5.9.2 broke multi-ISP on RHEL5-based systems. This release + includes a patch from Tuomo Soini that corrects the problem. + +4.5.9.2 + +1) Previously, the rules in the 'routemark' chain did not specify a + mask in the MARK target. While a mask isn't strictly necessary in + those rules, one has been added to ally fears of those who read the + generated ruleset. + + Note: The 'routemark' chain is used to apply provider marks to + packets received from 'track' provider interfaces. It is traversed + early in the mangle PREROUTING chain when no other marks have yet + been applied to the packet. 
+ +2) If exclusion was used with TPROXY in the tcrules file, an invalid + iptables ruleset was generated causing start and restart commands + to fail when running iptables-restore. + +3) Previously, when the name of provider was the same as it's + associated interface, the generated script contained a syntax + error. + +4.5.9.1 + +1) Previously, using a wildcard interface name in a rule would result + in this error: + + ERROR: Invalid ipset name (ppp+) : ... + + Such entries are now handled correctly. + +2) The shorewall-masq(5) manpage incorrectly stated that the SOURCE + column may use exclusion with an interface name (e.g., + eth1:!1.2.3.4). That hasn't been the case for some time. To + accomplish the same thing, do this: + + eth0 1.2.3.4 NONAT + eth0 eth1 + + Note: Using an interface name in the SOURCE column is deprecated. + +3) Previously, if a MARK was specified for a tc class that explicitly + specified a class number, the following spurious warning message + was issued: + + WARNING: Class NUMBER ignored -- + INTERFACE <name> does not have the 'classify' option + + That warning message is no longer issued. + +4) With Shorewall 4.5.9, there were issues when the ipset utility was + not installed, some of which prevented Shorewall from starting. + +4.5.9 + +1) This release contains all defect repair from Shorewall 4.5.8.2. + +2) A typo has been corrected in the shorewallrc.default file. + +3) Beginning with Shorewall 4.5.7.2, Shorewall unconditionally + restores the provider mark as the first rule in the mangle table + OUTPUT and PREROUTING chains. Previously, the provider mark was + restored only if it was non-zero. + + It has become clear that some users need it one way while others + need it the other way. To resolve this issue, a RESTORE_ROUTEMARKS + option has been added to shorewall.conf and shorewall6.conf. 
When + this option is set to Yes (the default), the 4.5.7.2 approach is + used (always restore the mark, even if it is zero); when it is set + to No, the pre-4.5.7.2 behavior is retained (only restore the mark + if it is non-zero). + +4) Two error messages produced by the RST action have been + corrected. They previously referred to errors in the NotSyn action + rather than RST. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 5 . 9 +---------------------------------------------------------------------------- + +1) Prior to this release, if a dynamic zone was associated with more + than one interface, then Shorewall created a separate ipset for + each interface. This meant that multiple 'add' and 'delete' + commands might be required to change the zone composition. + + This release introduces a 'dynamic_shared' zone option. When that + option is specified, a single ipset is generated regardless of the + number of entries the zone has in the hosts file. + + The 'dynamic_shared' option may only be specified in the OPTIONS + column of the zones file. + + The syntax of the 'add' and 'delete' commands is changed for zones + having the 'dynamic_shared' option: + + add <zone> <address>[,<address> ... ] + + delete <zone> <address>[,<address> ... ] + + Example: + + shorewall add direct 172.20.1.99 + + The syntax for 'add' and 'delete' for zones not having the + 'dynamic_shared' option is unchanged. + +2) Puppet and Teredo macros have been contributed by Paul Gear. + +3) The 'show' command now supports a -b (brief) option that suppresses + listing of rules that have zero packet count and omits chains that + have no rules listed (Paul Gear). + +4) A CHECKSUM action has been added to the tcrules files. This action + computes and fills in the checksum in a packet that lacks one. 
+ This is particularly useful if you need to work around old + applications, such as dhcp clients, that do not work well with + checksum offloads, but you don't want to disable checksum offload + in your device. + + As part of this change, a new 'Checksum Target' capability has been + added, so if you use a capabilities file, it needs to be + re-generated after you install this release. + +5) The 'shorewall6 show routing' command now sorts the contents of + each routing table in the same way as 'shorewall show routing'. + +6) It is now possible to specify a mark range in the ACTION column of + the tcrules file. This causes the generated ruleset to assign marks + in the range in round-robin fashion. As part of this change, a + STATE column is also added that allows marks to be assigned only to + packets that are in one of the specified states (NEW, RELATED, + ESTABLISHED, etc.). Specifying NEW in this column along with + a range in the ACTION column allows for load-balancing SNAT rules + over a number of different external addresses. + + Example: + + /etc/shorewall/tcrules + + #ACTION SOURCE DEST ... + 1-3:CF eth1 172.20.1.0/24 ; state=NEW + + /etc/shorewall/masq + + #INTERFACE SOURCE ADDRESS ... + eth0 192.168.1.0/24 1.1.1.1 ; mark=1:C + eth0 192.168.1.0/24 1.1.1.5 ; mark=2:C + eth0 192.168.1.0/24 1.1.1.9 ; mark=3:C + + Specifying a mark range require the 'Statistics Match' capability + in your iptables and kernel. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 5 . 8 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.9.2/shorewall-init.spec new/shorewall-init-4.5.10/shorewall-init.spec --- old/shorewall-init-4.5.9.2/shorewall-init.spec 2012-11-17 16:46:47.000000000 +0100 +++ new/shorewall-init-4.5.10/shorewall-init.spec 2012-12-08 01:57:36.000000000 +0100 
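Review bot: A migration note is missing from this hunk: 4.5.9.3 item 3 says Checksum Target detection was broken in the compiler, and 4.5.9 item 4 tells users to regenerate their capabilities file after installing 4.5.9; a capabilities file generated by 4.5.9 through 4.5.9.2 will therefore lack Checksum Target and has to be regenerated again with the fixed detection before CHECKSUM rules compile for shorewall-lite systems. The 4.5.9 item 6 masq example uses 1.1.1.1, 1.1.1.5 and 1.1.1.9 as SNAT addresses; these are globally routable, so a pasted example would NAT traffic to someone else's address space, and the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) should be used instead. Text fixes in the moved content: 4.5.9.2 item 3 "it's associated interface" should be "its", 4.5.9.2 item 1 "to ally fears" should be "to allay fears", and the last line of 4.5.9 item 6 "Specifying a mark range require" should be "requires".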
@@ -1,6 +1,6 @@ %define name shorewall-init -%define version 4.5.9 -%define release 2 +%define version 4.5.10 +%define release 0base Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} @@ -125,6 +125,16 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Sun Dec 02 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.10-0base +* Wed Nov 28 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.10-0RC1 +* Sat Nov 24 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.10-0Beta3 +* Tue Nov 20 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.10-0Beta2 +* Fri Nov 16 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.10-0Beta1 * Sun Nov 11 2012 Tom Eastep tom@shorewall.net - Updated to 4.5.9-2 * Sat Nov 03 2012 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.9.2/uninstall.sh new/shorewall-init-4.5.10/uninstall.sh --- old/shorewall-init-4.5.9.2/uninstall.sh 2012-11-17 16:46:47.000000000 +0100 +++ new/shorewall-init-4.5.10/uninstall.sh 2012-12-08 01:57:36.000000000 +0100 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.5.9.2 +VERSION=4.5.10 usage() # $1 = exit status { ++++++ shorewall-lite-4.5.9.2.tar.bz2 -> shorewall-lite-4.5.10.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.9.2/changelog.txt new/shorewall-lite-4.5.10/changelog.txt --- old/shorewall-lite-4.5.9.2/changelog.txt 2012-11-17 16:46:47.000000000 +0100 +++ new/shorewall-lite-4.5.10/changelog.txt 2012-12-08 01:57:36.000000000 +0100 
@@ -1,3 +1,99 @@ +Changes in 4.5.10 Final + +1) Update release documents. + +2) Correct pushing of parameters with nested parens. + +3) Remove extraneous ',' from the rule generated by action.RST. + +Changes in 4.5.10 RC 1 + +1) Change '@' substitution to '@0' (${0}'. + +2) Disallow leading '0' in action parameter numbers. + +3) Eliminate the need for functions called by + Shorewall::Compiler::generate_script_3 to have knowledge of the + current script file indentation. + +4) Copy the temporary script to $VARDIR/$PRODUCT/firewall before + running the 'started' script. + +5) Ignore 'inline' on certain actions. + +6) Only initialize switches that survived optimization. + +7) Be more agressive about detecting action recursion. + +8) Support passing log levels inside parameters. + +9) Fix AUTOCOMMENT=No + +10) Delete duplicate rules in tables + +Changes in 4.5.10 Beta 3 + +1) Update release documents. + +2) Inherit 'tag' from macro/action invocation. + +3) Correct NFLOG/ULOG documentation. + +4) Another optimizer bug fixed. + +5) Multiple parameter support for macros. + +6) $0 expands to current action chain name. + +7) Replace '@' by chain name in SWITCH contents. + +8) Add in-line actions. + +9) Add switch initialization. + +10) Allowing inline override on Standard Actions. + +Changes in 4.5.10 Beta 2 + +1) Update release documents. + +2) New macro expansion capability. + +3) Add NFLOG and ULOG macros. + +4) Add UNTRACKED match to the secmarks file. + +5) Add DROP target to the conntrack file. + +6) Remove references to USE_ACTIONS + +7) Allow macros to be used as default actions. + +8) Correct the compiler's CHECKSUM detection + +9) Don't generate start/stop functions for wildcard optional + interfaces. + +10) Apply Tuomo Soini's fix for RHEL5 + +11) Improve handling of 'all' in the conntrack file. + +12) Add SWITCH column to the conntrack file. + +13) Add AUDIT built-in + +14) Support audited targets on IPv6. 
+ +Changes in 4.5.10 Beta 1 + +1) Update release documents. + +2) Treat optional interfaces as pseudo-providers. + +3) New macro expansion capability. + +4) Add NFLOG and ULOG macros. + Changes in 4.5.9.2 1) Update release documents. @@ -8,8 +104,6 @@ 4) Make exclusion work with TPROXY. -5) Fix 'enable' when interface and provider have same name. - Changes in 4.5.9.1 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.9.2/configure new/shorewall-lite-4.5.10/configure --- old/shorewall-lite-4.5.9.2/configure 2012-11-17 16:46:47.000000000 +0100 +++ new/shorewall-lite-4.5.10/configure 2012-12-08 01:57:36.000000000 +0100 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.5.9.2 +VERSION=4.5.10 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.9.2/configure.pl new/shorewall-lite-4.5.10/configure.pl --- old/shorewall-lite-4.5.9.2/configure.pl 2012-11-17 16:46:47.000000000 +0100 +++ new/shorewall-lite-4.5.10/configure.pl 2012-12-08 01:57:36.000000000 +0100 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.5.9.2' + VERSION => '4.5.10' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.9.2/install.sh new/shorewall-lite-4.5.10/install.sh --- old/shorewall-lite-4.5.9.2/install.sh 2012-11-17 16:46:47.000000000 +0100 +++ new/shorewall-lite-4.5.10/install.sh 2012-12-08 01:57:36.000000000 +0100 
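Review bot: This shorewall-lite changelog.txt hunk is a verbatim copy of the shorewall-init changelog.txt hunk earlier in the patch, including the removal of the 4.5.9.2 'enable' entry that releasenotes.txt still describes, the "agressive" typo, the unbalanced `'@0' (${0}'.` and the Beta 1/Beta 2 duplicated items; whatever is decided for that hunk has to be applied here as well, since the two files are evidently meant to stay identical.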
@@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.5.9.2 +VERSION=4.5.10 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.9.2/manpages/shorewall-lite-vardir.5 new/shorewall-lite-4.5.10/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-4.5.9.2/manpages/shorewall-lite-vardir.5 2012-11-17 16:52:30.000000000 +0100 +++ new/shorewall-lite-4.5.10/manpages/shorewall-lite-vardir.5 2012-12-08 02:03:13.000000000 +0100 @@ -2,12 +2,12 @@ .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.75.2 http://docbook.sf.net/ -.\" Date: 11/17/2012 +.\" Date: 12/07/2012 .\" Manual: [FIXME: manual] .\" Source: [FIXME: source] .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "11/17/2012" "[FIXME: source]" "[FIXME: manual]" +.TH "SHOREWALL\-LITE\-VAR" "5" "12/07/2012" "[FIXME: source]" "[FIXME: manual]" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.9.2/manpages/shorewall-lite.8 new/shorewall-lite-4.5.10/manpages/shorewall-lite.8 --- old/shorewall-lite-4.5.9.2/manpages/shorewall-lite.8 2012-11-17 16:52:32.000000000 +0100 +++ new/shorewall-lite-4.5.10/manpages/shorewall-lite.8 2012-12-08 02:03:15.000000000 +0100 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.75.2 http://docbook.sf.net/ -.\" Date: 11/17/2012 +.\" Date: 12/07/2012 .\" Manual: [FIXME: manual] .\" Source: [FIXME: source] .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "11/17/2012" "[FIXME: source]" "[FIXME: manual]" +.TH "SHOREWALL\-LITE" "8" "12/07/2012" "[FIXME: source]" "[FIXME: manual]" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.9.2/manpages/shorewall-lite.conf.5 new/shorewall-lite-4.5.10/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-4.5.9.2/manpages/shorewall-lite.conf.5 2012-11-17 16:52:27.000000000 +0100 +++ new/shorewall-lite-4.5.10/manpages/shorewall-lite.conf.5 2012-12-08 02:03:11.000000000 +0100 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.75.2 http://docbook.sf.net/ -.\" Date: 11/17/2012 +.\" Date: 12/07/2012 .\" Manual: [FIXME: manual] .\" Source: [FIXME: source] .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "11/17/2012" "[FIXME: source]" "[FIXME: manual]" +.TH "SHOREWALL\-LITE\&.CO" "5" "12/07/2012" "[FIXME: source]" "[FIXME: manual]" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.9.2/releasenotes.txt new/shorewall-lite-4.5.10/releasenotes.txt --- old/shorewall-lite-4.5.9.2/releasenotes.txt 2012-11-17 16:46:47.000000000 +0100 +++ new/shorewall-lite-4.5.10/releasenotes.txt 2012-12-08 01:57:36.000000000 +0100 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 5 . 9 . 2 + S H O R E W A L L 4 . 5 . 1 0 ------------------------------------ - N o v e m b e r 1 7 , 2 0 1 2 + D e c e m b e r 0 2 , 2 0 1 2 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -15,162 +15,186 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.5.9.2 +1) This release includes all defect repair included in + 4.5.9.1-4.5.9.3. -1) Previously, the rules in the 'routemark' chain did not specify a - mask in the MARK target. While a mask isn't strictly necessary in - those rules, one has been added to ally fears of those who read the - generated ruleset. +2) Under rare circumstances, optimize level 16 could produce invalid + iptables-restore input which would cause start/restart to fail. - Note: The 'routemark' chain is used to apply provider marks to - packets received from 'track' provider interfaces. It is traversed - early in the mangle PREROUTING chain when no other marks have yet - been applied to the packet. +3) Before this release, the 'started' script was run prior to copying + the temporary script file (e.g., /var/lib/shorewall/.start) to + /var/dir/shorewall/firewall. If the script failed, the copy would + not take place even though the firewall had started + successfully. The script is now copied before running the 'started' + script. + + If you compare the script generated by this release with one + generated by a prior release, We suggest that you ignore whitespace + changes (e.g., use the '-w' option in diff); that way, you can see + the actual change more clearly. -2) If exclusion was used with TPROXY in the tcrules file, an invalid - iptables ruleset was generated causing start and restart commands - to fail when running iptables-restore. +4) AUTOCOMMENT=No now works correctly; previously, it behaved the same + as AUTOCOMMENT=Yes. -3) Previously, if a provider and its interface had the same name, then - the 'enable' command would not work on that interface. +5) A harmless extraneous comma has been deleted from the rule + generated by action.RST. 
-4.5.9.1 +---------------------------------------------------------------------------- + I I. K N O W N P R O B L E M S R E M A I N I N G +---------------------------------------------------------------------------- -1) Previously, using a wildcard interface name in a rule would result - in this error: +1) On systems running Upstart, shorewall-init cannot reliably secure + the firewall before interfaces are brought up. - ERROR: Invalid ipset name (ppp+) : ... +---------------------------------------------------------------------------- + I I I. N E W F E A T U R E S I N T H I S R E L E A S E +---------------------------------------------------------------------------- - Such entries are now handled correctly. +1) Shorewall now treats optional non-provider interfaces in a manner + similar to provider interfaces. -2) The shorewall-masq(5) manpage incorrectly stated that the SOURCE - column may use exclusion with an interface name (e.g., - eth1:!1.2.3.4). That hasn't been the case for some time. To - accomplish the same thing, do this: + - They may have entries in /etc/shorewall/routes. + - They may be enabled/disabled using the 'enable' and 'disable' + commands. + - Shorewall-init will simply enable an optional interface when it + comes up and disable it when it goes down. - eth0 1.2.3.4 NONAT - eth0 eth1 +2) The /etc/shorewall/secmarks and /etc/shorewall6/secmarks files now + support the UNTRACKED state. See the manpages for details. - Note: Using an interface name in the SOURCE column is deprecated. +3) The /etc/shorewall/conntrack and /etc/shorewall6/conntrack files + now support a DROP target. -3) Previously, if a MARK was specified for a tc class that explicitly - specified a class number, the following spurious warning message - was issued: + It is now possible to specify 'all-' in the SOURCE column which + generates rules for all zones that are outside of the firewall + itself. 
- WARNING: Class NUMBER ignored -- - INTERFACE <name> does not have the 'classify' option +4) A SWITCH column has been added to the /etc/shorewall/conntrack and + /etc/shorewall/conntrack6 files. - That warning message is no longer issued. +5) In a SWITCH column, the character '@' is replaced by the chain + name (non-alphanumeric characters other than '-' and '_' are + suppressed). -4) With Shorewall 4.5.9, there were issues when the ipset utility was - not installed, some of which prevented Shorewall from starting. +6) An AUDIT action has been added to the /etc/shorewall/rules and + /etc/shorewall6/rules. -4.5.9 +7) The audited targets (A_ACCEPT, A_DROP, etc.) are now supported in + /etc/shorewall6/rules. -1) This release contains all defect repair from Shorewall 4.5.8.2. +8) An additional format (3) has been added to the conntrack file. In + this format, zone names are not used in the SOURCE column; rather, + a suffix in the ACTION column determines which raw-table chain the + generated Netfilter rule will be placed in. See the manpages for + details. -2) A typo has been corrected in the shorewallrc.default file. +9) A ULOG ACTION has been added to /etc/shorewall/rules. -3) Beginning with Shorewall 4.5.7.2, Shorewall unconditionally - restores the provider mark as the first rule in the mangle table - OUTPUT and PREROUTING chains. Previously, the provider mark was - restored only if it was non-zero. +10) Within an action body, the variable $0 now expands to the action + chain name (including leading '%' if present). - It has become clear that some users need it one way while others - need it the other way. To resolve this issue, a RESTORE_ROUTEMARKS - option has been added to shorewall.conf and shorewall6.conf. When - this option is set to Yes (the default), the 4.5.7.2 approach is - used (always restore the mark, even if it is zero); when it is set - to No, the pre-4.5.7.2 behavior is retained (only restore the mark - if it is non-zero). 
+11) 'In-line' actions are now available. An action is designated as + in-line within /etc/shorewall[6]/actions; that file has a + new OPTIONS column and specifying 'inline' in that column + designates the action as in-line. -4) Two error messages produced by the RST action have been - corrected. They previously referred to errors in the NotSyn action - rather than RST. + Normally, actions are expanded into their own chain with a + unique chain being created for each unique invocation (considering + log level, tag and parameters). An in-line actions is expanded + inline within the chain that invokes it. In that sense, + in-line actions are very similar to macros. ----------------------------------------------------------------------------- - I I. K N O W N P R O B L E M S R E M A I N I N G ----------------------------------------------------------------------------- + In-line actions differ from macros in several ways: -1) On systems running Upstart, shorewall-init cannot reliably secure - the firewall before interfaces are brought up. + a) A zone may be specified in the SOURCE and DEST columns of a + macro, while zone names are disallowed in these columns within + an in-line action (same as in a regular action). ----------------------------------------------------------------------------- - I I I. N E W F E A T U R E S I N T H I S R E L E A S E ----------------------------------------------------------------------------- + b) The name of the current chain is available in $0 within the body + of an in-line action (also within a regular action beginning with + Beta 3). -1) Prior to this release, if a dynamic zone was associated with more - than one interface, then Shorewall created a separate ipset for - each interface. This meant that multiple 'add' and 'delete' - commands might be required to change the zone composition. + c) In-line actions accept multiple parameters which are available + in$1, $2, etc (as they are in a regular action). 
- This release introduces a 'dynamic_shared' zone option. When that - option is specified, a single ipset is generated regardless of the - number of entries the zone has in the hosts file. + d) PARAM has no special meaning in the body of an in-line action + ($1 serves the same purpose in an in-line action). - The 'dynamic_shared' option may only be specified in the OPTIONS - column of the zones file. + e) Only FORMAT 2 is available in an in-line action. - The syntax of the 'add' and 'delete' commands is changed for zones - having the 'dynamic_shared' option: + f) In-line actions must be defined in + /etc/shorewall[6]/actions. Those files have been extended to + include an OPTIONS column. The only option currently supported + is 'in-line'. - add <zone> <address>[,<address> ... ] + In-line actions differ from normal actions in that: - delete <zone> <address>[,<address> ... ] + a) Obviously, they are expanded in-line like a macro rather than + being in their own chain. That means that columns in the + invocation are merged with those in the action body in the same + way as they are in a macro. - Example: + b) When AUTOCOMMENT=Yes, each generated rule is commented with the + name of an in-line action. - shorewall add direct 172.20.1.99 + c) Within an in-line action, ?BEGIN PERL ... ?END PERL does not + have access to the special features available in action a normal + action body. - The syntax for 'add' and 'delete' for zones not having the - 'dynamic_shared' option is unchanged. + The compiler allows overriding the setting of 'inline' on the + Shorewall standard actions within + /etc/shorewall[6]/actions. Beware, however, that some of them + don't work when in-lined so the compiler will ignore the 'inline' + option with a warning for those actions: -2) Puppet and Teredo macros have been contributed by Paul Gear. 
+ Broadcast + DropSmurfs + Invalid + NonSyn + RST + TCPFlags -3) The 'show' command now supports a -b (brief) option that suppresses - listing of rules that have zero packet count and omits chains that - have no rules listed (Paul Gear). +12) In SWITCH columns, the named switch can now be initialized by the + 'start' command (other commands do not change switch values). -4) A CHECKSUM action has been added to the tcrules files. This action - computes and fills in the checksum in a packet that lacks one. - This is particularly useful if you need to work around old - applications, such as dhcp clients, that do not work well with - checksum offloads, but you don't want to disable checksum offload - in your device. + Initialization is accomplished by adding '=0' or '=1' to the + switch name. - As part of this change, a new 'Checksum Target' capability has been - added, so if you use a capabilities file, it needs to be - re-generated after you install this release. + Example (using alternative rule column specification): -5) The 'shorewall6 show routing' command now sorts the contents of - each routing table in the same way as 'shorewall show routing'. + #ACTION SOURCE DEST ... + NFLOG all all ; switch:logall=1 -6) It is now possible to specify a mark range in the ACTION column of - the tcrules file. This causes the generated ruleset to assign marks - in the range in round-robin fashion. As part of this change, a - STATE column is also added that allows marks to be assigned only to - packets that are in one of the specified states (NEW, RELATED, - ESTABLISHED, etc.). Specifying NEW in this column along with - a range in the ACTION column allows for load-balancing SNAT rules - over a number of different external addresses. + The above will cause the 'logall' switch + (/proc/net/nf_condition/logall) to be initialized to 1 (on). 
Note + that netfilter provides no atomic way to define and initialize a + switch so the loading of the ruleset and the initialization of the + switches are distinct operations. - Example: +13) Also in SWITCH columns, the name of the current Netfilter chain + will be substituted for '@0' and '@{0}'. - /etc/shorewall/tcrules + Example (using alternative rule column specification): - #ACTION SOURCE DEST ... - 1-3:CF eth1 172.20.1.0/24 ; state=NEW + #ACTION SOURCE DEST ... + NFLOG net fw ; switch:@{0}_logall - /etc/shorewall/masq + The name of the switch will be 'net2fw_logall'. - #INTERFACE SOURCE ADDRESS ... - eth0 192.168.1.0/24 1.1.1.1 ; mark=1:C - eth0 192.168.1.0/24 1.1.1.5 ; mark=2:C - eth0 192.168.1.0/24 1.1.1.9 ; mark=3:C + Note 1: Non-alphanumeric characters other than '_' and '-' will be + deleted from the chain name before substitution. + + Note 2: The chain name substituted is the one to which the rule is + initially added. The rule may end up in a different chain due to + optimization. + +14) Optimization level 16 now suppresses duplicate rules in chains from + all tables (it previously only suppressed duplicates in the 'raw' + table). + + Non-adjacent rules containing 'mark', 'connmark', 'dscp', 'ecn', + 'set', 'tos' or 'u32' matches are not suppressed: - Specifying a mark range require the 'Statistics Match' capability - in your iptables and kernel. - ---------------------------------------------------------------------------- V. M I G R A T I O N I S S U E S ---------------------------------------------------------------------------- 
@@ -314,6 +338,187 @@ ---------------------------------------------------------------------------- V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 5 . 9 +---------------------------------------------------------------------------- +4.5.9.3 + +1) References to the obsolete USE_ACTIONS option have been removed + from the manpages. + +2) NFLOG has been documented for some time as a valid ACTION in the + rules files but support for that action has never been implemented + until this release. + +3) The Checksum Target capability detection in the rules compiler was + broken with the result that the presence of the capability was not + detected. + +4) If an interface named in the INTERFACE column was not defined in + tcdevices and if the REDIRECTED column for that entry was + non-empty, then compile-time Perl diagnostics were generated and an + invalid firewall script was generated. + +5) When LOAD_HELPERS_ONLY=No, the 'compile' command previously left + behind a temporary chain in the raw table. + +6) Under very rare circumstances involving exclusion in multiple + Netfilter tables, optimization level 8 could result in + start/restart failure or jumps to the wrong exclusion chain. + +7) 4.5.9.2 broke multi-ISP on RHEL5-based systems. This release + includes a patch from Tuomo Soini that corrects the problem. + +4.5.9.2 + +1) Previously, the rules in the 'routemark' chain did not specify a + mask in the MARK target. While a mask isn't strictly necessary in + those rules, one has been added to ally fears of those who read the + generated ruleset. + + Note: The 'routemark' chain is used to apply provider marks to + packets received from 'track' provider interfaces. It is traversed + early in the mangle PREROUTING chain when no other marks have yet + been applied to the packet. 
+ +2) If exclusion was used with TPROXY in the tcrules file, an invalid + iptables ruleset was generated causing start and restart commands + to fail when running iptables-restore. + +3) Previously, when the name of provider was the same as it's + associated interface, the generated script contained a syntax + error. + +4.5.9.1 + +1) Previously, using a wildcard interface name in a rule would result + in this error: + + ERROR: Invalid ipset name (ppp+) : ... + + Such entries are now handled correctly. + +2) The shorewall-masq(5) manpage incorrectly stated that the SOURCE + column may use exclusion with an interface name (e.g., + eth1:!1.2.3.4). That hasn't been the case for some time. To + accomplish the same thing, do this: + + eth0 1.2.3.4 NONAT + eth0 eth1 + + Note: Using an interface name in the SOURCE column is deprecated. + +3) Previously, if a MARK was specified for a tc class that explicitly + specified a class number, the following spurious warning message + was issued: + + WARNING: Class NUMBER ignored -- + INTERFACE <name> does not have the 'classify' option + + That warning message is no longer issued. + +4) With Shorewall 4.5.9, there were issues when the ipset utility was + not installed, some of which prevented Shorewall from starting. + +4.5.9 + +1) This release contains all defect repair from Shorewall 4.5.8.2. + +2) A typo has been corrected in the shorewallrc.default file. + +3) Beginning with Shorewall 4.5.7.2, Shorewall unconditionally + restores the provider mark as the first rule in the mangle table + OUTPUT and PREROUTING chains. Previously, the provider mark was + restored only if it was non-zero. + + It has become clear that some users need it one way while others + need it the other way. To resolve this issue, a RESTORE_ROUTEMARKS + option has been added to shorewall.conf and shorewall6.conf. 
When + this option is set to Yes (the default), the 4.5.7.2 approach is + used (always restore the mark, even if it is zero); when it is set + to No, the pre-4.5.7.2 behavior is retained (only restore the mark + if it is non-zero). + +4) Two error messages produced by the RST action have been + corrected. They previously referred to errors in the NotSyn action + rather than RST. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 5 . 9 +---------------------------------------------------------------------------- + +1) Prior to this release, if a dynamic zone was associated with more + than one interface, then Shorewall created a separate ipset for + each interface. This meant that multiple 'add' and 'delete' + commands might be required to change the zone composition. + + This release introduces a 'dynamic_shared' zone option. When that + option is specified, a single ipset is generated regardless of the + number of entries the zone has in the hosts file. + + The 'dynamic_shared' option may only be specified in the OPTIONS + column of the zones file. + + The syntax of the 'add' and 'delete' commands is changed for zones + having the 'dynamic_shared' option: + + add <zone> <address>[,<address> ... ] + + delete <zone> <address>[,<address> ... ] + + Example: + + shorewall add direct 172.20.1.99 + + The syntax for 'add' and 'delete' for zones not having the + 'dynamic_shared' option is unchanged. + +2) Puppet and Teredo macros have been contributed by Paul Gear. + +3) The 'show' command now supports a -b (brief) option that suppresses + listing of rules that have zero packet count and omits chains that + have no rules listed (Paul Gear). + +4) A CHECKSUM action has been added to the tcrules files. This action + computes and fills in the checksum in a packet that lacks one. 
+ This is particularly useful if you need to work around old + applications, such as dhcp clients, that do not work well with + checksum offloads, but you don't want to disable checksum offload + in your device. + + As part of this change, a new 'Checksum Target' capability has been + added, so if you use a capabilities file, it needs to be + re-generated after you install this release. + +5) The 'shorewall6 show routing' command now sorts the contents of + each routing table in the same way as 'shorewall show routing'. + +6) It is now possible to specify a mark range in the ACTION column of + the tcrules file. This causes the generated ruleset to assign marks + in the range in round-robin fashion. As part of this change, a + STATE column is also added that allows marks to be assigned only to + packets that are in one of the specified states (NEW, RELATED, + ESTABLISHED, etc.). Specifying NEW in this column along with + a range in the ACTION column allows for load-balancing SNAT rules + over a number of different external addresses. + + Example: + + /etc/shorewall/tcrules + + #ACTION SOURCE DEST ... + 1-3:CF eth1 172.20.1.0/24 ; state=NEW + + /etc/shorewall/masq + + #INTERFACE SOURCE ADDRESS ... + eth0 192.168.1.0/24 1.1.1.1 ; mark=1:C + eth0 192.168.1.0/24 1.1.1.5 ; mark=2:C + eth0 192.168.1.0/24 1.1.1.9 ; mark=3:C + + Specifying a mark range require the 'Statistics Match' capability + in your iptables and kernel. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 5 . 8 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.9.2/shorewall-lite.spec new/shorewall-lite-4.5.10/shorewall-lite.spec --- old/shorewall-lite-4.5.9.2/shorewall-lite.spec 2012-11-17 16:46:47.000000000 +0100 +++ new/shorewall-lite-4.5.10/shorewall-lite.spec 2012-12-08 01:57:36.000000000 +0100 
@@ -1,6 +1,6 @@ %define name shorewall-lite -%define version 4.5.9 -%define release 2 +%define version 4.5.10 +%define release 0base %define initdir /etc/init.d Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. @@ -105,6 +105,16 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Sun Dec 02 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.10-0base +* Wed Nov 28 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.10-0RC1 +* Sat Nov 24 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.10-0Beta3 +* Tue Nov 20 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.10-0Beta2 +* Fri Nov 16 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.10-0Beta1 * Sun Nov 11 2012 Tom Eastep tom@shorewall.net - Updated to 4.5.9-2 * Sat Nov 03 2012 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.9.2/uninstall.sh new/shorewall-lite-4.5.10/uninstall.sh --- old/shorewall-lite-4.5.9.2/uninstall.sh 2012-11-17 16:46:47.000000000 +0100 +++ new/shorewall-lite-4.5.10/uninstall.sh 2012-12-08 01:57:36.000000000 +0100 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.5.9.2 +VERSION=4.5.10 usage() # $1 = exit status { ++++++ shorewall-4.5.9.2.tar.bz2 -> shorewall6-4.5.10.tar.bz2 ++++++ ++++ 106410 lines of diff (skipped) ++++++ shorewall-lite-4.5.9.2.tar.bz2 -> shorewall6-lite-4.5.10.tar.bz2 ++++++ ++++ 7408 lines of diff (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
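Review bot: the 4.5.10 RC 1 entry "1) Change '@' substitution to '@0' (${0}'." in the changelog.txt hunk @@ -1,3 +1,99 @@ has an unbalanced parenthesis and a stray quote, and the form it names does not match releasenotes.txt item 13 in this same submission, which documents '@0' and '@{0}'; suggest "Change '@' substitution to '@0' ('@{0}')." Two smaller wording points in the same hunk: "agressive" in RC 1 item 7 should be "aggressive", and Beta 3 item 10 "Allowing inline override on Standard Actions" should use the imperative "Allow" like the entries around it.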
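Review bot: the changelog.txt hunk @@ -8,8 +104,6 @@ deletes item 5 ("Fix 'enable' when interface and provider have same name.") from the already-released 4.5.9.2 section with nothing in its place, so that section now runs from 4) straight into the 4.5.9.1 heading. The releasenotes.txt hunk in this submission still carries a 4.5.9.2 item 3 for the same problem, reworded as a syntax error in the generated script, so the two files now disagree about what 4.5.9.2 fixed; either restore a reworded changelog entry or mention the retroactive correction in the shorewall.changes text so packagers comparing the two versions do not read it as a reverted fix.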
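Review bot: the VERSION bumps to 4.5.10 in the configure, configure.pl, install.sh and uninstall.sh hunks agree with each other, but they show the version string hand-maintained in four separate files (five counting the spec); since the comment above the uninstall.sh assignment states that the script may only be used to uninstall the version shown in it, any future skew between these copies silently breaks that contract. Generating the version from one source would remove that class of error; nothing needs changing in this submission.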
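Review bot: the banner date in the releasenotes.txt hunk @@ -1,7 +1,7 @@ becomes "December 02, 2012", which matches the "Sun Dec 02 2012" spec changelog entry but predates the 12/07/2012 dates stamped into the regenerated manpages and the 2012-12-08 timestamps on the new files; if the final tarball was cut later than the 2nd, the banner should carry the actual release date.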
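Review bot: item 3 of section I in the releasenotes.txt hunk @@ -15,162 +15,186 @@ names the destination of the copied script as /var/dir/shorewall/firewall, which looks like a typo for /var/lib/shorewall/firewall (the same item gives the temporary file as /var/lib/shorewall/.start, and the changelog.txt entry for this change says $VARDIR/$PRODUCT/firewall); the capital "We" in "We suggest" should also be lower-cased. Further points in the same hunk, all in section III: item 4 writes /etc/shorewall/conntrack6 where item 3 and the rest of the file use /etc/shorewall6/conntrack; item 11 has "An in-line actions is expanded" (singular), "in$1, $2" (missing space) and a garbled "available in action a normal action body" under c) of its second list, and its sub-item f) says the only supported OPTIONS value is 'in-line' while the lead paragraph and the warning paragraph spell it 'inline', so one spelling should be chosen and stated once; item 14 ends with a colon but nothing follows it before the section V header, so either the intended list was lost or the colon should be a period, and a sentence on why only non-adjacent duplicates with mark, connmark, dscp, ecn, set, tos or u32 matches are kept (intervening rules can change what those matches see) would help readers judge whether optimization level 16 is safe for their ruleset.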
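Review bot: three wording slips in the carried-over text of the releasenotes.txt hunk @@ -314,6 +338,187 @@: 4.5.9.2 item 1 "to ally fears" should be "to allay fears"; 4.5.9.2 item 3 "when the name of provider was the same as it's associated interface" should read "when the name of a provider was the same as its associated interface"; and 4.5.9 new-features item 6 "Specifying a mark range require" should be "requires". The first and third are inherited from the 4.5.9.2 text removed earlier in the same file, but since this hunk re-adds those lines it is the natural place to fix them.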
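Review bot: in the shorewall-lite.spec hunk @@ -1,6 +1,6 @@ the release tag becomes 0base, and the @@ -105,6 +105,16 @@ changelog shows the preceding pre-releases tagged 0Beta1 through 0RC1. RPM compares alphabetic version segments by plain string comparison, so 4.5.10-0base sorts after 4.5.10-0RC1 and 4.5.10-0Beta3 only because lower-case 'b' follows upper-case 'R' and 'B' in ASCII; it works, but a final release tag that sorts above the pre-release ones by design (a plain release number greater than 0, for example) would be less fragile. This spec ships inside the upstream tarball rather than being the packaging spec, so the point is for upstream.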