commit shorewall for openSUSE:Factory
Hello community, here is the log from the commit of package shorewall for openSUSE:Factory checked in at Mon Aug 22 16:14:32 CEST 2011. -------- --- shorewall/shorewall.changes 2011-06-16 09:06:17.000000000 +0200 +++ /mounts/work_src_done/STABLE/shorewall/shorewall.changes 2011-08-20 21:00:49.000000000 +0200 
@@ -1,0 +2,156 @@ +Sat Aug 20 18:47:26 UTC 2011 - toganm@opensuse.org + +- Update to 4.4.22.3. Corrections in this release are below. + * On older distributions where 'shorewall show capabilities' + indicates 'Connection Tracking Match: Not Available', harmless + Perl diagnostics like the following could be issued: + + Use of uninitialized value $list in pattern match (m//) + at /usr/share/shorewall/Shorewall/Config.pm line 1273, + <$currentfile> line 14. + + Use of uninitialized value $list in split + at /usr/share/shorewall/Shorewall/Config.pm line 1275, + <$currentfile> line 14. + + * On older distributions where 'shorewall show capabilities' + indicates 'Mangle FORWARD Chain: Not Available', entries in the + ecn file generated the following Perl Diagnostic: + + Use of uninitialized value in hash element + at /usr/share/shorewall/Shorewall/Chains.pm line 1119. + + * Previously, if a provider interface was derived from an optional + wildcard entry in /etc/shorewall/providers, then the interface + was never considered to be usable. + + Example: + + /etc/shorewall/interfaces: + + #ZONE INTERFACE BROADCAST OPTIONS + net ppp+ - optionsl + + /etc/shorewall/providers:net + #PROVIDER NUMBER MARK INTERFACE ... + ISP1 1 1 ppp0 + + * When 'shorewall update' or 'shorewall6 update' results in no change + to the .conf file, a message is issued, the .bak file is removed + and the command terminates without error. + + +------------------------------------------------------------------- +Fri Aug 12 08:28:00 UTC 2011 - toganm@opensuse.org + +- patch the Perl diagnostic with a WARNING message. + +------------------------------------------------------------------- +Tue Aug 9 19:22:07 UTC 2011 - toganm@opensuse.org + +- Update to 4.4.22.2 + + * On older distributions where 'shorewall show capabilities' + indicates 'Connection Tracking Match: Not Available', Shorewall + 4.4.22 and 4.4.22.1 generated invalid iptables-restore input. 
+ + * Previously, the compiler always placed '#!/bin/sh' on the first + line of the generated script. It now uses the setting of + SHOREWALL_SHELL on that line rather than '/bin/sh'. Note that + SHOREWALL_SHELL defaults to '/bin/sh' so this change only affects + those who specify a different shell. + +- Patched REDIRECT rule + +------------------------------------------------------------------- +Thu Aug 4 05:13:07 UTC 2011 - toganm@opensuse.org + +- Update to 4.4.22.1 + + * Previously, if the name of a zone began with 'all', then entries + for that zone in /etc/shorewall/rules and /etc/shoreawll6/rules + treated the name the same as 'all'. + + This defect is present in Shorewall 4.4.13 through 4.4.22. + + * Previously, when LOAD_HELPERS_ONLY=No, harmless + iptables-restore warnings as follows could be generated: + + ... + Running /usr/local/sbin/iptables-restore... + --set option deprecated, please use --match-set + --set option deprecated, please use --match-set + IPv4 Forwarding Enabled + + +------------------------------------------------------------------- +Wed Aug 3 15:45:01 UTC 2011 - toganm@opensuse.org + +- Update to 4.4.22. For more details see changelog.txt and + releasenotes.txt + + * Under rare conditions, long port lists (>15 ports) could result in + the following failure when optimization level 4 was enabled. + + Use of uninitialized value in numeric gt (>) + at /usr/share/shorewall/Shorewall/Chains.pm line 1264. + + ERROR: Internal error in + Shorewall::Chains::decrement_reference_count at + /usr/share/shorewall/Shorewall/Chains.pm line 1264 + + * All corrections included in Shorewall 4.4.21.1. + +- A bug in recent versions of Shorewall that could result in rules + that are wider in scope than intended was fixed by applying a patch + by the upstream. 
+ +------------------------------------------------------------------- +Tue Jul 19 22:06:11 UTC 2011 - toganm@opensuse.org + +- Update to 4.4.21.1 Changes in this release are: + + * A harmless Perl run-time "uninitialized variable" diagnostic has + been eliminated from the compiler. The diagnostic was issued while + displaying the capabilities. + + * As the result of a typo, an orphan filter chain named FORWAR + could be created under rare circumstances. This chain was deleted + by OPTIMIZE level 4. + + * The SNAT options --persistent and --randomize now work properly + (/etc/shorewall/masq). + + * The LOGMARK log level was previously generated invalid iptables + input making it unusable. That has been corrected. + + The syntax for LOGMARK is now: + + LOGMARK(<priority>) where <priority> is a syslog priority (1-7 or debug, + info, notice, etc.). + + Example rule: + #ACTION SOURCE DEST PROTO DEST + # PORT(S) + LOG:LOGMARK(info) lan dmz udp 1234 + + +------------------------------------------------------------------- +Mon Jul 11 08:13:36 UTC 2011 - toganm@opensuse.org + +- Update to 4.4.21 For more details see changelog.txt and + releasenotes.txt + + * The Shorewall and Shorewall6 'load' and 'reload' commands + now use the .conf file in the current working directory. + * The 'balance' and 'fallback' options in /etc/shorewall/providers + have always been mutually exclusive but the compiler previously + didn't enforce that restriction. Now it does. + * The ipset modules are now automatically loaded by Shorewall6 when + LOAD_HELPERS_ONLY=No is specified in shorewall6.conf. Additionally, + there is now a /usr/share/shorewall6/modules.ipset file that + lists all of the required modules. + * TPROXY descriptions have been added to shorewall-tcrules(5) and + shorewall6-tcrules(5). 
+ +------------------------------------------------------------------- calling whatdependson for head-i586 Old: ---- shorewall-4.4.14.rpmlintrc shorewall-4.4.20.3.tar.bz2 shorewall-docs-html-4.4.20.3.tar.bz2 shorewall-init-4.4.14.init.patch shorewall-init-4.4.20.3.tar.bz2 shorewall-lite-4.4.20.3.tar.bz2 shorewall6-4.4.20.3.tar.bz2 shorewall6-lite-4.4.20.3.tar.bz2 New: ---- shorewall-4.4.22.3.tar.bz2 shorewall-4.4.22.rpmlintrc shorewall-docs-html-4.4.22.3.tar.bz2 shorewall-init-4.4.21_init_sh.patch shorewall-init-4.4.22.3.tar.bz2 shorewall-lite-4.4.22.3.tar.bz2 shorewall6-4.4.22.3.tar.bz2 shorewall6-lite-4.4.22.3.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.RruyC7/_old 2011-08-22 16:13:28.000000000 +0200 +++ /var/tmp/diff_new_pack.RruyC7/_new 2011-08-22 16:13:28.000000000 +0200 
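Review bot: the 'Wed Aug 3' and 'Fri Aug 12' entries in the shorewall.changes hunk above describe local patches (the REDIRECT fix for rules 'wider in scope than intended', and the WARNING replacement for the Perl diagnostic), but neither the New: file list nor the Patch0..Patch5 lines of the spec carry such a patch, and the 4.4.22.2/4.4.22.3 changelog lists both fixes upstream ('Include header match in DNAT/REDIRECT rules', 'Eliminate Perl diagnostics when CONNTRACK_MATCH is not available'). Add a line to the 4.4.22.3 entry saying the local patches were dropped in favour of the upstream fixes, so the history of the scope-widening REDIRECT defect stays traceable from the package changelog. Minor typos in the copied text: 'optionsl' for 'optional', '/etc/shoreawll6/rules' for '/etc/shorewall6/rules', and '/etc/shorewall/providers:net' has lost the line break that the release notes have after 'providers:'.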
@@ -18,19 +18,19 @@ Name: shorewall -Version: 4.4.20.3 +Version: 4.4.22.3 Release: 1 License: GPL-2.0 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems Url: http://www.shorewall.net/ Group: Productivity/Networking/Security -Source0: http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.20/%name-%version.t... -Source1: http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.20/%name-lite-%vers... -Source2: http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.20/%name-init-%vers... -Source3: http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.20/%{name}6-lite-%version.tar.bz2 -Source4: http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.20/%{name}6-%version.tar.bz2 -Source5: http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.20/%name-docs-html-... -Source6: %name-4.4.14.rpmlintrc +Source0: http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.22/%name-%version.t... +Source1: http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.22/%name-lite-%vers... +Source2: http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.22/%name-init-%vers... +Source3: http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.22/%{name}6-lite-%version.tar.bz2 +Source4: http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.22/%{name}6-%version.tar.bz2 +Source5: http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.22/%name-docs-html-... +Source6: %name-4.4.22.rpmlintrc Source7: README.openSUSE # PATCH-FIX-UPSTREAM init-4.4.14 toganm@opensuse.org -- Required-Stop and Short descriprtion Patch0: init-4.4.14.patch 
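Review bot: Source0..Source5 are fetched over plain http from www.shorewall.net and the spec records no checksum or signature check for the tarballs, so a tampered download would go into a firewall package unnoticed. If upstream publishes detached signatures, add them as additional Source entries and verify them in %prep; otherwise pin checksums when bumping the version. Minor: the Patch0 comment still reads 'descriprtion'.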
@@ -40,8 +40,9 @@ Patch2: shorewall6-init-4.4.14.patch # PATCH-FIX-UPSTREAM shorewall6-lite-4.4.14.init.patch toganm@opensuse.org Required-Stop and Short descriprtion Patch3: shorewall6-lite-4.4.14.init.patch -# PATCH-FIX-UPSTREAM shorewall-init-4.4.14.init.patch toganm@opensuse.org added reload which is start actually -Patch4: shorewall-init-4.4.14.init.patch +# PATCH-FIX-UPSTREAM shorewall-init-4.4.21_init_sh.patch toganm@opensuse.org +# Required-Start/Stop +Patch4: shorewall-init-4.4.21_init_sh.patch # PATCH-FIX-OPENSUSE install-4.4.14.patch toganm@opensuse.org -- use of fillup template Patch5: install-4.4.14.patch PreReq: %fillup_prereq @@ -59,6 +60,7 @@ Requires: logrotate BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch + Conflicts: SuSEfirewall2 %description @@ -105,7 +107,6 @@ %package -n %{name}6-lite - Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems PreReq: %fillup_prereq PreReq: %insserv_prereq @@ -155,6 +156,10 @@ %prep %setup -q -c -a1 -a2 -a3 -a4 -a5 +# Remove hash-bang from files which are not directly executed as shell +# scripts. This silences some rpmlint errors. +find . -name "lib.*" -exec sed -i -e '/\#\!\/bin\/sh/d' {} \; + # apply patches to shorewall pushd %name-%version %patch0 @@ -211,7 +216,8 @@ PREFIX=%buildroot DEST=%_initddir %_buildshell install.sh popd pushd %name-init-%version -PREFIX=%buildroot DEST=%_initddir %_buildshell install.sh +%__mkdir_p %buildroot%_sysconfdir/NetworkManager/dispatcher.d/ +SUSE="Yes" PREFIX=%buildroot DEST=%_initddir %_buildshell install.sh popd %clean 
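Review bot: in the %prep hunk, `sed -i -e '/\#\!\/bin\/sh/d'` deletes every line containing `#!/bin/sh` anywhere in every `lib.*` file, not just a shebang on line 1, so a comment or here-document that mentions `#!/bin/sh` in the middle of a sourced library would be silently removed and could break the shell code. Anchor it to the first line and line start, e.g. `sed -i -e '1{/^#!\/bin\/sh/d}'`, and add `-type f` to the find so a directory named `lib.*` is not handed to sed. Note also that the find runs before `pushd %name-%version`, so it rewrites shorewall-lite, shorewall6, shorewall6-lite and shorewall-init too; the comment should say so, since that is what makes the rpmlintrc filter removals further down valid.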
@@ -267,12 +273,6 @@ %post init %{fillup_and_insserv -n %name-init} -cp -pf %_libexecdir/%name-init/ifupdown %_sysconfdir/sysconfig/network/scripts/%name -ln -sf %_sysconfdir/sysconfig/network/scripts/%name %_sysconfdir/sysconfig/network/if-up.d/%name -ln -sf %_sysconfdir/sysconfig/network/scripts/%name %_sysconfdir/sysconfig/network/if-down.d/%name -if [ -d %_sysconfdir/NetworkManager/dispatcher.d/ ]; then - cp -pf %_libexecdir/%name-init/ifupdown %_sysconfdir/NetworkManager/dispatcher.d/01-%name -fi %postun init %restart_on_update %name-init @@ -281,7 +281,6 @@ %preun init %{stop_on_removal %name-init} -rm -f %_sysconfdir/NetworkManager/dispatcher.d/01-%name %files %defattr(-,root,root,-) @@ -300,11 +299,7 @@ %_datadir/%name/version %_datadir/%name/actions.std -%_datadir/%name/action.Drop -%_datadir/%name/action.Reject -%_datadir/%name/action.template -%_datadir/%name/action.A_Drop -%_datadir/%name/action.A_Reject +%_datadir/%name/action.* %attr(- ,root,root) %_datadir/%name/functions %_datadir/%name/lib.* %_datadir/%name/macro.* @@ -383,13 +378,8 @@ %_datadir/%{name}6/version %_datadir/%{name}6/actions.std -%_datadir/%{name}6/action.AllowICMPs -%_datadir/%{name}6/action.Drop -%_datadir/%{name}6/action.Reject -%_datadir/%{name}6/action.template -%_datadir/%{name}6/action.A_Drop -%_datadir/%{name}6/action.A_Reject -%_datadir/%{name}6/action.A_AllowICMPs +%_datadir/%{name}6/action.* + %attr(- ,root,root) %_datadir/%{name}6/functions %_datadir/%{name}6/lib.* %_datadir/%{name}6/macro.* 
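Review bot: the %post init hunk drops the `cp -pf ... %_sysconfdir/sysconfig/network/scripts/%name` and the two `ln -sf` calls, and the hooks are now installed as rpm-owned files (good: they show up in `rpm -V` and get removed on uninstall), but nothing cleans up the copy at %_sysconfdir/sysconfig/network/scripts/%name that the old %post created, so systems upgrading from 4.4.20.3 keep an unowned, root-run hook script with the old contents. Add a one-off `rm -f %_sysconfdir/sysconfig/network/scripts/%name` in %post init (or a version-guarded %pre) so the orphan does not linger next to the new files.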
@@ -455,12 +445,14 @@ %attr(0544,root,root) %config(noreplace) %_sysconfdir/init.d/%name-init %dir %_datadir/%name-init %dir %_libexecdir/%name-init -%ghost %dir %_sysconfdir/NetworkManager -%ghost %dir %_sysconfdir/NetworkManager/dispatcher.d -%ghost %attr(0755,root,root) %_sysconfdir/NetworkManager/dispatcher.d/01-%name +%dir %attr(0755,root,root) %_sysconfdir/NetworkManager +%dir %attr(0755,root,root) %_sysconfdir/NetworkManager/dispatcher.d +%attr(0755,root,root) %_sysconfdir/NetworkManager/dispatcher.d/01-%name %_datadir/%name-init/version %attr(0544,root,root) %_libexecdir/%name-init/ifupdown +%attr(0544,root,root) %_sysconfdir/sysconfig/network/if-down.d/%name +%attr(0755,root,root) %_sysconfdir/sysconfig/network/if-up.d/%name %_mandir/man8/%name-init.8* %doc %name-init-%version/COPYING ++++++ shorewall-4.4.20.3.tar.bz2 -> shorewall-4.4.22.3.tar.bz2 ++++++ ++++ 45996 lines of diff (skipped) ++++++ shorewall-4.4.14.rpmlintrc -> shorewall-4.4.22.rpmlintrc ++++++ --- shorewall/shorewall-4.4.14.rpmlintrc 2011-04-13 20:03:09.000000000 +0200 +++ /mounts/work_src_done/STABLE/shorewall/shorewall-4.4.22.rpmlintrc 2011-08-03 18:39:04.000000000 +0200 
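Review bot: in the shorewall-init %files hunk the package now owns `%_sysconfdir/NetworkManager` and `%_sysconfdir/NetworkManager/dispatcher.d` as real %dir entries instead of %ghost; those directories belong to NetworkManager's own packaging, so shorewall-init will create them on hosts without NetworkManager and their attributes must stay in sync with what NetworkManager sets. Keep them %ghost, or own only the `01-%name` script. Also the modes are inconsistent: `if-down.d/%name` is 0544 while `if-up.d/%name` and `dispatcher.d/01-%name` are 0755; pick one (0544 matches the `ifupdown` source file listed two lines above).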
@@ -1,13 +1,10 @@ -addFilter("non-executable-script /usr/share/shorewall/prog.header*") -addFilter("non-executable-script /usr/share/shorewall/lib.*") -addFilter("non-executable-script /usr/share/shorewall6/lib.*") -addFilter("non-executable-script /usr/share/shorewall-lite/lib.*") -addFilter("non-executable-script /usr/share/shorewall6-lite/lib.*") -addFilter("non-executable-script /etc/shorewall/scfilter") -addFilter("non-executable-script /etc/shorewall6/scfilter") -addFilter("non-executable-script /usr/share/shorewall/configfiles/scfilter") -addFilter("non-executable-script /usr/share/shorewall6/configfiles/scfilter") addFilter("files-duplicate /usr/share/shorewall6/configfiles/scfilter") addFilter("script-without-shebang /etc/shorewall-lite/shorewall-lite.conf") addFilter("script-without-shebang /etc/shorewall6-lite/shorewall6-lite.conf") +addFilter("non-executable-script /usr/share/shorewall/prog.header") +addFilter("non-executable-script /usr/share/shorewall/prog.header6") +addFilter("non-executable-script /usr/share/shorewall/configfiles/scfilter") +addFilter("non-executable-script /etc/shorewall/scfilter") +addFilter("non-executable-script /usr/share/shorewall6/configfiles/scfilter") +addFilter("non-executable-script /etc/shorewall6/scfilter") addFilter("perl5-naming-policy-not-applied") ++++++ shorewall-docs-html-4.4.20.3.tar.bz2 -> shorewall-docs-html-4.4.22.3.tar.bz2 ++++++ ++++ 7599 lines of diff (skipped) ++++++ shorewall-init-4.4.21_init_sh.patch ++++++ --- init.sh.orig +++ init.sh 
@@ -22,14 +22,13 @@ # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -# chkconfig: - 09 91 # ### BEGIN INIT INFO # Provides: shorewall-init -# Required-start: $local_fs -# Required-stop: $local_fs +# Required-Start: $local_fs +# Required-Stop: $local_fs # Default-Start: 2 3 5 -# Default-Stop: 6 +# Default-Stop: 0 1 6 # Short-Description: Initialize the firewall at boot time # Description: Place the firewall in a safe state at boot time # prior to bringing up the network. ++++++ shorewall-init-4.4.20.3.tar.bz2 -> shorewall-init-4.4.22.3.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.4.20.3/changelog.txt new/shorewall-init-4.4.22.3/changelog.txt --- old/shorewall-init-4.4.20.3/changelog.txt 2011-06-14 16:40:25.000000000 +0200 +++ new/shorewall-init-4.4.22.3/changelog.txt 2011-08-20 16:23:35.000000000 +0200 
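Review bot: this patch is tagged PATCH-FIX-UPSTREAM in the spec, but the upstream init.sh in the 4.4.22.3 tarball (hunk `@@ -29,7 +29,7 @@` below) still has `Required-start`/`Required-stop` in lower case and sets `Default-Stop: 6`, while this patch sets `Default-Stop: 0 1 6` and additionally deletes the `# chkconfig: - 09 91` line, neither of which the spec comment ('Required-Start/Stop') mentions. Either send the header fixes upstream or retag it PATCH-FIX-OPENSUSE, and document the chkconfig removal and the Default-Stop change in the comment so the next version bump does not drop them by accident.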
@@ -1,20 +1,105 @@ -Changes in Shorewall 4.4.20.3 +Changes in 4.4.22.3 -1) Remove deprecated options from the .conf files. +1) Eliminate Perl diagnostics when CONNTRACK_MATCH is not available. -2) Exempt wildcard interfaces from sfilter. +2) Eliminate Perl diagnostics when MANGLE_FORWARD is not available. -Changes in Shorewall 4.4.20.2 +3) Unlink .bak file when no change to shorewall[6].conf. -1) Reject degenerate tcpri entries. +4) Correct handling of Providers with interfaces derived from wildcards. -2) Correct tc defect. +Changes in 4.4.22.2 -3) Apply sfilters to INPUT traffic. +1) Include header match in DNAT/REDIRECT rules. -4) Exclude ipsec traffic from sfilter. +2) Fix generation of state match on old distributions. -5) Fix an interesting defect. +3) Place $SHOREWALL_SHELL in shebang line. + +Changes in 4.4.22.1 + +1) Correct handling of zone names beginning with 'all'. + +2) Correct detection of OLD_IPSET_MATCH when LOAD_HELPERS_ONLY=No. + +3) Apply Orion Poplawski's SELinux patch. + +Changes in Shorewall 4.4.22 Final + +1) Update release documents + +Changes in Shorewall 4.4.22 RC 2 + +1) Avoid undefined reference in Shorewall::Rules::save_policies. + +Changes in Shorewall 4.4.22 RC 1 + +1) Correct combined port defect. + +2) Correct numerous problems reported by Steven Springl. + +Changes in Shorewall 4.4.22 Beta 3 + +1) Continue to implement and refine the new rule interface. + +2) Rename chains combined with other chains by optimize 8. + +Changes in Shorewall 4.4.22 Beta 2 + +1) Continue to implement the new rule interface in other modules. + +Changes in Shorewall 4.4.22 Beta 1 + +1) Convert most built-in actions to standard actions. + +2) Implement structured rule representation. + +Changes in Shorewall 4.4.21 Final + +1) Correct code generated by TPROXY. + +2) Make 'fallback' and 'balance' mutually exclusive. 
+ +3) Generate error if too many parameters to a function with DEFAULT + +4) Prepare for more parameterized actions + +5) Fix parameter push/pop in process_action() + +6) Add comment push/pop in process_action() + +Changes in Shorewall 4.4.21 RC 1 + +1) Fix empty parameter lists in _DEFAULT settings. + +2) Correct FOREWARD_CLEAR_MARK -> FORWARD_CLEAR_MARK in an error + message. + +3) Use updated config in verification during upgrade. + +Changes in Shorewall 4.4.21 Beta 3 + +1) Shorewall-init can now save/restore ipsets. + +2) Correct handling of DEFAULTS in non-action contexts. + +3) Rename read_action_param and change signature. + +4) Add DEFAULT to macro files. + +Changes in Shorewall 4.4.21 Beta 2 + +1) Implement the 'update' command. + +Changes in Shorewall 4.4.21 Beta 1 + +1) IPSET support in Shorewall6. + +2) Make AUTOMAKE follow CONFIG_PATH + +3) Default values for action parameters. + +4) Parameterize Drop and Reject actions. Changes in Shorewall 4.4.20.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.4.20.3/init.sh new/shorewall-init-4.4.22.3/init.sh --- old/shorewall-init-4.4.20.3/init.sh 2011-06-14 16:40:07.000000000 +0200 +++ new/shorewall-init-4.4.22.3/init.sh 2011-08-20 16:00:07.000000000 +0200 @@ -29,7 +29,7 @@ # Required-start: $local_fs # Required-stop: $local_fs # Default-Start: 2 3 5 -# Default-Stop: +# Default-Stop: 6 # Short-Description: Initialize the firewall at boot time # Description: Place the firewall in a safe state at boot time # prior to bringing up the network. @@ -69,6 +69,10 @@ fi done + if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then + ipset -R < "$SAVE_IPSETS" + fi + return 0 } 
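Review bot: in the `@@ -69,6 +69,10 @@` hunk, `ipset -R < "$SAVE_IPSETS"` runs as root with no check on who can write the file: anything appended to $SAVE_IPSETS becomes part of the kernel's match sets at boot (an address added to a whitelist set punches a hole through the firewall), and a failed restore is ignored because the exit status is dropped and the function still returns 0. Guard it: require the file to be root-owned and not group/world writable before restoring (e.g. check `stat -c %U:%a "$SAVE_IPSETS"` against `root:600`), and log and fail when `ipset -R` returns non-zero. The save side in the next hunk accepts both `-N` and `create ` output formats, so confirm `-R` is still accepted by the ipset versions that emit `create` lines.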
@@ -86,6 +90,13 @@ fi done + if [ -n "$SAVE_IPSETS" ]; then + mkdir -p $(dirname "$SAVE_IPSETS") + if ipset -S > "${SAVE_IPSETS}.tmp"; then + grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" + fi + fi + return 0 } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.4.20.3/install.sh new/shorewall-init-4.4.22.3/install.sh --- old/shorewall-init-4.4.20.3/install.sh 2011-06-14 16:40:07.000000000 +0200 +++ new/shorewall-init-4.4.22.3/install.sh 2011-08-20 16:23:35.000000000 +0200 @@ -23,7 +23,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.20.3 +VERSION=4.4.22.3 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.4.20.3/releasenotes.txt new/shorewall-init-4.4.22.3/releasenotes.txt --- old/shorewall-init-4.4.20.3/releasenotes.txt 2011-06-14 16:40:25.000000000 +0200 +++ new/shorewall-init-4.4.22.3/releasenotes.txt 2011-08-20 16:23:35.000000000 +0200 @@ -1,5 +1,5 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 4 . 20 . 3 + S H O R E W A L L 4 . 4 . 2 2 . 3 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
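Review bot: in the `@@ -86,6 +90,13 @@` hunk the ipset dump is written with the caller's umask (`ipset -S > "${SAVE_IPSETS}.tmp"` after an unquoted `mkdir -p $(dirname "$SAVE_IPSETS")`), so set contents, which can include blacklists and internal host lists, may end up world-readable; set `umask 077` before the redirect or `chmod 600` the temp file before the `mv`, and quote the `$(dirname ...)` substitution. Also, when `ipset -S` fails or the grep finds no `-N`/`create ` line, `${SAVE_IPSETS}.tmp` is left behind; add `rm -f "${SAVE_IPSETS}.tmp"` on the failure paths.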
@@ -13,6 +13,588 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- +4.4.22.3 + +1) On older distributions where 'shorewall show capabilities' + indicates 'Connection Tracking Match: Not Available', harmless Perl + diagnostics like the following could be issued: + + Use of uninitialized value $list in pattern match (m//) + at /usr/share/shorewall/Shorewall/Config.pm line 1273, + <$currentfile> line 14. + + Use of uninitialized value $list in split + at /usr/share/shorewall/Shorewall/Config.pm line 1275, + <$currentfile> line 14. + +2) On older distributions where 'shorewall show capabilities' + indicates 'Mangle FORWARD Chain: Not Available', entries in the ecn + file generated the following Perl Diagnostic: + + Use of uninitialized value in hash element + at /usr/share/shorewall/Shorewall/Chains.pm line 1119. + +3) Previously, if a provider interface was derived from an optional + wildcard entry in /etc/shorewall/providers, then the interface was + never considered to be usable. + + Example: + + /etc/shorewall/interfaces: + + #ZONE INTERFACE BROADCAST OPTIONS + net ppp+ - optionsl + + /etc/shorewall/providers: + + #PROVIDER NUMBER MARK INTERFACE ... + ISP1 1 1 ppp0 ... + +4.4.22.2 + +1) On older distributions where 'shorewall show capabilities' + indicates 'Connection Tracking Match: Not Available', Shorewall + 4.4.22 and 4.4.22.1 generated invalid iptables-restore input. + +2) Previously, the compiler always placed '#!/bin/sh' on the first + line of the generated script. It now uses the setting of + SHOREWALL_SHELL on that line rather than '/bin/sh'. Note that + SHOREWALL_SHELL defaults to '/bin/sh' so this change only affects + those who specify a different shell. + +4.4.22.1 + +1) Previously, if the name of a zone began with 'all', then entries + for that zone in /etc/shorewall/rules and /etc/shorewall6/rules + treated the name the same as 'all'. 
+ + This defect is present in Shorewall 4.4.13 through 4.4.22. + +2) Previously, when LOAD_HELPERS_ONLY=No, harmless iptables-restore + warnings as follows could be generated: + + ... + Running /usr/local/sbin/iptables-restore... + --set option deprecated, please use --match-set + --set option deprecated, please use --match-set + IPv4 Forwarding Enabled + ... + +3) Potential SELinux issues have been corrected. From Orion Poplawski. + +4.4.22 + +1) Under rare conditions, long port lists (>15 ports) could result in + the following failure when optimization level 4 was enabled. + + Use of uninitialized value in numeric gt (>) + at /usr/share/shorewall/Shorewall/Chains.pm line 1264. + + ERROR: Internal error in + Shorewall::Chains::decrement_reference_count at + /usr/share/shorewall/Shorewall/Chains.pm line 1264 + +2) All corrections included in Shorewall 4.4.21.1 (see below). + +---------------------------------------------------------------------------- + I I. K N O W N P R O B L E M S R E M A I N I N G +---------------------------------------------------------------------------- + +1) On systems running Upstart, shorewall-init cannot reliably secure + the firewall before interfaces are brought up. + +---------------------------------------------------------------------------- + I I I. N E W F E A T U R E S I N T H I S R E L E A S E +---------------------------------------------------------------------------- + +4.4.22.3 + +1) When 'shorewall update' or 'shorewall6 update' results in no change + to the .conf file, a message is issued, the .bak file is removed + and the command terminates without error. + +4.4.22 + +1) Three new parameterized standard actions are included in this release. + + Invalid - Packets in the INVALID connection tracking state + Broadcast - Broadcast and Multicast Packets + NotSyn - TCP packets that have the SYN flag set and all + other flags reset. + + The standard default Drop and Reject actions have been modified to + use these new actions. 
+ + Each accepts two parameters: + + a) Action to perform on matching packets. Must be ACCEPT, DROP or + REJECT. Default is DROP. + b) 'audit' flag. If 'audit', then the action will be audited. + + The new actions deprecate the following built-in actions: + + allowBcast - use Broadcast(ACCEPT) + allowInvalid - use Invalid(ACCEPT) + dropInvalid - use Invalid(DROP) + dropBroadcast - use Broadcast(DROP) + dropNotSyn - use NotSyn(DROP) + rejNotSyn - use NotSyn(REJECT) + +2) Up to this point, the Perl-based compiler has stored rules + internally in iptables/ip6tables command strings. This has + made the optimizing the ruleset difficult and has made the + optimizer the most defect-dense part of the code. + + This release marks to first step toward converting the compiler to + use an internal rule representation that is easier to optimize and + that is easy to convert to iptables/ip6tables commands effeciently. + + The parser still generates iptables/ip6table rules which are then + converted into the internal form. + +3) Optimize level 8 causes chains that are identical to another chain + to be deleted, and their references are replace by references to + the other chain. This can lead to confusion when looking at the + generated ruleset. For example, traffic going from the 'loc' zone + to the 'dmz' zone may now be passing through a chain named + 'wan2dmz'! + + To eliminate this confusion, the compiler now generates a + synthetic name for the combined chains, consisting of "~comb" + followed by an integer (e.g., "~comb1", "~comb2", etc.). + +---------------------------------------------------------------------------- + I V. R E L E A S E 4 . 4 H I G H L I G H T S +---------------------------------------------------------------------------- + +1) Support for Shorewall-shell has been discontinued. Shorewall-perl + has been combined with Shorewall-common to produce a single + Shorewall package. 
+ +2) Support for the "Hierarchical Fair Service Curve" (HFSC) queuing + discipline has been added. HFSC is superior to the "Hierarchical + Token Bucket" queuing discipline where realtime traffic such as + VOIP is being used. + + HTB remains the default queuing discipline. + +3) Support for the "flow" traffic classifier has been added. This + classifier can help prevent multi-connection applications such as + BitTorrent from using an unfair amount of bandwidth. + +4) The Shorewall documentation and man pages have been purged of + information about earlier Shorewall releases. The documentation + describes only the behavior of Shorewall 4.4 and later versions. + +5) The interfaces file OPTIONs have been extended to largely remove the + need for the hosts file. + +6) It is now possible to define PREROUTING and OUTPUT marking rules + that cause new connections to use the same provider as an existing + connection of the same kind. + +7) Dynamic Zone support is once again available for IPv4; ipset support is + required in your kernel and in iptables. + +8) A new AUTOMAKE option has been added to shorewall.conf and + shorewall6.conf. Setting this option will allow Shorewall to skip + the compilation phase during start/restart if no configuration + changes have occurred since the last start/restart. + +9) The LIMIT:BURST column in /etc/shorewall/policy + (/etc/shorewall6/policy) and the RATE LIMIT column in + /etc/shorewall/rules (/etc/shorewall6/rules) may now be used to + limit on a per source IP or per destination IP basis. + +10) Support for per-IP traffic shaping classes has been added. + +11) Support for netfilter's TRACE facility has been added. TRACE allows + you to trace selected packets through Netfilter, including marking + by tcrules. + +12) You may now preview the generated ruleset by using the '-r' option + to the 'check' command (e.g., "shorewall check -r"). + +13) A new simplified Traffic Shaping facility is now available. 
+ +14) Additional ruleset optimization options are available. + +15) TPROXY support has been added. + +16) Explicit support for Linux-vserver has been added. It is now + possible to define sub-zones of $FW. + +17) A 'Universal' sample configuration is now availale for a + 'plug-and-play' firewall. + +18) Support for the AUDIT iptables target has been added. + +19) Shorewall6 now supports ipsets. + +---------------------------------------------------------------------------- + V. M I G R A T I O N I S S U E S +---------------------------------------------------------------------------- +1) If you are currently using Shorewall-shell: + + a) In shorewall.conf, if you have specified + "SHOREWALL_COMPILER=shell" then you must either: + + - change that specification to "SHOREWALL_COMPILER=perl"; or + - change that specification to "SHOREWALL_COMPILER="; or + - delete the specification altogether. + + Failure to do so will result in the following warning: + + WARNING: SHOREWALL_COMPILER=shell ignored. Shorewall-shell + support has been removed in this release. + + b) Review the migration issues at + http://www.shorewall.net/LennyToSqueeze.html and make changes as + required. + + We strongly recommend that you migrate to Shorewall-perl on your + current Shorewall version before upgrading to Shorewall 4.4.0. That + way, you can have both Shorewall-shell and Shorewall-perl available + until you are certain that Shorewall-perl is working correctly for + you. + +2) The 'shorewall stop', 'shorewall clear', 'shorewall6 stop' and + 'shorewall6 clear' commands no longer read the 'routestopped' + file. The 'routestopped' file used is the one that was present at + the last 'start', 'restart' or 'restore' command. + + IMPORTANT: If you modify the routestopped file, you must refresh or + restart Shorewall before the changes to that file take effect. + +3) The old macro parameter syntax (e.g., SSH/ACCEPT) is now deprecated + in favor of the new syntax (e.g., SSH(ACCEPT)). 
The 4.4 documentation + uses the new syntax exclusively, although the old syntax + continues to be supported. + + The sample configurations also use the new syntax. + +4) Support for the SAME target in /etc/shorewall/masq and + /etc/shorewall/rules has been removed, following the removal of the + underlying support in the Linux kernel. + +5) Supplying an interface name in the SOURCE column of + /etc/shorewall/masq is now deprecated. Entering the name of an + interface there will result in a compile-time warning: + + WARNING: Using an interface as the masq SOURCE requires the + interface to be up and configured when Shorewall + starts/restarts + + To avoid this warning, replace interface names by the corresponding + network(s) in CIDR format (e.g., 192.168.144.0/24). + +6) Previously, Shorewall has treated traffic shaping class IDs as + decimal numbers (or pairs of decimal numbers). That worked fine + until IPMARK was implemented. IPMARK requires Shorewall to generate + class Ids in numeric sequence. In 4.3.9, that didn't work correctly + because Shorewall was generating the sequence "..8,9,10,11..." when + the correct sequence was "...8,9,a,b,...". Shorewall now treats + class IDs as hex, as do 'tc' and 'iptables'. + + This should only be an issue if you have more than 9 interfaces + defined in /etc/shorewall/tcdevices and if you use class IDs in + /etc/shorewall/tcrules or /etc/shorewall/tcfilters. You will need + to renumber the class IDs for devices 10 and greater. + +7) Support for the 'norfc1918' interface and host option has been + removed. If 'norfc1918' is specified for an entry in either the + interfaces or the hosts file, a warning is issued and the option is + ignored. Simply remove the option to avoid the warning. + + Similarly, if RFC1918_STRICT=Yes or a non-empty RFC1918_LOG_LEVEL + is given in shorewall.conf, a warning will be issued and the option + will be ignored. 
+ + You may simply delete the RFC1918-related options from your + shorewall.conf file if you are seeing warnings regarding them. + + Users who currently use 'norfc1918' are encouraged to consider + using NULL_ROUTE_RFC1918=Yes instead. + +8) The install.sh scripts in the Shorewall and Shorewall6 packages no + longer create a backup copy of the existing configuration. If you + want your configuration backed up prior to upgrading, you will + need to do that yourself. + + As part of this change, the fallback.sh scripts are no longer + released. + +9) In earlier releases, if an ipsec zone was defined as a sub-zone of + an ipv4 or ipv6 zone using the special <child>:<parent>,... syntax, + CONTINUE policies for the sub-zone did not work as + expected. Traffic that was not matched by a sub-zone rule was not + compared against the parent zone(s) rules. + + In 4.4.0, such traffic IS compared against the parent zone rules. + +10) The name 'any' is now reserved and may not be used as a zone name. + +11) Perl module initialization has changed in Shorewall + 4.4.1. Previously, each Shorewall Perl package would initialize its + global variables for IPv4 in an INIT block. Then, if the + compilation turned out to be for IPv6, + Shorewall::Compiler::compiler() would reinitialize them for IPv6. + + Beginning in Shorewall 4.4.1, the modules do not initialize + themselves in an INIT block. So if you use Shorewall modules + outside of the Shorewall compilation environment, then you must + explicitly call the module's 'initialize' function after the module + has been loaded. + +12) Checking for zone membership has been tighened up. Previously, + a zone could contain <interface>:0.0.0.0/0 along with other hosts; + now, if the zone has <interface>:0.0.0.0/0 (even with exclusions), + then it may have no additional members in /etc/shorewall/hosts. + +13) ADD_IP_ALIASES=No is now the setting in the released shorewall.conf + and in all of the samples. 
This will not affect you during upgrade + unless you choose to replace your current shorewall.conf with the + one from the release (not recommended). + +14) The names of interface configuration variables in generated scripts + have been changed to insure uniqueness. These names now begin with + SW_. + + This change will only affect you if your extension scripts are + using one or more of these variables. + + Old Variable Name New Variable Name + ----------------------------------------------------- + iface_ADDRESS SW_iface_ADDRESS + iface_BCASTS SW_iface_BCASTS + iface_ACASTS SW_iface_ACASTS + iface_GATEWAY SW_iface_GATEWAY + iface_ADDRESSES SW_iface_ADDRESSES + iface_NETWORKS SW_iface_NETWORKS + iface_MAC SW_iface_MAC + + provider_IS_USABLE SW_provider_IS_USABLE + + where 'iface' is a capitalized interface name (e.g., ETH0) and + 'provider' is the capitalized name of a provider. + +15) Support for the OPTIONS column in /etc/shorewall/blacklist + (/etc/shorewall6/blacklist) has been removed. Blacklisting by + destination IP address will be included in a later Shorewall + release. + +16) If your /etc/shorewall/params (or /etc/shorewall6/params) file + sends output to Standard Output, you need to be aware that the + output will be redirected to Standard Error beginning with + Shorewall 4.4.16. + +17) Beginning with Shorewall 4.4.17, the EXPORTPARAMS option is + deprecated. With EXPORTPARAMS=No, the variables set by + /etc/shorewall/params (/etc/shorewall6/params) at compile time are + now available in the compiled firewall script. + +---------------------------------------------------------------------------- +V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S + I N P R I O R R E L E A S E S +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 4 . 
2 1 +---------------------------------------------------------------------------- + +4.4.21.1 + +1) A harmless Perl runtime "uninitialized variable" diagnostic has + been eliminated from the compiler. The diagnostic was issued while + displaying the capabilities. + +2) As the result of a typo, an orphan filter chain named FORWAR could + be created under rare circumstances. This chain was deleted by + OPTIMIZE level 4. + +3) The SNAT options --persistent and --randomize now work properly + (/etc/shorewall/masq). + +4) The LOGMARK log level was previously generated invalid iptables + input making it unusable. That has been corrected. + + The syntax for LOGMARK is now: + + LOGMARK(<priority>) + + where <priority> is a syslog priority (1-7 or debug, info, notice, + etc.). + + Example rule: + + #ACTION SOURCE DEST PROTO DEST + # PORT(S) + LOG:LOGMARK(info) lan dmz udp 1234 + +4.4.21 + +1) All problems corrections included in Shorewall 4.4.20.1 - 4.4.20.3 + (see below). + +2) The following error message + + FOREWARD_CLEAR_MARK=Yes requires MARK Target in your kernel + and iptables + + has been corrected to read + + FORWARD_CLEAR_MARK=Yes requires MARK Target in your kernel + and iptables + +3) The TPROXY target in the tcrules file could previously cause a + failure during iptables restore like this: + + Running /usr/sbin/iptables-restore... + Bad argument `3128' + Error occurred at line: 110 + Try `iptables-restore -h' or 'iptables-restore --help' for more + information. + + ERROR: iptables-restore Failed. Input is in + /var/lib/shorewall/.iptables-restore-input + +4) The 'balance' and 'fallback' options in /etc/shorewall/providers + have always been mutually exclusive but the compiler previously + didn't enforce that restriction. Now it does. + +1) AUTOMAKE=Yes now causes all directories on the CONFIG_PATH to be + searched for files newer than the script that last + started/restarted the firewall. Previously, only /etc/shorewall + (/etc/shorewall6) was searched. 
+ +2) FORMAT-2 actions may now specify default parameter values using the + DEFAULTS directive. + + DEFAULTS <def1>,<def2>,... + + Where <def1> is the default value for the first parameter, <def2> + is the default value for the second parameter and so on. To specify + an empty default, use '-'. + + The DEFAULTS directive also determines the maximum number of + parameters that an action may have. If more parameters are passed + than have default values, an error message is issued. + +3) Parameterized macros may now specify a default parameter value + using the DEFAULT directive. + + DEFAULT <default> + + Example macro.Foo -- by default, accepts connections on ficticous + tcp port 'foo'. + + DEFAULT ACCEPT + PARAM - - tcp foo + +4) The standard Drop and Reject actions are now parameterized. Each + has 5 parameters: + + 1) Pass 'audit' if you want all ACCEPTs, DROPs and REJECTs audited. + Pass '-' otherwise. + + 2) The action to be applied to Auth requests: + + FIRST PARAMETER DEFAULT + + - REJECT + audit A_REJECT + + 3) The action to be applied to SMB traffic. The default depends on + the action and its first parameter: + + ACTION FIRST PARAMETER DEFAULT + + Reject - REJECT + Drop - DROP + Reject audit A_REJECT + Drop audit A_DROP + + 4) The action to be applied to accepted ICMP packets. + + FIRST PARAMETER DEFAULT + + - ACCEPT + audit A_ACCEPT + + 5) The action to be applied to UPnP (udp port 1900) and late DNS + replies (udp source port 53) + + FIRST PARAMETER DEFAULT + + - DROP + audit A_DROP + + The parameters can be passed in the POLICY column of the policy + file. + + Examples: + + SOURCE DEST POLICY + net all DROP:Drop(audit):audit #Same as + #DROP:A_DROP:audit + + SOURCE DEST POLICY + net all DROP:Drop(-,DROP) #DROP rather than REJECT Auth + + The parameters can also be specified in shorewall.conf: + + Example: + + DROP_DEFAULT=Drop(-,DROP) + +5) An 'update' command has been added to /sbin/shorewall and + /sbin/shorewall6. 
The command updates the shorewall.conf + (shorewall6.conf) file then validates the configuration. The + updated file will set any options not specified in the old file + with their default values, and will move any deprecated options + with non-default values to a 'deprecated options' section at the + end of the file. Each such deprecated option will generate a + warning message. + + Your original shorewall.conf (shorewall6.conf) file will be saved as + shorewall.conf.bak (shorewall6.conf.bak). + + The 'update' command accepts the same options as the 'check' + command plus a '-a' option that causes the updated file to be + annotated with manpage documentation. + +6) Shorewall6 now supports ipsets. + + Unlike iptables, which has separate configurations for IPv4 and + IPv6, ipset has a single configuration that handles both. This + means the SAVE_IPSETS=Yes in shorewall.conf or shorewall6.conf + won't work correctly. To work around this issue, Shorewall-init is + now capable restoring ipset contents during 'start' and saving them + during 'stop'. + + To direct Shorewall-init to save/restore ipset contents, set the + SAVE_IPSETS option in /etc/sysconfig/shorewall-init + (/etc/default/shorewall-init on Debian and derivatives). The value + of the option is a file name where the contents of the ipsets will + be saved to and restored from. Shorewall-init will create any + parent directories during the first 'save' operation. + + If you configure Shorewall-init to save/restore ipsets, be sure to + set SAVE_IPSETS=No in shorewall.conf and shorewall6.conf. + + As part of this change, Shorewall and Shorewall6 will only restore + saved ipsets if SAVE_IPSETS=Yes in shorewall.conf + (shorewall6.conf). + +7) Shorewall6 now supports dynamic zones: + + 1) The nets=dynamic option is allowed in /etc/shorewall6/interfaces + 2) The HOSTS column of /etc/shorewall6/hosts may now contain + <interface>:dynamic. + 3) /sbin/shorewall6 now supports the 'add' and 'delete' commands. 
+ +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 4 . 2 0 +---------------------------------------------------------------------------- + 4.4.20.3 1) Deprecated options have been removed from the .conf files. @@ -88,6 +670,10 @@ 4.4.20 +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 4 . 2 1 +---------------------------------------------------------------------------- + 1) Previously, when a device number was explicitly specified in /etc/shorewall/tcdevices, all unused numbers less than the one specified were unavailable for allocation to following entries that @@ -117,14 +703,7 @@ are also included in this release. ---------------------------------------------------------------------------- - I I. K N O W N P R O B L E M S R E M A I N I N G ----------------------------------------------------------------------------- - -1) On systems running Upstart, shorewall-init cannot reliably secure - the firewall before interfaces are brought up. - ----------------------------------------------------------------------------- - I I I. N E W F E A T U R E S I N T H I S R E L E A S E + N E W F E A T U R E S I N 4 . 4 . 2 0 ---------------------------------------------------------------------------- 1) The implementation of the environmental variables LIBEXEC and @@ -242,7 +821,7 @@ and modify them to only audit the packets that you care about. 6) Up to this release, the behaviors of 'start -f' and 'restart -f' - has been inconsistent. The 'start -f' command compares the + have been inconsistent. The 'start -f' command compares the modification times of /etc/shorewall[6] with /var/lib/shorewall[6]/restore while 'restart -f' compares with /var/lib/shorewall[6]/firewall. 
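Review bot: the 'N E W  F E A T U R E S  I N  4 . 4 . 2 1' banner added by the @@ -88,6 +670,10 @@ hunk lands directly after the '4.4.20' subheading of the problems-corrected section and ahead of the tcdevices item ('1) Previously, when a device number was explicitly specified ...'), while the actual 4.4.21 feature list, which starts '1) AUTOMAKE=Yes now causes all directories on the CONFIG_PATH ...', follows '4) The balance and fallback options ...' with no banner at all. Move the banner so it sits between the 4.4.21 problems-corrected items and the AUTOMAKE item; as written the headings no longer match the content below them.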
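Review bot: the migration-issues text carried over in the first hunk keeps its old typos, and since every one of those lines is being rewritten as a '+' line anyway this is the place to fix them: 'tighened up' in item 12 (tightened), 'to insure uniqueness' in item 14 (ensure), 'ficticous tcp port' in the 4.4.21 DEFAULT macro example (fictitious), and '4) The LOGMARK log level was previously generated invalid iptables input' under 4.4.21.1 (drop 'was').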
@@ -332,239 +911,9 @@ loc br1 - sfilter=2001:470:b:227::40/124 ---------------------------------------------------------------------------- - I V. R E L E A S E 4 . 4 H I G H L I G H T S ----------------------------------------------------------------------------- - -1) Support for Shorewall-shell has been discontinued. Shorewall-perl - has been combined with Shorewall-common to produce a single - Shorewall package. - -2) Support for the "Hierarchical Fair Service Curve" (HFSC) queuing - discipline has been added. HFSC is superior to the "Hierarchical - Token Bucket" queuing discipline where realtime traffic such as - VOIP is being used. - - HTB remains the default queuing discipline. - -3) Support for the "flow" traffic classifier has been added. This - classifier can help prevent multi-connection applications such as - BitTorrent from using an unfair amount of bandwidth. - -4) The Shorewall documentation and man pages have been purged of - information about earlier Shorewall releases. The documentation - describes only the behavior of Shorewall 4.4 and later versions. - -5) The interfaces file OPTIONs have been extended to largely remove the - need for the hosts file. - -6) It is now possible to define PREROUTING and OUTPUT marking rules - that cause new connections to use the same provider as an existing - connection of the same kind. - -7) Dynamic Zone support is once again available for IPv4; ipset support is - required in your kernel and in iptables. - -8) A new AUTOMAKE option has been added to shorewall.conf and - shorewall6.conf. Setting this option will allow Shorewall to skip - the compilation phase during start/restart if no configuration - changes have occurred since the last start/restart. - -9) The LIMIT:BURST column in /etc/shorewall/policy - (/etc/shorewall6/policy) and the RATE LIMIT column in - /etc/shorewall/rules (/etc/shorewall6/rules) may now be used to - limit on a per source IP or per destination IP basis. 
- -10) Support for per-IP traffic shaping classes has been added. - -11) Support for netfilter's TRACE facility has been added. TRACE allows - you to trace selected packets through Netfilter, including marking - by tcrules. - -12) You may now preview the generated ruleset by using the '-r' option - to the 'check' command (e.g., "shorewall check -r"). - -13) A new simplified Traffic Shaping facility is now available. - -14) Additional ruleset optimization options are available. - -15) TPROXY support has been added. - -16) Explicit support for Linux-vserver has been added. It is now - possible to define sub-zones of $FW. - -17) A 'Universal' sample configuration is now availale for a - 'plug-and-play' firewall. - -18) Support for the AUDIT iptables target has been added. - ----------------------------------------------------------------------------- - V. M I G R A T I O N I S S U E S ----------------------------------------------------------------------------- -1) If you are currently using Shorewall-shell: - - a) In shorewall.conf, if you have specified - "SHOREWALL_COMPILER=shell" then you must either: - - - change that specification to "SHOREWALL_COMPILER=perl"; or - - change that specification to "SHOREWALL_COMPILER="; or - - delete the specification altogether. - - Failure to do so will result in the following warning: - - WARNING: SHOREWALL_COMPILER=shell ignored. Shorewall-shell - support has been removed in this release. - - b) Review the migration issues at - http://www.shorewall.net/LennyToSqueeze.html and make changes as - required. - - We strongly recommend that you migrate to Shorewall-perl on your - current Shorewall version before upgrading to Shorewall 4.4.0. That - way, you can have both Shorewall-shell and Shorewall-perl available - until you are certain that Shorewall-perl is working correctly for - you. - -2) The 'shorewall stop', 'shorewall clear', 'shorewall6 stop' and - 'shorewall6 clear' commands no longer read the 'routestopped' - file. 
The 'routestopped' file used is the one that was present at - the last 'start', 'restart' or 'restore' command. - - IMPORTANT: If you modify the routestopped file, you must refresh or - restart Shorewall before the changes to that file take effect. - -3) The old macro parameter syntax (e.g., SSH/ACCEPT) is now deprecated - in favor of the new syntax (e.g., SSH(ACCEPT)). The 4.4 documentation - uses the new syntax exclusively, although the old syntax - continues to be supported. - - The sample configurations also use the new syntax. - -4) Support for the SAME target in /etc/shorewall/masq and - /etc/shorewall/rules has been removed, following the removal of the - underlying support in the Linux kernel. - -5) Supplying an interface name in the SOURCE column of - /etc/shorewall/masq is now deprecated. Entering the name of an - interface there will result in a compile-time warning: - - WARNING: Using an interface as the masq SOURCE requires the - interface to be up and configured when Shorewall - starts/restarts - - To avoid this warning, replace interface names by the corresponding - network(s) in CIDR format (e.g., 192.168.144.0/24). - -6) Previously, Shorewall has treated traffic shaping class IDs as - decimal numbers (or pairs of decimal numbers). That worked fine - until IPMARK was implemented. IPMARK requires Shorewall to generate - class Ids in numeric sequence. In 4.3.9, that didn't work correctly - because Shorewall was generating the sequence "..8,9,10,11..." when - the correct sequence was "...8,9,a,b,...". Shorewall now treats - class IDs as hex, as do 'tc' and 'iptables'. - - This should only be an issue if you have more than 9 interfaces - defined in /etc/shorewall/tcdevices and if you use class IDs in - /etc/shorewall/tcrules or /etc/shorewall/tcfilters. You will need - to renumber the class IDs for devices 10 and greater. - -7) Support for the 'norfc1918' interface and host option has been - removed. 
If 'norfc1918' is specified for an entry in either the - interfaces or the hosts file, a warning is issued and the option is - ignored. Simply remove the option to avoid the warning. - - Similarly, if RFC1918_STRICT=Yes or a non-empty RFC1918_LOG_LEVEL - is given in shorewall.conf, a warning will be issued and the option - will be ignored. - - You may simply delete the RFC1918-related options from your - shorewall.conf file if you are seeing warnings regarding them. - - Users who currently use 'norfc1918' are encouraged to consider - using NULL_ROUTE_RFC1918=Yes instead. - -8) The install.sh scripts in the Shorewall and Shorewall6 packages no - longer create a backup copy of the existing configuration. If you - want your configuration backed up prior to upgrading, you will - need to do that yourself. - - As part of this change, the fallback.sh scripts are no longer - released. - -9) In earlier releases, if an ipsec zone was defined as a sub-zone of - an ipv4 or ipv6 zone using the special <child>:<parent>,... syntax, - CONTINUE policies for the sub-zone did not work as - expected. Traffic that was not matched by a sub-zone rule was not - compared against the parent zone(s) rules. - - In 4.4.0, such traffic IS compared against the parent zone rules. - -10) The name 'any' is now reserved and may not be used as a zone name. - -11) Perl module initialization has changed in Shorewall - 4.4.1. Previously, each Shorewall Perl package would initialize its - global variables for IPv4 in an INIT block. Then, if the - compilation turned out to be for IPv6, - Shorewall::Compiler::compiler() would reinitialize them for IPv6. - - Beginning in Shorewall 4.4.1, the modules do not initialize - themselves in an INIT block. So if you use Shorewall modules - outside of the Shorewall compilation environment, then you must - explicitly call the module's 'initialize' function after the module - has been loaded. - -12) Checking for zone membership has been tighened up. 
Previously, - a zone could contain <interface>:0.0.0.0/0 along with other hosts; - now, if the zone has <interface>:0.0.0.0/0 (even with exclusions), - then it may have no additional members in /etc/shorewall/hosts. - -13) ADD_IP_ALIASES=No is now the setting in the released shorewall.conf - and in all of the samples. This will not affect you during upgrade - unless you choose to replace your current shorewall.conf with the - one from the release (not recommended). - -14) The names of interface configuration variables in generated scripts - have been changed to insure uniqueness. These names now begin with - SW_. - - This change will only affect you if your extension scripts are - using one or more of these variables. - - Old Variable Name New Variable Name - ----------------------------------------------------- - iface_ADDRESS SW_iface_ADDRESS - iface_BCASTS SW_iface_BCASTS - iface_ACASTS SW_iface_ACASTS - iface_GATEWAY SW_iface_GATEWAY - iface_ADDRESSES SW_iface_ADDRESSES - iface_NETWORKS SW_iface_NETWORKS - iface_MAC SW_iface_MAC - - provider_IS_USABLE SW_provider_IS_USABLE - - where 'iface' is a capitalized interface name (e.g., ETH0) and - 'provider' is the capitalized name of a provider. - -15) Support for the OPTIONS column in /etc/shorewall/blacklist - (/etc/shorewall6/blacklist) has been removed. Blacklisting by - destination IP address will be included in a later Shorewall - release. - -16) If your /etc/shorewall/params (or /etc/shorewall6/params) file - sends output to Standard Output, you need to be aware that the - output will be redirected to Standard Error beginning with - Shorewall 4.4.16. - -17) Beginning with Shorewall 4.4.17, the EXPORTPARAMS option is - deprecated. With EXPORTPARAMS=No, the variables set by - /etc/shorewall/params (/etc/shorewall6/params) at compile time are - now available in the compiled firewall script. - ----------------------------------------------------------------------------- -V I. 
P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S - I N P R I O R R E L E A S E S ----------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 9 ---------------------------------------------------------------------------- + 4.4.19.4 1) Previously, the compiler would allow a degenerate entry (only the @@ -3573,7 +3922,7 @@ 8) The generated script now uses iptables[6]-restore to instantiate the Netfilter ruleset during processing of the 'stop' command. As a - consequence, the 'critical' option in /etc/shorewall/route_stopped + consequence, the 'critical' option in /etc/shorewall/routestopped is no longer needed and will result in a warning. 9) A new AUTOMAKE option has been added to shorewall.conf and diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.4.20.3/shorewall-init.spec new/shorewall-init-4.4.22.3/shorewall-init.spec --- old/shorewall-init-4.4.20.3/shorewall-init.spec 2011-06-14 16:40:07.000000000 +0200 +++ new/shorewall-init-4.4.22.3/shorewall-init.spec 2011-08-20 16:23:35.000000000 +0200 @@ -1,5 +1,5 @@ %define name shorewall-init -%define version 4.4.20 +%define version 4.4.22 %define release 3 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). 
@@ -119,10 +119,34 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Sun Jun 12 2011 Tom Eastep tom@shorewall.net -- Updated to 4.4.20-3 +* Wed Aug 10 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.22-3 +* Wed Aug 03 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.22-2 +* Tue Aug 02 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.22-1 +* Sat Jul 30 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.22-0base +* Sat Jul 30 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.22-0RC2 +* Fri Jul 22 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.22-0RC1 +* Thu Jul 21 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.22-0Beta3 +* Mon Jul 18 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.22-0Beta2 +* Mon Jul 04 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.22-0Beta1 +* Wed Jun 29 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.21-0base +* Thu Jun 23 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.21-0RC1 +* Sun Jun 19 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.21-0Beta3 +* Sat Jun 18 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.21-0Beta2 * Tue Jun 07 2011 Tom Eastep tom@shorewall.net -- Updated to 4.4.20-2 +- Updated to 4.4.21-0Beta1 * Mon Jun 06 2011 Tom Eastep tom@shorewall.net - Updated to 4.4.20-1 * Tue May 31 2011 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.4.20.3/sysconfig new/shorewall-init-4.4.22.3/sysconfig --- old/shorewall-init-4.4.20.3/sysconfig 2011-06-14 16:40:07.000000000 +0200 +++ new/shorewall-init-4.4.22.3/sysconfig 2011-08-20 16:00:07.000000000 +0200 
@@ -10,3 +10,9 @@ # ifup/ifdown and NetworkManager events # IFUPDOWN=0 +# +# Set this to the name of the file that is to hold +# ipset contents. Shorewall-init will load those ipsets +# during 'start' and will save them there during 'stop'. +# +SAVE_IPSETS="" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.4.20.3/uninstall.sh new/shorewall-init-4.4.22.3/uninstall.sh --- old/shorewall-init-4.4.20.3/uninstall.sh 2011-06-14 16:40:07.000000000 +0200 +++ new/shorewall-init-4.4.22.3/uninstall.sh 2011-08-20 16:23:35.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.20.3 +VERSION=4.4.22.3 usage() # $1 = exit status { ++++++ shorewall-lite-4.4.20.3.tar.bz2 -> shorewall-lite-4.4.22.3.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.20.3/changelog.txt new/shorewall-lite-4.4.22.3/changelog.txt --- old/shorewall-lite-4.4.20.3/changelog.txt 2011-06-14 16:40:25.000000000 +0200 +++ new/shorewall-lite-4.4.22.3/changelog.txt 2011-08-20 16:23:35.000000000 +0200 
@@ -1,20 +1,105 @@ -Changes in Shorewall 4.4.20.3 +Changes in 4.4.22.3 -1) Remove deprecated options from the .conf files. +1) Eliminate Perl diagnostics when CONNTRACK_MATCH is not available. -2) Exempt wildcard interfaces from sfilter. +2) Eliminate Perl diagnostics when MANGLE_FORWARD is not available. -Changes in Shorewall 4.4.20.2 +3) Unlink .bak file when no change to shorewall[6].conf. -1) Reject degenerate tcpri entries. +4) Correct handling of Providers with interfaces derived from wildcards. -2) Correct tc defect. +Changes in 4.4.22.2 -3) Apply sfilters to INPUT traffic. +1) Include header match in DNAT/REDIRECT rules. -4) Exclude ipsec traffic from sfilter. +2) Fix generation of state match on old distributions. -5) Fix an interesting defect. +3) Place $SHOREWALL_SHELL in shebang line. + +Changes in 4.4.22.1 + +1) Correct handling of zone names beginning with 'all'. + +2) Correct detection of OLD_IPSET_MATCH when LOAD_HELPERS_ONLY=No. + +3) Apply Orion Poplawski's SELinux patch. + +Changes in Shorewall 4.4.22 Final + +1) Update release documents + +Changes in Shorewall 4.4.22 RC 2 + +1) Avoid undefined reference in Shorewall::Rules::save_policies. + +Changes in Shorewall 4.4.22 RC 1 + +1) Correct combined port defect. + +2) Correct numerous problems reported by Steven Springl. + +Changes in Shorewall 4.4.22 Beta 3 + +1) Continue to implement and refine the new rule interface. + +2) Rename chains combined with other chains by optimize 8. + +Changes in Shorewall 4.4.22 Beta 2 + +1) Continue to implement the new rule interface in other modules. + +Changes in Shorewall 4.4.22 Beta 1 + +1) Convert most built-in actions to standard actions. + +2) Implement structured rule representation. + +Changes in Shorewall 4.4.21 Final + +1) Correct code generated by TPROXY. + +2) Make 'fallback' and 'balance' mutually exclusive. 
+ +3) Generate error if too many parameters to a function with DEFAULT + +4) Prepare for more parameterized actions + +5) Fix parameter push/pop in process_action() + +6) Add comment push/pop in process_action() + +Changes in Shorewall 4.4.21 RC 1 + +1) Fix empty parameter lists in _DEFAULT settings. + +2) Correct FOREWARD_CLEAR_MARK -> FORWARD_CLEAR_MARK in an error + message. + +3) Use updated config in verification during upgrade. + +Changes in Shorewall 4.4.21 Beta 3 + +1) Shorewall-init can now save/restore ipsets. + +2) Correct handling of DEFAULTS in non-action contexts. + +3) Rename read_action_param and change signature. + +4) Add DEFAULT to macro files. + +Changes in Shorewall 4.4.21 Beta 2 + +1) Implement the 'update' command. + +Changes in Shorewall 4.4.21 Beta 1 + +1) IPSET support in Shorewall6. + +2) Make AUTOMAKE follow CONFIG_PATH + +3) Default values for action parameters. + +4) Parameterize Drop and Reject actions. Changes in Shorewall 4.4.20.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.20.3/install.sh new/shorewall-lite-4.4.22.3/install.sh --- old/shorewall-lite-4.4.20.3/install.sh 2011-06-14 16:40:07.000000000 +0200 +++ new/shorewall-lite-4.4.22.3/install.sh 2011-08-20 16:23:35.000000000 +0200 @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.20.3 +VERSION=4.4.22.3 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.20.3/lib.base new/shorewall-lite-4.4.22.3/lib.base --- old/shorewall-lite-4.4.20.3/lib.base 2011-06-14 16:40:25.000000000 +0200 +++ new/shorewall-lite-4.4.22.3/lib.base 2011-08-20 16:23:35.000000000 +0200 @@ -1,4 +1,3 @@ -#!/bin/sh # # Shorewall 4.4 -- /usr/share/shorewall/lib.base # 
@@ -29,7 +28,7 @@ # SHOREWALL_LIBVERSION=40407 -SHOREWALL_CAPVERSION=40417 +SHOREWALL_CAPVERSION=40421 [ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.20.3/lib.cli new/shorewall-lite-4.4.22.3/lib.cli --- old/shorewall-lite-4.4.20.3/lib.cli 2011-06-14 16:40:25.000000000 +0200 +++ new/shorewall-lite-4.4.22.3/lib.cli 2011-08-20 16:23:35.000000000 +0200 @@ -1,4 +1,3 @@ -#!/bin/sh # # Shorewall 4.4 -- /usr/share/shorewall/lib.cli. # @@ -339,7 +338,7 @@ # # Don't save an 'empty' file # - grep -q '^-N' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets + grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets fi fi ;; @@ -399,6 +398,11 @@ heading "Table $table:" ip route list table $table done + + if [ -n "$g_routecache" ]; then + heading "Route Cache" + ip -4 route list cache + fi else heading "Routing Table" ip route list @@ -422,7 +426,9 @@ [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located" - sets=$(find_sets $1) + sets=$(ipset -L -n | grep '^$1_'); + + [ -n "$sets" ] || sets=$(find_sets $1) for setname in $sets; do echo "${setname#${1}_}:" @@ -535,6 +541,10 @@ g_ipt_options1="--line-numbers" option=${option#l} ;; + c*) + g_routecache=Yes + option=${option#c} + ;; *) usage 1 ;; @@ -913,6 +923,10 @@ g_ipt_options1="--line-numbers" option=${option#l} ;; + c*) + g_routecache=Yes + option=${option#c} + ;; *) usage 1 ;; @@ -1670,6 +1684,7 @@ OWNER_MATCH= IPSET_MATCH= OLD_IPSET_MATCH= + IPSET_V5= CONNMARK= XCONNMARK= CONNMARK_MATCH= 
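Review bot: the new lookup in the @@ -422,7 +426,9 @@ hunk, 'sets=$(ipset -L -n | grep '^$1_');', can never match anything: the single quotes stop $1 from expanding, so grep is handed the literal pattern '^$1_', 'sets' is always empty, and the code falls through to 'find_sets $1' on every call, which makes the ipset-listing path this hunk introduces dead code. Use double quotes, 'sets=$(ipset -L -n | grep "^${1}_")', and drop the stray trailing semicolon. Note also that on the older ipset 4.x utility '-n' is --numeric rather than name-only listing, so there the pipe sees full set contents; the '^${1}_' anchor keeps the 'Name:' and member lines out, but that assumption deserves a comment next to the fallback.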
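Review bot: the two option-parser hunks (@@ -535,6 +541,10 @@ and @@ -913,6 +923,10 @@) add a 'c*' case that sets g_routecache=Yes, which the @@ -399,6 +398,11 @@ hunk uses to print 'ip -4 route list cache' under a 'Route Cache' heading, but none of the hunks shown update the usage text or the shorewall-lite.8 man page (its hunk in this patch changes only the date), so the option is invisible to users. Document it next to the existing 'l' (--line-numbers) option, naming the commands it applies to, and initialise 'g_routecache=' with the other g_ variables so a value inherited from the environment cannot switch it on.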
@@ -1815,7 +1830,16 @@ if qt mywhich ipset; then qt ipset -X $chain # Just in case something went wrong the last time - if qt ipset -N $chain iphash ; then + local have_ipset + + if qt ipset -N $chain hash:ip family inet; then + IPSET_V5=Yes + have_ipset=Yes + elif qt ipset -N $chain iphash ; then + have_ipset=Yes + fi + + if [ -n "$have_ipset" ]; then if qt $IPTABLES -A $chain -m set --match-set $chain src -j ACCEPT; then qt $IPTABLES -D $chain -m set --match-set $chain src -j ACCEPT IPSET_MATCH=Yes @@ -1857,7 +1881,17 @@ [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes CAPVERSION=$SHOREWALL_CAPVERSION - KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g')) + + KERNELVERSION=$(uname -r 2> /dev/null | sed -e 's/-.*//') + + case "$KERNELVERSION" in + *.*.*) + KERNELVERSION=$(printf "%d%02d%02d" $(echo $KERNELVERSION | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g')) + ;; + *) + KERNELVERSION=$(printf "%d%02d00" $(echo $KERNELVERSION | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g')) + ;; + esac } report_capabilities() { @@ -1930,6 +1964,7 @@ report_capability "Header Match" $HEADER_MATCH report_capability "ACCOUNT Target" $ACCOUNT_TARGET report_capability "AUDIT Target" $AUDIT_TARGET + report_capability "ipset V5" $IPSET_V5 fi [ -n "$PKTTYPE" ] || USEPKTTYPE= @@ -1998,6 +2033,7 @@ report_capability1 HEADER_MATCH report_capability1 ACCOUNT_TARGET report_capability1 AUDIT_TARGET + report_capability1 IPSET_V5 echo CAPVERSION=$SHOREWALL_CAPVERSION echo KERNELVERSION=$KERNELVERSION diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.20.3/lib.common new/shorewall-lite-4.4.22.3/lib.common --- old/shorewall-lite-4.4.20.3/lib.common 2011-06-14 16:40:25.000000000 +0200 +++ new/shorewall-lite-4.4.22.3/lib.common 2011-08-20 16:23:35.000000000 +0200 
@@ -1,4 +1,3 @@ -#!/bin/sh # # Shorewall 4.4 -- /usr/share/shorewall/lib.common. # @@ -164,12 +163,21 @@ "$@" >/dev/null 2>&1 } +# +# Suppress all output and input - mainly for preventing leaked file descriptors +# to avoid SELinux denials +# +qtnoin() +{ + "$@" </dev/null >/dev/null 2>&1 +} + qt1() { local status while [ 1 ]; do - "$@" >/dev/null 2>&1 + "$@" </dev/null >/dev/null 2>&1 status=$? [ $status -ne 4 ] && return $status done @@ -179,7 +187,7 @@ # Determine if Shorewall is "running" # shorewall_is_started() { - qt $IPTABLES -L shorewall -n + qt1 $IPTABLES -L shorewall -n } # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.20.3/manpages/shorewall-lite-vardir.5 new/shorewall-lite-4.4.22.3/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-4.4.20.3/manpages/shorewall-lite-vardir.5 2011-06-14 16:42:37.000000000 +0200 +++ new/shorewall-lite-4.4.22.3/manpages/shorewall-lite-vardir.5 2011-08-20 16:28:46.000000000 +0200 
@@ -1,13 +1,13 @@ '\" t .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] -.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 06/14/2011 +.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/> +.\" Date: 08/20/2011 .\" Manual: [FIXME: manual] .\" Source: [FIXME: source] .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "06/14/2011" "[FIXME: source]" "[FIXME: manual]" +.TH "SHOREWALL\-LITE\-VAR" "5" "08/20/2011" "[FIXME: source]" "[FIXME: manual]" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.20.3/manpages/shorewall-lite.8 new/shorewall-lite-4.4.22.3/manpages/shorewall-lite.8 --- old/shorewall-lite-4.4.20.3/manpages/shorewall-lite.8 2011-06-14 16:42:39.000000000 +0200 +++ new/shorewall-lite-4.4.22.3/manpages/shorewall-lite.8 2011-08-20 16:28:48.000000000 +0200 
@@ -1,13 +1,13 @@ '\" t .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] -.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 06/14/2011 +.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/> +.\" Date: 08/20/2011 .\" Manual: [FIXME: manual] .\" Source: [FIXME: source] .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "06/14/2011" "[FIXME: source]" "[FIXME: manual]" +.TH "SHOREWALL\-LITE" "8" "08/20/2011" "[FIXME: source]" "[FIXME: manual]" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.20.3/manpages/shorewall-lite.conf.5 new/shorewall-lite-4.4.22.3/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-4.4.20.3/manpages/shorewall-lite.conf.5 2011-06-14 16:42:38.000000000 +0200 +++ new/shorewall-lite-4.4.22.3/manpages/shorewall-lite.conf.5 2011-08-20 16:28:44.000000000 +0200 
@@ -1,13 +1,13 @@ '\" t .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] -.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 06/14/2011 +.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/> +.\" Date: 08/20/2011 .\" Manual: [FIXME: manual] .\" Source: [FIXME: source] .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "06/14/2011" "[FIXME: source]" "[FIXME: manual]" +.TH "SHOREWALL\-LITE\&.CO" "5" "08/20/2011" "[FIXME: source]" "[FIXME: manual]" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.20.3/modules.ipset new/shorewall-lite-4.4.22.3/modules.ipset --- old/shorewall-lite-4.4.20.3/modules.ipset 2011-06-14 16:40:25.000000000 +0200 +++ new/shorewall-lite-4.4.22.3/modules.ipset 2011-08-20 16:23:35.000000000 +0200 @@ -13,6 +13,7 @@ # copy. # ############################################################################### +loadmodule xt_set loadmodule ip_set loadmodule ip_set_iphash loadmodule ip_set_ipmap diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.20.3/releasenotes.txt new/shorewall-lite-4.4.22.3/releasenotes.txt --- old/shorewall-lite-4.4.20.3/releasenotes.txt 2011-06-14 16:40:25.000000000 +0200 +++ new/shorewall-lite-4.4.22.3/releasenotes.txt 2011-08-20 16:23:35.000000000 +0200 @@ -1,5 +1,5 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 4 . 20 . 3 + S H O R E W A L L 4 . 4 . 2 2 . 3 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -13,6 +13,588 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- +4.4.22.3 + +1) On older distributions where 'shorewall show capabilities' + indicates 'Connection Tracking Match: Not Available', harmless Perl + diagnostics like the following could be issued: + + Use of uninitialized value $list in pattern match (m//) + at /usr/share/shorewall/Shorewall/Config.pm line 1273, + <$currentfile> line 14. + + Use of uninitialized value $list in split + at /usr/share/shorewall/Shorewall/Config.pm line 1275, + <$currentfile> line 14. + +2) On older distributions where 'shorewall show capabilities' + indicates 'Mangle FORWARD Chain: Not Available', entries in the ecn + file generated the following Perl Diagnostic: + + Use of uninitialized value in hash element + at /usr/share/shorewall/Shorewall/Chains.pm line 1119. + +3) Previously, if a provider interface was derived from an optional + wildcard entry in /etc/shorewall/providers, then the interface was + never considered to be usable. + + Example: + + /etc/shorewall/interfaces: + + #ZONE INTERFACE BROADCAST OPTIONS + net ppp+ - optionsl + + /etc/shorewall/providers: + + #PROVIDER NUMBER MARK INTERFACE ... + ISP1 1 1 ppp0 ... + +4.4.22.2 + +1) On older distributions where 'shorewall show capabilities' + indicates 'Connection Tracking Match: Not Available', Shorewall + 4.4.22 and 4.4.22.1 generated invalid iptables-restore input. + +2) Previously, the compiler always placed '#!/bin/sh' on the first + line of the generated script. It now uses the setting of + SHOREWALL_SHELL on that line rather than '/bin/sh'. Note that + SHOREWALL_SHELL defaults to '/bin/sh' so this change only affects + those who specify a different shell. + +4.4.22.1 + +1) Previously, if the name of a zone began with 'all', then entries + for that zone in /etc/shorewall/rules and /etc/shorewall6/rules + treated the name the same as 'all'. 
+ + This defect is present in Shorewall 4.4.13 through 4.4.22. + +2) Previously, when LOAD_HELPERS_ONLY=No, harmless iptables-restore + warnings as follows could be generated: + + ... + Running /usr/local/sbin/iptables-restore... + --set option deprecated, please use --match-set + --set option deprecated, please use --match-set + IPv4 Forwarding Enabled + ... + +3) Potential SELinux issues have been corrected. From Orion Poplawski. + +4.4.22 + +1) Under rare conditions, long port lists (>15 ports) could result in + the following failure when optimization level 4 was enabled. + + Use of uninitialized value in numeric gt (>) + at /usr/share/shorewall/Shorewall/Chains.pm line 1264. + + ERROR: Internal error in + Shorewall::Chains::decrement_reference_count at + /usr/share/shorewall/Shorewall/Chains.pm line 1264 + +2) All corrections included in Shorewall 4.4.21.1 (see below). + +---------------------------------------------------------------------------- + I I. K N O W N P R O B L E M S R E M A I N I N G +---------------------------------------------------------------------------- + +1) On systems running Upstart, shorewall-init cannot reliably secure + the firewall before interfaces are brought up. + +---------------------------------------------------------------------------- + I I I. N E W F E A T U R E S I N T H I S R E L E A S E +---------------------------------------------------------------------------- + +4.4.22.3 + +1) When 'shorewall update' or 'shorewall6 update' results in no change + to the .conf file, a message is issued, the .bak file is removed + and the command terminates without error. + +4.4.22 + +1) Three new parameterized standard actions are included in this release. + + Invalid - Packets in the INVALID connection tracking state + Broadcast - Broadcast and Multicast Packets + NotSyn - TCP packets that have the SYN flag set and all + other flags reset. + + The standard default Drop and Reject actions have been modified to + use these new actions. 
+ + Each accepts two parameters: + + a) Action to perform on matching packets. Must be ACCEPT, DROP or + REJECT. Default is DROP. + b) 'audit' flag. If 'audit', then the action will be audited. + + The new actions deprecate the following built-in actions: + + allowBcast - use Broadcast(ACCEPT) + allowInvalid - use Invalid(ACCEPT) + dropInvalid - use Invalid(DROP) + dropBroadcast - use Broadcast(DROP) + dropNotSyn - use NotSyn(DROP) + rejNotSyn - use NotSyn(REJECT) + +2) Up to this point, the Perl-based compiler has stored rules + internally in iptables/ip6tables command strings. This has + made the optimizing the ruleset difficult and has made the + optimizer the most defect-dense part of the code. + + This release marks to first step toward converting the compiler to + use an internal rule representation that is easier to optimize and + that is easy to convert to iptables/ip6tables commands effeciently. + + The parser still generates iptables/ip6table rules which are then + converted into the internal form. + +3) Optimize level 8 causes chains that are identical to another chain + to be deleted, and their references are replace by references to + the other chain. This can lead to confusion when looking at the + generated ruleset. For example, traffic going from the 'loc' zone + to the 'dmz' zone may now be passing through a chain named + 'wan2dmz'! + + To eliminate this confusion, the compiler now generates a + synthetic name for the combined chains, consisting of "~comb" + followed by an integer (e.g., "~comb1", "~comb2", etc.). + +---------------------------------------------------------------------------- + I V. R E L E A S E 4 . 4 H I G H L I G H T S +---------------------------------------------------------------------------- + +1) Support for Shorewall-shell has been discontinued. Shorewall-perl + has been combined with Shorewall-common to produce a single + Shorewall package. 
+ +2) Support for the "Hierarchical Fair Service Curve" (HFSC) queuing + discipline has been added. HFSC is superior to the "Hierarchical + Token Bucket" queuing discipline where realtime traffic such as + VOIP is being used. + + HTB remains the default queuing discipline. + +3) Support for the "flow" traffic classifier has been added. This + classifier can help prevent multi-connection applications such as + BitTorrent from using an unfair amount of bandwidth. + +4) The Shorewall documentation and man pages have been purged of + information about earlier Shorewall releases. The documentation + describes only the behavior of Shorewall 4.4 and later versions. + +5) The interfaces file OPTIONs have been extended to largely remove the + need for the hosts file. + +6) It is now possible to define PREROUTING and OUTPUT marking rules + that cause new connections to use the same provider as an existing + connection of the same kind. + +7) Dynamic Zone support is once again available for IPv4; ipset support is + required in your kernel and in iptables. + +8) A new AUTOMAKE option has been added to shorewall.conf and + shorewall6.conf. Setting this option will allow Shorewall to skip + the compilation phase during start/restart if no configuration + changes have occurred since the last start/restart. + +9) The LIMIT:BURST column in /etc/shorewall/policy + (/etc/shorewall6/policy) and the RATE LIMIT column in + /etc/shorewall/rules (/etc/shorewall6/rules) may now be used to + limit on a per source IP or per destination IP basis. + +10) Support for per-IP traffic shaping classes has been added. + +11) Support for netfilter's TRACE facility has been added. TRACE allows + you to trace selected packets through Netfilter, including marking + by tcrules. + +12) You may now preview the generated ruleset by using the '-r' option + to the 'check' command (e.g., "shorewall check -r"). + +13) A new simplified Traffic Shaping facility is now available. 
+ +14) Additional ruleset optimization options are available. + +15) TPROXY support has been added. + +16) Explicit support for Linux-vserver has been added. It is now + possible to define sub-zones of $FW. + +17) A 'Universal' sample configuration is now availale for a + 'plug-and-play' firewall. + +18) Support for the AUDIT iptables target has been added. + +19) Shorewall6 now supports ipsets. + +---------------------------------------------------------------------------- + V. M I G R A T I O N I S S U E S +---------------------------------------------------------------------------- +1) If you are currently using Shorewall-shell: + + a) In shorewall.conf, if you have specified + "SHOREWALL_COMPILER=shell" then you must either: + + - change that specification to "SHOREWALL_COMPILER=perl"; or + - change that specification to "SHOREWALL_COMPILER="; or + - delete the specification altogether. + + Failure to do so will result in the following warning: + + WARNING: SHOREWALL_COMPILER=shell ignored. Shorewall-shell + support has been removed in this release. + + b) Review the migration issues at + http://www.shorewall.net/LennyToSqueeze.html and make changes as + required. + + We strongly recommend that you migrate to Shorewall-perl on your + current Shorewall version before upgrading to Shorewall 4.4.0. That + way, you can have both Shorewall-shell and Shorewall-perl available + until you are certain that Shorewall-perl is working correctly for + you. + +2) The 'shorewall stop', 'shorewall clear', 'shorewall6 stop' and + 'shorewall6 clear' commands no longer read the 'routestopped' + file. The 'routestopped' file used is the one that was present at + the last 'start', 'restart' or 'restore' command. + + IMPORTANT: If you modify the routestopped file, you must refresh or + restart Shorewall before the changes to that file take effect. + +3) The old macro parameter syntax (e.g., SSH/ACCEPT) is now deprecated + in favor of the new syntax (e.g., SSH(ACCEPT)). 
The 4.4 documentation + uses the new syntax exclusively, although the old syntax + continues to be supported. + + The sample configurations also use the new syntax. + +4) Support for the SAME target in /etc/shorewall/masq and + /etc/shorewall/rules has been removed, following the removal of the + underlying support in the Linux kernel. + +5) Supplying an interface name in the SOURCE column of + /etc/shorewall/masq is now deprecated. Entering the name of an + interface there will result in a compile-time warning: + + WARNING: Using an interface as the masq SOURCE requires the + interface to be up and configured when Shorewall + starts/restarts + + To avoid this warning, replace interface names by the corresponding + network(s) in CIDR format (e.g., 192.168.144.0/24). + +6) Previously, Shorewall has treated traffic shaping class IDs as + decimal numbers (or pairs of decimal numbers). That worked fine + until IPMARK was implemented. IPMARK requires Shorewall to generate + class Ids in numeric sequence. In 4.3.9, that didn't work correctly + because Shorewall was generating the sequence "..8,9,10,11..." when + the correct sequence was "...8,9,a,b,...". Shorewall now treats + class IDs as hex, as do 'tc' and 'iptables'. + + This should only be an issue if you have more than 9 interfaces + defined in /etc/shorewall/tcdevices and if you use class IDs in + /etc/shorewall/tcrules or /etc/shorewall/tcfilters. You will need + to renumber the class IDs for devices 10 and greater. + +7) Support for the 'norfc1918' interface and host option has been + removed. If 'norfc1918' is specified for an entry in either the + interfaces or the hosts file, a warning is issued and the option is + ignored. Simply remove the option to avoid the warning. + + Similarly, if RFC1918_STRICT=Yes or a non-empty RFC1918_LOG_LEVEL + is given in shorewall.conf, a warning will be issued and the option + will be ignored. 
+ + You may simply delete the RFC1918-related options from your + shorewall.conf file if you are seeing warnings regarding them. + + Users who currently use 'norfc1918' are encouraged to consider + using NULL_ROUTE_RFC1918=Yes instead. + +8) The install.sh scripts in the Shorewall and Shorewall6 packages no + longer create a backup copy of the existing configuration. If you + want your configuration backed up prior to upgrading, you will + need to do that yourself. + + As part of this change, the fallback.sh scripts are no longer + released. + +9) In earlier releases, if an ipsec zone was defined as a sub-zone of + an ipv4 or ipv6 zone using the special <child>:<parent>,... syntax, + CONTINUE policies for the sub-zone did not work as + expected. Traffic that was not matched by a sub-zone rule was not + compared against the parent zone(s) rules. + + In 4.4.0, such traffic IS compared against the parent zone rules. + +10) The name 'any' is now reserved and may not be used as a zone name. + +11) Perl module initialization has changed in Shorewall + 4.4.1. Previously, each Shorewall Perl package would initialize its + global variables for IPv4 in an INIT block. Then, if the + compilation turned out to be for IPv6, + Shorewall::Compiler::compiler() would reinitialize them for IPv6. + + Beginning in Shorewall 4.4.1, the modules do not initialize + themselves in an INIT block. So if you use Shorewall modules + outside of the Shorewall compilation environment, then you must + explicitly call the module's 'initialize' function after the module + has been loaded. + +12) Checking for zone membership has been tighened up. Previously, + a zone could contain <interface>:0.0.0.0/0 along with other hosts; + now, if the zone has <interface>:0.0.0.0/0 (even with exclusions), + then it may have no additional members in /etc/shorewall/hosts. + +13) ADD_IP_ALIASES=No is now the setting in the released shorewall.conf + and in all of the samples. 
This will not affect you during upgrade + unless you choose to replace your current shorewall.conf with the + one from the release (not recommended). + +14) The names of interface configuration variables in generated scripts + have been changed to insure uniqueness. These names now begin with + SW_. + + This change will only affect you if your extension scripts are + using one or more of these variables. + + Old Variable Name New Variable Name + ----------------------------------------------------- + iface_ADDRESS SW_iface_ADDRESS + iface_BCASTS SW_iface_BCASTS + iface_ACASTS SW_iface_ACASTS + iface_GATEWAY SW_iface_GATEWAY + iface_ADDRESSES SW_iface_ADDRESSES + iface_NETWORKS SW_iface_NETWORKS + iface_MAC SW_iface_MAC + + provider_IS_USABLE SW_provider_IS_USABLE + + where 'iface' is a capitalized interface name (e.g., ETH0) and + 'provider' is the capitalized name of a provider. + +15) Support for the OPTIONS column in /etc/shorewall/blacklist + (/etc/shorewall6/blacklist) has been removed. Blacklisting by + destination IP address will be included in a later Shorewall + release. + +16) If your /etc/shorewall/params (or /etc/shorewall6/params) file + sends output to Standard Output, you need to be aware that the + output will be redirected to Standard Error beginning with + Shorewall 4.4.16. + +17) Beginning with Shorewall 4.4.17, the EXPORTPARAMS option is + deprecated. With EXPORTPARAMS=No, the variables set by + /etc/shorewall/params (/etc/shorewall6/params) at compile time are + now available in the compiled firewall script. + +---------------------------------------------------------------------------- +V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S + I N P R I O R R E L E A S E S +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 4 . 
2 1 +---------------------------------------------------------------------------- + +4.4.21.1 + +1) A harmless Perl runtime "uninitialized variable" diagnostic has + been eliminated from the compiler. The diagnostic was issued while + displaying the capabilities. + +2) As the result of a typo, an orphan filter chain named FORWAR could + be created under rare circumstances. This chain was deleted by + OPTIMIZE level 4. + +3) The SNAT options --persistent and --randomize now work properly + (/etc/shorewall/masq). + +4) The LOGMARK log level was previously generated invalid iptables + input making it unusable. That has been corrected. + + The syntax for LOGMARK is now: + + LOGMARK(<priority>) + + where <priority> is a syslog priority (1-7 or debug, info, notice, + etc.). + + Example rule: + + #ACTION SOURCE DEST PROTO DEST + # PORT(S) + LOG:LOGMARK(info) lan dmz udp 1234 + +4.4.21 + +1) All problems corrections included in Shorewall 4.4.20.1 - 4.4.20.3 + (see below). + +2) The following error message + + FOREWARD_CLEAR_MARK=Yes requires MARK Target in your kernel + and iptables + + has been corrected to read + + FORWARD_CLEAR_MARK=Yes requires MARK Target in your kernel + and iptables + +3) The TPROXY target in the tcrules file could previously cause a + failure during iptables restore like this: + + Running /usr/sbin/iptables-restore... + Bad argument `3128' + Error occurred at line: 110 + Try `iptables-restore -h' or 'iptables-restore --help' for more + information. + + ERROR: iptables-restore Failed. Input is in + /var/lib/shorewall/.iptables-restore-input + +4) The 'balance' and 'fallback' options in /etc/shorewall/providers + have always been mutually exclusive but the compiler previously + didn't enforce that restriction. Now it does. + +1) AUTOMAKE=Yes now causes all directories on the CONFIG_PATH to be + searched for files newer than the script that last + started/restarted the firewall. Previously, only /etc/shorewall + (/etc/shorewall6) was searched. 
+ +2) FORMAT-2 actions may now specify default parameter values using the + DEFAULTS directive. + + DEFAULTS <def1>,<def2>,... + + Where <def1> is the default value for the first parameter, <def2> + is the default value for the second parameter and so on. To specify + an empty default, use '-'. + + The DEFAULTS directive also determines the maximum number of + parameters that an action may have. If more parameters are passed + than have default values, an error message is issued. + +3) Parameterized macros may now specify a default parameter value + using the DEFAULT directive. + + DEFAULT <default> + + Example macro.Foo -- by default, accepts connections on ficticous + tcp port 'foo'. + + DEFAULT ACCEPT + PARAM - - tcp foo + +4) The standard Drop and Reject actions are now parameterized. Each + has 5 parameters: + + 1) Pass 'audit' if you want all ACCEPTs, DROPs and REJECTs audited. + Pass '-' otherwise. + + 2) The action to be applied to Auth requests: + + FIRST PARAMETER DEFAULT + + - REJECT + audit A_REJECT + + 3) The action to be applied to SMB traffic. The default depends on + the action and its first parameter: + + ACTION FIRST PARAMETER DEFAULT + + Reject - REJECT + Drop - DROP + Reject audit A_REJECT + Drop audit A_DROP + + 4) The action to be applied to accepted ICMP packets. + + FIRST PARAMETER DEFAULT + + - ACCEPT + audit A_ACCEPT + + 5) The action to be applied to UPnP (udp port 1900) and late DNS + replies (udp source port 53) + + FIRST PARAMETER DEFAULT + + - DROP + audit A_DROP + + The parameters can be passed in the POLICY column of the policy + file. + + Examples: + + SOURCE DEST POLICY + net all DROP:Drop(audit):audit #Same as + #DROP:A_DROP:audit + + SOURCE DEST POLICY + net all DROP:Drop(-,DROP) #DROP rather than REJECT Auth + + The parameters can also be specified in shorewall.conf: + + Example: + + DROP_DEFAULT=Drop(-,DROP) + +5) An 'update' command has been added to /sbin/shorewall and + /sbin/shorewall6. 
The command updates the shorewall.conf + (shorewall6.conf) file then validates the configuration. The + updated file will set any options not specified in the old file + with their default values, and will move any deprecated options + with non-default values to a 'deprecated options' section at the + end of the file. Each such deprecated option will generate a + warning message. + + Your original shorewall.conf (shorewall6.conf) file will be saved as + shorewall.conf.bak (shorewall6.conf.bak). + + The 'update' command accepts the same options as the 'check' + command plus a '-a' option that causes the updated file to be + annotated with manpage documentation. + +6) Shorewall6 now supports ipsets. + + Unlike iptables, which has separate configurations for IPv4 and + IPv6, ipset has a single configuration that handles both. This + means the SAVE_IPSETS=Yes in shorewall.conf or shorewall6.conf + won't work correctly. To work around this issue, Shorewall-init is + now capable restoring ipset contents during 'start' and saving them + during 'stop'. + + To direct Shorewall-init to save/restore ipset contents, set the + SAVE_IPSETS option in /etc/sysconfig/shorewall-init + (/etc/default/shorewall-init on Debian and derivatives). The value + of the option is a file name where the contents of the ipsets will + be saved to and restored from. Shorewall-init will create any + parent directories during the first 'save' operation. + + If you configure Shorewall-init to save/restore ipsets, be sure to + set SAVE_IPSETS=No in shorewall.conf and shorewall6.conf. + + As part of this change, Shorewall and Shorewall6 will only restore + saved ipsets if SAVE_IPSETS=Yes in shorewall.conf + (shorewall6.conf). + +7) Shorewall6 now supports dynamic zones: + + 1) The nets=dynamic option is allowed in /etc/shorewall6/interfaces + 2) The HOSTS column of /etc/shorewall6/hosts may now contain + <interface>:dynamic. + 3) /sbin/shorewall6 now supports the 'add' and 'delete' commands. 
+ +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 4 . 2 0 +---------------------------------------------------------------------------- + 4.4.20.3 1) Deprecated options have been removed from the .conf files. @@ -88,6 +670,10 @@ 4.4.20 +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 4 . 2 1 +---------------------------------------------------------------------------- + 1) Previously, when a device number was explicitly specified in /etc/shorewall/tcdevices, all unused numbers less than the one specified were unavailable for allocation to following entries that @@ -117,14 +703,7 @@ are also included in this release. ---------------------------------------------------------------------------- - I I. K N O W N P R O B L E M S R E M A I N I N G ----------------------------------------------------------------------------- - -1) On systems running Upstart, shorewall-init cannot reliably secure - the firewall before interfaces are brought up. - ----------------------------------------------------------------------------- - I I I. N E W F E A T U R E S I N T H I S R E L E A S E + N E W F E A T U R E S I N 4 . 4 . 2 0 ---------------------------------------------------------------------------- 1) The implementation of the environmental variables LIBEXEC and @@ -242,7 +821,7 @@ and modify them to only audit the packets that you care about. 6) Up to this release, the behaviors of 'start -f' and 'restart -f' - has been inconsistent. The 'start -f' command compares the + have been inconsistent. The 'start -f' command compares the modification times of /etc/shorewall[6] with /var/lib/shorewall[6]/restore while 'restart -f' compares with /var/lib/shorewall[6]/firewall. 
@@ -332,239 +911,9 @@ loc br1 - sfilter=2001:470:b:227::40/124 ---------------------------------------------------------------------------- - I V. R E L E A S E 4 . 4 H I G H L I G H T S ----------------------------------------------------------------------------- - -1) Support for Shorewall-shell has been discontinued. Shorewall-perl - has been combined with Shorewall-common to produce a single - Shorewall package. - -2) Support for the "Hierarchical Fair Service Curve" (HFSC) queuing - discipline has been added. HFSC is superior to the "Hierarchical - Token Bucket" queuing discipline where realtime traffic such as - VOIP is being used. - - HTB remains the default queuing discipline. - -3) Support for the "flow" traffic classifier has been added. This - classifier can help prevent multi-connection applications such as - BitTorrent from using an unfair amount of bandwidth. - -4) The Shorewall documentation and man pages have been purged of - information about earlier Shorewall releases. The documentation - describes only the behavior of Shorewall 4.4 and later versions. - -5) The interfaces file OPTIONs have been extended to largely remove the - need for the hosts file. - -6) It is now possible to define PREROUTING and OUTPUT marking rules - that cause new connections to use the same provider as an existing - connection of the same kind. - -7) Dynamic Zone support is once again available for IPv4; ipset support is - required in your kernel and in iptables. - -8) A new AUTOMAKE option has been added to shorewall.conf and - shorewall6.conf. Setting this option will allow Shorewall to skip - the compilation phase during start/restart if no configuration - changes have occurred since the last start/restart. - -9) The LIMIT:BURST column in /etc/shorewall/policy - (/etc/shorewall6/policy) and the RATE LIMIT column in - /etc/shorewall/rules (/etc/shorewall6/rules) may now be used to - limit on a per source IP or per destination IP basis. 
- -10) Support for per-IP traffic shaping classes has been added. - -11) Support for netfilter's TRACE facility has been added. TRACE allows - you to trace selected packets through Netfilter, including marking - by tcrules. - -12) You may now preview the generated ruleset by using the '-r' option - to the 'check' command (e.g., "shorewall check -r"). - -13) A new simplified Traffic Shaping facility is now available. - -14) Additional ruleset optimization options are available. - -15) TPROXY support has been added. - -16) Explicit support for Linux-vserver has been added. It is now - possible to define sub-zones of $FW. - -17) A 'Universal' sample configuration is now availale for a - 'plug-and-play' firewall. - -18) Support for the AUDIT iptables target has been added. - ----------------------------------------------------------------------------- - V. M I G R A T I O N I S S U E S ----------------------------------------------------------------------------- -1) If you are currently using Shorewall-shell: - - a) In shorewall.conf, if you have specified - "SHOREWALL_COMPILER=shell" then you must either: - - - change that specification to "SHOREWALL_COMPILER=perl"; or - - change that specification to "SHOREWALL_COMPILER="; or - - delete the specification altogether. - - Failure to do so will result in the following warning: - - WARNING: SHOREWALL_COMPILER=shell ignored. Shorewall-shell - support has been removed in this release. - - b) Review the migration issues at - http://www.shorewall.net/LennyToSqueeze.html and make changes as - required. - - We strongly recommend that you migrate to Shorewall-perl on your - current Shorewall version before upgrading to Shorewall 4.4.0. That - way, you can have both Shorewall-shell and Shorewall-perl available - until you are certain that Shorewall-perl is working correctly for - you. - -2) The 'shorewall stop', 'shorewall clear', 'shorewall6 stop' and - 'shorewall6 clear' commands no longer read the 'routestopped' - file. 
The 'routestopped' file used is the one that was present at - the last 'start', 'restart' or 'restore' command. - - IMPORTANT: If you modify the routestopped file, you must refresh or - restart Shorewall before the changes to that file take effect. - -3) The old macro parameter syntax (e.g., SSH/ACCEPT) is now deprecated - in favor of the new syntax (e.g., SSH(ACCEPT)). The 4.4 documentation - uses the new syntax exclusively, although the old syntax - continues to be supported. - - The sample configurations also use the new syntax. - -4) Support for the SAME target in /etc/shorewall/masq and - /etc/shorewall/rules has been removed, following the removal of the - underlying support in the Linux kernel. - -5) Supplying an interface name in the SOURCE column of - /etc/shorewall/masq is now deprecated. Entering the name of an - interface there will result in a compile-time warning: - - WARNING: Using an interface as the masq SOURCE requires the - interface to be up and configured when Shorewall - starts/restarts - - To avoid this warning, replace interface names by the corresponding - network(s) in CIDR format (e.g., 192.168.144.0/24). - -6) Previously, Shorewall has treated traffic shaping class IDs as - decimal numbers (or pairs of decimal numbers). That worked fine - until IPMARK was implemented. IPMARK requires Shorewall to generate - class Ids in numeric sequence. In 4.3.9, that didn't work correctly - because Shorewall was generating the sequence "..8,9,10,11..." when - the correct sequence was "...8,9,a,b,...". Shorewall now treats - class IDs as hex, as do 'tc' and 'iptables'. - - This should only be an issue if you have more than 9 interfaces - defined in /etc/shorewall/tcdevices and if you use class IDs in - /etc/shorewall/tcrules or /etc/shorewall/tcfilters. You will need - to renumber the class IDs for devices 10 and greater. - -7) Support for the 'norfc1918' interface and host option has been - removed. 
If 'norfc1918' is specified for an entry in either the - interfaces or the hosts file, a warning is issued and the option is - ignored. Simply remove the option to avoid the warning. - - Similarly, if RFC1918_STRICT=Yes or a non-empty RFC1918_LOG_LEVEL - is given in shorewall.conf, a warning will be issued and the option - will be ignored. - - You may simply delete the RFC1918-related options from your - shorewall.conf file if you are seeing warnings regarding them. - - Users who currently use 'norfc1918' are encouraged to consider - using NULL_ROUTE_RFC1918=Yes instead. - -8) The install.sh scripts in the Shorewall and Shorewall6 packages no - longer create a backup copy of the existing configuration. If you - want your configuration backed up prior to upgrading, you will - need to do that yourself. - - As part of this change, the fallback.sh scripts are no longer - released. - -9) In earlier releases, if an ipsec zone was defined as a sub-zone of - an ipv4 or ipv6 zone using the special <child>:<parent>,... syntax, - CONTINUE policies for the sub-zone did not work as - expected. Traffic that was not matched by a sub-zone rule was not - compared against the parent zone(s) rules. - - In 4.4.0, such traffic IS compared against the parent zone rules. - -10) The name 'any' is now reserved and may not be used as a zone name. - -11) Perl module initialization has changed in Shorewall - 4.4.1. Previously, each Shorewall Perl package would initialize its - global variables for IPv4 in an INIT block. Then, if the - compilation turned out to be for IPv6, - Shorewall::Compiler::compiler() would reinitialize them for IPv6. - - Beginning in Shorewall 4.4.1, the modules do not initialize - themselves in an INIT block. So if you use Shorewall modules - outside of the Shorewall compilation environment, then you must - explicitly call the module's 'initialize' function after the module - has been loaded. - -12) Checking for zone membership has been tighened up. 
Previously, - a zone could contain <interface>:0.0.0.0/0 along with other hosts; - now, if the zone has <interface>:0.0.0.0/0 (even with exclusions), - then it may have no additional members in /etc/shorewall/hosts. - -13) ADD_IP_ALIASES=No is now the setting in the released shorewall.conf - and in all of the samples. This will not affect you during upgrade - unless you choose to replace your current shorewall.conf with the - one from the release (not recommended). - -14) The names of interface configuration variables in generated scripts - have been changed to insure uniqueness. These names now begin with - SW_. - - This change will only affect you if your extension scripts are - using one or more of these variables. - - Old Variable Name New Variable Name - ----------------------------------------------------- - iface_ADDRESS SW_iface_ADDRESS - iface_BCASTS SW_iface_BCASTS - iface_ACASTS SW_iface_ACASTS - iface_GATEWAY SW_iface_GATEWAY - iface_ADDRESSES SW_iface_ADDRESSES - iface_NETWORKS SW_iface_NETWORKS - iface_MAC SW_iface_MAC - - provider_IS_USABLE SW_provider_IS_USABLE - - where 'iface' is a capitalized interface name (e.g., ETH0) and - 'provider' is the capitalized name of a provider. - -15) Support for the OPTIONS column in /etc/shorewall/blacklist - (/etc/shorewall6/blacklist) has been removed. Blacklisting by - destination IP address will be included in a later Shorewall - release. - -16) If your /etc/shorewall/params (or /etc/shorewall6/params) file - sends output to Standard Output, you need to be aware that the - output will be redirected to Standard Error beginning with - Shorewall 4.4.16. - -17) Beginning with Shorewall 4.4.17, the EXPORTPARAMS option is - deprecated. With EXPORTPARAMS=No, the variables set by - /etc/shorewall/params (/etc/shorewall6/params) at compile time are - now available in the compiled firewall script. - ----------------------------------------------------------------------------- -V I. 
P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S - I N P R I O R R E L E A S E S ----------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 9 ---------------------------------------------------------------------------- + 4.4.19.4 1) Previously, the compiler would allow a degenerate entry (only the @@ -3573,7 +3922,7 @@ 8) The generated script now uses iptables[6]-restore to instantiate the Netfilter ruleset during processing of the 'stop' command. As a - consequence, the 'critical' option in /etc/shorewall/route_stopped + consequence, the 'critical' option in /etc/shorewall/routestopped is no longer needed and will result in a warning. 9) A new AUTOMAKE option has been added to shorewall.conf and diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.20.3/shorewall-lite.spec new/shorewall-lite-4.4.22.3/shorewall-lite.spec --- old/shorewall-lite-4.4.20.3/shorewall-lite.spec 2011-06-14 16:40:07.000000000 +0200 +++ new/shorewall-lite-4.4.22.3/shorewall-lite.spec 2011-08-20 16:23:35.000000000 +0200 @@ -1,5 +1,5 @@ %define name shorewall-lite -%define version 4.4.20 +%define version 4.4.22 %define release 3 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. 
@@ -103,10 +103,34 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Sun Jun 12 2011 Tom Eastep tom@shorewall.net -- Updated to 4.4.20-3 +* Wed Aug 10 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.22-3 +* Wed Aug 03 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.22-2 +* Tue Aug 02 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.22-1 +* Sat Jul 30 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.22-0base +* Sat Jul 30 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.22-0RC2 +* Fri Jul 22 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.22-0RC1 +* Thu Jul 21 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.22-0Beta3 +* Mon Jul 18 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.22-0Beta2 +* Mon Jul 04 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.22-0Beta1 +* Wed Jun 29 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.21-0base +* Thu Jun 23 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.21-0RC1 +* Sun Jun 19 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.21-0Beta3 +* Sat Jun 18 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.21-0Beta2 * Tue Jun 07 2011 Tom Eastep tom@shorewall.net -- Updated to 4.4.20-2 +- Updated to 4.4.21-0Beta1 * Mon Jun 06 2011 Tom Eastep tom@shorewall.net - Updated to 4.4.20-1 * Tue May 31 2011 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.20.3/uninstall.sh new/shorewall-lite-4.4.22.3/uninstall.sh --- old/shorewall-lite-4.4.20.3/uninstall.sh 2011-06-14 16:40:07.000000000 +0200 +++ new/shorewall-lite-4.4.22.3/uninstall.sh 2011-08-20 16:23:35.000000000 +0200 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.20.3 +VERSION=4.4.22.3 usage() # $1 = exit status { ++++++ shorewall-4.4.20.3.tar.bz2 -> shorewall6-4.4.22.3.tar.bz2 ++++++ ++++ 99418 lines of diff (skipped) ++++++ shorewall-lite-4.4.20.3.tar.bz2 -> shorewall6-lite-4.4.22.3.tar.bz2 ++++++ ++++ 10083 lines of diff (skipped) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
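Review bot: The releasenotes.txt hunk that starts at "-10) Support for per-IP traffic shaping classes" removes the remainder of the "New Features" list (items 10-18) and the entire "V. MIGRATION ISSUES" section (items 1-17) with no replacement text visible in the hunk, only the added "4.4.19.4" subsection under "PROBLEMS CORRECTED IN 4.4.19". Before accepting, confirm that the new release notes still carry the migration items that bite existing installs on upgrade: item 1 (SHOREWALL_COMPILER=shell is now ignored with a WARNING), item 2 (stop/clear no longer read the routestopped file, so a modified routestopped only takes effect after refresh or restart), item 7 (norfc1918 is ignored with a warning) and item 14 (the SW_ prefix on interface variables breaks extension scripts that use the old names). If upstream moved them to another file, the package's %doc list should ship that file too.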
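Review bot: In the shorewall-lite.spec hunk at "@@ -1,5 +1,5 @@", the unchanged Summary context line ends with a period ("... firewall for Linux systems."), which rpmlint reports as summary-ended-with-dot; since the spec is being edited for the version bump anyway, drop the trailing period. The version bump itself is consistent: "%define version 4.4.22" with "%define release 3" maps upstream 4.4.22.3 onto 4.4.22-3, matching the new changelog entry "Updated to 4.4.22-3" and VERSION=4.4.22.3 in uninstall.sh.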
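Review bot: In the %changelog hunk at "@@ -103,10 +103,34 @@", the existing "Tue Jun 07 2011" entry is rewritten in place from "- Updated to 4.4.20-2" to "- Updated to 4.4.21-0Beta1", and the "Sun Jun 12 2011 ... Updated to 4.4.20-3" entry is deleted, so the spec changelog no longer records the 4.4.20-2 and 4.4.20-3 releases that this package previously shipped (the old spec was version 4.4.20, release 3). Changelog entries for already-released versions should stay in place and the new 4.4.21/4.4.22 entries be added above them; otherwise anyone auditing what was installed from this package loses the record of those builds. Since this is upstream's changelog as shipped in the tarball, the fix belongs upstream; the openSUSE shorewall.changes file remains the authoritative record on our side.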
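Review bot: The tarball summary region lists "shorewall-4.4.20.3.tar.bz2 -> shorewall6-4.4.22.3.tar.bz2" (99418 lines skipped) and "shorewall-lite-4.4.20.3.tar.bz2 -> shorewall6-lite-4.4.22.3.tar.bz2" (10083 lines skipped). The old name on each line is the IPv4 tarball and the new name is the shorewall6 tarball, so these skipped diffs compare two different packages' sources rather than old versus new of the same package; the line counts say nothing about the size of the 4.4.20.3 to 4.4.22.3 change. When reviewing, diff shorewall-4.4.20.3 against shorewall-4.4.22.3 and shorewall6 against shorewall6 separately.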
participants (1): root@hilbert.suse.de