Hello community, here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2012-06-10 23:21:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shorewall (Old) and /work/SRC/openSUSE:Factory/.shorewall.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "shorewall", Maintainer is "" Changes: -------- --- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2012-06-01 18:54:19.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes 2012-06-10 23:21:18.000000000 +0200 
@@ -1,0 +2,82 @@ +Sat Jun 9 22:21:56 UTC 2012 - toganm@opensuse.org + +- Update to 4.5.5 For more details see changelog.txt and + releasnotes.txt + + * This release includes all defect repair from Shorewall 4.5.4.1 + and 4.5.4.2. + + * The Shorewall compiler sometimes must defer generating a rule + until runtime. This is done by placing shell commands in its + internal representation of a chain. These commands are then + executed at run time to create the final rule. + + If all of the following were true, then an incorrect ruleset + could be generated: + + + Optimization level 4 was set. + + A chain (chain A) containing shell commands had three or + fewer rules and commands. + + The last rule in a second chain was a conditional jump to + chain A. + + Under these conditions, the rules and commands in Chain A + + * The Shorewall-core configure and configure.pl script were + treating SYSCONFDIR as a synonym for CONFDIR making it + impossible to set SYSCONFDIR. + +------------------------------------------------------------------- +Thu Jun 7 17:17:59 UTC 2012 - toganm@opensuse.org + +- Update to 4.5.4.2 For more details see changelog.txt and + releasenotes.txt + + * The problems corrected section of the 4.5.4.1 release notes was + missing the third problem corrected in the release. It has now + been added. + + * A number of problems in Shorewall-init have been corrected: + + If more than one product was listed in the PRODUCTS setting + in /etc/default/shorewall-init (/etc/sysconfig/shorewall-init) + then the second product would not be started/stopped. + + + Shorewall-init used 'restart' in response to an optional + provider interface coming up. If the interface has been + marked unusable (1 in the interface's .status file), then the + 'restart' would not enable the interface. + + + Shorewal-init produced a lot of clutter on the console + during boot. 
You may now specify a LOGFILE in + /etc/default/shorewall-init (/etc/sysconfig/shorewall-init) + and all output produced by up and down events will be sent to + that log. If no log is specified, this output is sent to + /dev/null. + + * The order in which the compiler processes line-continuation + (line ending in '\') and conditional-inclusion directives (?IF, + ?ELSE, and ?ENDIF) has been reversed. + + Previously, the compiler built a concatenated line, then + checked to see if the line began with ?IF, ?ELSE or ?ENDIF. Now, the + compiler checks for ?IF, ?ELSE or ?ENDIF first and prevents + those lines from becoming part of the concatenation. + + * Two issues with the shorecap programs have been corrected: + + + The Shorewall6-lite version failed to run with the message: + + /usr/share/shorewall6-lite/lib.cli: No such file or + directory + + + The Shorewall-lite version would not run if SHAREDIR was + set to a value other than /usr/share in shorewallrc. + + * The Shorewall 4.5.2.3 fix for the Shorewall-core installer's + handling of --host=linux was not brought forward into 4.5.3. + It has been included again in this version. + + * Single-line embedded PERL and SHELL commands have been + re-enabled. 
+ +------------------------------------------------------------------- Old: ---- shorewall-4.5.4.1.tar.bz2 shorewall-core-4.5.4.1.tar.bz2 shorewall-docs-html-4.5.4.1.tar.bz2 shorewall-init-4.5.4.1.tar.bz2 shorewall-lite-4.5.4.1.tar.bz2 shorewall6-4.5.4.1.tar.bz2 shorewall6-lite-4.5.4.1.tar.bz2 New: ---- shorewall-4.5.5.tar.bz2 shorewall-core-4.5.5.tar.bz2 shorewall-docs-html-4.5.5.tar.bz2 shorewall-init-4.5.5.tar.bz2 shorewall-lite-4.5.5.tar.bz2 shorewall6-4.5.5.tar.bz2 shorewall6-lite-4.5.5.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.5MhluV/_old 2012-06-10 23:21:21.000000000 +0200 +++ /var/tmp/diff_new_pack.5MhluV/_new 2012-06-10 23:21:21.000000000 +0200 
@@ -17,19 +17,19 @@ Name: shorewall -Version: 4.5.4.1 +Version: 4.5.5 Release: 0 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems License: GPL-2.0 Group: Productivity/Networking/Security Url: http://www.shorewall.net/ -Source0: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.4/%name-%version.ta... -Source1: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.4/%name-core-%versi... -Source2: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.4/%name-lite-%versi... -Source3: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.4/%name-init-%versi... -Source4: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.4/%{name}6-lite-%version.tar.bz2 -Source5: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.4/%{name}6-%version.tar.bz2 -Source6: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.4/%name-docs-html-%... +Source0: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.5/%name-%version.ta... +Source1: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.5/%name-core-%versi... +Source2: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.5/%name-lite-%versi... +Source3: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.5/%name-init-%versi... +Source4: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.5/%{name}6-lite-%version.tar.bz2 +Source5: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.5/%{name}6-%version.tar.bz2 +Source6: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.5/%name-docs-html-%... Source7: %name-4.4.22.rpmlintrc Source8: README.openSUSE # PATCH-FIX-UPSTREAM init-4.4.14 toganm@opensuse.org -- Required-Stop and Short descriprtion 
@@ -598,6 +598,8 @@ %attr(0755,root,root) %_sysconfdir/sysconfig/network/if-up.d/%name %_mandir/man8/%name-init.8* +%config(noreplace) %_sysconfdir/logrotate.d/%name-init + %if 0%{?suse_version} >= 1210 %attr(600,root,root) %_unitdir/%name-init.service %endif ++++++ shorewall-4.5.4.1.tar.bz2 -> shorewall-4.5.5.tar.bz2 ++++++ ++++ 6975 lines of diff (skipped) ++++++ shorewall-core-4.5.4.1.tar.bz2 -> shorewall-core-4.5.5.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.4.1/changelog.txt new/shorewall-core-4.5.5/changelog.txt --- old/shorewall-core-4.5.4.1/changelog.txt 2012-05-31 21:45:24.000000000 +0200 +++ new/shorewall-core-4.5.5/changelog.txt 2012-06-09 17:32:56.000000000 +0200 @@ -1,18 +1,34 @@ -Changes in 4.5.4.1 +Changes in 4.5.5 RC 1 -1) Correct 'pptpserver' tunnel configuration. +1) Change in 'ignore' behavior. -2) Fix IPSEC accounting. +2) Optional '?' in embedded script directives. -Changes in 4.5.4 Final +3) Fix IPv6 Shorecap -1) Update the release documents. +4) Fix iprange match on RHEL5 + +5) Fix installer's handling of SYSCONFDIR + +6) Add DIGEST support. + +Changes in 4.5.5 Beta 2 + +1) Merged bug fixes from 4.5.4. -2) Remove quotes from GEOIPDIR setting. +2) Added LOGFILE setting for Shorewall-init. -3) Add macro.MSSQL. +3) Reverse the order of continuation/directive checks. -4) Complete disabling of level 1 optimization when level 4 is set. +Changes in 4.5.5 Beta 1 + +1) Add support for additional log options. + +2) Many fixes for Shoreawll-init. + +Changes in 4.5.4 Final + +1) Update the release documents. Changes in 4.5.4 RC 2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.4.1/configure new/shorewall-core-4.5.5/configure --- old/shorewall-core-4.5.4.1/configure 2012-05-31 21:45:24.000000000 +0200 +++ new/shorewall-core-4.5.5/configure 2012-06-09 17:32:56.000000000 +0200 
@@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.5.4.1 +VERSION=4.5.5 case "$BASH_VERSION" in [4-9].*) @@ -81,9 +81,6 @@ DATADIR) pn=SHAREDIR ;; - SYSCONFDIR) - pn=CONFDIR - ;; esac params[${pn}]="${pv}" @@ -132,7 +129,7 @@ vendor=${params[HOST]} elif [ $vendor = linux ]; then - rcfile=$shorewallrc.default; + rcfile=shorewallrc.default; else rcfile=shorewallrc.$vendor if [ ! -f $rcfile ]; then diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.4.1/configure.pl new/shorewall-core-4.5.5/configure.pl --- old/shorewall-core-4.5.4.1/configure.pl 2012-05-31 21:45:24.000000000 +0200 +++ new/shorewall-core-4.5.5/configure.pl 2012-06-09 17:32:56.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.5.4.1' + VERSION => '4.5.5' }; my %params; @@ -39,8 +39,7 @@ my %aliases = ( VENDOR => 'HOST', SHAREDSTATEDIR => 'VARDIR', - DATADIR => 'SHAREDIR', - SYSCONFDIR => 'CONFDIR' ); + DATADIR => 'SHAREDIR' ); for ( @ARGV ) { die "ERROR: Invalid option specification ( $_ )" unless /^(?:--)?(\w+)=(.*)$/; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.4.1/install.sh new/shorewall-core-4.5.5/install.sh --- old/shorewall-core-4.5.4.1/install.sh 2012-05-31 21:45:24.000000000 +0200 +++ new/shorewall-core-4.5.5/install.sh 2012-06-09 17:32:56.000000000 +0200 @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.5.4.1 +VERSION=4.5.5 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.4.1/known_problems.txt new/shorewall-core-4.5.5/known_problems.txt --- old/shorewall-core-4.5.4.1/known_problems.txt 2012-05-31 21:45:24.000000000 +0200 +++ new/shorewall-core-4.5.5/known_problems.txt 2012-06-09 17:32:56.000000000 +0200 
@@ -1,20 +1,2 @@ 1) On systems running Upstart, shorewall-init cannot reliably secure the firewall before interfaces are brought up. - -2) Beginning with Shorewall 4.4.22, the 'pptpserver' tunnel type has - been configured as a PPTP client running on the firewall rather - than as a server on the firewall. - - Workaround: Configure the tunnel in the rules file rather than in - the tunnels file: - - #ACTION SOURCE DEST PROTO DEST - # PORT(S) - ACCEPT net:<gateway> fw tcp 1723 - ACCEPT net:<gateway> fw 47 - ACCEPT fw net:<gateway> 47 - -3) The shorewall-accounting (5) and shorewall6-accounting (5) - documentation for the IPSEC column is incorrect. Rather than - 'accountin' and 'accountout', the chain names should be - 'accipsecin' and 'accipsecout'. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.4.1/lib.base new/shorewall-core-4.5.5/lib.base --- old/shorewall-core-4.5.4.1/lib.base 2012-05-30 23:37:29.000000000 +0200 +++ new/shorewall-core-4.5.5/lib.base 2012-06-09 17:32:15.000000000 +0200 
@@ -131,71 +131,6 @@ } # -# Call this function to assert mutual exclusion with Shorewall. If you invoke the -# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as -# the first argument. Example "shorewall nolock refresh" -# -# This function uses the lockfile utility from procmail if it exists. -# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the -# behavior of lockfile. -# -mutex_on() -{ - local try - try=0 - local lockf - lockf=${LOCKFILE:=${VARDIR}/lock} - local lockpid - - MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60} - - if [ $MUTEX_TIMEOUT -gt 0 ]; then - - [ -d ${VARDIR} ] || mkdir -p ${VARDIR} - - if [ -f $lockf ]; then - lockpid=`cat ${lockf} 2> /dev/null` - if [ -z "$lockpid" -o $lockpid = 0 ]; then - rm -f ${lockf} - error_message "WARNING: Stale lockfile ${lockf} removed" - elif ! qt ps p ${lockpid}; then - rm -f ${lockf} - error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed" - fi - fi - - if qt mywhich lockfile; then - lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} - chmod u+w ${lockf} - echo $$ > ${lockf} - chmod u-w ${lockf} - else - while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do - sleep 1 - try=$((${try} + 1)) - done - - if [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then - # Create the lockfile - echo $$ > ${lockf} - else - echo "Giving up on lock file ${lockf}" >&2 - fi - fi - fi -} - -# -# Call this function to release mutual exclusion -# -mutex_off() -{ - rm -f ${LOCKFILE:=${VARDIR}/lock} -} - -[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common - -# # Validate an IP address # valid_address() { 
@@ -323,6 +258,8 @@ done } +[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common + # # Netmask to VLSM # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.4.1/lib.common new/shorewall-core-4.5.5/lib.common --- old/shorewall-core-4.5.4.1/lib.common 2012-05-30 23:37:29.000000000 +0200 +++ new/shorewall-core-4.5.5/lib.common 2012-06-09 17:32:15.000000000 +0200 
@@ -717,3 +717,69 @@ { cut -b -${1} } + +# +# Call this function to assert mutual exclusion with Shorewall. If you invoke the +# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as +# the first argument. Example "shorewall nolock refresh" +# +# This function uses the lockfile utility from procmail if it exists. +# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the +# behavior of lockfile. +# +mutex_on() +{ + local try + try=0 + local lockf + lockf=${LOCKFILE:=${VARDIR}/lock} + local lockpid + + MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60} + + if [ $MUTEX_TIMEOUT -gt 0 ]; then + + [ -d ${VARDIR} ] || mkdir -p ${VARDIR} + + if [ -f $lockf ]; then + lockpid=`cat ${lockf} 2> /dev/null` + if [ -z "$lockpid" -o $lockpid = 0 ]; then + rm -f ${lockf} + error_message "WARNING: Stale lockfile ${lockf} removed" + elif [ $lockpid -eq $$ ]; then + return 0 + elif ! qt ps p ${lockpid}; then + rm -f ${lockf} + error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed" + fi + fi + + if qt mywhich lockfile; then + lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} + chmod u+w ${lockf} + echo $$ > ${lockf} + chmod u-w ${lockf} + else + while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do + sleep 1 + try=$((${try} + 1)) + done + + if [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then + # Create the lockfile + echo $$ > ${lockf} + else + echo "Giving up on lock file ${lockf}" >&2 + fi + fi + fi +} + +# +# Call this function to release mutual exclusion +# +mutex_off() +{ + rm -f ${LOCKFILE:=${VARDIR}/lock} +} + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.4.1/releasenotes.txt new/shorewall-core-4.5.5/releasenotes.txt --- old/shorewall-core-4.5.4.1/releasenotes.txt 2012-05-31 21:45:24.000000000 +0200 +++ new/shorewall-core-4.5.5/releasenotes.txt 2012-06-09 17:32:56.000000000 +0200 
@@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 5 . 4 . 1 + S H O R E W A L L 4 . 5 . 5 ------------------------------------ - J u n e 0 1 , 2 0 1 2 + J u n e 1 3 , 2 0 1 2 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -15,6 +15,277 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- +1) This release includes all defect repair from Shorewall 4.5.4.1 and + 4.5.4.2. + +2) The Shorewall compiler sometimes must defer generating a rule until + runtime. This is done by placing shell commands in its internal + representation of a chain. These commands are then executed at run + time to create the final rule. + + If all of the following were true, then an incorrect ruleset could + be generated: + + a) Optimization level 4 was set. + b) A chain (chain A) containing shell commands had three or fewer + rules and commands. + c) The last rule in a second chain was a conditional jump to + chain A. + + Under these conditions, the rules and commands in Chain A replaced + the conditional jump and the conditional part was lost. + + Example (Lines are folded to fit the release note format): + + Chain A: + + if [ $SW_ETH0_ADDRESS != 0.0.0.0 ]; then + echo "-A net_dnat -d $SW_ETH0_ADDRESS\ + -j DNAT --to-destination 1.2.3.4" >&3 + fi + + Chain B: + + ... + -A dnat -i eth0 -j + + Result: + + if [ $SW_ETH0_ADDRESS != 0.0.0.0 ]; then + echo "-A dnat -d $SW_ETH0_ADDRESS\ + -j DNAT --to-destination 1.2.3.4" >&3 + fi + + Notice that the '-i eth0' match has been lost. + +3) The Shorewall-core configure and configure.pl script were treating + SYSCONFDIR as a synonym for CONFDIR making it impossible to set + SYSCONFDIR. + +---------------------------------------------------------------------------- + I I. K N O W N P R O B L E M S R E M A I N I N G +---------------------------------------------------------------------------- + +1) On systems running Upstart, shorewall-init cannot reliably secure + the firewall before interfaces are brought up. + +---------------------------------------------------------------------------- + I I I. 
N E W F E A T U R E S I N T H I S R E L E A S E +---------------------------------------------------------------------------- + +1) It is now possible to include additional information in netfilter + messages when using plain log levels (debug, info, ...). This is + done by following the level with a parenthesized comma-separated + list of "log options". + + Valid log options are: + + ip_options + + Log messages will include the option settings from the IP + header. + + macdecode + + Decode the MAC address and protocol. + + tcp_sequence + + Include TCP sequence numbers. + + tcp_options + + Include options from the TCP header. + + uid + + Include the UID of the sending program; only effective for + packets originating on the firewall itself. + + Example: info(tcp_options,tcp_sequence) + +2) The Shorewall-init configuration file (/etc/default/shorewall-init + or /etc/sysconfig/shorewall-init) now contains a LOGFILE setting. + When specified, all messages generated by interface updown events + are logged there. The sample configuration file and the logrotate + file configure this log as /var/log/shorewall-ifupdown.log. + +3) Previously, the 'ignore' interface option could only be specified + by itself and could not be specified unless the ZONE column was + empty (i.e, contained '-'). Now, it is allowed to specify + 'ignore=1' without these restrictions. + + With 'ignore=1', the generated script will still ignore + Shorewall-init 'up' and 'down' events but the interface will still + be subject to hairpin filtering unless it has the 'routefilter' or + 'routeback' option. + +4) Imbedded shell and Perl directives may now be optionally preceded + by a question mark ('?'). + + Example: + + ?BEGIN PERL + use strict; + ... 
+ ?END PERL + +5) To aid package maintainers for distributions that don't include the + Digest::SHA Perl module, the Shorewall install.sh script looks for + the DIGEST environmental variable and if the setting is not 'SHA', + then the Shorewall::Chains module is modified to use $DIGEST as the + module name. + + To specify SHA1 + + DIGEST=SHA1 ./install.sh + +---------------------------------------------------------------------------- + V. M I G R A T I O N I S S U E S +---------------------------------------------------------------------------- + +1) If you are migrating from Shorewall 4.2.x or earlier, please see + http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/releasenotes.txt + +2) The BLACKLIST section of the rules file has been eliminated. + If you have entries in that file section, you must move them to the + blrules file. + +3) This version of Shorewall requires either the Digest::SHA1 or + Digest::SHA Perl module. + + Debian: libdigest-sha1-perl or libdigest-sha-perl + Fedora: perl-Digest-SHA1 or perl-Digest-SHA + OpenSuSE: perl-Digest-SHA1 or perl-Digest-SHA + +4) The generated firewall script now maintains the + /var/lib/shorewall[6][-lite]/interface.status files used by SWPING + and by LSM. + + If you have optional providers and to not run a link monitor like + SWPING or LSM that updates these files, then you should remove + /etc/shorewall[6]/isusable if it is installed. + + Beginning with Shorewall 4.5.3.1: + + - The 'disable' command stores a 1 in the interface's .status file. + - The .status file is ignored on 'enable' but not on 'start', + 'restart', 'restore' and 'refresh'. + + This means that a disabled interface can only be re-enabled using + the 'enable' command. + +5) The /etc/shorewall[6]/tos file is now deprecated in favor of the + TOS() action in /etc/shorewall[6]/tcrules. 
+ +6) The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been + renamed ACTION to reflect the expanded set of actions that can be + specified in the column. There is no change to existing + functionality. + +7) Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir + and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in + favor of the VARDIR setting in shorewallrc. + + NOTE: While the name of the variable remains VARDIR, the + meaning is slightly different. When set in shorewallrc, + each product (shorewall-lite, and shorewall6-lite) will + create a directory under the specified path name to + hold state information. + + Example: + + VARDIR=/opt/var/ + + The state directory for shorewall-lite will be + /opt/var/shorewall-lite/ and the directory for + shorewall6-lite will be /opt/var/shorewall6-lite. + + When VARDIR is set in /etc/shorewall[6]/vardir, the + product will save its state directly in the specified + directory. + +---------------------------------------------------------------------------- + V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 5 . 4 +---------------------------------------------------------------------------- +4.5.4.2 + +A large number of defects in Shorewall-init have been corrected: + + a) The installer now enables startup at boot on Debian. + + b) When more than one product was listed in the PRODUCTS setting in + /etc/default/shorewall-init (/etc/sysconfig/shorewall-init), + only the first product was acted upon. + + b) Interface up/down handling was always using 'restart'; if an + interface is disabled, 'restart' doesn't bring it up. Interface + up/down handling now uses the 'enable' and 'disable' commands + when an optional provider interface goes up or down. 
+ +2) The order in which the compiler processes line-continuation (line + ending in '\') and conditional-inclusion directives (?IF, ?ELSE, + and ?ENDIF) has been reversed. + + Previously, the compiler built a concatenated line, then checked + to see if the line began with ?IF, ?ELSE or ?ENDIF. Now, the + compiler checks for ?IF, ?ELSE or ?ENDIF first and prevents those + lines from becoming part of the concatenation. + + Example: + + Previously, given these lines and assuming that $FOO was + non-empty and non-zero: + + ACCEPT:\ + ?IF $FOO + bar + ?ELSE + baz + ?END + + then the lines would become + + ACCEPT:\?IF $FOO + bar + ?ELSE + baz + ?END + + Now, they will be become simply + + ACCEPT:bar + +3) Two issues with the shorecap programs have been corrected: + + a) The Shorewall6-lite version failed to run with the message: + + /usr/share/shorewall6-lite/lib.cli: No such file or directory + + b) The Shorewall-lite version would not run if SHAREDIR was set to + a value other than /usr/share in shorewallrc. + +4) If an iprange appeared in the SOURCE column of /etc/shorewall/masq, + then compilation would fail on RHEL5-based systems with the error: + + Address Ranges require the Multiple Match capability in + your kernel and iptables + +5) The Shorewall 4.5.2.3 fix for the Shorewall-core installer's + handling of --host=linux was not brought forward into 4.5.3. It has + been included again in this version. + +6) Single-line embedded PERL and SHELL commands have been + re-enabled. + +7) If an iprange appeared in the SOURCE column of /etc/shorewall/masq, + then compilation would fail on RHEL5-based systems with the error: + + Address Ranges require the Multiple Match capability in + your kernel and iptables + 4.5.4.1 1) Beginning with Shorewall 4.4.22, the 'pptpserver' tunnel type has 
@@ -27,6 +298,17 @@ 'accountin' and 'accountout', the chain names should be 'accipsecin' and 'accipsecout'. +3) IPSEC accounting did not work if the accounting file was sectioned. + + Beginning with this release, the IPSEC column can be specified in + any section. As always, the IPSEC column contains a comma-separated + list of items. In the FORWARD chain, the first (or only) item in + the list must be either 'in' or 'out' to indicate whether the rule + matches incoming packets that have been decrypted ('in') or + outgoing packets that will be encrypted ('out'). There are no + restrictions with respect to which chain IPSEC rules can appear in + a sectioned file. + 4.5.4 1) This release includes all defect repairs from Shorewall 4.5.3.1. @@ -65,14 +347,7 @@ 'fallback' providers. ---------------------------------------------------------------------------- - I I. K N O W N P R O B L E M S R E M A I N I N G ----------------------------------------------------------------------------- - -1) On systems running Upstart, shorewall-init cannot reliably secure - the firewall before interfaces are brought up. - ----------------------------------------------------------------------------- - I I I. N E W F E A T U R E S I N T H I S R E L E A S E + N E W F E A T U R E S I N 4 . 5 . 4 ---------------------------------------------------------------------------- 1) The TPROXY tcrules action introduced in Shorewall 4.4.7 was 
@@ -219,75 +494,6 @@ are selected, the level 1 optimization step is skipped because it is now a limited subset of level 4. -4) Tuomo Soini contributed a macro for MS SQL (macro.MSSQL). - ----------------------------------------------------------------------------- - V. M I G R A T I O N I S S U E S ----------------------------------------------------------------------------- - -1) If you are migrating from Shorewall 4.2.x or earlier, please see - http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/releasenotes.txt - -2) The BLACKLIST section of the rules file has been eliminated. - If you have entries in that file section, you must move them to the - blrules file. - -3) This version of Shorewall requires either the Digest::SHA1 or - Digest::SHA Perl module. - - Debian: libdigest-sha1-perl or libdigest-sha-perl - Fedora: perl-Digest-SHA1 or perl-Digest-SHA - OpenSuSE: perl-Digest-SHA1 or perl-Digest-SHA - -4) The generated firewall script now maintains the - /var/lib/shorewall[6][-lite]/interface.status files used by SWPING - and by LSM. - - If you have optional providers and to not run a link monitor like - SWPING or LSM that updates these files, then you should remove - /etc/shorewall[6]/isusable if it is installed. - - Beginning with Shorewall 4.5.3.1: - - - The 'disable' command stores a 1 in the interface's .status file. - - The .status file is ignored on 'enable' but not on 'start', - 'restart', 'restore' and 'refresh'. - - This means that a disabled interface can only be re-enabled using - the 'enable' command. - -5) The /etc/shorewall[6]/tos file is now deprecated in favor of the - TOS() action in /etc/shorewall[6]/tcrules. - -6) The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been - renamed ACTION to reflect the expanded set of actions that can be - specified in the column. There is no change to existing - functionality. 
- -7) Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir - and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in - favor of the VARDIR setting in shorewallrc. - - NOTE: While the name of the variable remains VARDIR, the - meaning is slightly different. When set in shorewallrc, - each product (shorewall-lite, and shorewall6-lite) will - create a directory under the specified path name to - hold state information. - - Example: - - VARDIR=/opt/var/ - - The state directory for shorewall-lite will be - /opt/var/shorewall-lite/ and the directory for - shorewall6-lite will be /opt/var/shorewall6-lite. - - When VARDIR is set in /etc/shorewall[6]/vardir, the - product will save its state directly in the specified - directory. - ----------------------------------------------------------------------------- - V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 5 . 3 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.4.1/shorewall-core.spec new/shorewall-core-4.5.5/shorewall-core.spec --- old/shorewall-core-4.5.4.1/shorewall-core.spec 2012-05-31 21:45:24.000000000 +0200 +++ new/shorewall-core-4.5.5/shorewall-core.spec 2012-06-09 17:32:56.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-core -%define version 4.5.4 -%define release 1 +%define version 4.5.5 +%define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} 
@@ -62,8 +62,14 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt %changelog -* Tue May 29 2012 Tom Eastep tom@shorewall.net -- Updated to 4.5.4-1 +* Wed Jun 06 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.5-0base +* Tue Jun 05 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.5-0RC1 +* Sat Jun 02 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.5-0Beta2 +* Thu May 24 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.5-0Beta1 * Thu May 24 2012 Tom Eastep tom@shorewall.net - Updated to 4.5.4-0base * Tue May 22 2012 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.4.1/uninstall.sh new/shorewall-core-4.5.5/uninstall.sh --- old/shorewall-core-4.5.4.1/uninstall.sh 2012-05-31 21:45:24.000000000 +0200 +++ new/shorewall-core-4.5.5/uninstall.sh 2012-06-09 17:32:56.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.5.4.1 +VERSION=4.5.5 usage() # $1 = exit status { ++++++ shorewall-docs-html-4.5.4.1.tar.bz2 -> shorewall-docs-html-4.5.5.tar.bz2 ++++++ ++++ 6230 lines of diff (skipped) ++++++ shorewall-init-4.5.4.1.tar.bz2 -> shorewall-init-4.5.5.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.4.1/changelog.txt new/shorewall-init-4.5.5/changelog.txt --- old/shorewall-init-4.5.4.1/changelog.txt 2012-05-31 21:45:25.000000000 +0200 +++ new/shorewall-init-4.5.5/changelog.txt 2012-06-09 17:32:56.000000000 +0200 
@@ -1,18 +1,34 @@ -Changes in 4.5.4.1 +Changes in 4.5.5 RC 1 -1) Correct 'pptpserver' tunnel configuration. +1) Change in 'ignore' behavior. -2) Fix IPSEC accounting. +2) Optional '?' in embedded script directives. -Changes in 4.5.4 Final +3) Fix IPv6 Shorecap -1) Update the release documents. +4) Fix iprange match on RHEL5 + +5) Fix installer's handling of SYSCONFDIR + +6) Add DIGEST support. + +Changes in 4.5.5 Beta 2 + +1) Merged bug fixes from 4.5.4. -2) Remove quotes from GEOIPDIR setting. +2) Added LOGFILE setting for Shorewall-init. -3) Add macro.MSSQL. +3) Reverse the order of continuation/directive checks. -4) Complete disabling of level 1 optimization when level 4 is set. +Changes in 4.5.5 Beta 1 + +1) Add support for additional log options. + +2) Many fixes for Shoreawll-init. + +Changes in 4.5.4 Final + +1) Update the release documents. Changes in 4.5.4 RC 2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.4.1/configure new/shorewall-init-4.5.5/configure --- old/shorewall-init-4.5.4.1/configure 2012-05-31 21:45:25.000000000 +0200 +++ new/shorewall-init-4.5.5/configure 2012-06-09 17:32:56.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.5.4.1 +VERSION=4.5.5 case "$BASH_VERSION" in [4-9].*) @@ -81,9 +81,6 @@ DATADIR) pn=SHAREDIR ;; - SYSCONFDIR) - pn=CONFDIR - ;; esac params[${pn}]="${pv}" @@ -132,7 +129,7 @@ vendor=${params[HOST]} elif [ $vendor = linux ]; then - rcfile=$shorewallrc.default; + rcfile=shorewallrc.default; else rcfile=shorewallrc.$vendor if [ ! -f $rcfile ]; then diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.4.1/configure.pl new/shorewall-init-4.5.5/configure.pl --- old/shorewall-init-4.5.4.1/configure.pl 2012-05-31 21:45:25.000000000 +0200 +++ new/shorewall-init-4.5.5/configure.pl 2012-06-09 17:32:56.000000000 +0200 
@@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.5.4.1' + VERSION => '4.5.5' }; my %params; @@ -39,8 +39,7 @@ my %aliases = ( VENDOR => 'HOST', SHAREDSTATEDIR => 'VARDIR', - DATADIR => 'SHAREDIR', - SYSCONFDIR => 'CONFDIR' ); + DATADIR => 'SHAREDIR' ); for ( @ARGV ) { die "ERROR: Invalid option specification ( $_ )" unless /^(?:--)?(\w+)=(.*)$/; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.4.1/ifupdown.sh new/shorewall-init-4.5.5/ifupdown.sh --- old/shorewall-init-4.5.4.1/ifupdown.sh 2012-05-30 23:37:29.000000000 +0200 +++ new/shorewall-init-4.5.5/ifupdown.sh 2012-06-09 17:32:15.000000000 +0200 @@ -106,15 +106,11 @@ else exit 0 fi - - case "$PHASE" in - pre-*) - exit 0 - ;; - esac ;; esac elif [ -f /etc/SuSE-release ]; then + PHASE='' + case $0 in /etc/ppp*) # @@ -146,6 +142,8 @@ # # Assume RedHat/Fedora/CentOS/Foobar/... # + PHASE='' + case $0 in /etc/ppp*) INTERFACE="$1" @@ -186,20 +184,12 @@ esac fi +[ -n "$LOGFILE" ] || LOGFILE=/dev/null + for PRODUCT in $PRODUCTS; do - # - # For backward compatibility, lib.base appends the product name to VARDIR - # Save it here and restore it below - # - save_vardir=${VARDIR} if [ -x $VARDIR/$PRODUCT/firewall ]; then - ( . ${SHAREDIR}/shorewall/lib.base - mutex_on - ${VARDIR}/firewall -V0 $COMMAND $INTERFACE || echo_notdone - mutex_off - ) + ( ${VARDIR}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true fi - VARDIR=${save_vardir} done exit 0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.4.1/install.sh new/shorewall-init-4.5.5/install.sh --- old/shorewall-init-4.5.4.1/install.sh 2012-05-31 21:45:25.000000000 +0200 +++ new/shorewall-init-4.5.5/install.sh 2012-06-09 17:32:56.000000000 +0200 @@ -23,7 +23,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.5.4.1 +VERSION=4.5.5 usage() # $1 = exit status { 
@@ -260,6 +260,11 @@ first_install="Yes" fi +if [ -n "$DESTDIR" ]; then + mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d + chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d +fi + # # Install the Firewall Script # @@ -296,6 +301,14 @@ chmod 755 ${DESTDIR}/usr/share/shorewall-init # +# Install logrotate file +# +if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then + run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT + echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT" +fi + +# # Create the version file # echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-init/version @@ -312,7 +325,7 @@ if [ $HOST = debian ]; then if [ -n "${DESTDIR}" ]; then mkdir -p ${DESTDIR}/etc/network/if-up.d/ - mkdir -p ${DESTDIR}/etc/network/if-post-down.d/ + mkdir -p ${DESTDIR}/etc/network/if-down.d/ fi if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then @@ -347,7 +360,7 @@ cp ifupdown.sh ifupdown -d[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown +[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init @@ -360,6 +373,7 @@ case $HOST in debian) install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544 + install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544 install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544 ;; suse) @@ -382,7 +396,7 @@ if [ -n "$first_install" ]; then if [ $HOST = debian ]; then - update-rc.d shorewall-init defaults + update-rc.d shorewall-init enable echo "Shorewall Init will start automatically at boot" else diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.4.1/logrotate new/shorewall-init-4.5.5/logrotate --- old/shorewall-init-4.5.4.1/logrotate 1970-01-01 01:00:00.000000000 +0100 +++ new/shorewall-init-4.5.5/logrotate 2012-06-09 17:32:15.000000000 +0200 
@@ -0,0 +1,5 @@ +/var/log/shorewall-ifupdown.log { + missingok + notifempty + create 0600 root root +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.4.1/releasenotes.txt new/shorewall-init-4.5.5/releasenotes.txt --- old/shorewall-init-4.5.4.1/releasenotes.txt 2012-05-31 21:45:25.000000000 +0200 +++ new/shorewall-init-4.5.5/releasenotes.txt 2012-06-09 17:32:56.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 5 . 4 . 1 + S H O R E W A L L 4 . 5 . 5 ------------------------------------ - J u n e 0 1 , 2 0 1 2 + J u n e 1 3 , 2 0 1 2 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -15,6 +15,277 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- +1) This release includes all defect repair from Shorewall 4.5.4.1 and + 4.5.4.2. + +2) The Shorewall compiler sometimes must defer generating a rule until + runtime. This is done by placing shell commands in its internal + representation of a chain. These commands are then executed at run + time to create the final rule. + + If all of the following were true, then an incorrect ruleset could + be generated: + + a) Optimization level 4 was set. + b) A chain (chain A) containing shell commands had three or fewer + rules and commands. + c) The last rule in a second chain was a conditional jump to + chain A. + + Under these conditions, the rules and commands in Chain A replaced + the conditional jump and the conditional part was lost. + + Example (Lines are folded to fit the release note format): + + Chain A: + + if [ $SW_ETH0_ADDRESS != 0.0.0.0 ]; then + echo "-A net_dnat -d $SW_ETH0_ADDRESS\ + -j DNAT --to-destination 1.2.3.4" >&3 + fi + + Chain B: + + ... + -A dnat -i eth0 -j + + Result: + + if [ $SW_ETH0_ADDRESS != 0.0.0.0 ]; then + echo "-A dnat -d $SW_ETH0_ADDRESS\ + -j DNAT --to-destination 1.2.3.4" >&3 + fi + + Notice that the '-i eth0' match has been lost. + +3) The Shorewall-core configure and configure.pl script were treating + SYSCONFDIR as a synonym for CONFDIR making it impossible to set + SYSCONFDIR. + +---------------------------------------------------------------------------- + I I. K N O W N P R O B L E M S R E M A I N I N G +---------------------------------------------------------------------------- + +1) On systems running Upstart, shorewall-init cannot reliably secure + the firewall before interfaces are brought up. + +---------------------------------------------------------------------------- + I I I. 
N E W F E A T U R E S I N T H I S R E L E A S E +---------------------------------------------------------------------------- + +1) It is now possible to include additional information in netfilter + messages when using plain log levels (debug, info, ...). This is + done by following the level with a parenthesized comma-separated + list of "log options". + + Valid log options are: + + ip_options + + Log messages will include the option settings from the IP + header. + + macdecode + + Decode the MAC address and protocol. + + tcp_sequence + + Include TCP sequence numbers. + + tcp_options + + Include options from the TCP header. + + uid + + Include the UID of the sending program; only effective for + packets originating on the firewall itself. + + Example: info(tcp_options,tcp_sequence) + +2) The Shorewall-init configuration file (/etc/default/shorewall-init + or /etc/sysconfig/shorewall-init) now contains a LOGFILE setting. + When specified, all messages generated by interface updown events + are logged there. The sample configuration file and the logrotate + file configure this log as /var/log/shorewall-ifupdown.log. + +3) Previously, the 'ignore' interface option could only be specified + by itself and could not be specified unless the ZONE column was + empty (i.e, contained '-'). Now, it is allowed to specify + 'ignore=1' without these restrictions. + + With 'ignore=1', the generated script will still ignore + Shorewall-init 'up' and 'down' events but the interface will still + be subject to hairpin filtering unless it has the 'routefilter' or + 'routeback' option. + +4) Imbedded shell and Perl directives may now be optionally preceded + by a question mark ('?'). + + Example: + + ?BEGIN PERL + use strict; + ... 
+ ?END PERL + +5) To aid package maintainers for distributions that don't include the + Digest::SHA Perl module, the Shorewall install.sh script looks for + the DIGEST environmental variable and if the setting is not 'SHA', + then the Shorewall::Chains module is modified to use $DIGEST as the + module name. + + To specify SHA1 + + DIGEST=SHA1 ./install.sh + +---------------------------------------------------------------------------- + V. M I G R A T I O N I S S U E S +---------------------------------------------------------------------------- + +1) If you are migrating from Shorewall 4.2.x or earlier, please see + http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/releasenotes.txt + +2) The BLACKLIST section of the rules file has been eliminated. + If you have entries in that file section, you must move them to the + blrules file. + +3) This version of Shorewall requires either the Digest::SHA1 or + Digest::SHA Perl module. + + Debian: libdigest-sha1-perl or libdigest-sha-perl + Fedora: perl-Digest-SHA1 or perl-Digest-SHA + OpenSuSE: perl-Digest-SHA1 or perl-Digest-SHA + +4) The generated firewall script now maintains the + /var/lib/shorewall[6][-lite]/interface.status files used by SWPING + and by LSM. + + If you have optional providers and to not run a link monitor like + SWPING or LSM that updates these files, then you should remove + /etc/shorewall[6]/isusable if it is installed. + + Beginning with Shorewall 4.5.3.1: + + - The 'disable' command stores a 1 in the interface's .status file. + - The .status file is ignored on 'enable' but not on 'start', + 'restart', 'restore' and 'refresh'. + + This means that a disabled interface can only be re-enabled using + the 'enable' command. + +5) The /etc/shorewall[6]/tos file is now deprecated in favor of the + TOS() action in /etc/shorewall[6]/tcrules. 
+ +6) The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been + renamed ACTION to reflect the expanded set of actions that can be + specified in the column. There is no change to existing + functionality. + +7) Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir + and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in + favor of the VARDIR setting in shorewallrc. + + NOTE: While the name of the variable remains VARDIR, the + meaning is slightly different. When set in shorewallrc, + each product (shorewall-lite, and shorewall6-lite) will + create a directory under the specified path name to + hold state information. + + Example: + + VARDIR=/opt/var/ + + The state directory for shorewall-lite will be + /opt/var/shorewall-lite/ and the directory for + shorewall6-lite will be /opt/var/shorewall6-lite. + + When VARDIR is set in /etc/shorewall[6]/vardir, the + product will save its state directly in the specified + directory. + +---------------------------------------------------------------------------- + V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 5 . 4 +---------------------------------------------------------------------------- +4.5.4.2 + +A large number of defects in Shorewall-init have been corrected: + + a) The installer now enables startup at boot on Debian. + + b) When more than one product was listed in the PRODUCTS setting in + /etc/default/shorewall-init (/etc/sysconfig/shorewall-init), + only the first product was acted upon. + + b) Interface up/down handling was always using 'restart'; if an + interface is disabled, 'restart' doesn't bring it up. Interface + up/down handling now uses the 'enable' and 'disable' commands + when an optional provider interface goes up or down. 
+ +2) The order in which the compiler processes line-continuation (line + ending in '\') and conditional-inclusion directives (?IF, ?ELSE, + and ?ENDIF) has been reversed. + + Previously, the compiler built a concatenated line, then checked + to see if the line began with ?IF, ?ELSE or ?ENDIF. Now, the + compiler checks for ?IF, ?ELSE or ?ENDIF first and prevents those + lines from becoming part of the concatenation. + + Example: + + Previously, given these lines and assuming that $FOO was + non-empty and non-zero: + + ACCEPT:\ + ?IF $FOO + bar + ?ELSE + baz + ?END + + then the lines would become + + ACCEPT:\?IF $FOO + bar + ?ELSE + baz + ?END + + Now, they will be become simply + + ACCEPT:bar + +3) Two issues with the shorecap programs have been corrected: + + a) The Shorewall6-lite version failed to run with the message: + + /usr/share/shorewall6-lite/lib.cli: No such file or directory + + b) The Shorewall-lite version would not run if SHAREDIR was set to + a value other than /usr/share in shorewallrc. + +4) If an iprange appeared in the SOURCE column of /etc/shorewall/masq, + then compilation would fail on RHEL5-based systems with the error: + + Address Ranges require the Multiple Match capability in + your kernel and iptables + +5) The Shorewall 4.5.2.3 fix for the Shorewall-core installer's + handling of --host=linux was not brought forward into 4.5.3. It has + been included again in this version. + +6) Single-line embedded PERL and SHELL commands have been + re-enabled. + +7) If an iprange appeared in the SOURCE column of /etc/shorewall/masq, + then compilation would fail on RHEL5-based systems with the error: + + Address Ranges require the Multiple Match capability in + your kernel and iptables + 4.5.4.1 1) Beginning with Shorewall 4.4.22, the 'pptpserver' tunnel type has 
@@ -27,6 +298,17 @@ 'accountin' and 'accountout', the chain names should be 'accipsecin' and 'accipsecout'. +3) IPSEC accounting did not work if the accounting file was sectioned. + + Beginning with this release, the IPSEC column can be specified in + any section. As always, the IPSEC column contains a comma-separated + list of items. In the FORWARD chain, the first (or only) item in + the list must be either 'in' or 'out' to indicate whether the rule + matches incoming packets that have been decrypted ('in') or + outgoing packets that will be encrypted ('out'). There are no + restrictions with respect to which chain IPSEC rules can appear in + a sectioned file. + 4.5.4 1) This release includes all defect repairs from Shorewall 4.5.3.1. @@ -65,14 +347,7 @@ 'fallback' providers. ---------------------------------------------------------------------------- - I I. K N O W N P R O B L E M S R E M A I N I N G ----------------------------------------------------------------------------- - -1) On systems running Upstart, shorewall-init cannot reliably secure - the firewall before interfaces are brought up. - ----------------------------------------------------------------------------- - I I I. N E W F E A T U R E S I N T H I S R E L E A S E + N E W F E A T U R E S I N 4 . 5 . 4 ---------------------------------------------------------------------------- 1) The TPROXY tcrules action introduced in Shorewall 4.4.7 was 
@@ -219,75 +494,6 @@ are selected, the level 1 optimization step is skipped because it is now a limited subset of level 4. -4) Tuomo Soini contributed a macro for MS SQL (macro.MSSQL). - ----------------------------------------------------------------------------- - V. M I G R A T I O N I S S U E S ----------------------------------------------------------------------------- - -1) If you are migrating from Shorewall 4.2.x or earlier, please see - http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/releasenotes.txt - -2) The BLACKLIST section of the rules file has been eliminated. - If you have entries in that file section, you must move them to the - blrules file. - -3) This version of Shorewall requires either the Digest::SHA1 or - Digest::SHA Perl module. - - Debian: libdigest-sha1-perl or libdigest-sha-perl - Fedora: perl-Digest-SHA1 or perl-Digest-SHA - OpenSuSE: perl-Digest-SHA1 or perl-Digest-SHA - -4) The generated firewall script now maintains the - /var/lib/shorewall[6][-lite]/interface.status files used by SWPING - and by LSM. - - If you have optional providers and to not run a link monitor like - SWPING or LSM that updates these files, then you should remove - /etc/shorewall[6]/isusable if it is installed. - - Beginning with Shorewall 4.5.3.1: - - - The 'disable' command stores a 1 in the interface's .status file. - - The .status file is ignored on 'enable' but not on 'start', - 'restart', 'restore' and 'refresh'. - - This means that a disabled interface can only be re-enabled using - the 'enable' command. - -5) The /etc/shorewall[6]/tos file is now deprecated in favor of the - TOS() action in /etc/shorewall[6]/tcrules. - -6) The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been - renamed ACTION to reflect the expanded set of actions that can be - specified in the column. There is no change to existing - functionality. 
- -7) Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir - and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in - favor of the VARDIR setting in shorewallrc. - - NOTE: While the name of the variable remains VARDIR, the - meaning is slightly different. When set in shorewallrc, - each product (shorewall-lite, and shorewall6-lite) will - create a directory under the specified path name to - hold state information. - - Example: - - VARDIR=/opt/var/ - - The state directory for shorewall-lite will be - /opt/var/shorewall-lite/ and the directory for - shorewall6-lite will be /opt/var/shorewall6-lite. - - When VARDIR is set in /etc/shorewall[6]/vardir, the - product will save its state directly in the specified - directory. - ----------------------------------------------------------------------------- - V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 5 . 3 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.4.1/shorewall-init.spec new/shorewall-init-4.5.5/shorewall-init.spec --- old/shorewall-init-4.5.4.1/shorewall-init.spec 2012-05-31 21:45:25.000000000 +0200 +++ new/shorewall-init-4.5.5/shorewall-init.spec 2012-06-09 17:32:56.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-init -%define version 4.5.4 -%define release 1 +%define version 4.5.5 +%define release 0base Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} 
@@ -117,14 +117,22 @@ %attr(0544,root,root) %{_initddir}/shorewall-init %attr(0755,root,root) %dir %{_libexecdir}/shorewall-init +%attr(0644,root,root) /etc/logrotate.d/shorewall-init + %attr(0644,root,root) /usr/share/shorewall-init/version %attr(0544,root,root) %{_libexecdir}/shorewall-init/ifupdown %doc COPYING changelog.txt releasenotes.txt %changelog -* Tue May 29 2012 Tom Eastep tom@shorewall.net -- Updated to 4.5.4-1 +* Wed Jun 06 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.5-0base +* Tue Jun 05 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.5-0RC1 +* Sat Jun 02 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.5-0Beta2 +* Thu May 24 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.5-0Beta1 * Thu May 24 2012 Tom Eastep tom@shorewall.net - Updated to 4.5.4-0base * Tue May 22 2012 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.4.1/sysconfig new/shorewall-init-4.5.5/sysconfig --- old/shorewall-init-4.5.4.1/sysconfig 2012-05-30 23:37:29.000000000 +0200 +++ new/shorewall-init-4.5.5/sysconfig 2012-06-09 17:32:15.000000000 +0200 @@ -16,3 +16,8 @@ # during 'start' and will save them there during 'stop'. # SAVE_IPSETS="" +# +# Where Up/Down events get logged +# +LOGFILE=/var/log/shorewall-ifupdown.log + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.4.1/uninstall.sh new/shorewall-init-4.5.5/uninstall.sh --- old/shorewall-init-4.5.4.1/uninstall.sh 2012-05-31 21:45:25.000000000 +0200 +++ new/shorewall-init-4.5.5/uninstall.sh 2012-06-09 17:32:56.000000000 +0200 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.5.4.1 +VERSION=4.5.5 usage() # $1 = exit status { ++++++ shorewall-lite-4.5.4.1.tar.bz2 -> shorewall-lite-4.5.5.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.4.1/changelog.txt new/shorewall-lite-4.5.5/changelog.txt --- old/shorewall-lite-4.5.4.1/changelog.txt 2012-05-31 21:45:25.000000000 +0200 +++ new/shorewall-lite-4.5.5/changelog.txt 2012-06-09 17:32:56.000000000 +0200 @@ -1,18 +1,34 @@ -Changes in 4.5.4.1 +Changes in 4.5.5 RC 1 -1) Correct 'pptpserver' tunnel configuration. +1) Change in 'ignore' behavior. -2) Fix IPSEC accounting. +2) Optional '?' in embedded script directives. -Changes in 4.5.4 Final +3) Fix IPv6 Shorecap -1) Update the release documents. +4) Fix iprange match on RHEL5 + +5) Fix installer's handling of SYSCONFDIR + +6) Add DIGEST support. + +Changes in 4.5.5 Beta 2 + +1) Merged bug fixes from 4.5.4. -2) Remove quotes from GEOIPDIR setting. +2) Added LOGFILE setting for Shorewall-init. -3) Add macro.MSSQL. +3) Reverse the order of continuation/directive checks. -4) Complete disabling of level 1 optimization when level 4 is set. +Changes in 4.5.5 Beta 1 + +1) Add support for additional log options. + +2) Many fixes for Shoreawll-init. + +Changes in 4.5.4 Final + +1) Update the release documents. Changes in 4.5.4 RC 2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.4.1/configure new/shorewall-lite-4.5.5/configure --- old/shorewall-lite-4.5.4.1/configure 2012-05-31 21:45:25.000000000 +0200 +++ new/shorewall-lite-4.5.5/configure 2012-06-09 17:32:56.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.5.4.1 +VERSION=4.5.5 case "$BASH_VERSION" in [4-9].*) 
@@ -81,9 +81,6 @@ DATADIR) pn=SHAREDIR ;; - SYSCONFDIR) - pn=CONFDIR - ;; esac params[${pn}]="${pv}" @@ -132,7 +129,7 @@ vendor=${params[HOST]} elif [ $vendor = linux ]; then - rcfile=$shorewallrc.default; + rcfile=shorewallrc.default; else rcfile=shorewallrc.$vendor if [ ! -f $rcfile ]; then diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.4.1/configure.pl new/shorewall-lite-4.5.5/configure.pl --- old/shorewall-lite-4.5.4.1/configure.pl 2012-05-31 21:45:25.000000000 +0200 +++ new/shorewall-lite-4.5.5/configure.pl 2012-06-09 17:32:56.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.5.4.1' + VERSION => '4.5.5' }; my %params; @@ -39,8 +39,7 @@ my %aliases = ( VENDOR => 'HOST', SHAREDSTATEDIR => 'VARDIR', - DATADIR => 'SHAREDIR', - SYSCONFDIR => 'CONFDIR' ); + DATADIR => 'SHAREDIR' ); for ( @ARGV ) { die "ERROR: Invalid option specification ( $_ )" unless /^(?:--)?(\w+)=(.*)$/; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.4.1/install.sh new/shorewall-lite-4.5.5/install.sh --- old/shorewall-lite-4.5.4.1/install.sh 2012-05-31 21:45:25.000000000 +0200 +++ new/shorewall-lite-4.5.5/install.sh 2012-06-09 17:32:56.000000000 +0200 @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.5.4.1 +VERSION=4.5.5 usage() # $1 = exit status { 
@@ -403,6 +403,7 @@ # install_file shorecap ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap 0755 +[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${LIBEXECDIR}/$PRODUCT/shorecap echo echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.4.1/manpages/shorewall-lite-vardir.5 new/shorewall-lite-4.5.5/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-4.5.4.1/manpages/shorewall-lite-vardir.5 2012-05-31 21:50:55.000000000 +0200 +++ new/shorewall-lite-4.5.5/manpages/shorewall-lite-vardir.5 2012-06-09 17:38:26.000000000 +0200 @@ -2,12 +2,12 @@ .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.75.2 http://docbook.sf.net/ -.\" Date: 05/31/2012 +.\" Date: 06/09/2012 .\" Manual: [FIXME: manual] .\" Source: [FIXME: source] .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "05/31/2012" "[FIXME: source]" "[FIXME: manual]" +.TH "SHOREWALL\-LITE\-VAR" "5" "06/09/2012" "[FIXME: source]" "[FIXME: manual]" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.4.1/manpages/shorewall-lite.8 new/shorewall-lite-4.5.5/manpages/shorewall-lite.8 --- old/shorewall-lite-4.5.4.1/manpages/shorewall-lite.8 2012-05-31 21:50:57.000000000 +0200 +++ new/shorewall-lite-4.5.5/manpages/shorewall-lite.8 2012-06-09 17:38:28.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.75.2 http://docbook.sf.net/ -.\" Date: 05/31/2012 +.\" Date: 06/09/2012 .\" Manual: [FIXME: manual] .\" Source: [FIXME: source] .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "05/31/2012" "[FIXME: source]" "[FIXME: manual]" +.TH "SHOREWALL\-LITE" "8" "06/09/2012" "[FIXME: source]" "[FIXME: manual]" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.4.1/manpages/shorewall-lite.conf.5 new/shorewall-lite-4.5.5/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-4.5.4.1/manpages/shorewall-lite.conf.5 2012-05-31 21:50:52.000000000 +0200 +++ new/shorewall-lite-4.5.5/manpages/shorewall-lite.conf.5 2012-06-09 17:38:23.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.75.2 http://docbook.sf.net/ -.\" Date: 05/31/2012 +.\" Date: 06/09/2012 .\" Manual: [FIXME: manual] .\" Source: [FIXME: source] .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "05/31/2012" "[FIXME: source]" "[FIXME: manual]" +.TH "SHOREWALL\-LITE\&.CO" "5" "06/09/2012" "[FIXME: source]" "[FIXME: manual]" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.4.1/releasenotes.txt new/shorewall-lite-4.5.5/releasenotes.txt --- old/shorewall-lite-4.5.4.1/releasenotes.txt 2012-05-31 21:45:25.000000000 +0200 +++ new/shorewall-lite-4.5.5/releasenotes.txt 2012-06-09 17:32:56.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 5 . 4 . 1 + S H O R E W A L L 4 . 5 . 5 ------------------------------------ - J u n e 0 1 , 2 0 1 2 + J u n e 1 3 , 2 0 1 2 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -15,6 +15,277 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- +1) This release includes all defect repair from Shorewall 4.5.4.1 and + 4.5.4.2. + +2) The Shorewall compiler sometimes must defer generating a rule until + runtime. This is done by placing shell commands in its internal + representation of a chain. These commands are then executed at run + time to create the final rule. + + If all of the following were true, then an incorrect ruleset could + be generated: + + a) Optimization level 4 was set. + b) A chain (chain A) containing shell commands had three or fewer + rules and commands. + c) The last rule in a second chain was a conditional jump to + chain A. + + Under these conditions, the rules and commands in Chain A replaced + the conditional jump and the conditional part was lost. + + Example (Lines are folded to fit the release note format): + + Chain A: + + if [ $SW_ETH0_ADDRESS != 0.0.0.0 ]; then + echo "-A net_dnat -d $SW_ETH0_ADDRESS\ + -j DNAT --to-destination 1.2.3.4" >&3 + fi + + Chain B: + + ... + -A dnat -i eth0 -j + + Result: + + if [ $SW_ETH0_ADDRESS != 0.0.0.0 ]; then + echo "-A dnat -d $SW_ETH0_ADDRESS\ + -j DNAT --to-destination 1.2.3.4" >&3 + fi + + Notice that the '-i eth0' match has been lost. + +3) The Shorewall-core configure and configure.pl script were treating + SYSCONFDIR as a synonym for CONFDIR making it impossible to set + SYSCONFDIR. + +---------------------------------------------------------------------------- + I I. K N O W N P R O B L E M S R E M A I N I N G +---------------------------------------------------------------------------- + +1) On systems running Upstart, shorewall-init cannot reliably secure + the firewall before interfaces are brought up. + +---------------------------------------------------------------------------- + I I I. 
N E W F E A T U R E S I N T H I S R E L E A S E +---------------------------------------------------------------------------- + +1) It is now possible to include additional information in netfilter + messages when using plain log levels (debug, info, ...). This is + done by following the level with a parenthesized comma-separated + list of "log options". + + Valid log options are: + + ip_options + + Log messages will include the option settings from the IP + header. + + macdecode + + Decode the MAC address and protocol. + + tcp_sequence + + Include TCP sequence numbers. + + tcp_options + + Include options from the TCP header. + + uid + + Include the UID of the sending program; only effective for + packets originating on the firewall itself. + + Example: info(tcp_options,tcp_sequence) + +2) The Shorewall-init configuration file (/etc/default/shorewall-init + or /etc/sysconfig/shorewall-init) now contains a LOGFILE setting. + When specified, all messages generated by interface updown events + are logged there. The sample configuration file and the logrotate + file configure this log as /var/log/shorewall-ifupdown.log. + +3) Previously, the 'ignore' interface option could only be specified + by itself and could not be specified unless the ZONE column was + empty (i.e, contained '-'). Now, it is allowed to specify + 'ignore=1' without these restrictions. + + With 'ignore=1', the generated script will still ignore + Shorewall-init 'up' and 'down' events but the interface will still + be subject to hairpin filtering unless it has the 'routefilter' or + 'routeback' option. + +4) Imbedded shell and Perl directives may now be optionally preceded + by a question mark ('?'). + + Example: + + ?BEGIN PERL + use strict; + ... 
+ ?END PERL + +5) To aid package maintainers for distributions that don't include the + Digest::SHA Perl module, the Shorewall install.sh script looks for + the DIGEST environmental variable and if the setting is not 'SHA', + then the Shorewall::Chains module is modified to use $DIGEST as the + module name. + + To specify SHA1 + + DIGEST=SHA1 ./install.sh + +---------------------------------------------------------------------------- + V. M I G R A T I O N I S S U E S +---------------------------------------------------------------------------- + +1) If you are migrating from Shorewall 4.2.x or earlier, please see + http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/releasenotes.txt + +2) The BLACKLIST section of the rules file has been eliminated. + If you have entries in that file section, you must move them to the + blrules file. + +3) This version of Shorewall requires either the Digest::SHA1 or + Digest::SHA Perl module. + + Debian: libdigest-sha1-perl or libdigest-sha-perl + Fedora: perl-Digest-SHA1 or perl-Digest-SHA + OpenSuSE: perl-Digest-SHA1 or perl-Digest-SHA + +4) The generated firewall script now maintains the + /var/lib/shorewall[6][-lite]/interface.status files used by SWPING + and by LSM. + + If you have optional providers and to not run a link monitor like + SWPING or LSM that updates these files, then you should remove + /etc/shorewall[6]/isusable if it is installed. + + Beginning with Shorewall 4.5.3.1: + + - The 'disable' command stores a 1 in the interface's .status file. + - The .status file is ignored on 'enable' but not on 'start', + 'restart', 'restore' and 'refresh'. + + This means that a disabled interface can only be re-enabled using + the 'enable' command. + +5) The /etc/shorewall[6]/tos file is now deprecated in favor of the + TOS() action in /etc/shorewall[6]/tcrules. 
+ +6) The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been + renamed ACTION to reflect the expanded set of actions that can be + specified in the column. There is no change to existing + functionality. + +7) Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir + and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in + favor of the VARDIR setting in shorewallrc. + + NOTE: While the name of the variable remains VARDIR, the + meaning is slightly different. When set in shorewallrc, + each product (shorewall-lite, and shorewall6-lite) will + create a directory under the specified path name to + hold state information. + + Example: + + VARDIR=/opt/var/ + + The state directory for shorewall-lite will be + /opt/var/shorewall-lite/ and the directory for + shorewall6-lite will be /opt/var/shorewall6-lite. + + When VARDIR is set in /etc/shorewall[6]/vardir, the + product will save its state directly in the specified + directory. + +---------------------------------------------------------------------------- + V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 5 . 4 +---------------------------------------------------------------------------- +4.5.4.2 + +A large number of defects in Shorewall-init have been corrected: + + a) The installer now enables startup at boot on Debian. + + b) When more than one product was listed in the PRODUCTS setting in + /etc/default/shorewall-init (/etc/sysconfig/shorewall-init), + only the first product was acted upon. + + b) Interface up/down handling was always using 'restart'; if an + interface is disabled, 'restart' doesn't bring it up. Interface + up/down handling now uses the 'enable' and 'disable' commands + when an optional provider interface goes up or down. 
+ +2) The order in which the compiler processes line-continuation (line + ending in '\') and conditional-inclusion directives (?IF, ?ELSE, + and ?ENDIF) has been reversed. + + Previously, the compiler built a concatenated line, then checked + to see if the line began with ?IF, ?ELSE or ?ENDIF. Now, the + compiler checks for ?IF, ?ELSE or ?ENDIF first and prevents those + lines from becoming part of the concatenation. + + Example: + + Previously, given these lines and assuming that $FOO was + non-empty and non-zero: + + ACCEPT:\ + ?IF $FOO + bar + ?ELSE + baz + ?END + + then the lines would become + + ACCEPT:\?IF $FOO + bar + ?ELSE + baz + ?END + + Now, they will be become simply + + ACCEPT:bar + +3) Two issues with the shorecap programs have been corrected: + + a) The Shorewall6-lite version failed to run with the message: + + /usr/share/shorewall6-lite/lib.cli: No such file or directory + + b) The Shorewall-lite version would not run if SHAREDIR was set to + a value other than /usr/share in shorewallrc. + +4) If an iprange appeared in the SOURCE column of /etc/shorewall/masq, + then compilation would fail on RHEL5-based systems with the error: + + Address Ranges require the Multiple Match capability in + your kernel and iptables + +5) The Shorewall 4.5.2.3 fix for the Shorewall-core installer's + handling of --host=linux was not brought forward into 4.5.3. It has + been included again in this version. + +6) Single-line embedded PERL and SHELL commands have been + re-enabled. + +7) If an iprange appeared in the SOURCE column of /etc/shorewall/masq, + then compilation would fail on RHEL5-based systems with the error: + + Address Ranges require the Multiple Match capability in + your kernel and iptables + 4.5.4.1 1) Beginning with Shorewall 4.4.22, the 'pptpserver' tunnel type has 
@@ -27,6 +298,17 @@ 'accountin' and 'accountout', the chain names should be 'accipsecin' and 'accipsecout'. +3) IPSEC accounting did not work if the accounting file was sectioned. + + Beginning with this release, the IPSEC column can be specified in + any section. As always, the IPSEC column contains a comma-separated + list of items. In the FORWARD chain, the first (or only) item in + the list must be either 'in' or 'out' to indicate whether the rule + matches incoming packets that have been decrypted ('in') or + outgoing packets that will be encrypted ('out'). There are no + restrictions with respect to which chain IPSEC rules can appear in + a sectioned file. + 4.5.4 1) This release includes all defect repairs from Shorewall 4.5.3.1. @@ -65,14 +347,7 @@ 'fallback' providers. ---------------------------------------------------------------------------- - I I. K N O W N P R O B L E M S R E M A I N I N G ----------------------------------------------------------------------------- - -1) On systems running Upstart, shorewall-init cannot reliably secure - the firewall before interfaces are brought up. - ----------------------------------------------------------------------------- - I I I. N E W F E A T U R E S I N T H I S R E L E A S E + N E W F E A T U R E S I N 4 . 5 . 4 ---------------------------------------------------------------------------- 1) The TPROXY tcrules action introduced in Shorewall 4.4.7 was 
@@ -219,75 +494,6 @@ are selected, the level 1 optimization step is skipped because it is now a limited subset of level 4. -4) Tuomo Soini contributed a macro for MS SQL (macro.MSSQL). - ----------------------------------------------------------------------------- - V. M I G R A T I O N I S S U E S ----------------------------------------------------------------------------- - -1) If you are migrating from Shorewall 4.2.x or earlier, please see - http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/releasenotes.txt - -2) The BLACKLIST section of the rules file has been eliminated. - If you have entries in that file section, you must move them to the - blrules file. - -3) This version of Shorewall requires either the Digest::SHA1 or - Digest::SHA Perl module. - - Debian: libdigest-sha1-perl or libdigest-sha-perl - Fedora: perl-Digest-SHA1 or perl-Digest-SHA - OpenSuSE: perl-Digest-SHA1 or perl-Digest-SHA - -4) The generated firewall script now maintains the - /var/lib/shorewall[6][-lite]/interface.status files used by SWPING - and by LSM. - - If you have optional providers and to not run a link monitor like - SWPING or LSM that updates these files, then you should remove - /etc/shorewall[6]/isusable if it is installed. - - Beginning with Shorewall 4.5.3.1: - - - The 'disable' command stores a 1 in the interface's .status file. - - The .status file is ignored on 'enable' but not on 'start', - 'restart', 'restore' and 'refresh'. - - This means that a disabled interface can only be re-enabled using - the 'enable' command. - -5) The /etc/shorewall[6]/tos file is now deprecated in favor of the - TOS() action in /etc/shorewall[6]/tcrules. - -6) The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been - renamed ACTION to reflect the expanded set of actions that can be - specified in the column. There is no change to existing - functionality. 
- -7) Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir - and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in - favor of the VARDIR setting in shorewallrc. - - NOTE: While the name of the variable remains VARDIR, the - meaning is slightly different. When set in shorewallrc, - each product (shorewall-lite, and shorewall6-lite) will - create a directory under the specified path name to - hold state information. - - Example: - - VARDIR=/opt/var/ - - The state directory for shorewall-lite will be - /opt/var/shorewall-lite/ and the directory for - shorewall6-lite will be /opt/var/shorewall6-lite. - - When VARDIR is set in /etc/shorewall[6]/vardir, the - product will save its state directly in the specified - directory. - ----------------------------------------------------------------------------- - V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 5 . 3 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.4.1/shorecap new/shorewall-lite-4.5.5/shorecap --- old/shorewall-lite-4.5.4.1/shorecap 2012-05-30 23:37:29.000000000 +0200 +++ new/shorewall-lite-4.5.5/shorecap 2012-06-09 17:32:15.000000000 +0200 
@@ -45,17 +45,22 @@ # used during firewall compilation, then the generated firewall program will likewise not # require Shorewall to be installed. -SHAREDIR=/usr/share/shorewall-lite -VARDIR=/var/lib/shorewall-lite -CONFDIR=/etc/shorewall-lite + g_program=shorewall-lite -g_product="Shorewall Lite" -g_family=4 -g_base=shorewall -g_basedir=/usr/share/shorewall-lite -. /usr/share/shorewall-lite/lib.base -. /usr/share/shorewall/lib.cli +# +# This is modified by the installer when ${SHAREDIR} != /usr/share +# +. /usr/share/shorewall/shorewallrc + +g_libexec="$LIBEXECDIR" +g_sharedir="$SHAREDIR"/shorewall-lite +g_sbindir="$SBINDIR" +g_vardir="$VARDIR" +g_confdir="$CONFDIR"/shorewall-lite +g_readrc=1 + +. ${SHAREDIR}/shorewall/lib.cli . /usr/share/shorewall-lite/configpath [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.4.1/shorewall-lite.spec new/shorewall-lite-4.5.5/shorewall-lite.spec --- old/shorewall-lite-4.5.4.1/shorewall-lite.spec 2012-05-31 21:45:25.000000000 +0200 +++ new/shorewall-lite-4.5.5/shorewall-lite.spec 2012-06-09 17:32:56.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-lite -%define version 4.5.4 -%define release 1 +%define version 4.5.5 +%define release 0base %define initdir /etc/init.d Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. 
@@ -105,8 +105,14 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Tue May 29 2012 Tom Eastep tom@shorewall.net -- Updated to 4.5.4-1 +* Wed Jun 06 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.5-0base +* Tue Jun 05 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.5-0RC1 +* Sat Jun 02 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.5-0Beta2 +* Thu May 24 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.5-0Beta1 * Thu May 24 2012 Tom Eastep tom@shorewall.net - Updated to 4.5.4-0base * Tue May 22 2012 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.4.1/uninstall.sh new/shorewall-lite-4.5.5/uninstall.sh --- old/shorewall-lite-4.5.4.1/uninstall.sh 2012-05-31 21:45:25.000000000 +0200 +++ new/shorewall-lite-4.5.5/uninstall.sh 2012-06-09 17:32:56.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.5.4.1 +VERSION=4.5.5 usage() # $1 = exit status { ++++++ shorewall-4.5.4.1.tar.bz2 -> shorewall6-4.5.5.tar.bz2 ++++++ ++++ 99746 lines of diff (skipped) ++++++ shorewall-lite-4.5.4.1.tar.bz2 -> shorewall6-lite-4.5.5.tar.bz2 ++++++ ++++ 7092 lines of diff (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
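Review bot: in the 4.5.4.2 item 2) line-continuation example the closing directive is written as `?END` in both the "previously" and "now" listings, while the paragraph above names the directives as ?IF, ?ELSE and ?ENDIF; a reader copying the example gets a line the compiler does not treat as the end of the conditional, so both occurrences should read `?ENDIF`. In the same section the list under "A large number of defects in Shorewall-init have been corrected" is labelled a), b), b), the item that follows is numbered 2) with no 1) before it, and item 7) (iprange in the SOURCE column of /etc/shorewall/masq failing on RHEL5) repeats item 4) word for word and should be dropped. New feature 5) has install.sh rewrite the Shorewall::Chains module with whatever the DIGEST environment variable holds; since the only values the notes describe are SHA and SHA1, consider having the installer reject anything else rather than substituting an arbitrary string into the module source. Spelling: "Imbedded shell and Perl directives" should be "Embedded", "If you have optional providers and to not run a link monitor" should be "and do not run", and "Now, they will be become simply" should be "will become".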
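Review bot: the KNOWN PROBLEMS REMAINING entry "On systems running Upstart, shorewall-init cannot reliably secure the firewall before interfaces are brought up" is deleted in the @@ -65,14 +347,7 @@ hunk without a matching entry under problems corrected; the Shorewall-init fixes listed for 4.5.4.2 cover the PRODUCTS setting, enable/disable handling and console clutter, none of which mention Upstart. If the limitation still exists the entry should stay, since it describes a window in which interfaces are up before the ruleset is loaded; if it was fixed, say so in the 4.5.5 problems-corrected list.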
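Review bot: in the shorecap hunk the unchanged line `. /usr/share/shorewall-lite/configpath` still hard-codes /usr/share, so on an install where shorewallrc sets SHAREDIR elsewhere (exactly the case the new comment "This is modified by the installer when ${SHAREDIR} != /usr/share" and the 4.5.4.2 note 3b describe) shorecap sources a missing or stale configpath; `. "$g_sharedir"/configpath` would follow the variables introduced just above it. Two smaller points: `. ${SHAREDIR}/shorewall/lib.cli` is unquoted while the assignments above use `"$SHAREDIR"`, and g_vardir is assigned the bare `$VARDIR` whereas g_sharedir and g_confdir append /shorewall-lite; given migration note 7) says the state directory for shorewall-lite is `$VARDIR/shorewall-lite/`, please confirm that lib.cli adds the product name when g_readrc=1, otherwise shorewall-lite and shorewall6-lite would keep their state files in the same directory.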