commit shorewall for openSUSE:Factory
Hello community,
here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2014-09-03 18:22:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shorewall (Old)
and /work/SRC/openSUSE:Factory/.shorewall.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall"
Changes:
--------
--- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2014-08-15 09:56:20.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes 2014-09-03 21:09:38.000000000 +0200
@@ -1,0 +2,23 @@
+Sun Aug 31 17:24:13 UTC 2014 - toganm@opensuse.org
+
+- Update to version 4.6.3.1 For more details see changelog.txt and
+ releasenotes.tx
+ * The DNSAmp action released in 4.6.3 matched more packets than it
+ should have. That has now been corrected.
+ * The handling of REJECT in IP[6]TABLES rules has been clarified
+ inthe shorewall-rules(5) and shorewall6-rules(5) manpages.
+ * The following misleading error message has now been corrected:
+
+ ERROR: The xxx TARGET is now allowed in the filter table
+
+ The message now reads:
+
+ ERROR: The xxx TARGET is not allowed in the filter table
+
+- Spec fixes
+
+ * Fixed shorewall-init requires so it needs shoreline-firewall
+ which is an alias for shorewall shorewall6 shorewall-lite and
+ shorewall6-lite packages
+ * shorewall-init package was missing a rc link
+-------------------------------------------------------------------
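Review bot: two typos in the new .changes entry: "releasenotes.tx" should be "releasenotes.txt" and "inthe" should be "in the" (the wording otherwise tracks the upstream release notes quoted further down).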
Old:
----
shorewall-4.6.2.5.tar.bz2
shorewall-core-4.6.2.5.tar.bz2
shorewall-docs-html-4.6.2.5.tar.bz2
shorewall-init-4.6.2.5.tar.bz2
shorewall-lite-4.6.2.5.tar.bz2
shorewall6-4.6.2.5.tar.bz2
shorewall6-lite-4.6.2.5.tar.bz2
New:
----
shorewall-4.6.3.1.tar.bz2
shorewall-core-4.6.3.1.tar.bz2
shorewall-docs-html-4.6.3.1.tar.bz2
shorewall-init-4.6.3.1.tar.bz2
shorewall-lite-4.6.3.1.tar.bz2
shorewall6-4.6.3.1.tar.bz2
shorewall6-lite-4.6.3.1.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ shorewall.spec ++++++
--- /var/tmp/diff_new_pack.YNKUe7/_old 2014-09-03 21:09:40.000000000 +0200
+++ /var/tmp/diff_new_pack.YNKUe7/_new 2014-09-03 21:09:40.000000000 +0200
@@ -20,19 +20,19 @@
%define have_systemd 1
Name: shorewall
-Version: 4.6.2.5
+Version: 4.6.3.1
Release: 0
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems
License: GPL-2.0
Group: Productivity/Networking/Security
Url: http://www.shorewall.net/
-Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.2/%name-%version.ta...
-Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.2/%name-core-%versi...
-Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.2/%name-lite-%versi...
-Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.2/%name-init-%versi...
-Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.2/%{name}6-lite-%version.tar.bz2
-Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.2/%{name}6-%version.tar.bz2
-Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.2/%name-docs-html-%...
+Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.3/%name-%version.ta...
+Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.3/%name-core-%versi...
+Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.3/%name-lite-%versi...
+Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.3/%name-init-%versi...
+Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.3/%{name}6-lite-%version.tar.bz2
+Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.3/%{name}6-%version.tar.bz2
+Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.3/%name-docs-html-%...
Source7: %name-4.4.22.rpmlintrc
Source8: README.openSUSE
# PATCH-FIX-UPSTREAM toganm@opensuse.org Shorewall-lite init.suse.sh Required Stop
@@ -61,6 +61,8 @@
Requires: iptables
Requires: logrotate
Requires: xtables-addons
+Provides: shoreline_firewall = %{version}-%{release}
+
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
BuildRequires: bash >= 4
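Review bot: the new virtual provide is spelled `shoreline_firewall` (underscore) here and in the other subpackages, while the .changes entry calls it "shoreline-firewall" (hyphen); since the spec name is what `Requires:` consumers must match, the changelog wording should be aligned with it.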
@@ -135,6 +137,7 @@
Requires: iproute2
Requires: iptables
Requires: logrotate
+Provides: shoreline_firewall = %{version}-%{release}
%if 0%{?suse_version}
Conflicts: SuSEfirewall2
%endif
@@ -175,7 +178,7 @@
Requires(preun): systemd-units
Requires(postun): systemd-units
%endif
-
+Provides: shoreline_firewall = %{version}-%{release}
Requires: %name > 4.5.0-0
Requires: logrotate
%if 0%{?suse_version}
@@ -217,6 +220,7 @@
%endif
Requires: %name-core
Requires: logrotate
+Provides: shoreline_firewall = %{version}-%{release}
%if 0%{?suse_version}
Conflicts: SuSEfirewall2
%endif
@@ -257,8 +261,9 @@
Requires(preun): systemd-units
Requires(postun): systemd-units
%endif
-Requires: %name > 4.4.9
-Requires: %{name}6 > 4.4.9
+
+Requires: shoreline_firewall >= 4.5.0
+
Requires: logrotate
%if 0%{?suse_version}
Conflicts: SuSEfirewall2
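Review bot: the two blank `+` lines wrapped around `Requires: shoreline_firewall >= 4.5.0` are stray whitespace and can go. The semantic change itself is worth stating plainly in the .changes entry: shorewall-init previously required both `%name` and `%{name}6` to be installed, whereas the virtual provide is satisfied by any one of shorewall, shorewall6, shorewall-lite or shorewall6-lite, which is what the changelog's "alias" wording intends.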
@@ -391,7 +396,7 @@
done
# FIXME linkto /usr/sbin/service should follow usr_move thing
-rctargets="shorewall shorewall-lite shorewall6 shorewall6-lite"
+rctargets="shorewall shorewall-lite shorewall6 shorewall6-lite shorewall-init"
mkdir -p %buildroot/%_sbindir
for i in $rctargets; do
%if 0%{?suse_version} > 1220
@@ -811,6 +816,8 @@
# FIXME
%if 0%{?suse_version}
+%{_sbindir}/rc%{name}-init
+
%_localstatedir/adm/fillup-templates/sysconfig.%name-init
%if 0%{?suse_version} <= 1220
%attr(0544,root,root) %_initddir/%name-init
++++++ shorewall-4.6.2.5.tar.bz2 -> shorewall-4.6.3.1.tar.bz2 ++++++
++++ 1866 lines of diff (skipped)
++++++ shorewall-core-4.6.2.5.tar.bz2 -> shorewall-core-4.6.3.1.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.2.5/changelog.txt new/shorewall-core-4.6.3.1/changelog.txt
--- old/shorewall-core-4.6.2.5/changelog.txt 2014-08-13 01:53:52.000000000 +0200
+++ new/shorewall-core-4.6.3.1/changelog.txt 2014-08-27 16:54:44.000000000 +0200
@@ -1,23 +1,45 @@
-Changes in 4.6.2.5
+Changes in 4.6.3.1
+
+1) Update release documents
+
+2) Correct the u32 match string in action.DNSAmp.
+
+3) Clarify REJECT handling in IP[6]TABLES rules.
+
+Changes in 4.6.3 Final
+
+1) Update release documents.
+
+2) Apply Thomas D's fix for SAVE_IPSETS on Debian.
+
+Changes in 4.6.3 RC 1
1) Update release documents.
-2) Allow a physical interface name in the INTERFACE column of the
- providers files.
+2) Minor code and documentation cleanup.
-3) Apply Louis Lagendijk's patch for shorewall-init.
+3) Defect repair from 4.6.2.5.
-Changes in 4.6.2.4
+hanges in 4.6.3 Beta 2
1) Update release documents.
-2) Allow inline matches in the body of an action.
+2) Add DNSAmp action
+
+3) Allow inline matches in action bodies (from 4.6.2.4)
-Changes in 4.6.2.3
+4) Allow physical names to be used in the INTERFACE column of the
+ providers file.
+
+Changes in 4.6.3 Beta 1
1) Update release documents.
-2) Correct handling of optimize level 8 with Perl 5.20.
+2) Describe new helper assignment in the FTP article.
+
+3) Merge defect repair from 4.6.2.3.
+
+4) Implement the 'run' command.
Changes in 4.6.2.2
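Review bot: the heading `hanges in 4.6.3 Beta 2` is missing its leading "C". This is upstream changelog text shipped in the tarball, so it is a note for upstream rather than something to patch in the package.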
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.2.5/configure new/shorewall-core-4.6.3.1/configure
--- old/shorewall-core-4.6.2.5/configure 2014-08-13 01:53:51.000000000 +0200
+++ new/shorewall-core-4.6.3.1/configure 2014-08-27 16:54:43.000000000 +0200
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=4.6.2.5
+VERSION=4.6.3.1
case "$BASH_VERSION" in
[4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.2.5/configure.pl new/shorewall-core-4.6.3.1/configure.pl
--- old/shorewall-core-4.6.2.5/configure.pl 2014-08-13 01:53:51.000000000 +0200
+++ new/shorewall-core-4.6.3.1/configure.pl 2014-08-27 16:54:43.000000000 +0200
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '4.6.2.5'
+ VERSION => '4.6.3.1'
};
my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.2.5/install.sh new/shorewall-core-4.6.3.1/install.sh
--- old/shorewall-core-4.6.2.5/install.sh 2014-08-13 01:53:51.000000000 +0200
+++ new/shorewall-core-4.6.3.1/install.sh 2014-08-27 16:54:43.000000000 +0200
@@ -22,7 +22,7 @@
# along with this program; if not, see http://www.gnu.org/licenses/.
#
-VERSION=4.6.2.5
+VERSION=4.6.3.1
usage() # $1 = exit status
{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.2.5/known_problems.txt new/shorewall-core-4.6.3.1/known_problems.txt
--- old/shorewall-core-4.6.2.5/known_problems.txt 2014-08-13 01:53:52.000000000 +0200
+++ new/shorewall-core-4.6.3.1/known_problems.txt 2014-08-27 16:54:44.000000000 +0200
@@ -1,87 +1,22 @@
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
-2) In the tcrules file:
+2) The DNSAmp action released in 4.6.3 matches more packets than it
+ should.
- - SAVE and RESTORE generate fatal compilation errors.
- - '|' and '&' are ignored.
+ Workaround: Change the single rule in
+ /usr/share/shorewall/action.DNSAmp to:
- Corrected in 4.6.2.1.
+ IPTABLES(@1) - - udp 53 ; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
-3) In the mangle file:
+ Corrected in 4.6.3.1.
- - '|' and '&' are ignored in MARK ACTIONS.
+3) A typo results in the following misleading error message:
- Corrected in 4.6.2.1.
+ ERROR: The xxx TARGET is now allowed in the filter table
-4) The compiler fails to detect the IPv6 Header Match capability when
- LOAD_MODULES_ONLY=No.
+ The message should read:
- Workaround: Use a capabilities file or set LOAD_MODULES_ONLY=Yes.
+ ERROR: The xxx TARGET is not allowed in the filter table
- Corrected in 4.6.2.2.
-
-5) The compiler fails to detect Ipset Match support when the system is
- running a 3.14 Linux Kernel.
-
- Workaround: Use a capabilities file.
-
- Corrected in 4.6.2.2.
-
-6) The compiler fails to detect the Arptables JF capability when
- LOAD_MODULES_ONLY=No.
-
- Workaround: Use a capabilities file or set LOAD_MODULES_ONLY=Yes.
-
- Corrected in 4.6.2.2.
-
-7) The tcfilter manpages fail to mention that BASIC_FILTERS=Yes is
- required to use ipsets in the tcfilters files.
-
- Corrected in 4.6.2.2.
-
-8) The compiler fails with a Perl diagnostic if:
-
- - Optimize Level 8 is enabled.
- - Perl 5.20 is being used
-
- The diagnostic is:
-
- Can't use string ("nat") as a HASH ref while "strict refs" in use
- at /usr/share/shorewall/Shorewall/Chains.pm line 3486.
-
- Workaround: Disable optimize level 8 by subtracting 8 from the
- current setting. If 'all' is the current value,
- change the setting to OPTIMIZE=23
-
- Corrected in 4.6.2.3.
-
-9) Inline matches are incorrectly disallowed in action files.
-
- Corrected in 4.6.2.4.
-
-10) If the following entry appears in /etc/shorewall/interfaces:
-
- prov2 VPNIF physical=tun1,optional
-
- then this entry in /etc/shorewall/provider
-
- prov2 2 2 - tun1 192.168.1.1 track,fallback
-
- results in the following:
-
- Use of uninitialized value $physical in pattern match
- (m//) at /usr/lib/perl5/vendor_perl/5.18.1/
- Shorewall/Providers.pm line 463, <$currentfile> line 2.
- ERROR: A provider interface must have at least one
- associated zone /opt/etc/shorewall/providers (line 2)
-
- Workaround: Change the provider entry to
-
- prov2 2 2 - VPNIF 192.168.1.1 track,fallback
-
- Corrected in 4.6.2.5.
-
-11) Shorewall-init fails when installed on a system with systemd.
-
- Corrected in 4.6.2.5.
+ Corrected in 4.6.3.1.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.2.5/lib.cli new/shorewall-core-4.6.3.1/lib.cli
--- old/shorewall-core-4.6.2.5/lib.cli 2014-08-13 01:39:52.000000000 +0200
+++ new/shorewall-core-4.6.3.1/lib.cli 2014-08-24 20:59:51.000000000 +0200
@@ -1470,22 +1470,10 @@
$g_tool -t rawpost -L $g_ipt_options
fi
- local count
- local max
+ local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+ local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
- if [ -f /proc/sys/net/netfilter/nf_conntrack_count ]; then
- count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
- max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-
- heading "Conntrack Table ($count out of $max)"
- elif [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_count ]; then
- count=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count)
- max=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max)
-
- heading "Conntrack Table ($count out of $max)"
- else
- heading "Conntrack Table"
- fi
+ heading "Conntrack Table ($count out of $max)"
if [ $g_family -eq 4 ]; then
[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
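Review bot: dropping the `-f` guards regresses the fallback behaviour of this status output. The old code tested for `/proc/sys/net/netfilter/nf_conntrack_count`, then for the legacy `/proc/sys/net/ipv4/netfilter/ip_conntrack_count`, and printed a bare "Conntrack Table" heading when neither existed; the new code runs `cat` unconditionally, so on a host where the conntrack module is not loaded or only the legacy entries exist, `cat` writes "No such file or directory" to stderr and the heading is rendered as "Conntrack Table ( out of )". That is also inconsistent with the unchanged context line immediately below, which still checks for the legacy `/proc/net/ip_conntrack` file. Suggest keeping `if [ -f /proc/sys/net/netfilter/nf_conntrack_count ]; then … else heading "Conntrack Table"; fi` around the two assignments.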
@@ -3527,6 +3515,14 @@
return $rc
}
+run_command() {
+ if [ -x ${VARDIR}/firewall ] ; then
+ run_it ${VARDIR}/firewall $g_debugging $@
+ else
+ fatal_error "${VARDIR}/firewall does not exist or is not executable"
+ fi
+}
+
#
# Give Usage Information
#
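Review bot: `run_it ${VARDIR}/firewall $g_debugging $@` passes the user's parameters unquoted, so any parameter containing whitespace is split into several arguments before it reaches the generated script; use `"$@"` here, and quote `${VARDIR}/firewall` in both the `-x` test and the call so a VARDIR with spaces does not break the test.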
@@ -3558,6 +3554,7 @@
echo " reset [ <chain> ... ]"
echo " restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
echo " restore [ -n ] [ <file name> ]"
+ echo " run <command> [ <parameter> ... ]"
echo " save [ <file name> ]"
echo " [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
echo " [ show | list | ls ] [ -f ] capabilities"
@@ -3586,6 +3583,7 @@
echo " start [ -f ] [ -p ] [ <directory> ]"
echo " stop"
echo " status [ -i ]"
+ echo " run <function> [ function ... ]"
echo " version [ -a ]"
echo
exit $1
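Review bot: the two usage blocks now disagree on the syntax of the new command: the first hunk prints `run <command> [ <parameter> ... ]` while this one prints `run <function> [ function ... ]`. The release notes in this update document the first form, so this line should match it.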
@@ -3830,6 +3828,11 @@
fatal_error "$g_product is not running"
fi
;;
+ run)
+ [ $# -gt 1 ] || fatal_error "Missing function name"
+ get_config Yes
+ run_command $@
+ ;;
show|list|ls)
get_config Yes No Yes
shift
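Review bot: unlike the `show|list|ls)` branch directly below, which does `shift` before dispatching, the `run)` branch calls `run_command $@` without shifting, so the literal word `run` is forwarded to the generated script together with `$g_debugging` and the user's parameters. Please confirm the generated script's dispatcher expects `run` as its first argument (the script side is not part of this diff), and quote `"$@"` for the same reason as in `run_command`.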
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.2.5/lib.common new/shorewall-core-4.6.3.1/lib.common
--- old/shorewall-core-4.6.2.5/lib.common 2014-08-13 01:39:52.000000000 +0200
+++ new/shorewall-core-4.6.3.1/lib.common 2014-08-24 20:59:51.000000000 +0200
@@ -172,6 +172,7 @@
error_message() # $* = Error Message
{
echo " $@" >&2
+ return 1
}
#
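Review bot: adding `return 1` changes the exit status of a library function that is sourced by user code (lib.private is referenced in the release notes), so any caller where `error_message` is the last statement of a function, or that runs under `set -e`, will now see a failure status where it previously saw the status of `echo`. The change is reasonable, but it deserves a line in the release notes so administrators with custom helpers are not surprised.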
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.2.5/releasenotes.txt new/shorewall-core-4.6.3.1/releasenotes.txt
--- old/shorewall-core-4.6.2.5/releasenotes.txt 2014-08-13 01:53:52.000000000 +0200
+++ new/shorewall-core-4.6.3.1/releasenotes.txt 2014-08-27 16:54:44.000000000 +0200
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 4 . 6 . 2 . 5
+ S H O R E W A L L 4 . 6 . 3 . 1
------------------------------------
- A u g u s t 1 4 , 2 0 1 4
+ A u g u s t 2 6 , 2 0 1 4
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,80 +14,28 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-4.6.2.5
+4.6.3
-1) Previously, when an interface specified the 'physical=' option and
- the physical interface name was specified in the INTERFACES column
- of the providers file, compilation would fail with diagnostics
- similar to the following:
+1) The DNSAmp action released in 4.6.3 matched more packets than it
+ should have. That has now been corrected.
- Use of uninitialized value $physical in pattern match
- (m//) at /usr/lib/perl5/vendor_perl/5.18.1/
- Shorewall/Providers.pm line 463, <$currentfile> line 2.
- ERROR: A provider interface must have at least one
- associated zone /opt/etc/shorewall/providers (line 2)
+2) The handling of REJECT in IP[6]TABLES rules has been clarified in
+ the shorewall-rules(5) and shorewall6-rules(5) manpages.
-2) Shorewall-init now works correctly on systems with systemd.
- By Louis Lagendijk.
+3) The following misleading error message has now been corrected:
-4.6.2.4
+ ERROR: The xxx TARGET is now allowed in the filter table
-1) Previously, inline matches were incorrectly disallowed in action
- files. These matches are now allowed.
+ The message now reads:
-4.6.2.3
-
-1) Previously, the compiler would fail with a Perl diagnostic if:
-
- - Optimize Level 8 was enabled.
- - Perl 5.20 was being used. This is the current Perl version on
- Arch Linux.
+ ERROR: The xxx TARGET is not allowed in the filter table
- The diagnostic was:
+4.6.3
- Can't use string ("nat") as a HASH ref while "strict refs" in use
- at /usr/share/shorewall/Shorewall/Chains.pm line 3486.
+1) This release contains defect repair up through release 4.6.2.5.
-4.6.2.2
-
-1) The compiler now correctly detects the IPv6 "Header Match"
- capability when LOAD_MODULES_ONLY=No.
-
-2) The compiler now correctly detects the IPv6 "Ipset Match"
- capability on systems running a 3.14 or later kernel.
-
-3) The compiler now correctly detects "Arptables JF" capability when
- LOAD_MODULES_ONLY=No.
-
-3) The tcfilter manpages previously failed to mention that
- BASIC_FILTERS=Yes is required to use ipsets in the tcfilters files.
-
-4.6.2.1
-
-1) Two issues with tcrules processing have been corrected:
-
- - SAVE and RESTORE generated fatal compilation errors.
- - '|' and '&' were ignored.
-
-4.6.2
-
-1) The DSCP match in the mangle and tcrules files didn't work with
- service class names such as EF, BE, CS1, ... (Thibaut Chèze)
-
-2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in
- tcrules and mangle; this was a regression from 4.5.21.
-
-3) Additional ports required by Asus, Supermicro and Dell have been
- added to the IPMI macro (Tuomo Soini).
-
-4) Some issues regarding install under Cygwin64 have been addressed.
-
- - configure.pl did not understand CYGWIN returned from `uname`
- - Shorewall-core install.sh did not understand CYGWIN returned from
- `uname`.
- - The Shorewall and Shorewall6 installers tried to run the command
- 'mkdir -p //etc/shorewall[6]' which is broken in the current
- Cygwin64.
+2) The SAVE_IPSETS option in the Debian version of Shorewall-init now
+ works correctly. Thomas D.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
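Review bot: the new "Problems Corrected" section has two version headings that both read `4.6.3`. The first block lists the DNSAmp match correction, the REJECT clarification and the "now/not allowed" message fix, which the changelog attributes to 4.6.3.1, so that heading should read `4.6.3.1`; the second `4.6.3` heading (defect repair through 4.6.2.5, SAVE_IPSETS on Debian) is correct.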
@@ -100,45 +48,19 @@
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) The 'status' command now allows a -i option which causes the state
- of all optional and provider interfaces to be displayed.
-
- Example:
-
- root@gateway:/etc/shorewall# shorewall status -i
- Shorewall-4.6.1 Status at gateway - Wed Jun 18 14:27:19 PDT 2014
-
- Shorewall is running
- State:Started (Wed Jun 18 09:50:01 PDT 2014) from /etc/shorewall/
- (/var/lib/shorewall/firewall compiled by Shorewall version 4.6.1)
-
- Interface eth0 is Enabled
- Interface eth1 is Enabled
- Interface lo is Enabled
-
-2) A 'shorewall show blacklists' command has been
- implemented. The abbreviation 'bl' may be used in place of
- 'blacklists'.
-
- The command displays the output of the 'dynamic' chain together
- with the chains created by entries in the blrules file.
-
-3) A TIME column has been added to the mangle file. It has the same
- use in that file as the corresponding column in the rules file.
-
-4) A stateful port knocking example has been added to the Events
- article (http://www.shorewall.net/Events.html). This example allows
- a sequence of knocking ports to be defined (Gerhard Weisinger).
-
-5) A macro supporting HP's Integrated Lights Out (ILO) has been added
- (Tuomo Soini).
-
-6) It is now possible to specify the MAC address of a provider
- GATEWAY. This is useful when there are multiple providers serviced
- by a single interface as it avoids the need for the generated
- script to detect the MAC during start/restart.
-
-7) The copyrights in the sample configuration files have been updated.
+1) A new 'run' command has been implemented. This command allows you
+ to run an arbitrary command in the context of the generated
+ script.
+
+ shorewall[6][-lite] run <command> [ <parameter> ... ]
+
+ Normally, <command> will be a function declared in lib.private.
+
+2) A DNSAmp action has been added. This action matches recursive UDP
+ DNS queries. The default disposition is DROP which can be
+ overridden by the single action parameter (e.g, 'DNSAmp(REJECT)'
+ will reject these queries). Recursive DNS queries are the basis for
+ 'DNS Amplification' attacks; hence the action name.
----------------------------------------------------------------------------
I V. M I G R A T I O N I S S U E S
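Review bot: the DNSAmp feature entry does not mention that the action as shipped in 4.6.3 matched more packets than intended and was corrected in 4.6.3.1 (item 1 of the corrected problems above, item 2 of known_problems.txt in this diff). A one-line cross-reference here would help readers who only consult the "New Features" section decide which release to deploy.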
@@ -412,7 +334,130 @@
----------------------------------------------------------------------------
V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S
----------------------------------------------------------------------------
- P R O B L E M S C O R R E C T E D I N 4 . 6 . 0
+ P R O B L E M S C O R R E C T E D I N 4 . 6 . 2
+----------------------------------------------------------------------------
+
+4.6.2.5
+
+1) Previously, when an interface specified the 'physical=' option and
+ the physical interface name was specified in the INTERFACES column
+ of the providers file, compilation would fail with diagnostics
+ similar to the following:
+
+ Use of uninitialized value $physical in pattern match
+ (m//) at /usr/lib/perl5/vendor_perl/5.18.1/
+ Shorewall/Providers.pm line 463, <$currentfile> line 2.
+ ERROR: A provider interface must have at least one
+ associated zone /opt/etc/shorewall/providers (line 2)
+
+2) Shorewall-init now works correctly on systems with systemd.
+ By Louis Lagendijk.
+
+4.6.2.4
+
+1) Previously, inline matches were incorrectly disallowed in action
+ files. These matches are now allowed.
+
+4.6.2.3
+
+1) Previously, the compiler would fail with a Perl diagnostic if:
+
+ - Optimize Level 8 was enabled.
+ - Perl 5.20 was being used. This is the current Perl version on
+ Arch Linux.
+
+ The diagnostic was:
+
+ Can't use string ("nat") as a HASH ref while "strict refs" in use
+ at /usr/share/shorewall/Shorewall/Chains.pm line 3486.
+
+4.6.2.2
+
+1) The compiler now correctly detects the IPv6 "Header Match"
+ capability when LOAD_MODULES_ONLY=No.
+
+2) The compiler now correctly detects the IPv6 "Ipset Match"
+ capability on systems running a 3.14 or later kernel.
+
+3) The compiler now correctly detects "Arptables JF" capability when
+ LOAD_MODULES_ONLY=No.
+
+3) The tcfilter manpages previously failed to mention that
+ BASIC_FILTERS=Yes is required to use ipsets in the tcfilters files.
+
+4.6.2.1
+
+1) Two issues with tcrules processing have been corrected:
+
+ - SAVE and RESTORE generated fatal compilation errors.
+ - '|' and '&' were ignored.
+
+4.6.2
+
+1) The DSCP match in the mangle and tcrules files didn't work with
+ service class names such as EF, BE, CS1, ... (Thibaut Chèze)
+
+2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in
+ tcrules and mangle; this was a regression from 4.5.21.
+
+3) Additional ports required by Asus, Supermicro and Dell have been
+ added to the IPMI macro (Tuomo Soini).
+
+4) Some issues regarding install under Cygwin64 have been addressed.
+
+ - configure.pl did not understand CYGWIN returned from `uname`
+ - Shorewall-core install.sh did not understand CYGWIN returned from
+ `uname`.
+ - The Shorewall and Shorewall6 installers tried to run the command
+ 'mkdir -p //etc/shorewall[6]' which is broken in the current
+ Cygwin64.
+
+----------------------------------------------------------------------------
+ N E W F E A T U R E S I N 4 . 6 . 2
+----------------------------------------------------------------------------
+
+1) The 'status' command now allows a -i option which causes the state
+ of all optional and provider interfaces to be displayed.
+
+ Example:
+
+ root@gateway:/etc/shorewall# shorewall status -i
+ Shorewall-4.6.1 Status at gateway - Wed Jun 18 14:27:19 PDT 2014
+
+ Shorewall is running
+ State:Started (Wed Jun 18 09:50:01 PDT 2014) from /etc/shorewall/
+ (/var/lib/shorewall/firewall compiled by Shorewall version 4.6.1)
+
+ Interface eth0 is Enabled
+ Interface eth1 is Enabled
+ Interface lo is Enabled
+
+2) A 'shorewall show blacklists' command has been
+ implemented. The abbreviation 'bl' may be used in place of
+ 'blacklists'.
+
+ The command displays the output of the 'dynamic' chain together
+ with the chains created by entries in the blrules file.
+
+3) A TIME column has been added to the mangle file. It has the same
+ use in that file as the corresponding column in the rules file.
+
+4) A stateful port knocking example has been added to the Events
+ article (http://www.shorewall.net/Events.html). This example allows
+ a sequence of knocking ports to be defined (Gerhard Weisinger).
+
+5) A macro supporting HP's Integrated Lights Out (ILO) has been added
+ (Tuomo Soini).
+
+6) It is now possible to specify the MAC address of a provider
+ GATEWAY. This is useful when there are multiple providers serviced
+ by a single interface as it avoids the need for the generated
+ script to detect the MAC during start/restart.
+
+7) The copyrights in the sample configuration files have been updated.
+
+----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 4 . 6 . 1
----------------------------------------------------------------------------
4.6.1.4
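Review bot: in the relocated 4.6.2.2 block the list numbering is duplicated: both the "Arptables JF" entry and the tcfilter manpage entry are labelled `3)`. The duplicate was carried over from the removed block above, so it is an upstream typo; the second should be `4)`.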
@@ -487,7 +532,7 @@
optimized away.
----------------------------------------------------------------------------
- N E W F E A T U R E S I N 4 . 6 . 0
+ N E W F E A T U R E S I N 4 . 6 . 1
----------------------------------------------------------------------------
1) Tuomo Soini has provided new macros for AMOP, MongoDB, Redis, Sieve
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.2.5/shorewall-core.spec new/shorewall-core-4.6.3.1/shorewall-core.spec
--- old/shorewall-core-4.6.2.5/shorewall-core.spec 2014-08-13 01:53:52.000000000 +0200
+++ new/shorewall-core-4.6.3.1/shorewall-core.spec 2014-08-27 16:54:44.000000000 +0200
@@ -1,6 +1,6 @@
%define name shorewall-core
-%define version 4.6.2
-%define release 5
+%define version 4.6.3
+%define release 1
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name}
@@ -62,12 +62,16 @@
%doc COPYING INSTALL changelog.txt releasenotes.txt
%changelog
-* Tue Aug 12 2014 Tom Eastep tom@shorewall.net
-- Updated to 4.6.2-5
-* Tue Aug 05 2014 Tom Eastep tom@shorewall.net
-- Updated to 4.6.2-4
-* Sat Jul 26 2014 Tom Eastep tom@shorewall.net
-- Updated to 4.6.2-3
+* Thu Aug 21 2014 Tom Eastep tom@shorewall.net
+- Updated to 4.6.3-1
+* Thu Aug 14 2014 Tom Eastep tom@shorewall.net
+- Updated to 4.6.3-0base
+* Sun Aug 10 2014 Tom Eastep tom@shorewall.net
+- Updated to 4.6.3-0RC1
+* Sun Aug 03 2014 Tom Eastep tom@shorewall.net
+- Updated to 4.6.3-0Beta2
+* Fri Jul 25 2014 Tom Eastep tom@shorewall.net
+- Updated to 4.6.3-0Beta1
* Fri Jul 18 2014 Tom Eastep tom@shorewall.net
- Updated to 4.6.2-2
* Fri Jul 18 2014 Tom Eastep tom@shorewall.net
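Review bot: the spec %changelog dates the 4.6.3-1 entry `Thu Aug 21 2014`, while releasenotes.txt in the same tarball carries `August 26, 2014`; one of the two dates should be aligned with the other (the weekday/date pairs themselves are consistent).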
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.2.5/uninstall.sh new/shorewall-core-4.6.3.1/uninstall.sh
--- old/shorewall-core-4.6.2.5/uninstall.sh 2014-08-13 01:53:51.000000000 +0200
+++ new/shorewall-core-4.6.3.1/uninstall.sh 2014-08-27 16:54:43.000000000 +0200
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.6.2.5
+VERSION=4.6.3.1
usage() # $1 = exit status
{
++++++ shorewall-docs-html-4.6.2.5.tar.bz2 -> shorewall-docs-html-4.6.3.1.tar.bz2 ++++++
++++ 7168 lines of diff (skipped)
++++++ shorewall-init-4.6.2.5.tar.bz2 -> shorewall-init-4.6.3.1.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.2.5/changelog.txt new/shorewall-init-4.6.3.1/changelog.txt
--- old/shorewall-init-4.6.2.5/changelog.txt 2014-08-13 01:53:52.000000000 +0200
+++ new/shorewall-init-4.6.3.1/changelog.txt 2014-08-27 16:54:44.000000000 +0200
@@ -1,23 +1,45 @@
-Changes in 4.6.2.5
+Changes in 4.6.3.1
+
+1) Update release documents
+
+2) Correct the u32 match string in action.DNSAmp.
+
+3) Clarify REJECT handling in IP[6]TABLES rules.
+
+Changes in 4.6.3 Final
+
+1) Update release documents.
+
+2) Apply Thomas D's fix for SAVE_IPSETS on Debian.
+
+Changes in 4.6.3 RC 1
1) Update release documents.
-2) Allow a physical interface name in the INTERFACE column of the
- providers files.
+2) Minor code and documentation cleanup.
-3) Apply Louis Lagendijk's patch for shorewall-init.
+3) Defect repair from 4.6.2.5.
-Changes in 4.6.2.4
+hanges in 4.6.3 Beta 2
1) Update release documents.
-2) Allow inline matches in the body of an action.
+2) Add DNSAmp action
+
+3) Allow inline matches in action bodies (from 4.6.2.4)
-Changes in 4.6.2.3
+4) Allow physical names to be used in the INTERFACE column of the
+ providers file.
+
+Changes in 4.6.3 Beta 1
1) Update release documents.
-2) Correct handling of optimize level 8 with Perl 5.20.
+2) Describe new helper assignment in the FTP article.
+
+3) Merge defect repair from 4.6.2.3.
+
+4) Implement the 'run' command.
Changes in 4.6.2.2
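Review bot: same upstream typo as in shorewall-core's changelog.txt: `hanges in 4.6.3 Beta 2` is missing its leading "C".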
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.2.5/configure new/shorewall-init-4.6.3.1/configure
--- old/shorewall-init-4.6.2.5/configure 2014-08-13 01:53:52.000000000 +0200
+++ new/shorewall-init-4.6.3.1/configure 2014-08-27 16:54:44.000000000 +0200
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=4.6.2.5
+VERSION=4.6.3.1
case "$BASH_VERSION" in
[4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.2.5/configure.pl new/shorewall-init-4.6.3.1/configure.pl
--- old/shorewall-init-4.6.2.5/configure.pl 2014-08-13 01:53:52.000000000 +0200
+++ new/shorewall-init-4.6.3.1/configure.pl 2014-08-27 16:54:44.000000000 +0200
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '4.6.2.5'
+ VERSION => '4.6.3.1'
};
my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.2.5/init.debian.sh new/shorewall-init-4.6.3.1/init.debian.sh
--- old/shorewall-init-4.6.2.5/init.debian.sh 2014-08-13 01:39:52.000000000 +0200
+++ new/shorewall-init-4.6.3.1/init.debian.sh 2014-08-24 20:59:51.000000000 +0200
@@ -123,6 +123,17 @@
echo "done."
+ if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+
+ echo -n "Restoring ipsets: "
+
+ if ! ipset -R < "$SAVE_IPSETS"; then
+ echo_notdone
+ fi
+
+ echo "done."
+ fi
+
return 0
}
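Review bot: the restore branch prints `done.` unconditionally, even after `echo_notdone` has already reported that `ipset -R < "$SAVE_IPSETS"` failed, so a failed restore reads as a success in the boot log; either return after `echo_notdone` or put the trailing echo in an `else`. Since this file is loaded straight into the kernel's ipset tables at boot, the documentation for SAVE_IPSETS should also state that the path must live in a root-owned directory that is not writable by other users.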
@@ -142,6 +153,20 @@
echo "done."
+ if [ -n "$SAVE_IPSETS" ]; then
+
+ echo "Saving ipsets: "
+
+ mkdir -p $(dirname "$SAVE_IPSETS")
+ if ipset -S > "${SAVE_IPSETS}.tmp"; then
+ grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+ else
+ echo_notdone
+ fi
+
+ echo "done."
+ fi
+
return 0
}
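Review bot: three small issues in the save branch. `mkdir -p $(dirname "$SAVE_IPSETS")` leaves the command substitution unquoted, so a path with spaces is split; the `grep -qE -- '^(-N|create )'` guard correctly prevents an empty dump from clobbering the previous save, but when the guard fails the `${SAVE_IPSETS}.tmp` file is left behind and `done.` is still printed; and `echo "Saving ipsets: "` lacks the `-n` used in the restore branch, so `done.` lands on its own line. Suggest `mkdir -p "$(dirname "$SAVE_IPSETS")"`, an `|| rm -f "${SAVE_IPSETS}.tmp"` after the `mv`, and `echo -n`.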
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.2.5/install.sh new/shorewall-init-4.6.3.1/install.sh
--- old/shorewall-init-4.6.2.5/install.sh 2014-08-13 01:53:52.000000000 +0200
+++ new/shorewall-init-4.6.3.1/install.sh 2014-08-27 16:54:44.000000000 +0200
@@ -27,7 +27,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
-VERSION=4.6.2.5
+VERSION=4.6.3.1
usage() # $1 = exit status
{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.2.5/releasenotes.txt new/shorewall-init-4.6.3.1/releasenotes.txt
--- old/shorewall-init-4.6.2.5/releasenotes.txt 2014-08-13 01:53:52.000000000 +0200
+++ new/shorewall-init-4.6.3.1/releasenotes.txt 2014-08-27 16:54:44.000000000 +0200
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 4 . 6 . 2 . 5
+ S H O R E W A L L 4 . 6 . 3 . 1
------------------------------------
- A u g u s t 1 4 , 2 0 1 4
+ A u g u s t 2 6 , 2 0 1 4
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,80 +14,28 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-4.6.2.5
+4.6.3
-1) Previously, when an interface specified the 'physical=' option and
- the physical interface name was specified in the INTERFACES column
- of the providers file, compilation would fail with diagnostics
- similar to the following:
+1) The DNSAmp action released in 4.6.3 matched more packets than it
+ should have. That has now been corrected.
- Use of uninitialized value $physical in pattern match
- (m//) at /usr/lib/perl5/vendor_perl/5.18.1/
- Shorewall/Providers.pm line 463, <$currentfile> line 2.
- ERROR: A provider interface must have at least one
- associated zone /opt/etc/shorewall/providers (line 2)
+2) The handling of REJECT in IP[6]TABLES rules has been clarified in
+ the shorewall-rules(5) and shorewall6-rules(5) manpages.
-2) Shorewall-init now works correctly on systems with systemd.
- By Louis Lagendijk.
+3) The following misleading error message has now been corrected:
-4.6.2.4
+ ERROR: The xxx TARGET is now allowed in the filter table
-1) Previously, inline matches were incorrectly disallowed in action
- files. These matches are now allowed.
+ The message now reads:
-4.6.2.3
-
-1) Previously, the compiler would fail with a Perl diagnostic if:
-
- - Optimize Level 8 was enabled.
- - Perl 5.20 was being used. This is the current Perl version on
- Arch Linux.
+ ERROR: The xxx TARGET is not allowed in the filter table
- The diagnostic was:
+4.6.3
- Can't use string ("nat") as a HASH ref while "strict refs" in use
- at /usr/share/shorewall/Shorewall/Chains.pm line 3486.
+1) This release contains defect repair up through release 4.6.2.5.
-4.6.2.2
-
-1) The compiler now correctly detects the IPv6 "Header Match"
- capability when LOAD_MODULES_ONLY=No.
-
-2) The compiler now correctly detects the IPv6 "Ipset Match"
- capability on systems running a 3.14 or later kernel.
-
-3) The compiler now correctly detects "Arptables JF" capability when
- LOAD_MODULES_ONLY=No.
-
-3) The tcfilter manpages previously failed to mention that
- BASIC_FILTERS=Yes is required to use ipsets in the tcfilters files.
-
-4.6.2.1
-
-1) Two issues with tcrules processing have been corrected:
-
- - SAVE and RESTORE generated fatal compilation errors.
- - '|' and '&' were ignored.
-
-4.6.2
-
-1) The DSCP match in the mangle and tcrules files didn't work with
- service class names such as EF, BE, CS1, ... (Thibaut Chèze)
-
-2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in
- tcrules and mangle; this was a regression from 4.5.21.
-
-3) Additional ports required by Asus, Supermicro and Dell have been
- added to the IPMI macro (Tuomo Soini).
-
-4) Some issues regarding install under Cygwin64 have been addressed.
-
- - configure.pl did not understand CYGWIN returned from `uname`
- - Shorewall-core install.sh did not understand CYGWIN returned from
- `uname`.
- - The Shorewall and Shorewall6 installers tried to run the command
- 'mkdir -p //etc/shorewall[6]' which is broken in the current
- Cygwin64.
+2) The SAVE_IPSETS option in the Debian version of Shorewall-init now
+ works correctly. Thomas D.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
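
Review bot: the first heading in the rewritten section is wrong: the items under the first `+4.6.3` (the DNSAmp over-match, the REJECT clarification, the corrected error message) are the 4.6.3.1 fixes, and a second `+4.6.3` heading follows them for the base release, so the section lists `4.6.3` twice and never names `4.6.3.1`, even though the title line earlier in this file was changed to 4.6.3.1. The first heading should read `4.6.3.1`. The DNSAmp item should also say what "matched more packets than it should have" meant in practice for anyone running 4.6.3 (traffic outside the intended recursive-query pattern was hit by the action's DROP default), since that is the reason to upgrade.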
@@ -100,45 +48,19 @@
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) The 'status' command now allows a -i option which causes the state
- of all optional and provider interfaces to be displayed.
-
- Example:
-
- root@gateway:/etc/shorewall# shorewall status -i
- Shorewall-4.6.1 Status at gateway - Wed Jun 18 14:27:19 PDT 2014
-
- Shorewall is running
- State:Started (Wed Jun 18 09:50:01 PDT 2014) from /etc/shorewall/
- (/var/lib/shorewall/firewall compiled by Shorewall version 4.6.1)
-
- Interface eth0 is Enabled
- Interface eth1 is Enabled
- Interface lo is Enabled
-
-2) A 'shorewall show blacklists' command has been
- implemented. The abbreviation 'bl' may be used in place of
- 'blacklists'.
-
- The command displays the output of the 'dynamic' chain together
- with the chains created by entries in the blrules file.
-
-3) A TIME column has been added to the mangle file. It has the same
- use in that file as the corresponding column in the rules file.
-
-4) A stateful port knocking example has been added to the Events
- article (http://www.shorewall.net/Events.html). This example allows
- a sequence of knocking ports to be defined (Gerhard Weisinger).
-
-5) A macro supporting HP's Integrated Lights Out (ILO) has been added
- (Tuomo Soini).
-
-6) It is now possible to specify the MAC address of a provider
- GATEWAY. This is useful when there are multiple providers serviced
- by a single interface as it avoids the need for the generated
- script to detect the MAC during start/restart.
-
-7) The copyrights in the sample configuration files have been updated.
+1) A new 'run' command has been implemented. This command allows you
+ to run an arbitrary command in the context of the generated
+ script.
+
+ shorewall[6][-lite] run <command> [ <parameter> ... ]
+
+ Normally, <command> will be a function declared in lib.private.
+
+2) A DNSAmp action has been added. This action matches recursive UDP
+ DNS queries. The default disposition is DROP which can be
+ overridden by the single action parameter (e.g, 'DNSAmp(REJECT)'
+ will reject these queries). Recursive DNS queries are the basis for
+ 'DNS Amplification' attacks; hence the action name.
----------------------------------------------------------------------------
I V. M I G R A T I O N I S S U E S
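
Review bot: the `run` entry should say under which privileges the supplied command executes. It runs "in the context of the generated script", and that script is the one that installs the firewall, so whatever is named here runs with the script's privileges and with its variables set; as written the note reads like a convenience wrapper. The synopsis here (`run <command>`) also differs from the manpage synopsis added in this release (`run function`); the two should agree. For DNSAmp, the note should state where the action is meant to be placed (on queries arriving from the untrusted zone at a server that is not supposed to recurse) and mention that the match was corrected in 4.6.3.1, so users of 4.6.3 itself should not rely on it.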
@@ -412,7 +334,130 @@
----------------------------------------------------------------------------
V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S
----------------------------------------------------------------------------
- P R O B L E M S C O R R E C T E D I N 4 . 6 . 0
+ P R O B L E M S C O R R E C T E D I N 4 . 6 . 2
+----------------------------------------------------------------------------
+
+4.6.2.5
+
+1) Previously, when an interface specified the 'physical=' option and
+ the physical interface name was specified in the INTERFACES column
+ of the providers file, compilation would fail with diagnostics
+ similar to the following:
+
+ Use of uninitialized value $physical in pattern match
+ (m//) at /usr/lib/perl5/vendor_perl/5.18.1/
+ Shorewall/Providers.pm line 463, <$currentfile> line 2.
+ ERROR: A provider interface must have at least one
+ associated zone /opt/etc/shorewall/providers (line 2)
+
+2) Shorewall-init now works correctly on systems with systemd.
+ By Louis Lagendijk.
+
+4.6.2.4
+
+1) Previously, inline matches were incorrectly disallowed in action
+ files. These matches are now allowed.
+
+4.6.2.3
+
+1) Previously, the compiler would fail with a Perl diagnostic if:
+
+ - Optimize Level 8 was enabled.
+ - Perl 5.20 was being used. This is the current Perl version on
+ Arch Linux.
+
+ The diagnostic was:
+
+ Can't use string ("nat") as a HASH ref while "strict refs" in use
+ at /usr/share/shorewall/Shorewall/Chains.pm line 3486.
+
+4.6.2.2
+
+1) The compiler now correctly detects the IPv6 "Header Match"
+ capability when LOAD_MODULES_ONLY=No.
+
+2) The compiler now correctly detects the IPv6 "Ipset Match"
+ capability on systems running a 3.14 or later kernel.
+
+3) The compiler now correctly detects "Arptables JF" capability when
+ LOAD_MODULES_ONLY=No.
+
+3) The tcfilter manpages previously failed to mention that
+ BASIC_FILTERS=Yes is required to use ipsets in the tcfilters files.
+
+4.6.2.1
+
+1) Two issues with tcrules processing have been corrected:
+
+ - SAVE and RESTORE generated fatal compilation errors.
+ - '|' and '&' were ignored.
+
+4.6.2
+
+1) The DSCP match in the mangle and tcrules files didn't work with
+ service class names such as EF, BE, CS1, ... (Thibaut Chèze)
+
+2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in
+ tcrules and mangle; this was a regression from 4.5.21.
+
+3) Additional ports required by Asus, Supermicro and Dell have been
+ added to the IPMI macro (Tuomo Soini).
+
+4) Some issues regarding install under Cygwin64 have been addressed.
+
+ - configure.pl did not understand CYGWIN returned from `uname`
+ - Shorewall-core install.sh did not understand CYGWIN returned from
+ `uname`.
+ - The Shorewall and Shorewall6 installers tried to run the command
+ 'mkdir -p //etc/shorewall[6]' which is broken in the current
+ Cygwin64.
+
+----------------------------------------------------------------------------
+ N E W F E A T U R E S I N 4 . 6 . 2
+----------------------------------------------------------------------------
+
+1) The 'status' command now allows a -i option which causes the state
+ of all optional and provider interfaces to be displayed.
+
+ Example:
+
+ root@gateway:/etc/shorewall# shorewall status -i
+ Shorewall-4.6.1 Status at gateway - Wed Jun 18 14:27:19 PDT 2014
+
+ Shorewall is running
+ State:Started (Wed Jun 18 09:50:01 PDT 2014) from /etc/shorewall/
+ (/var/lib/shorewall/firewall compiled by Shorewall version 4.6.1)
+
+ Interface eth0 is Enabled
+ Interface eth1 is Enabled
+ Interface lo is Enabled
+
+2) A 'shorewall show blacklists' command has been
+ implemented. The abbreviation 'bl' may be used in place of
+ 'blacklists'.
+
+ The command displays the output of the 'dynamic' chain together
+ with the chains created by entries in the blrules file.
+
+3) A TIME column has been added to the mangle file. It has the same
+ use in that file as the corresponding column in the rules file.
+
+4) A stateful port knocking example has been added to the Events
+ article (http://www.shorewall.net/Events.html). This example allows
+ a sequence of knocking ports to be defined (Gerhard Weisinger).
+
+5) A macro supporting HP's Integrated Lights Out (ILO) has been added
+ (Tuomo Soini).
+
+6) It is now possible to specify the MAC address of a provider
+ GATEWAY. This is useful when there are multiple providers serviced
+ by a single interface as it avoids the need for the generated
+ script to detect the MAC during start/restart.
+
+7) The copyrights in the sample configuration files have been updated.
+
+----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 4 . 6 . 1
----------------------------------------------------------------------------
4.6.1.4
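
Review bot: the numbering in the carried-over 4.6.2.2 block is off: two consecutive items are both labelled `3)` (the "Arptables JF" detection fix and the tcfilter manpage fix); the second should be `4)`. The block being deleted from section I earlier in this file has the identical duplicate, so the copy is faithful, but moving it is the moment to fix it. Also, the `status -i` example under NEW FEATURES IN 4.6.2 shows `Shorewall-4.6.1 Status` output beneath a 4.6.2 heading; either the example predates the release or the heading is wrong, and a one-line remark should say which.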
@@ -487,7 +532,7 @@
optimized away.
----------------------------------------------------------------------------
- N E W F E A T U R E S I N 4 . 6 . 0
+ N E W F E A T U R E S I N 4 . 6 . 1
----------------------------------------------------------------------------
1) Tuomo Soini has provided new macros for AMOP, MongoDB, Redis, Sieve
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.2.5/shorewall-init new/shorewall-init-4.6.3.1/shorewall-init
--- old/shorewall-init-4.6.2.5/shorewall-init 2014-08-13 01:39:52.000000000 +0200
+++ new/shorewall-init-4.6.3.1/shorewall-init 2014-08-24 20:59:51.000000000 +0200
@@ -63,19 +63,18 @@
for PRODUCT in $PRODUCTS; do
setstatedir
- if [ -x ${STATEDIR}/firewall ]; then
+ if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
#
# Run in a sub-shell to avoid name collisions
#
(
- if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
- ${STATEDIR}/firewall ${OPTIONS} stop || exit 1
+ if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
+ ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || exit 1
else
exit 1
fi
)
else
- echo ERROR: ${STATEDIR}/firewall does not exist or is not executable!
exit 1
fi
done
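
Review bot: removing the `echo ERROR: ${STATEDIR}/firewall does not exist or is not executable!` line while keeping the `exit 1` turns a diagnosed failure into a silent one: when `${STATEDIR}/$PRODUCT/firewall` is missing or not executable, the script now exits non-zero with no message, which is the worst outcome for someone debugging a boot-time firewall that did not stop. If the message was dropped because the path changed, reinstate it with the new path rather than deleting it. A pre-existing problem in the same hunk is worth fixing while here: the `exit 1` calls inside the `( ... )` subshell only terminate the subshell, and its status is never checked after the closing `)`, so a failed `firewall stop` does not fail the script; append `|| exit 1` after the `)`.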
@@ -96,8 +95,8 @@
for PRODUCT in $PRODUCTS; do
setstatedir
- if [ -x ${STATEDIR}/firewall ]; then
- ${STATEDIR}/firewall ${OPTIONS} clear || exit 1
+ if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+ ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || exit 1
fi
done
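
Review bot: this branch is inconsistent with the stop path above it: a missing or non-executable `${STATEDIR}/$PRODUCT/firewall` is silently skipped here (no `else`, no message, no `exit 1`), while the stop path exits 1 for the same condition. Pick one behaviour; for `clear`, the caller has no way to tell that a product's rules were left in place.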
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.2.5/shorewall-init.spec new/shorewall-init-4.6.3.1/shorewall-init.spec
--- old/shorewall-init-4.6.2.5/shorewall-init.spec 2014-08-13 01:53:52.000000000 +0200
+++ new/shorewall-init-4.6.3.1/shorewall-init.spec 2014-08-27 16:54:44.000000000 +0200
@@ -1,6 +1,6 @@
%define name shorewall-init
-%define version 4.6.2
-%define release 5
+%define version 4.6.3
+%define release 1
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
Name: %{name}
@@ -125,12 +125,16 @@
%doc COPYING changelog.txt releasenotes.txt
%changelog
-* Tue Aug 12 2014 Tom Eastep tom@shorewall.net
-- Updated to 4.6.2-5
-* Tue Aug 05 2014 Tom Eastep tom@shorewall.net
-- Updated to 4.6.2-4
-* Sat Jul 26 2014 Tom Eastep tom@shorewall.net
-- Updated to 4.6.2-3
+* Thu Aug 21 2014 Tom Eastep tom@shorewall.net
+- Updated to 4.6.3-1
+* Thu Aug 14 2014 Tom Eastep tom@shorewall.net
+- Updated to 4.6.3-0base
+* Sun Aug 10 2014 Tom Eastep tom@shorewall.net
+- Updated to 4.6.3-0RC1
+* Sun Aug 03 2014 Tom Eastep tom@shorewall.net
+- Updated to 4.6.3-0Beta2
+* Fri Jul 25 2014 Tom Eastep tom@shorewall.net
+- Updated to 4.6.3-0Beta1
* Fri Jul 18 2014 Tom Eastep tom@shorewall.net
- Updated to 4.6.2-2
* Fri Jul 18 2014 Tom Eastep tom@shorewall.net
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.2.5/uninstall.sh new/shorewall-init-4.6.3.1/uninstall.sh
--- old/shorewall-init-4.6.2.5/uninstall.sh 2014-08-13 01:53:52.000000000 +0200
+++ new/shorewall-init-4.6.3.1/uninstall.sh 2014-08-27 16:54:44.000000000 +0200
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.6.2.5
+VERSION=4.6.3.1
usage() # $1 = exit status
{
++++++ shorewall-lite-4.6.2.5.tar.bz2 -> shorewall-lite-4.6.3.1.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.2.5/changelog.txt new/shorewall-lite-4.6.3.1/changelog.txt
--- old/shorewall-lite-4.6.2.5/changelog.txt 2014-08-13 01:53:52.000000000 +0200
+++ new/shorewall-lite-4.6.3.1/changelog.txt 2014-08-27 16:54:44.000000000 +0200
@@ -1,23 +1,45 @@
-Changes in 4.6.2.5
+Changes in 4.6.3.1
+
+1) Update release documents
+
+2) Correct the u32 match string in action.DNSAmp.
+
+3) Clarify REJECT handling in IP[6]TABLES rules.
+
+Changes in 4.6.3 Final
+
+1) Update release documents.
+
+2) Apply Thomas D's fix for SAVE_IPSETS on Debian.
+
+Changes in 4.6.3 RC 1
1) Update release documents.
-2) Allow a physical interface name in the INTERFACE column of the
- providers files.
+2) Minor code and documentation cleanup.
-3) Apply Louis Lagendijk's patch for shorewall-init.
+3) Defect repair from 4.6.2.5.
-Changes in 4.6.2.4
+hanges in 4.6.3 Beta 2
1) Update release documents.
-2) Allow inline matches in the body of an action.
+2) Add DNSAmp action
+
+3) Allow inline matches in action bodies (from 4.6.2.4)
-Changes in 4.6.2.3
+4) Allow physical names to be used in the INTERFACE column of the
+ providers file.
+
+Changes in 4.6.3 Beta 1
1) Update release documents.
-2) Correct handling of optimize level 8 with Perl 5.20.
+2) Describe new helper assignment in the FTP article.
+
+3) Merge defect repair from 4.6.2.3.
+
+4) Implement the 'run' command.
Changes in 4.6.2.2
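
Review bot: typo in the new heading: `hanges in 4.6.3 Beta 2` is missing its leading `C`. Also, the 4.6.3.1 entry `Correct the u32 match string in action.DNSAmp` is the substance behind the release-note line "matched more packets than it should have"; stating the corrected match here, or at least naming the action file, would help anyone auditing what 4.6.3 actually dropped, since a u32 match error silently over-blocks or under-blocks.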
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.2.5/configure new/shorewall-lite-4.6.3.1/configure
--- old/shorewall-lite-4.6.2.5/configure 2014-08-13 01:53:52.000000000 +0200
+++ new/shorewall-lite-4.6.3.1/configure 2014-08-27 16:54:44.000000000 +0200
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=4.6.2.5
+VERSION=4.6.3.1
case "$BASH_VERSION" in
[4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.2.5/configure.pl new/shorewall-lite-4.6.3.1/configure.pl
--- old/shorewall-lite-4.6.2.5/configure.pl 2014-08-13 01:53:52.000000000 +0200
+++ new/shorewall-lite-4.6.3.1/configure.pl 2014-08-27 16:54:44.000000000 +0200
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '4.6.2.5'
+ VERSION => '4.6.3.1'
};
my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.2.5/install.sh new/shorewall-lite-4.6.3.1/install.sh
--- old/shorewall-lite-4.6.2.5/install.sh 2014-08-13 01:53:52.000000000 +0200
+++ new/shorewall-lite-4.6.3.1/install.sh 2014-08-27 16:54:44.000000000 +0200
@@ -22,7 +22,7 @@
# along with this program; if not, see http://www.gnu.org/licenses/.
#
-VERSION=4.6.2.5
+VERSION=4.6.3.1
usage() # $1 = exit status
{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.2.5/manpages/shorewall-lite-vardir.5 new/shorewall-lite-4.6.3.1/manpages/shorewall-lite-vardir.5
--- old/shorewall-lite-4.6.2.5/manpages/shorewall-lite-vardir.5 2014-08-13 01:57:10.000000000 +0200
+++ new/shorewall-lite-4.6.3.1/manpages/shorewall-lite-vardir.5 2014-08-27 16:58:10.000000000 +0200
@@ -2,12 +2,12 @@
.\" Title: shorewall-lite-vardir
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.76.1 http://docbook.sf.net/
-.\" Date: 08/12/2014
+.\" Date: 08/27/2014
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-LITE\-VAR" "5" "08/12/2014" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-LITE\-VAR" "5" "08/27/2014" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.2.5/manpages/shorewall-lite.8 new/shorewall-lite-4.6.3.1/manpages/shorewall-lite.8
--- old/shorewall-lite-4.6.2.5/manpages/shorewall-lite.8 2014-08-13 01:57:12.000000000 +0200
+++ new/shorewall-lite-4.6.3.1/manpages/shorewall-lite.8 2014-08-27 16:58:12.000000000 +0200
@@ -2,12 +2,12 @@
.\" Title: shorewall-lite
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.76.1 http://docbook.sf.net/
-.\" Date: 08/12/2014
+.\" Date: 08/27/2014
.\" Manual: Administrative Commands
.\" Source: Administrative Commands
.\" Language: English
.\"
-.TH "SHOREWALL\-LITE" "8" "08/12/2014" "Administrative Commands" "Administrative Commands"
+.TH "SHOREWALL\-LITE" "8" "08/27/2014" "Administrative Commands" "Administrative Commands"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -75,6 +75,8 @@
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBrestore\fR [\fIfilename\fR]
.HP \w'\fBshorewall\-lite\fR\ 'u
+\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBrun\fR function [\fIparameter\ \&.\&.\&.\fR]
+.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBsave\fR [\fIfilename\fR]
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] [\fBshow\ |\ list\ |\ ls\ \fR] [\fB\-b\fR] [\fB\-x\fR] [\fB\-l\fR] [\fB\-t\fR\ {\fBfilter\fR|\fBmangle\fR|\fBnat\fR|\fBraw|rawpost\fR}] [[\fBchain\fR]\ \fIchain\fR...]
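
Review bot: the synopsis names the argument `function` while the release notes for the same feature write `run <command>` and the description added below says "Executes command"; one term should be used throughout, and `function` is the more accurate one if, as the description says, the argument is normally a function declared in lib.private.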
@@ -376,6 +378,22 @@
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5)\&.
.RE
.PP
+\fBrun\fR
+.RS 4
+Added in Shorewall 4\&.6\&.3\&. Executes
+\fIcommand\fR
+in the context of the generated script passing the supplied
+\fIparameter\fRs\&. Normally, the
+\fIcommand\fR
+will be a function declared in
+lib\&.private\&.
+.sp
+Before executing the
+\fIcommand\fR, the script will detect the configuration, setting all SW_* variables and will run your
+init
+extension script with $COMMAND = \*(Aqrun\*(Aq\&.
+.RE
+.PP
\fBsave\fR
.RS 4
The dynamic blacklist is stored in /var/lib/shorewall\-lite/save\&. The state of the firewall is stored in /var/lib/shorewall\-lite/\fIfilename\fR
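
Review bot: the description should state that the command runs with the privileges of the generated firewall script, not merely "in the context of" it. It does say that the `init` extension script is executed beforehand with `$COMMAND = 'run'`, which deserves a warning: any site-local `init` script that branches on `$COMMAND` expecting only the existing values (start, restart and so on) now sees a new one and must handle it. The entry should also say what exit status `shorewall-lite run` returns (the function's or the script's).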
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.2.5/manpages/shorewall-lite.conf.5 new/shorewall-lite-4.6.3.1/manpages/shorewall-lite.conf.5
--- old/shorewall-lite-4.6.2.5/manpages/shorewall-lite.conf.5 2014-08-13 01:57:09.000000000 +0200
+++ new/shorewall-lite-4.6.3.1/manpages/shorewall-lite.conf.5 2014-08-27 16:58:09.000000000 +0200
@@ -2,12 +2,12 @@
.\" Title: shorewall-lite.conf
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.76.1 http://docbook.sf.net/
-.\" Date: 08/12/2014
+.\" Date: 08/27/2014
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-LITE\&.CO" "5" "08/12/2014" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-LITE\&.CO" "5" "08/27/2014" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.2.5/manpages/shorewall-lite.xml new/shorewall-lite-4.6.3.1/manpages/shorewall-lite.xml
--- old/shorewall-lite-4.6.2.5/manpages/shorewall-lite.xml 2014-08-13 01:57:12.000000000 +0200
+++ new/shorewall-lite-4.6.3.1/manpages/shorewall-lite.xml 2014-08-27 16:58:12.000000000 +0200
@@ -325,6 +325,21 @@
<arg>-<replaceable>options</replaceable></arg>
+ <arg choice="plain"><option>run</option></arg>
+
+ <arg choice="plain">function</arg>
+
+ <arg><replaceable>parameter ...</replaceable></arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall-lite</command>
+
+
participants (1)
-
root@hilbert.suse.de