commit shorewall for openSUSE:Factory
Hello community, here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2012-07-12 10:52:46 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shorewall (Old) and /work/SRC/openSUSE:Factory/.shorewall.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "shorewall", Maintainer is "" Changes: -------- --- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2012-07-02 11:13:56.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes 2012-07-12 10:52:49.000000000 +0200 @@ -1,0 +2,13 @@ +Tue Jul 10 08:02:07 UTC 2012 - toganm@opensuse.org + +- Update to 4.5.6 For more details see changelog.txt and + releasenotes.txt + * This release includes the defect repairs from Shorewall 4.5.5.1 + through 4.5.5.4. + * Previously, the tcrules file was not processed when + TC_ENABLED=No. That meant that to use features like TPROXY, it + was necessary to set TC_ENABLED=Yes and create a dummy + /etc/shorewall/tcstart file. Now, only MANGLE_ENABLED=Yes is + required. + +------------------------------------------------------------------- Old: ---- shorewall-4.5.5.3.tar.bz2 shorewall-core-4.5.5.3.tar.bz2 shorewall-docs-html-4.5.5.3.tar.bz2 shorewall-init-4.5.5.3.tar.bz2 shorewall-lite-4.5.5.3.tar.bz2 shorewall6-4.5.5.3.tar.bz2 shorewall6-lite-4.5.5.3.tar.bz2 New: ---- shorewall-4.5.6.tar.bz2 shorewall-core-4.5.6.tar.bz2 shorewall-docs-html-4.5.6.tar.bz2 shorewall-init-4.5.6.tar.bz2 shorewall-lite-4.5.6.tar.bz2 shorewall6-4.5.6.tar.bz2 shorewall6-lite-4.5.6.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.2pzU4L/_old 2012-07-12 10:52:51.000000000 +0200 +++ /var/tmp/diff_new_pack.2pzU4L/_new 2012-07-12 10:52:51.000000000 +0200 
@@ -17,19 +17,19 @@ Name: shorewall -Version: 4.5.5.3 +Version: 4.5.6 Release: 0 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems License: GPL-2.0 Group: Productivity/Networking/Security Url: http://www.shorewall.net/ -Source0: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.5/%name-%version.ta... -Source1: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.5/%name-core-%versi... -Source2: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.5/%name-lite-%versi... -Source3: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.5/%name-init-%versi... -Source4: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.5/%{name}6-lite-%version.tar.bz2 -Source5: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.5/%{name}6-%version.tar.bz2 -Source6: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.5/%name-docs-html-%... +Source0: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.6/%name-%version.ta... +Source1: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.6/%name-core-%versi... +Source2: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.6/%name-lite-%versi... +Source3: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.6/%name-init-%versi... +Source4: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.6/%{name}6-lite-%version.tar.bz2 +Source5: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.6/%{name}6-%version.tar.bz2 +Source6: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.6/%name-docs-html-%... 
Source7: %name-4.4.22.rpmlintrc Source8: README.openSUSE # PATCH-FIX-UPSTREAM init-4.4.14 toganm@opensuse.org -- Required-Stop and Short descriprtion ++++++ shorewall-4.5.5.3.tar.bz2 -> shorewall-4.5.6.tar.bz2 ++++++ ++++ 4375 lines of diff (skipped) ++++++ shorewall-core-4.5.5.3.tar.bz2 -> shorewall-core-4.5.6.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.5.3/changelog.txt new/shorewall-core-4.5.6/changelog.txt --- old/shorewall-core-4.5.5.3/changelog.txt 2012-06-28 17:00:50.000000000 +0200 +++ new/shorewall-core-4.5.6/changelog.txt 2012-07-07 20:07:11.000000000 +0200 
@@ -1,24 +1,64 @@ -Changes in 4.5.5.3 +Changes in 4.5.6 Final -1) Correct a Perl trap caused by using logical names with 'classify'. +1) Update release documents. -2) Ensure that exclusion chains always have the 'DONT_MOVE' flag set. +2) Simplify handling of __IPVn in conditional directives -Changes in 4.5.5.2 +3) Avoid a call to eval() for simple expressions -1) Allow UID/GID ranges in the USER/GROUP column (undocumented) +4) Apply patch from Daniel Meißner correcting STARTUP_ENABLED=No message -2) Don't use '--ctmark' when saving marks. +5) Correct typo in ISO 3660 doc. -3) Display PROXY_MARK in 'show marks'. +6) Add FAQ 99 (empty ruleset after boot) -4) Another fix for nested ?IFs +7) When TC_ENABLED=No, require providers to process tcrules. -Changes in 4.5.5.1 +Changes in 4.5.6 RC 1 -1) Fix handling of multiple fallback providers. +1) Update release documents. -2) Allow logical device names in the REDIRECTED column. +2) Add $VERSION as a defined variable. + +3) Add missing 'sleep 1' when waiting for wildcard interfaces. + +4) Only require MANGLE_ENABLED for tcrules processing. + +Changes in 4.5.6 Beta 4 + +1) Support ?ELSIF + +2) Allow generalized expressions in ?IF and ?ELSIF + +3) Correct a logical name bug in tc + +4) Add ORIGINAL DEST column to the masq file. + +Changes in 4.5.6 Beta 3 + +1) Rewrote RED option handling. + +2) Rewrote USER/GROUP column handling. + +3) Allow UID/GID ranges in USR/GROUP. + +4) Display PROXY_MARK in 'show marks'. + +Changes in 4.5.6 Beta 2 + +1) May logical->physical name when using an IFB. + +2) Allow fractional delays in TC. + +3) Allow Linksharing rate to be specified in HFSC. + +4) Add RED support. + +Changes in 4.5.6 Beta 1 + +1) Fix multiple unweighted 'fallback' providers. + +2) Add stab TC support. Changes in 4.5.5 Final 
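Review bot: in the "Changes in 4.5.6 Final" list, item 7 ("When TC_ENABLED=No, require providers to process tcrules") contradicts RC 1 item 4 ("Only require MANGLE_ENABLED for tcrules processing") and the release notes further down in this diff, which say that only MANGLE_ENABLED=Yes is now needed for tcrules to be processed. Please state the actual condition once; an administrator who relies on TPROXY rules in tcrules needs to know whether a providers file is also required before the rules take effect. Two typos in the same hunk: Beta 2 item 1 should read "Map logical->physical name when using an IFB", and Beta 3 item 3 "USR/GROUP" should be "USER/GROUP". The identical text appears again in the shorewall-init copy of changelog.txt later in this diff and needs the same fixes.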
@@ -38,10 +78,6 @@ 4) Fix iprange match on RHEL5 -5) Fix installer's handling of SYSCONFDIR - -6) Add DIGEST support. - Changes in 4.5.5 Beta 2 1) Merged bug fixes from 4.5.4. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.5.3/configure new/shorewall-core-4.5.6/configure --- old/shorewall-core-4.5.5.3/configure 2012-06-28 17:00:50.000000000 +0200 +++ new/shorewall-core-4.5.6/configure 2012-07-07 20:07:09.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.5.5.3 +VERSION=4.5.6 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.5.3/configure.pl new/shorewall-core-4.5.6/configure.pl --- old/shorewall-core-4.5.5.3/configure.pl 2012-06-28 17:00:50.000000000 +0200 +++ new/shorewall-core-4.5.6/configure.pl 2012-07-07 20:07:09.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.5.5.3' + VERSION => '4.5.6' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.5.3/install.sh new/shorewall-core-4.5.6/install.sh --- old/shorewall-core-4.5.5.3/install.sh 2012-06-28 17:00:50.000000000 +0200 +++ new/shorewall-core-4.5.6/install.sh 2012-07-07 20:07:09.000000000 +0200 @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.5.5.3 +VERSION=4.5.6 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.5.3/known_problems.txt new/shorewall-core-4.5.6/known_problems.txt --- old/shorewall-core-4.5.5.3/known_problems.txt 2012-06-28 17:00:50.000000000 +0200 +++ new/shorewall-core-4.5.6/known_problems.txt 2012-07-07 20:07:11.000000000 +0200 
@@ -1,68 +1,2 @@ 1) On systems running Upstart, shorewall-init cannot reliably secure the firewall before interfaces are brought up. - -2) The change in Shorewall 4.5.4 that cleared the 'default' table if - there were no 'fallback' providers broke multiple 'fallback' - providers that didn't supply a weight. The symptoms are that there - are host routes to the default gateways in the 'default' routing - table but no default routes through them. - - Corrected in Shorewall 4.5.5.1. - -3) When a logical device name is specified in the REDIRECTED - INTERFACES column of /etc/shorewall/tcdevices, that name is used - in the generated script rather than the devices's physical - name. Unless the two are the same, this causes start/restart - failure. - - Corrected in Shorewall 4.5.5.1. - -4) When ipp2p is used in the /etc/shorewall/tcpri file, the generated - code for saving the packet mark is clearing the connection marks - fields not having to do with traffic shaping. - - Corrected in Shorewall 4.5.5.2. - -5) Shorewall 4.4.11 allows UID and GID ranges to be specified in the - USER:GROUP column of the rules file. That undocumented feature - is not present in Shorewall 4.5. - - Corrected in Shorewall 4.5.5.2. - -6) The special TPROXY mark value is not shown in the output of - 'shorewall show marks'. - - Corrected in Shorewall 4.5.5.2. - -7) Assuming that A = 0 and B = 1, the following conditionals produce - incorrect results: - - ?IF $A - ?IF $B - <text> - ?ENDIF - ?ENDIF - - The <text> is included when it should be omitted. - - Corrected in Shorewall 4.5.5.2. - -8) When logical interface names are used, an entry in tcrules that - includes a classid can result in the compiler failing with this - Perl diagnostic: - - Can't use an undefined value as an ARRAY reference at - /usr/share/shorewall/Shorewall/Tc.pm line nnn, <$currentfile> - line 20. - - Workarounds: - - a: Use only physical names for interfaces appearing in the - tcrules file when classids are needed. 
- - b: Follow classids in the rules file with ':T' (e.g., 1:4:T). - - Corrected in Shorewall 4.5.5.3. - - - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.5.3/releasenotes.txt new/shorewall-core-4.5.6/releasenotes.txt --- old/shorewall-core-4.5.5.3/releasenotes.txt 2012-06-28 17:00:50.000000000 +0200 +++ new/shorewall-core-4.5.6/releasenotes.txt 2012-07-07 20:07:11.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 5 . 5 . 3 + S H O R E W A L L 4 . 5 . 6 ------------------------------------ - J u n e 2 8 , 2 0 1 2 + J u l y 1 0 , 2 0 1 2 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -15,6 +15,246 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- +1) This release includes the defect repairs from Shorewall 4.5.5.1 through + 4.5.5.4. + +2) Previously, the tcrules file was not processed when + TC_ENABLED=No. That meant that to use features like TPROXY, it was + necessary to set TC_ENABLED=Yes and create a dummy + /etc/shorewall/tcstart file. Now, only MANGLE_ENABLED=Yes is + required. + +---------------------------------------------------------------------------- + I I. K N O W N P R O B L E M S R E M A I N I N G +---------------------------------------------------------------------------- + +1) On systems running Upstart, shorewall-init cannot reliably secure + the firewall before interfaces are brought up. + +---------------------------------------------------------------------------- + I I I. N E W F E A T U R E S I N T H I S R E L E A S E +---------------------------------------------------------------------------- + +1) Support for size tables has been added in complex TC. + + The OPTIONS column of /etc/shorewall/tcdevices now allows a + 'linklayer' option whose value may be 'ethernet', 'atm' or 'adsl'; + the last two are synonyms. + + When 'linklayer' is specified, it may be followed by additional + options: + + mtu=<mtu> - The device MTU; default 2048 (will be rounded up to a + power of two) + + mpu=<mpubytes> - Minimum packet size used in + calculations. Smaller packets will be rounded up + to this size + + tsize=<tablesize> - Size table entries; default is 512 + + overhead=<overheadbytes> - Number of overhead bytes per packet. + + See tc-stab (8) for details about these options. + +2) It is now possible to specify the LS (linksharing) rate for an HFSC + class in /etc/shorewall/tcclasses. See shorewall-tcclasses (5) for + details. 
+ +3) It is now possible to specify that a leaf class will use the RED + (Random Early Detection) queuing discipline rather than SFQ or + pfifo. A new class OPTION is defined: + + red=(<red option>=<value>, ...) + + When specified on a leaf class, causes the class to use the RED + (Random Early Detection) queuing discipline rather than + SFQ. See tc-red (8) for additional information. + + Allowable <red option>s are: + + min <min> + Average queue size in bytes at which marking becomes a + possibility. + max <max> + At this average queue size, the marking probability is + maximal. Must be at least twice <min> to prevent + synchronous retransmits, higher for low <min>. + probability <probability> + Maximum probability for marking, specified as a floating + point number from 0.0 to 1.0. Suggested values are 0.01 or + 0.02 (1 or 2%, respectively). + limit <limit> + Hard limit on the real (not average) queue size in bytes. + Further packets are dropped. Should be set higher than + <max>+<burst>. It is advised to set this a few times higher + than <max>. Shorewall requires that <limit> be at least + twice <min>. + burst <burst> + Used for determining how fast the average queue size is + influenced by the real queue size. Larger values make the + calculation more sluggish, allowing longer bursts of + traffic before marking starts. Real life experiments + support the following guide‐line: + (<min>+<min>+<max>)/(3*<avpkt>). + avpkt <avpkt> + Optional. Specified in bytes. Used with burst to determine + the time constant for average queue size calculations. 1000 + is a good value and is the Shorewall default. + bandwidth <bandwidth> + Optional. This rate is used for calculating the average + queue size after some idle time. Should be set to the + bandwidth of your interface. Does not mean that RED will + shape for you! + ecn + RED can either 'mark' or 'drop'. 
Explicit Congestion + Notification (ECN) allows RED to notify remote hosts that + their rate exceeds the amount of bandwidth + available. Non-ECN capable hosts can only be notified by + dropping a packet. If this parameter is specified, packets + which indicate that their hosts honor ECN will only be + marked and not dropped, unless the queue size hits limit + bytes. Needs a tc binary with RED support compiled + in. Recommended. + +4) The handling of the USER/GROUP column of the rules file has been + rewritten. As part of this rewrite: + + a) The ability to specify a program name (e.g., +prog) has been + eliminated. The kernel feature which that ability depended on + was removed in kernel version 2.6.14. + + b) It is now possible to specify UID and/or GID ranges of the form + 'low-high' where 'low' and 'high' are integers and low <= high. + +5) It is now possible to use Perl-compatible expressions in ?IF + directives. As before, variables must be environmental variables, + options from shorewall.conf, shell variables set in the params file + or capabilities. As previously, capabilities may be entered with + leading '__' rather than '$'. + + Example: + + ?IF $BLACKLIST_LOGLEVEL && ! __LOG_OPTIONS + +6) The ?ELSIF directive has been added allowing more convenient + expression of complex include scenarios. + + Example (column headings abbreviated to fit release notes format): + + #NAME NUM MARK DUP INTERFACE GWAY OPTIONS + ?IF $FALLBACK + ComcastB 1 0x10000 - COMB_IF detect fallback + ComcastC 2 0x20000 - COMC_IF detect fallback + ?ELSIF $STATISTICAL + ComcastB 1 0x10000 - COMB_IF detect load=0.66666667 + ComcastC 2 0x20000 - COMC_IF detect load=0.33333333 + ?ELSE + ComcastB 1 0x10000 - COMB_IF detect balance=2 + ComcastC 2 0x20000 - COMC_IF detect loose,balance + ?ENDIF + +7) And ORIGINAL DEST column has been added to the masq file, allowing + SNAT rules to match only DNAT traffic to a particular original source + address. 
+ +---------------------------------------------------------------------------- + V. M I G R A T I O N I S S U E S +---------------------------------------------------------------------------- + +1) If you are migrating from Shorewall 4.2.x or earlier, please see + http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/releasenotes.txt + +2) The BLACKLIST section of the rules file has been eliminated. + If you have entries in that file section, you must move them to the + blrules file. + +3) This version of Shorewall requires either the Digest::SHA1 or + Digest::SHA Perl module. + + Debian: libdigest-sha1-perl or libdigest-sha-perl + Fedora: perl-Digest-SHA1 or perl-Digest-SHA + OpenSuSE: perl-Digest-SHA1 or perl-Digest-SHA + +4) The generated firewall script now maintains the + /var/lib/shorewall[6][-lite]/interface.status files used by SWPING + and by LSM. + + If you have optional providers and to not run a link monitor like + SWPING or LSM that updates these files, then you should remove + /etc/shorewall[6]/isusable if it is installed. + + Beginning with Shorewall 4.5.3.1: + + - The 'disable' command stores a 1 in the interface's .status file. + - The .status file is ignored on 'enable' but not on 'start', + 'restart', 'restore' and 'refresh'. + + This means that a disabled interface can only be re-enabled using + the 'enable' command. + +5) The /etc/shorewall[6]/tos file is now deprecated in favor of the + TOS() action in /etc/shorewall[6]/tcrules. + +6) The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been + renamed ACTION to reflect the expanded set of actions that can be + specified in the column. There is no change to existing + functionality. + +7) Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir + and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in + favor of the VARDIR setting in shorewallrc. + + NOTE: While the name of the variable remains VARDIR, the + meaning is slightly different. 
When set in shorewallrc, + each product (shorewall-lite, and shorewall6-lite) will + create a directory under the specified path name to + hold state information. + + Example: + + VARDIR=/opt/var/ + + The state directory for shorewall-lite will be + /opt/var/shorewall-lite/ and the directory for + shorewall6-lite will be /opt/var/shorewall6-lite. + + When VARDIR is set in /etc/shorewall[6]/vardir, the + product will save its state directly in the specified + directory. + +8) Begining with Shorewall 4.5.6, the tcrules file is processed if + MANGLE_ENABLED=Yes, independent of the setting of TC_ENABLED. This + allows actions like TTL and TPROXY to be used without enabling + traffic shaping. + + If you have rules in your tcrules file that you only want processed + when TC_ENABLED is other than 'No', then enclose them in + + ?IF $TC_ENABLED + ... + ?ENDIF + + If they are to be processed only if TC_ENABLED=Internal, then enclose + them in + + ?IF TC_ENABLED eq 'Internal' + ... + ?ENDIF + +---------------------------------------------------------------------------- + V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 5 . 5 +---------------------------------------------------------------------------- + +4.5.5.4 + +1) In the generated script, the logic for handling wildcard interfaces + with the 'wait=n' option was incorrect. For each matching interface, + the script would check its readiness n times in rapid + succession. The script now sleeps 1 second between checks. + 4.5.5.3 1) When logical interface names were used, an entry in tcrules that 
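Review bot: migration issue 8 shows `?IF TC_ENABLED eq 'Internal'`, but the `$` before TC_ENABLED is missing; the example directly above it and new feature 5 both say variables are referenced as `$NAME`, so as written the directive compares the bare word rather than the setting, and the enclosed rules would never be processed. It should read `?IF $TC_ENABLED eq 'Internal'`. Further points in this hunk: new feature 7 says the masq ORIGINAL DEST column matches "a particular original source address", but the column name and the DNAT use case imply the original destination address, and "And ORIGINAL DEST" should be "An ORIGINAL DEST". New feature 4a removes the `+prog` form of the USER/GROUP column but does not say what happens to existing rules that still use it; if the compiler drops the program match instead of rejecting the rule, a rule that was restricted to one program silently becomes a rule for the whole UID, so the notes should state that such rules are rejected at compile time (or tell the user to remove them). New feature 5 should also say that the expression is evaluated by the Perl compiler (the changelog's "Avoid a call to eval() for simple expressions" implies eval()), so a ?IF line in a config file is Perl executed at compile time and the files should be treated like code. Minor: the section numbering jumps from III to V with no IV, "Begining" in migration issue 8, and "to not run a link monitor" in migration issue 4 should be "do not run". The same text is duplicated in the shorewall-init copy of releasenotes.txt below.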
@@ -118,14 +358,7 @@ SYSCONFDIR. ---------------------------------------------------------------------------- - I I. K N O W N P R O B L E M S R E M A I N I N G ----------------------------------------------------------------------------- - -1) On systems running Upstart, shorewall-init cannot reliably secure - the firewall before interfaces are brought up. - ----------------------------------------------------------------------------- - I I I. N E W F E A T U R E S I N T H I S R E L E A S E + N E W F E A T U R E S I N 4 . 5 . 4 ---------------------------------------------------------------------------- 1) It is now possible to include additional information in netfilter 
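Review bot: this hunk retitles the section that the 4.5.5.3 notes presented as "III. NEW FEATURES IN THIS RELEASE" to "NEW FEATURES IN 4.5.4", while the content under it (through the "DIGEST=SHA1 ./install.sh" example in the next hunk) is unchanged. If these features really date from 4.5.4, say so in the changelog; if they are 4.5.5 features, the heading should read "NEW FEATURES IN 4.5.5" to match the "PROBLEMS CORRECTED IN 4.5.5" heading introduced earlier in this file. Either way the headings here should agree with the changelog, which in this same commit deletes "Add DIGEST support" from the "Changes in 4.5.5 Final" list.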
@@ -196,75 +429,9 @@ DIGEST=SHA1 ./install.sh ---------------------------------------------------------------------------- - V. M I G R A T I O N I S S U E S ----------------------------------------------------------------------------- - -1) If you are migrating from Shorewall 4.2.x or earlier, please see - http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/releasenotes.txt - -2) The BLACKLIST section of the rules file has been eliminated. - If you have entries in that file section, you must move them to the - blrules file. - -3) This version of Shorewall requires either the Digest::SHA1 or - Digest::SHA Perl module. - - Debian: libdigest-sha1-perl or libdigest-sha-perl - Fedora: perl-Digest-SHA1 or perl-Digest-SHA - OpenSuSE: perl-Digest-SHA1 or perl-Digest-SHA - -4) The generated firewall script now maintains the - /var/lib/shorewall[6][-lite]/interface.status files used by SWPING - and by LSM. - - If you have optional providers and to not run a link monitor like - SWPING or LSM that updates these files, then you should remove - /etc/shorewall[6]/isusable if it is installed. - - Beginning with Shorewall 4.5.3.1: - - - The 'disable' command stores a 1 in the interface's .status file. - - The .status file is ignored on 'enable' but not on 'start', - 'restart', 'restore' and 'refresh'. - - This means that a disabled interface can only be re-enabled using - the 'enable' command. - -5) The /etc/shorewall[6]/tos file is now deprecated in favor of the - TOS() action in /etc/shorewall[6]/tcrules. - -6) The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been - renamed ACTION to reflect the expanded set of actions that can be - specified in the column. There is no change to existing - functionality. - -7) Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir - and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in - favor of the VARDIR setting in shorewallrc. 
- - NOTE: While the name of the variable remains VARDIR, the - meaning is slightly different. When set in shorewallrc, - each product (shorewall-lite, and shorewall6-lite) will - create a directory under the specified path name to - hold state information. - - Example: - - VARDIR=/opt/var/ - - The state directory for shorewall-lite will be - /opt/var/shorewall-lite/ and the directory for - shorewall6-lite will be /opt/var/shorewall6-lite. - - When VARDIR is set in /etc/shorewall[6]/vardir, the - product will save its state directly in the specified - directory. - ----------------------------------------------------------------------------- - V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S ----------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 5 . 4 ---------------------------------------------------------------------------- + 4.5.4.2 A large number of defects in Shorewall-init have been corrected: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.5.3/shorewall-core.spec new/shorewall-core-4.5.6/shorewall-core.spec --- old/shorewall-core-4.5.5.3/shorewall-core.spec 2012-06-28 17:00:50.000000000 +0200 +++ new/shorewall-core-4.5.6/shorewall-core.spec 2012-07-07 20:07:11.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-core -%define version 4.5.5 -%define release 3 +%define version 4.5.6 +%define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} 
@@ -62,12 +62,16 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt %changelog -* Thu Jun 28 2012 Tom Eastep tom@shorewall.net -- Updated to 4.5.5-3 -* Fri Jun 22 2012 Tom Eastep tom@shorewall.net -- Updated to 4.5.5-2 -* Tue Jun 12 2012 Tom Eastep tom@shorewall.net -- Updated to 4.5.5-1 +* Thu Jul 05 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.6-0base +* Sat Jun 30 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.6-0RC1 +* Wed Jun 27 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.6-0Beta4 +* Mon Jun 18 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.6-0Beta3 +* Fri Jun 15 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.6-0Beta2 * Sat Jun 09 2012 Tom Eastep tom@shorewall.net - Updated to 4.5.6-0Beta1 * Wed Jun 06 2012 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.5.3/uninstall.sh new/shorewall-core-4.5.6/uninstall.sh --- old/shorewall-core-4.5.5.3/uninstall.sh 2012-06-28 17:00:50.000000000 +0200 +++ new/shorewall-core-4.5.6/uninstall.sh 2012-07-07 20:07:09.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.5.5.3 +VERSION=4.5.6 usage() # $1 = exit status { ++++++ shorewall-docs-html-4.5.5.3.tar.bz2 -> shorewall-docs-html-4.5.6.tar.bz2 ++++++ ++++ 6791 lines of diff (skipped) ++++++ shorewall-init-4.5.5.3.tar.bz2 -> shorewall-init-4.5.6.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.5.3/changelog.txt new/shorewall-init-4.5.6/changelog.txt --- old/shorewall-init-4.5.5.3/changelog.txt 2012-06-28 17:00:50.000000000 +0200 +++ new/shorewall-init-4.5.6/changelog.txt 2012-07-07 20:07:12.000000000 +0200 
@@ -1,24 +1,64 @@ -Changes in 4.5.5.3 +Changes in 4.5.6 Final -1) Correct a Perl trap caused by using logical names with 'classify'. +1) Update release documents. -2) Ensure that exclusion chains always have the 'DONT_MOVE' flag set. +2) Simplify handling of __IPVn in conditional directives -Changes in 4.5.5.2 +3) Avoid a call to eval() for simple expressions -1) Allow UID/GID ranges in the USER/GROUP column (undocumented) +4) Apply patch from Daniel Meißner correcting STARTUP_ENABLED=No message -2) Don't use '--ctmark' when saving marks. +5) Correct typo in ISO 3660 doc. -3) Display PROXY_MARK in 'show marks'. +6) Add FAQ 99 (empty ruleset after boot) -4) Another fix for nested ?IFs +7) When TC_ENABLED=No, require providers to process tcrules. -Changes in 4.5.5.1 +Changes in 4.5.6 RC 1 -1) Fix handling of multiple fallback providers. +1) Update release documents. -2) Allow logical device names in the REDIRECTED column. +2) Add $VERSION as a defined variable. + +3) Add missing 'sleep 1' when waiting for wildcard interfaces. + +4) Only require MANGLE_ENABLED for tcrules processing. + +Changes in 4.5.6 Beta 4 + +1) Support ?ELSIF + +2) Allow generalized expressions in ?IF and ?ELSIF + +3) Correct a logical name bug in tc + +4) Add ORIGINAL DEST column to the masq file. + +Changes in 4.5.6 Beta 3 + +1) Rewrote RED option handling. + +2) Rewrote USER/GROUP column handling. + +3) Allow UID/GID ranges in USR/GROUP. + +4) Display PROXY_MARK in 'show marks'. + +Changes in 4.5.6 Beta 2 + +1) May logical->physical name when using an IFB. + +2) Allow fractional delays in TC. + +3) Allow Linksharing rate to be specified in HFSC. + +4) Add RED support. + +Changes in 4.5.6 Beta 1 + +1) Fix multiple unweighted 'fallback' providers. + +2) Add stab TC support. Changes in 4.5.5 Final 
@@ -38,10 +78,6 @@ 4) Fix iprange match on RHEL5 -5) Fix installer's handling of SYSCONFDIR - -6) Add DIGEST support. - Changes in 4.5.5 Beta 2 1) Merged bug fixes from 4.5.4. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.5.3/configure new/shorewall-init-4.5.6/configure --- old/shorewall-init-4.5.5.3/configure 2012-06-28 17:00:50.000000000 +0200 +++ new/shorewall-init-4.5.6/configure 2012-07-07 20:07:12.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.5.5.3 +VERSION=4.5.6 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.5.3/configure.pl new/shorewall-init-4.5.6/configure.pl --- old/shorewall-init-4.5.5.3/configure.pl 2012-06-28 17:00:50.000000000 +0200 +++ new/shorewall-init-4.5.6/configure.pl 2012-07-07 20:07:12.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.5.5.3' + VERSION => '4.5.6' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.5.3/install.sh new/shorewall-init-4.5.6/install.sh --- old/shorewall-init-4.5.5.3/install.sh 2012-06-28 17:00:50.000000000 +0200 +++ new/shorewall-init-4.5.6/install.sh 2012-07-07 20:07:12.000000000 +0200 @@ -23,7 +23,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.5.5.3 +VERSION=4.5.6 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.5.3/releasenotes.txt new/shorewall-init-4.5.6/releasenotes.txt --- old/shorewall-init-4.5.5.3/releasenotes.txt 2012-06-28 17:00:50.000000000 +0200 +++ new/shorewall-init-4.5.6/releasenotes.txt 2012-07-07 20:07:12.000000000 +0200 
@@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 5 . 5 . 3 + S H O R E W A L L 4 . 5 . 6 ------------------------------------ - J u n e 2 8 , 2 0 1 2 + J u l y 1 0 , 2 0 1 2 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -15,6 +15,246 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- +1) This release includes the defect repairs from Shorewall 4.5.5.1 through + 4.5.5.4. + +2) Previously, the tcrules file was not processed when + TC_ENABLED=No. That meant that to use features like TPROXY, it was + necessary to set TC_ENABLED=Yes and create a dummy + /etc/shorewall/tcstart file. Now, only MANGLE_ENABLED=Yes is + required. + +---------------------------------------------------------------------------- + I I. K N O W N P R O B L E M S R E M A I N I N G +---------------------------------------------------------------------------- + +1) On systems running Upstart, shorewall-init cannot reliably secure + the firewall before interfaces are brought up. + +---------------------------------------------------------------------------- + I I I. N E W F E A T U R E S I N T H I S R E L E A S E +---------------------------------------------------------------------------- + +1) Support for size tables has been added in complex TC. + + The OPTIONS column of /etc/shorewall/tcdevices now allows a + 'linklayer' option whose value may be 'ethernet', 'atm' or 'adsl'; + the last two are synonyms. + + When 'linklayer' is specified, it may be followed by additional + options: + + mtu=<mtu> - The device MTU; default 2048 (will be rounded up to a + power of two) + + mpu=<mpubytes> - Minimum packet size used in + calculations. Smaller packets will be rounded up + to this size + + tsize=<tablesize> - Size table entries; default is 512 + + overhead=<overheadbytes> - Number of overhead bytes per packet. + + See tc-stab (8) for details about these options. + +2) It is now possible to specify the LS (linksharing) rate for an HFSC + class in /etc/shorewall/tcclasses. See shorewall-tcclasses (5) for + details. 
+ +3) It is now possible to specify that a leaf class will use the RED + (Random Early Detection) queuing discipline rather than SFQ or + pfifo. A new class OPTION is defined: + + red=(<red option>=<value>, ...) + + When specified on a leaf class, causes the class to use the RED + (Random Early Detection) queuing discipline rather than + SFQ. See tc-red (8) for additional information. + + Allowable <red option>s are: + + min <min> + Average queue size in bytes at which marking becomes a + possibility. + max <max> + At this average queue size, the marking probability is + maximal. Must be at least twice <min> to prevent + synchronous retransmits, higher for low <min>. + probability <probability> + Maximum probability for marking, specified as a floating + point number from 0.0 to 1.0. Suggested values are 0.01 or + 0.02 (1 or 2%, respectively). + limit <limit> + Hard limit on the real (not average) queue size in bytes. + Further packets are dropped. Should be set higher than + <max>+<burst>. It is advised to set this a few times higher + than <max>. Shorewall requires that <limit> be at least + twice <min>. + burst <burst> + Used for determining how fast the average queue size is + influenced by the real queue size. Larger values make the + calculation more sluggish, allowing longer bursts of + traffic before marking starts. Real life experiments + support the following guide‐line: + (<min>+<min>+<max>)/(3*<avpkt>). + avpkt <avpkt> + Optional. Specified in bytes. Used with burst to determine + the time constant for average queue size calculations. 1000 + is a good value and is the Shorewall default. + bandwidth <bandwidth> + Optional. This rate is used for calculating the average + queue size after some idle time. Should be set to the + bandwidth of your interface. Does not mean that RED will + shape for you! + ecn + RED can either 'mark' or 'drop'. 
Explicit Congestion + Notification (ECN) allows RED to notify remote hosts that + their rate exceeds the amount of bandwidth + available. Non-ECN capable hosts can only be notified by + dropping a packet. If this parameter is specified, packets + which indicate that their hosts honor ECN will only be + marked and not dropped, unless the queue size hits limit + bytes. Needs a tc binary with RED support compiled + in. Recommended. + +4) The handling of the USER/GROUP column of the rules file has been + rewritten. As part of this rewrite: + + a) The ability to specify a program name (e.g., +prog) has been + eliminated. The kernel feature which that ability depended on + was removed in kernel version 2.6.14. + + b) It is now possible to specify UID and/or GID ranges of the form + 'low-high' where 'low' and 'high' are integers and low <= high. + +5) It is now possible to use Perl-compatible expressions in ?IF + directives. As before, variables must be environmental variables, + options from shorewall.conf, shell variables set in the params file + or capabilities. As previously, capabilities may be entered with + leading '__' rather than '$'. + + Example: + + ?IF $BLACKLIST_LOGLEVEL && ! __LOG_OPTIONS + +6) The ?ELSIF directive has been added allowing more convenient + expression of complex include scenarios. + + Example (column headings abbreviated to fit release notes format): + + #NAME NUM MARK DUP INTERFACE GWAY OPTIONS + ?IF $FALLBACK + ComcastB 1 0x10000 - COMB_IF detect fallback + ComcastC 2 0x20000 - COMC_IF detect fallback + ?ELSIF $STATISTICAL + ComcastB 1 0x10000 - COMB_IF detect load=0.66666667 + ComcastC 2 0x20000 - COMC_IF detect load=0.33333333 + ?ELSE + ComcastB 1 0x10000 - COMB_IF detect balance=2 + ComcastC 2 0x20000 - COMC_IF detect loose,balance + ?ENDIF + +7) And ORIGINAL DEST column has been added to the masq file, allowing + SNAT rules to match only DNAT traffic to a particular original source + address. 
+ +---------------------------------------------------------------------------- + V. M I G R A T I O N I S S U E S +---------------------------------------------------------------------------- + +1) If you are migrating from Shorewall 4.2.x or earlier, please see + http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/releasenotes.txt + +2) The BLACKLIST section of the rules file has been eliminated. + If you have entries in that file section, you must move them to the + blrules file. + +3) This version of Shorewall requires either the Digest::SHA1 or + Digest::SHA Perl module. + + Debian: libdigest-sha1-perl or libdigest-sha-perl + Fedora: perl-Digest-SHA1 or perl-Digest-SHA + OpenSuSE: perl-Digest-SHA1 or perl-Digest-SHA + +4) The generated firewall script now maintains the + /var/lib/shorewall[6][-lite]/interface.status files used by SWPING + and by LSM. + + If you have optional providers and to not run a link monitor like + SWPING or LSM that updates these files, then you should remove + /etc/shorewall[6]/isusable if it is installed. + + Beginning with Shorewall 4.5.3.1: + + - The 'disable' command stores a 1 in the interface's .status file. + - The .status file is ignored on 'enable' but not on 'start', + 'restart', 'restore' and 'refresh'. + + This means that a disabled interface can only be re-enabled using + the 'enable' command. + +5) The /etc/shorewall[6]/tos file is now deprecated in favor of the + TOS() action in /etc/shorewall[6]/tcrules. + +6) The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been + renamed ACTION to reflect the expanded set of actions that can be + specified in the column. There is no change to existing + functionality. + +7) Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir + and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in + favor of the VARDIR setting in shorewallrc. + + NOTE: While the name of the variable remains VARDIR, the + meaning is slightly different. 
When set in shorewallrc, + each product (shorewall-lite, and shorewall6-lite) will + create a directory under the specified path name to + hold state information. + + Example: + + VARDIR=/opt/var/ + + The state directory for shorewall-lite will be + /opt/var/shorewall-lite/ and the directory for + shorewall6-lite will be /opt/var/shorewall6-lite. + + When VARDIR is set in /etc/shorewall[6]/vardir, the + product will save its state directly in the specified + directory. + +8) Begining with Shorewall 4.5.6, the tcrules file is processed if + MANGLE_ENABLED=Yes, independent of the setting of TC_ENABLED. This + allows actions like TTL and TPROXY to be used without enabling + traffic shaping. + + If you have rules in your tcrules file that you only want processed + when TC_ENABLED is other than 'No', then enclose them in + + ?IF $TC_ENABLED + ... + ?ENDIF + + If they are to be processed only if TC_ENABLED=Internal, then enclose + them in + + ?IF TC_ENABLED eq 'Internal' + ... + ?ENDIF + +---------------------------------------------------------------------------- + V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 5 . 5 +---------------------------------------------------------------------------- + +4.5.5.4 + +1) In the generated script, the logic for handling wildcard interfaces + with the 'wait=n' option was incorrect. For each matching interface, + the script would check its readiness n times in rapid + succession. The script now sleeps 1 second between checks. + 4.5.5.3 1) When logical interface names were used, an entry in tcrules that 
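Review bot: In migration item 8 of this shorewall-init releasenotes.txt hunk, the second example reads `?IF TC_ENABLED eq 'Internal'` without the `$` sigil, while the example just above it uses `?IF $TC_ENABLED` and new-feature item 5 states that variables are referenced with a leading `$` (or `__` for capabilities); as written the directive would test a bare word rather than the shorewall.conf option, so it should read `?IF $TC_ENABLED eq 'Internal'`. Smaller points in the same hunk: the section headings jump from III to V with no section IV; "Begining" in item 8 should be "Beginning"; "If you have optional providers and to not run a link monitor" in item 4 should be "and do not run"; and new-feature item 7 says "And ORIGINAL DEST column" (should be "An") and then describes matching "a particular original source address", which does not agree with the column name ORIGINAL DEST, so one of the two needs correcting.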
@@ -118,14 +358,7 @@ SYSCONFDIR. ---------------------------------------------------------------------------- - I I. K N O W N P R O B L E M S R E M A I N I N G ----------------------------------------------------------------------------- - -1) On systems running Upstart, shorewall-init cannot reliably secure - the firewall before interfaces are brought up. - ----------------------------------------------------------------------------- - I I I. N E W F E A T U R E S I N T H I S R E L E A S E + N E W F E A T U R E S I N 4 . 5 . 4 ---------------------------------------------------------------------------- 1) It is now possible to include additional information in netfilter 
@@ -196,75 +429,9 @@ DIGEST=SHA1 ./install.sh ---------------------------------------------------------------------------- - V. M I G R A T I O N I S S U E S ----------------------------------------------------------------------------- - -1) If you are migrating from Shorewall 4.2.x or earlier, please see - http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/releasenotes.txt - -2) The BLACKLIST section of the rules file has been eliminated. - If you have entries in that file section, you must move them to the - blrules file. - -3) This version of Shorewall requires either the Digest::SHA1 or - Digest::SHA Perl module. - - Debian: libdigest-sha1-perl or libdigest-sha-perl - Fedora: perl-Digest-SHA1 or perl-Digest-SHA - OpenSuSE: perl-Digest-SHA1 or perl-Digest-SHA - -4) The generated firewall script now maintains the - /var/lib/shorewall[6][-lite]/interface.status files used by SWPING - and by LSM. - - If you have optional providers and to not run a link monitor like - SWPING or LSM that updates these files, then you should remove - /etc/shorewall[6]/isusable if it is installed. - - Beginning with Shorewall 4.5.3.1: - - - The 'disable' command stores a 1 in the interface's .status file. - - The .status file is ignored on 'enable' but not on 'start', - 'restart', 'restore' and 'refresh'. - - This means that a disabled interface can only be re-enabled using - the 'enable' command. - -5) The /etc/shorewall[6]/tos file is now deprecated in favor of the - TOS() action in /etc/shorewall[6]/tcrules. - -6) The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been - renamed ACTION to reflect the expanded set of actions that can be - specified in the column. There is no change to existing - functionality. - -7) Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir - and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in - favor of the VARDIR setting in shorewallrc. 
- - NOTE: While the name of the variable remains VARDIR, the - meaning is slightly different. When set in shorewallrc, - each product (shorewall-lite, and shorewall6-lite) will - create a directory under the specified path name to - hold state information. - - Example: - - VARDIR=/opt/var/ - - The state directory for shorewall-lite will be - /opt/var/shorewall-lite/ and the directory for - shorewall6-lite will be /opt/var/shorewall6-lite. - - When VARDIR is set in /etc/shorewall[6]/vardir, the - product will save its state directly in the specified - directory. - ----------------------------------------------------------------------------- - V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S ----------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 5 . 4 ---------------------------------------------------------------------------- + 4.5.4.2 A large number of defects in Shorewall-init have been corrected: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.5.3/shorewall-init.spec new/shorewall-init-4.5.6/shorewall-init.spec --- old/shorewall-init-4.5.5.3/shorewall-init.spec 2012-06-28 17:00:50.000000000 +0200 +++ new/shorewall-init-4.5.6/shorewall-init.spec 2012-07-07 20:07:12.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-init -%define version 4.5.5 -%define release 3 +%define version 4.5.6 +%define release 0base Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} 
@@ -125,12 +125,16 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Thu Jun 28 2012 Tom Eastep tom@shorewall.net -- Updated to 4.5.5-3 -* Fri Jun 22 2012 Tom Eastep tom@shorewall.net -- Updated to 4.5.5-2 -* Tue Jun 12 2012 Tom Eastep tom@shorewall.net -- Updated to 4.5.5-1 +* Thu Jul 05 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.6-0base +* Sat Jun 30 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.6-0RC1 +* Wed Jun 27 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.6-0Beta4 +* Mon Jun 18 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.6-0Beta3 +* Fri Jun 15 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.6-0Beta2 * Sat Jun 09 2012 Tom Eastep tom@shorewall.net - Updated to 4.5.6-0Beta1 * Wed Jun 06 2012 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.5.3/uninstall.sh new/shorewall-init-4.5.6/uninstall.sh --- old/shorewall-init-4.5.5.3/uninstall.sh 2012-06-28 17:00:50.000000000 +0200 +++ new/shorewall-init-4.5.6/uninstall.sh 2012-07-07 20:07:12.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.5.5.3 +VERSION=4.5.6 usage() # $1 = exit status { ++++++ shorewall-lite-4.5.5.3.tar.bz2 -> shorewall-lite-4.5.6.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.5.3/changelog.txt new/shorewall-lite-4.5.6/changelog.txt --- old/shorewall-lite-4.5.5.3/changelog.txt 2012-06-28 17:00:51.000000000 +0200 +++ new/shorewall-lite-4.5.6/changelog.txt 2012-07-07 20:07:12.000000000 +0200 
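Review bot: The %changelog hunk in shorewall-init.spec replaces the three 4.5.5-x entries (Jun 12, Jun 22 and Jun 28) instead of prepending the 4.5.6 entries above them, so the spec's changelog loses the 4.5.5 history; unless that is deliberate because 4.5.5 and 4.5.6 are maintained as separate branches, keep the old entries and add the new ones on top. The new top entry is also dated Thu Jul 05 2012, while the releasenotes.txt header elsewhere in this changeset says July 10, 2012 and the file timestamps are 2012-07-07; one release date should be used consistently.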
@@ -1,24 +1,64 @@ -Changes in 4.5.5.3 +Changes in 4.5.6 Final -1) Correct a Perl trap caused by using logical names with 'classify'. +1) Update release documents. -2) Ensure that exclusion chains always have the 'DONT_MOVE' flag set. +2) Simplify handling of __IPVn in conditional directives -Changes in 4.5.5.2 +3) Avoid a call to eval() for simple expressions -1) Allow UID/GID ranges in the USER/GROUP column (undocumented) +4) Apply patch from Daniel Meißner correcting STARTUP_ENABLED=No message -2) Don't use '--ctmark' when saving marks. +5) Correct typo in ISO 3660 doc. -3) Display PROXY_MARK in 'show marks'. +6) Add FAQ 99 (empty ruleset after boot) -4) Another fix for nested ?IFs +7) When TC_ENABLED=No, require providers to process tcrules. -Changes in 4.5.5.1 +Changes in 4.5.6 RC 1 -1) Fix handling of multiple fallback providers. +1) Update release documents. -2) Allow logical device names in the REDIRECTED column. +2) Add $VERSION as a defined variable. + +3) Add missing 'sleep 1' when waiting for wildcard interfaces. + +4) Only require MANGLE_ENABLED for tcrules processing. + +Changes in 4.5.6 Beta 4 + +1) Support ?ELSIF + +2) Allow generalized expressions in ?IF and ?ELSIF + +3) Correct a logical name bug in tc + +4) Add ORIGINAL DEST column to the masq file. + +Changes in 4.5.6 Beta 3 + +1) Rewrote RED option handling. + +2) Rewrote USER/GROUP column handling. + +3) Allow UID/GID ranges in USR/GROUP. + +4) Display PROXY_MARK in 'show marks'. + +Changes in 4.5.6 Beta 2 + +1) May logical->physical name when using an IFB. + +2) Allow fractional delays in TC. + +3) Allow Linksharing rate to be specified in HFSC. + +4) Add RED support. + +Changes in 4.5.6 Beta 1 + +1) Fix multiple unweighted 'fallback' providers. + +2) Add stab TC support. Changes in 4.5.5 Final 
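Review bot: Entry 7 under "Changes in 4.5.6 Final" ("When TC_ENABLED=No, require providers to process tcrules.") qualifies RC 1 entry 4 ("Only require MANGLE_ENABLED for tcrules processing."), but the release notes in this same changeset still state that only MANGLE_ENABLED=Yes is required for tcrules to be processed; either the migration note should mention the providers requirement or entry 7 should be reworded so the two documents agree. Typos in the same hunk: Beta 2 entry 1 "May logical->physical name" should be "Map", and Beta 3 entry 3 "USR/GROUP" should be "USER/GROUP".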
@@ -38,10 +78,6 @@ 4) Fix iprange match on RHEL5 -5) Fix installer's handling of SYSCONFDIR - -6) Add DIGEST support. - Changes in 4.5.5 Beta 2 1) Merged bug fixes from 4.5.4. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.5.3/configure new/shorewall-lite-4.5.6/configure --- old/shorewall-lite-4.5.5.3/configure 2012-06-28 17:00:51.000000000 +0200 +++ new/shorewall-lite-4.5.6/configure 2012-07-07 20:07:12.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.5.5.3 +VERSION=4.5.6 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.5.3/configure.pl new/shorewall-lite-4.5.6/configure.pl --- old/shorewall-lite-4.5.5.3/configure.pl 2012-06-28 17:00:51.000000000 +0200 +++ new/shorewall-lite-4.5.6/configure.pl 2012-07-07 20:07:12.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.5.5.3' + VERSION => '4.5.6' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.5.3/install.sh new/shorewall-lite-4.5.6/install.sh --- old/shorewall-lite-4.5.5.3/install.sh 2012-06-28 17:00:51.000000000 +0200 +++ new/shorewall-lite-4.5.6/install.sh 2012-07-07 20:07:12.000000000 +0200 @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.5.5.3 +VERSION=4.5.6 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.5.3/manpages/shorewall-lite-vardir.5 new/shorewall-lite-4.5.6/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-4.5.5.3/manpages/shorewall-lite-vardir.5 2012-06-28 17:06:20.000000000 +0200 +++ new/shorewall-lite-4.5.6/manpages/shorewall-lite-vardir.5 2012-07-07 20:13:55.000000000 +0200 
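Review bot: Dropping entries 5 ("Fix installer's handling of SYSCONFDIR") and 6 ("Add DIGEST support.") from "Changes in 4.5.5 Final" rewrites the record of an already-shipped release, and the release notes in this changeset still reference both the SYSCONFDIR handling and `DIGEST=SHA1 ./install.sh`; if these items were misfiled they should be moved to the section they belong to rather than deleted, and if they were reverted the changelog should say so.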
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.75.2 http://docbook.sf.net/ -.\" Date: 06/28/2012 +.\" Date: 07/07/2012 .\" Manual: [FIXME: manual] .\" Source: [FIXME: source] .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "06/28/2012" "[FIXME: source]" "[FIXME: manual]" +.TH "SHOREWALL\-LITE\-VAR" "5" "07/07/2012" "[FIXME: source]" "[FIXME: manual]" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.5.3/manpages/shorewall-lite.8 new/shorewall-lite-4.5.6/manpages/shorewall-lite.8 --- old/shorewall-lite-4.5.5.3/manpages/shorewall-lite.8 2012-06-28 17:06:22.000000000 +0200 +++ new/shorewall-lite-4.5.6/manpages/shorewall-lite.8 2012-07-07 20:18:00.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.75.2 http://docbook.sf.net/ -.\" Date: 06/28/2012 +.\" Date: 07/07/2012 .\" Manual: [FIXME: manual] .\" Source: [FIXME: source] .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "06/28/2012" "[FIXME: source]" "[FIXME: manual]" +.TH "SHOREWALL\-LITE" "8" "07/07/2012" "[FIXME: source]" "[FIXME: manual]" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.5.3/manpages/shorewall-lite.conf.5 new/shorewall-lite-4.5.6/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-4.5.5.3/manpages/shorewall-lite.conf.5 2012-06-28 17:06:17.000000000 +0200 +++ new/shorewall-lite-4.5.6/manpages/shorewall-lite.conf.5 2012-07-07 20:17:54.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.75.2 http://docbook.sf.net/ -.\" Date: 06/28/2012 +.\" Date: 07/07/2012 .\" Manual: [FIXME: manual] .\" Source: [FIXME: source] .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "06/28/2012" "[FIXME: source]" "[FIXME: manual]" +.TH "SHOREWALL\-LITE\&.CO" "5" "07/07/2012" "[FIXME: source]" "[FIXME: manual]" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.5.3/releasenotes.txt new/shorewall-lite-4.5.6/releasenotes.txt --- old/shorewall-lite-4.5.5.3/releasenotes.txt 2012-06-28 17:00:51.000000000 +0200 +++ new/shorewall-lite-4.5.6/releasenotes.txt 2012-07-07 20:07:12.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 5 . 5 . 3 + S H O R E W A L L 4 . 5 . 6 ------------------------------------ - J u n e 2 8 , 2 0 1 2 + J u l y 1 0 , 2 0 1 2 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -15,6 +15,246 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- +1) This release includes the defect repairs from Shorewall 4.5.5.1 through + 4.5.5.4. + +2) Previously, the tcrules file was not processed when + TC_ENABLED=No. That meant that to use features like TPROXY, it was + necessary to set TC_ENABLED=Yes and create a dummy + /etc/shorewall/tcstart file. Now, only MANGLE_ENABLED=Yes is + required. + +---------------------------------------------------------------------------- + I I. K N O W N P R O B L E M S R E M A I N I N G +---------------------------------------------------------------------------- + +1) On systems running Upstart, shorewall-init cannot reliably secure + the firewall before interfaces are brought up. + +---------------------------------------------------------------------------- + I I I. N E W F E A T U R E S I N T H I S R E L E A S E +---------------------------------------------------------------------------- + +1) Support for size tables has been added in complex TC. + + The OPTIONS column of /etc/shorewall/tcdevices now allows a + 'linklayer' option whose value may be 'ethernet', 'atm' or 'adsl'; + the last two are synonyms. + + When 'linklayer' is specified, it may be followed by additional + options: + + mtu=<mtu> - The device MTU; default 2048 (will be rounded up to a + power of two) + + mpu=<mpubytes> - Minimum packet size used in + calculations. Smaller packets will be rounded up + to this size + + tsize=<tablesize> - Size table entries; default is 512 + + overhead=<overheadbytes> - Number of overhead bytes per packet. + + See tc-stab (8) for details about these options. + +2) It is now possible to specify the LS (linksharing) rate for an HFSC + class in /etc/shorewall/tcclasses. See shorewall-tcclasses (5) for + details. 
+ +3) It is now possible to specify that a leaf class will use the RED + (Random Early Detection) queuing discipline rather than SFQ or + pfifo. A new class OPTION is defined: + + red=(<red option>=<value>, ...) + + When specified on a leaf class, causes the class to use the RED + (Random Early Detection) queuing discipline rather than + SFQ. See tc-red (8) for additional information. + + Allowable <red option>s are: + + min <min> + Average queue size in bytes at which marking becomes a + possibility. + max <max> + At this average queue size, the marking probability is + maximal. Must be at least twice <min> to prevent + synchronous retransmits, higher for low <min>. + probability <probability> + Maximum probability for marking, specified as a floating + point number from 0.0 to 1.0. Suggested values are 0.01 or + 0.02 (1 or 2%, respectively). + limit <limit> + Hard limit on the real (not average) queue size in bytes. + Further packets are dropped. Should be set higher than + <max>+<burst>. It is advised to set this a few times higher + than <max>. Shorewall requires that <limit> be at least + twice <min>. + burst <burst> + Used for determining how fast the average queue size is + influenced by the real queue size. Larger values make the + calculation more sluggish, allowing longer bursts of + traffic before marking starts. Real life experiments + support the following guide‐line: + (<min>+<min>+<max>)/(3*<avpkt>). + avpkt <avpkt> + Optional. Specified in bytes. Used with burst to determine + the time constant for average queue size calculations. 1000 + is a good value and is the Shorewall default. + bandwidth <bandwidth> + Optional. This rate is used for calculating the average + queue size after some idle time. Should be set to the + bandwidth of your interface. Does not mean that RED will + shape for you! + ecn + RED can either 'mark' or 'drop'. 
Explicit Congestion + Notification (ECN) allows RED to notify remote hosts that + their rate exceeds the amount of bandwidth + available. Non-ECN capable hosts can only be notified by + dropping a packet. If this parameter is specified, packets + which indicate that their hosts honor ECN will only be + marked and not dropped, unless the queue size hits limit + bytes. Needs a tc binary with RED support compiled + in. Recommended. + +4) The handling of the USER/GROUP column of the rules file has been + rewritten. As part of this rewrite: + + a) The ability to specify a program name (e.g., +prog) has been + eliminated. The kernel feature which that ability depended on + was removed in kernel version 2.6.14. + + b) It is now possible to specify UID and/or GID ranges of the form + 'low-high' where 'low' and 'high' are integers and low <= high. + +5) It is now possible to use Perl-compatible expressions in ?IF + directives. As before, variables must be environmental variables, + options from shorewall.conf, shell variables set in the params file + or capabilities. As previously, capabilities may be entered with + leading '__' rather than '$'. + + Example: + + ?IF $BLACKLIST_LOGLEVEL && ! __LOG_OPTIONS + +6) The ?ELSIF directive has been added allowing more convenient + expression of complex include scenarios. + + Example (column headings abbreviated to fit release notes format): + + #NAME NUM MARK DUP INTERFACE GWAY OPTIONS + ?IF $FALLBACK + ComcastB 1 0x10000 - COMB_IF detect fallback + ComcastC 2 0x20000 - COMC_IF detect fallback + ?ELSIF $STATISTICAL + ComcastB 1 0x10000 - COMB_IF detect load=0.66666667 + ComcastC 2 0x20000 - COMC_IF detect load=0.33333333 + ?ELSE + ComcastB 1 0x10000 - COMB_IF detect balance=2 + ComcastC 2 0x20000 - COMC_IF detect loose,balance + ?ENDIF + +7) And ORIGINAL DEST column has been added to the masq file, allowing + SNAT rules to match only DNAT traffic to a particular original source + address. 
+ +---------------------------------------------------------------------------- + V. M I G R A T I O N I S S U E S +---------------------------------------------------------------------------- + +1) If you are migrating from Shorewall 4.2.x or earlier, please see + http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/releasenotes.txt + +2) The BLACKLIST section of the rules file has been eliminated. + If you have entries in that file section, you must move them to the + blrules file. + +3) This version of Shorewall requires either the Digest::SHA1 or + Digest::SHA Perl module. + + Debian: libdigest-sha1-perl or libdigest-sha-perl + Fedora: perl-Digest-SHA1 or perl-Digest-SHA + OpenSuSE: perl-Digest-SHA1 or perl-Digest-SHA + +4) The generated firewall script now maintains the + /var/lib/shorewall[6][-lite]/interface.status files used by SWPING + and by LSM. + + If you have optional providers and to not run a link monitor like + SWPING or LSM that updates these files, then you should remove + /etc/shorewall[6]/isusable if it is installed. + + Beginning with Shorewall 4.5.3.1: + + - The 'disable' command stores a 1 in the interface's .status file. + - The .status file is ignored on 'enable' but not on 'start', + 'restart', 'restore' and 'refresh'. + + This means that a disabled interface can only be re-enabled using + the 'enable' command. + +5) The /etc/shorewall[6]/tos file is now deprecated in favor of the + TOS() action in /etc/shorewall[6]/tcrules. + +6) The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been + renamed ACTION to reflect the expanded set of actions that can be + specified in the column. There is no change to existing + functionality. + +7) Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir + and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in + favor of the VARDIR setting in shorewallrc. + + NOTE: While the name of the variable remains VARDIR, the + meaning is slightly different. 
When set in shorewallrc, + each product (shorewall-lite, and shorewall6-lite) will + create a directory under the specified path name to + hold state information. + + Example: + + VARDIR=/opt/var/ + + The state directory for shorewall-lite will be + /opt/var/shorewall-lite/ and the directory for + shorewall6-lite will be /opt/var/shorewall6-lite. + + When VARDIR is set in /etc/shorewall[6]/vardir, the + product will save its state directly in the specified + directory. + +8) Begining with Shorewall 4.5.6, the tcrules file is processed if + MANGLE_ENABLED=Yes, independent of the setting of TC_ENABLED. This + allows actions like TTL and TPROXY to be used without enabling + traffic shaping. + + If you have rules in your tcrules file that you only want processed + when TC_ENABLED is other than 'No', then enclose them in + + ?IF $TC_ENABLED + ... + ?ENDIF + + If they are to be processed only if TC_ENABLED=Internal, then enclose + them in + + ?IF TC_ENABLED eq 'Internal' + ... + ?ENDIF + +---------------------------------------------------------------------------- + V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 5 . 5 +---------------------------------------------------------------------------- + +4.5.5.4 + +1) In the generated script, the logic for handling wildcard interfaces + with the 'wait=n' option was incorrect. For each matching interface, + the script would check its readiness n times in rapid + succession. The script now sleeps 1 second between checks. + 4.5.5.3 1) When logical interface names were used, an entry in tcrules that 
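Review bot: This shorewall-lite releasenotes.txt hunk carries the same text as the shorewall-init releasenotes.txt hunk earlier in this changeset, so the same corrections apply here: `?IF TC_ENABLED eq 'Internal'` in migration item 8 is missing the `$` sigil used by the companion example `?IF $TC_ENABLED`, the section numbering skips IV, and "Begining", "and to not run a link monitor" and "And ORIGINAL DEST column ... original source address" all need fixing. Since the two files are identical, generating both from one source would keep the copies from drifting.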
@@ -118,14 +358,7 @@ SYSCONFDIR. ---------------------------------------------------------------------------- - I I. K N O W N P R O B L E M S R E M A I N I N G ----------------------------------------------------------------------------- - -1) On systems running Upstart, shorewall-init cannot reliably secure - the firewall before interfaces are brought up. - ----------------------------------------------------------------------------- - I I I. N E W F E A T U R E S I N T H I S R E L E A S E + N E W F E A T U R E S I N 4 . 5 . 4 ---------------------------------------------------------------------------- 1) It is now possible to include additional information in netfilter 
@@ -196,75 +429,9 @@ DIGEST=SHA1 ./install.sh ---------------------------------------------------------------------------- - V. M I G R A T I O N I S S U E S ----------------------------------------------------------------------------- - -1) If you are migrating from Shorewall 4.2.x or earlier, please see - http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/releasenotes.txt - -2) The BLACKLIST section of the rules file has been eliminated. - If you have entries in that file section, you must move them to the - blrules file. - -3) This version of Shorewall requires either the Digest::SHA1 or - Digest::SHA Perl module. - - Debian: libdigest-sha1-perl or libdigest-sha-perl - Fedora: perl-Digest-SHA1 or perl-Digest-SHA - OpenSuSE: perl-Digest-SHA1 or perl-Digest-SHA - -4) The generated firewall script now maintains the - /var/lib/shorewall[6][-lite]/interface.status files used by SWPING - and by LSM. - - If you have optional providers and to not run a link monitor like - SWPING or LSM that updates these files, then you should remove - /etc/shorewall[6]/isusable if it is installed. - - Beginning with Shorewall 4.5.3.1: - - - The 'disable' command stores a 1 in the interface's .status file. - - The .status file is ignored on 'enable' but not on 'start', - 'restart', 'restore' and 'refresh'. - - This means that a disabled interface can only be re-enabled using - the 'enable' command. - -5) The /etc/shorewall[6]/tos file is now deprecated in favor of the - TOS() action in /etc/shorewall[6]/tcrules. - -6) The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been - renamed ACTION to reflect the expanded set of actions that can be - specified in the column. There is no change to existing - functionality. - -7) Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir - and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in - favor of the VARDIR setting in shorewallrc. 
- - NOTE: While the name of the variable remains VARDIR, the - meaning is slightly different. When set in shorewallrc, - each product (shorewall-lite, and shorewall6-lite) will - create a directory under the specified path name to - hold state information. - - Example: - - VARDIR=/opt/var/ - - The state directory for shorewall-lite will be - /opt/var/shorewall-lite/ and the directory for - shorewall6-lite will be /opt/var/shorewall6-lite. - - When VARDIR is set in /etc/shorewall[6]/vardir, the - product will save its state directly in the specified - directory. - ----------------------------------------------------------------------------- - V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S ----------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 5 . 4 ---------------------------------------------------------------------------- + 4.5.4.2 A large number of defects in Shorewall-init have been corrected: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.5.3/shorewall-lite.spec new/shorewall-lite-4.5.6/shorewall-lite.spec --- old/shorewall-lite-4.5.5.3/shorewall-lite.spec 2012-06-28 17:00:51.000000000 +0200 +++ new/shorewall-lite-4.5.6/shorewall-lite.spec 2012-07-07 20:07:12.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-lite -%define version 4.5.5 -%define release 3 +%define version 4.5.6 +%define release 0base %define initdir /etc/init.d Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. 
@@ -105,12 +105,16 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Thu Jun 28 2012 Tom Eastep tom@shorewall.net -- Updated to 4.5.5-3 -* Fri Jun 22 2012 Tom Eastep tom@shorewall.net -- Updated to 4.5.5-2 -* Tue Jun 12 2012 Tom Eastep tom@shorewall.net -- Updated to 4.5.5-1 +* Thu Jul 05 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.6-0base +* Sat Jun 30 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.6-0RC1 +* Wed Jun 27 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.6-0Beta4 +* Mon Jun 18 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.6-0Beta3 +* Fri Jun 15 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.6-0Beta2 * Sat Jun 09 2012 Tom Eastep tom@shorewall.net - Updated to 4.5.6-0Beta1 * Wed Jun 06 2012 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.5.3/uninstall.sh new/shorewall-lite-4.5.6/uninstall.sh --- old/shorewall-lite-4.5.5.3/uninstall.sh 2012-06-28 17:00:51.000000000 +0200 +++ new/shorewall-lite-4.5.6/uninstall.sh 2012-07-07 20:07:12.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.5.5.3 +VERSION=4.5.6 usage() # $1 = exit status { ++++++ shorewall-4.5.5.3.tar.bz2 -> shorewall6-4.5.6.tar.bz2 ++++++ ++++ 100329 lines of diff (skipped) ++++++ shorewall-lite-4.5.5.3.tar.bz2 -> shorewall6-lite-4.5.6.tar.bz2 ++++++ ++++ 7070 lines of diff (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
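Review bot: The two skipped comparisons pair mismatched packages, shorewall-4.5.5.3.tar.bz2 against shorewall6-4.5.6.tar.bz2 and shorewall-lite-4.5.5.3.tar.bz2 against shorewall6-lite-4.5.6.tar.bz2, which is why they run to 100329 and 7070 lines; the shorewall and shorewall6 tarballs were compared against the wrong predecessors, so those diffs say nothing about what actually changed in each package and should be regenerated old-vs-new per package before they can be reviewed.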