Hello community,

here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2013-03-08 09:51:20

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shorewall (Old)
 and      /work/SRC/openSUSE:Factory/.shorewall.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "shorewall", Maintainer is ""

Changes:
--------
--- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes	2013-01-17 10:43:36.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes	2013-03-08 09:51:22.000000000 +0100
@@ -1,0 +2,54 @@ +Wed Feb 13 08:42:49 UTC 2013 - toganm@opensuse.org + +- Update to version 4.5.13 For more details see changelog.txt and + releasenotes.txt + + * If a chain consisted of a single RETURN rule, optimize level 4 + would handle it incorrectly by moving the RETURN rule to the + chain(s) that jumped to the single-rule chain. The optimizer + now simply eliminates the chain and rule. + + As part of this change, the optimizer now deletes trailing + RETURN rules from chains. + + * If a default inline action was specified with parameters, the + compiler would fail with an internal error. + + * The compiler was mis-handling simple arithmetic expressions + consisting of a single number, evaluating the number as '' + rather than as its numberic value. + +- Rebased systemd.patch + +------------------------------------------------------------------- +Sun Jan 20 20:12:23 UTC 2013 - toganm@opensuse.org + +- Update to version 4.5.12 For more details see changelog.txt and + releasenotes.txt + * This release contains the defect repairs from Shorewall + 4.5.11.1 and 4.5.11.2. + * Two defects associated with 'update -D' have been corrected. + + shorewall.conf.bak is no longer deleted. + + files that are not changed no longer have their mtime updated. + * Inline actions in the RELATED and ESTABLISHED sections now work + correctly. + * The 'dropInvalid' built-in function now works correctly. + * The compiler now generates an error when a protocol list is + used in a context where only a single protocol name/number is + accepted. + * The generated script now correctly deletes Traffic Control + configurations when CLEAR_TC=Yes. Previously, the + configurations on interfaces with a '@xxxxxx' suffix in their + names were not cleared. + * Under very rare circumstances, optimize level 4 could leave a + rule that jumped to a non-existant chain, causing + iptables-restore to fail. 
+ * If an error was raised while compiling a default action, a Perl + diagnostic could appear and the Shorewall error message would + not be printed. + * It is once again possible to use DNS names in rules without an + interface name. + + + +------------------------------------------------------------------- Old: ---- shorewall-4.5.11.2.tar.bz2 shorewall-core-4.5.11.2.tar.bz2 shorewall-docs-html-4.5.11.2.tar.bz2 shorewall-init-4.5.11.2.tar.bz2 shorewall-lite-4.5.11.2.tar.bz2 shorewall6-4.5.11.2.tar.bz2 shorewall6-lite-4.5.11.2.tar.bz2 New: ---- shorewall-4.5.13.tar.bz2 shorewall-core-4.5.13.tar.bz2 shorewall-docs-html-4.5.13.tar.bz2 shorewall-init-4.5.13.tar.bz2 shorewall-lite-4.5.13.tar.bz2 shorewall6-4.5.13.tar.bz2 shorewall6-lite-4.5.13.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.YBKfNI/_old 2013-03-08 09:51:24.000000000 +0100 +++ /var/tmp/diff_new_pack.YBKfNI/_new 2013-03-08 09:51:24.000000000 +0100 
@@ -20,19 +20,19 @@ %define have_systemd 1 Name: shorewall -Version: 4.5.11.2 +Version: 4.5.13 Release: 0 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems License: GPL-2.0 Group: Productivity/Networking/Security Url: http://www.shorewall.net/ -Source: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.11/%name-%version.t... -Source1: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.11/%name-core-%vers... -Source2: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.11/%name-lite-%vers... -Source3: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.11/%name-init-%vers... -Source4: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.11/%{name}6-lite-%version.tar.bz2 -Source5: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.11/%{name}6-%version.tar.bz2 -Source6: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.11/%name-docs-html-... +Source: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.13/%name-%version.t... +Source1: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.13/%name-core-%vers... +Source2: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.13/%name-lite-%vers... +Source3: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.13/%name-init-%vers... +Source4: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.13/%{name}6-lite-%version.tar.bz2 +Source5: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.13/%{name}6-%version.tar.bz2 +Source6: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.13/%name-docs-html-... Source7: %name-4.4.22.rpmlintrc Source8: README.openSUSE # PATCH-FIX-UPSTREAM toganm@opensuse.org Shorewall-lite init.suse.sh Required Stop @@ -47,6 +47,7 @@ %if 0%{?suse_version} >= 1210 || 0%{?fedora_version} BuildRequires: systemd %{?systemd_requires} +%define have_systemd 1 %else %if 0%{?suse_version} <= 1220 PreReq: %fillup_prereq 
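Review bot: the new `%define have_systemd 1` inside the `%if 0%{?suse_version} >= 1210 || 0%{?fedora_version}` block of shorewall.spec hunk `@@ -47,6 +47,7 @@` has no effect, because the context at the top of hunk `@@ -20,19 +20,19 @@` shows `%define have_systemd 1` already set unconditionally near the start of the spec. As it stands, the later `%if 0%{?have_systemd}` test around `systemd=%_unitdir \` is always true, so the unit directory is passed to the installer even on the `%else` branches that never pull in `BuildRequires: systemd`. Either drop the unconditional define and keep only this conditional one, or add `%define have_systemd 0` to the `%else` branch so the flag actually tracks the systemd condition.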
@@ -60,18 +61,14 @@ Requires: %name-core = %{version}-%{release} Requires: iproute2 Requires: iptables -Requires: xtables-addons -%if 0%{?suse_version} < 1140 -Requires: perl = %{perl_version} -%else -%{perl_requires} -%endif Requires: logrotate +Requires: xtables-addons BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch BuildRequires: bash >= 4 %if 0%{?suse_version} -BuildRequires: distribution-release +BuildRequires: openSUSE-release +%{perl_requires} %endif %if 0%{?redhat_version} || 0%{?centos_version} BuildRequires: redhat-release @@ -355,13 +352,10 @@ # to set it differently. Please see the disccussion in # http://lists.opensuse.org/opensuse-packaging/2012-08/msg00050.html -targets="shorewall-core shorewall shorewall-lite shorewall6 shorewall6-lite shorewall-init" +targets="shorewall shorewall-core shorewall-lite shorewall6 shorewall6-lite shorewall-init" %if 0%{?suse_version} -%define shorewall_target SUSE -%define shorewall_initdir %_initddir - # FIXME # somehow shorewall-init is not installed for opensuse 11.4 @@ -374,9 +368,12 @@ perllibdir=%{perl_vendorlib} \ libexecdir=%{_libexecdir} \ sbindir=%_sbindir \ -%if 0%{?suse_version} >= 1210 + %if 0%{?have_systemd} systemd=%_unitdir \ -%endif + %endif +# %%if 0%%{?suse_version} >= 1210 +# systemd=%%_unitdir \ +# %%endif sharedir=%_datadir if [ $i != shorewall-init ];then @@ -385,8 +382,6 @@ install -d %buildroot/%_sysconfdir/NetworkManager/dispatcher.d DESTDIR=%buildroot ./install.sh shorewallrc - install -d %buildroot/_%sbindir # somehow this fails to install with opensuse 11.4 - install -m 700 shorewall-init %buildroot/%_sbindir/shorewall-init if [ -f ${DESTDIR}/etc/ppp ]; then for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories 
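Review bot: the Perl run-time dependency is silently dropped for non-SUSE builds in shorewall.spec hunk `@@ -60,18 +61,14 @@`. The removed block `%if 0%{?suse_version} < 1140` / `Requires: perl = %{perl_version}` / `%else` / `%{perl_requires}` / `%endif` applied on every distribution (on Red Hat, CentOS and Fedora `0%{?suse_version}` expands to 0, so the first branch was taken), whereas the re-added `%{perl_requires}` now sits inside `%if 0%{?suse_version}` next to `BuildRequires: openSUSE-release`. The compiler and the generated script are Perl code (the install step passes `perllibdir=%{perl_vendorlib}`), so please restore an explicit `Requires: perl` in the `%if 0%{?redhat_version} || 0%{?centos_version}` branch just below. Note also that openSUSE versions below 1140, which previously got the hard `Requires: perl = %{perl_version}` presumably because `%{perl_requires}` was unavailable there, now use the macro unconditionally; confirm it exists on the oldest openSUSE this spec still targets.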
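Review bot: shorewall.spec hunk `@@ -374,9 +368,12 @@` leaves the replaced conditional behind as three commented lines (`# %%if 0%%{?suse_version} >= 1210`, `# systemd=%%_unitdir \`, `# %%endif`). Commented-out spec code goes stale quickly, and the `%%` escaping needed to stop rpm from expanding it makes the intent hard to read; delete those lines and rely on the repository history instead. The replacement ` %if 0%{?have_systemd}` only behaves like the old `>= 1210` test if `have_systemd` is defined conditionally, which this spec does not yet do, so the two changes should land together.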
@@ -413,6 +408,9 @@ done %else +# FIXME +# with the shorewall 4.5.13 the installer will install the correct +# service file itself %if 0%{?redhat_version} || 0%{?centos_version} || 0%{?fedora_version} for i in $targets; do pushd ${i}-%{version} ++++++ shorewall-4.5.11.2.tar.bz2 -> shorewall-4.5.13.tar.bz2 ++++++ ++++ 12428 lines of diff (skipped) ++++++ shorewall-core-4.5.11.2.tar.bz2 -> shorewall-core-4.5.13.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.11.2/changelog.txt new/shorewall-core-4.5.13/changelog.txt --- old/shorewall-core-4.5.11.2/changelog.txt 2012-12-31 17:28:59.000000000 +0100 +++ new/shorewall-core-4.5.13/changelog.txt 2013-02-11 14:59:59.000000000 +0100 
@@ -1,16 +1,192 @@ -Changes in 4.5.11.2 +Changes in 4.5.13 Final. 1) Update release documents. -2) Correct modules.xtables. +2) Correct action.TCPFlags. -Changes in 4.5.11.1 +3) Allow parameters to be omitted in action invocations. -1) Update release documents +4) Fix reset_optflags(). -2) Avoid invalid function name to start optional interface. +5) Correct handling of numbers in simple arithmetic expressions. -3) Add modules from xtables-addons to modules.xtables +6) Correct inline default actions with parameters. + +Changes in 4.5.13 RC 3. + +1) Update release documents. + +2) Handle RETURN correctly in a state chain. + +3) Correct a syntax error in action.Untracked + +4) Remove cruft from two action files. + +5) Use -j unconditionally to branch to a state chain/disposition. + +6) More tweaks in check_state(). + +7) Convert the legacy dropInvalid and allowInvalid actions to inline + actions. + +Changes in 4.5.13 RC 2. + +1) Update release documents. + +2) Fix the state action.* files. + +3) Correct state rule generation and rule combining. + +Changes in 4.5.13 RC 1. + +1) Update release documents. + +2) Apply Evangelos Foutras's Arch Linux patches. + +3) Remove requirement that the $state argument ends with a space. + +4) Update Shorewall6 actions.std + +5) Allow specification of the action type via perl_action_helper(). + +6) Simplify Perl actions even further. + +7) Correct handling of audited dispositions. + +8) Detect some state conflicts. + +9) Add New action. + +10) Delete imports of process_rule1. + +11) Correct behavior when @chain is altered. + +12) Documentation clarifications. + +13) Handle port numbers passed to the tcp-specific actions. + +14) Fix handling of normal actions in perl_action_tcp_helper(). + +15) Handle UNTRACKED_DISPOSITION=ACCEPT correctly. + +Changes in 4.5.13 Beta 4. + +1) Update release documents. + +2) Update module version. + +3) Favor shorter less-complex chain names in Optimize 8. 
+ +4) Handle chains ending with RETURN in Optimize 4. + +5) Call handle_first_entry() before issuing a warning or error + message. + +6) Allow inline actions to use BEGIN PERL .... END PERL + +7) Make some of the standard actions inlined. + +8) Replace BLACKLISTNEWONLY with BLACKLIST + +Changes in 4.5.13 Beta 3. + +1) Update release documents. + +2) Correct chain completion. + +3) Correct handling of audited RELATED_DISPOSITION + +4) Make optimize 8 a multi-pass operation. + +5) Implement the INVALID and NOTRACK rules sections. + +Changes in 4.5.13 Beta 2. + +1) Update release documents. + +2) Allow RESET of Shorewall variables. + +3) Fix use of Shorewall variables in a default action. + +Changes in 4.5.13 Beta 2. + +1) Update release documents. + +2) Add DEFER_DNS_RESOLUTION configuration option. + +3) Make Shorewall variables writable and use them to generate the log + prefix. + +Changes in 4.5.12 RC 1 + +1) Update release documents. + +2) Fix an old optimizer bug. + +3) Avoid fatal Perl run-time error if an error is raised while + compiling a default action. + +4) Correct handling of rules in the ESTABLISHED section. + +5) Restore the ability to use DNS names without an interface name. + +Changes in 4.5.12 Beta 5 + +1) Update release documents. + +2) Support protocol lists in most files. + +3) Detect and optimize for terminating rules. + +4) Make CLEAR_TC work on interfaces with an @xxxxx suffix in their + names. + +Changes in 4.5.12 Beta 4 + +1) Update release documents. + +2) Fix a lot of bugs in arptables support + +3) Make '+' optional in the ADD and deL statements. + +4) Don't add --cstate to dropInvalid rule + +5) Make inline actions work in sections other than NEW + +6) Change the interpretation of the log tag when LOGTAGONLY=Yes + +7) Generate error when a protocol list appears in the wrong context. + +Changes in 4.5.12 Beta 3 + +1) Merge defect repair from 4.5.11.2 + +2) Correct two defects in 'update -D'. 
+ +3) Add arptables support + +Changes in 4.5.12 Beta 2 + +1) Update release documents. + +2) Avoid invalid function names involving optional interfaces (from + 4.5.11.1). + +3) Correct handling of wildcards whose root matches another interface. + +4) Add support for fq_codel. + +Changes in 4.5.12 Beta 1 + +1) Update release documents. + +2) Add the xtables-addons modules to modules.xtables. + +3) Add the 'WARNOLDCAPVERSION' option. + +4) Finish centralizing the handling of 'COMMENT' and 'FORMAT'. + +5) Ignore COMMENTs when deleting duplicate rules. Changes in 4.5.11 Final diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.11.2/configure new/shorewall-core-4.5.13/configure --- old/shorewall-core-4.5.11.2/configure 2012-12-31 17:28:59.000000000 +0100 +++ new/shorewall-core-4.5.13/configure 2013-02-11 14:59:59.000000000 +0100 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.5.11.2 +VERSION=4.5.13 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.11.2/configure.pl new/shorewall-core-4.5.13/configure.pl --- old/shorewall-core-4.5.11.2/configure.pl 2012-12-31 17:28:59.000000000 +0100 +++ new/shorewall-core-4.5.13/configure.pl 2013-02-11 14:59:59.000000000 +0100 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.5.11.2' + VERSION => '4.5.13' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.11.2/install.sh new/shorewall-core-4.5.13/install.sh --- old/shorewall-core-4.5.11.2/install.sh 2012-12-31 17:28:59.000000000 +0100 +++ new/shorewall-core-4.5.13/install.sh 2013-02-11 14:59:59.000000000 +0100 
@@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.5.11.2 +VERSION=4.5.13 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.11.2/known_problems.txt new/shorewall-core-4.5.13/known_problems.txt --- old/shorewall-core-4.5.11.2/known_problems.txt 2012-12-31 17:28:59.000000000 +0100 +++ new/shorewall-core-4.5.13/known_problems.txt 2013-02-11 14:59:59.000000000 +0100 @@ -1,41 +1,2 @@ 1) On systems running Upstart, shorewall-init cannot reliably secure the firewall before interfaces are brought up. - -2) Beginning with Shorewall 4.5.10, if the name of an optional - interface contains one or more characters that are not valid in a - shell function name, then the generated script will fail with a - "syntax error: bad function name" shell diagnostic. - - Workaround: - - Rename the interface so that its name is a valid shell - identifier. - - Corrected in 4.5.11.2. - -3) The following type of configuration resulted in an incorrect - ruleset: - - /etc/shorewall/zones - - ... - bar - foo:bar - - /etc/shorewall/interfaces - - ... - bar xyz+ - foo xyz - ... - - Workaround: - - Reverse the order of the two entries in the interfaces file. - -4) The kernel modules supplied by xtables-addons are not listed in the - modules.xtables files. - - Corrected in 4.5.11.2. - - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.11.2/lib.cli new/shorewall-core-4.5.13/lib.cli --- old/shorewall-core-4.5.11.2/lib.cli 2012-12-31 17:00:04.000000000 +0100 +++ new/shorewall-core-4.5.13/lib.cli 2013-02-11 14:58:01.000000000 +0100 @@ -25,7 +25,7 @@ # loaded after this one and replaces some of the functions declared here. # -SHOREWALL_CAPVERSION=40509 +SHOREWALL_CAPVERSION=40512 [ -n "${g_program:=shorewall}" ] 
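Review bot: in changelog.txt hunk `@@ -1,16 +1,192 @@` (earlier in this patch) the heading `Changes in 4.5.13 Beta 2.` is used twice: once for the block beginning `Allow RESET of Shorewall variables` and again for the older block beginning `Add DEFER_DNS_RESOLUTION configuration option`. The list otherwise counts down Final, RC 3, RC 2, RC 1, Beta 4, Beta 3 and has no Beta 1 entry, so the second heading should presumably read `Changes in 4.5.13 Beta 1.`.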
@@ -329,11 +329,30 @@ done } + +# +# Try to find the arptables binary -- sets the variable 'arptables' +# +resolve_arptables() { + arptables="$ARPTABLES" + + [ -n "${arptables:=arptables}" ] + + case $arptables in + */*) + ;; + *) + arptables=$(mywhich "$arptables") + ;; + esac +} + # # Save currently running configuration # do_save() { local status + local arptables status=0 if [ -f ${VARDIR}/firewall ]; then @@ -353,6 +372,42 @@ status=1 fi + case ${SAVE_ARPTABLES:=No} in + [Yy]es) + resolve_arptables + + if [ -n "$arptables" ]; then + # + # 'sed' command is a hack to work around broken arptables_jf + # + if ${arptables}-save | sed 's/-p[[:space:]]\+0\([[:digit:]]\)00\/ffff/-p 000\1\/ffff/' > ${VARDIR}/restore-$$; then + if grep -q '^-A' ${VARDIR}/restore-$$; then + mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables + else + rm -f ${VARDIR}/restore-$$ + fi + fi + else + case "$ARPTABLES" in + */*) + error_message "ERROR: ARPTABLES=$ARPTABLES does not exist or is not executable - arptables not saved" + ;; + *) + error_message "ERROR: The arptables utility cannot be located - arptables not saved" + ;; + esac + + rm -f ${g_restorepath}-arptables + fi + ;; + [Nn]o) + rm -f ${g_restorepath}-arptables + ;; + *) + error_message "WARNING: Invalid value ($SAVE_ARPTABLES) for SAVE_ARPTABLES" + ;; + esac + case ${SAVE_IPSETS:=No} in [Yy]es) case ${IPSET:=ipset} in @@ -683,6 +738,7 @@ table_given= local output_filter output_filter=cat + local arptables show_macro() { foo=`grep 'This macro' $macro | sed 's/This macro //'` @@ -999,6 +1055,17 @@ echo show_nfacct ;; + arptables) + [ $# -gt 1 ] && usage 1 + resolve_arptables + if [ -n "$arptables" -a -x $arptables ]; then + echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)" + echo + $arptables -L -n -v + else + error_message "Cannot locate the arptables executable" + fi + ;; *) case "$g_program" in *-lite) 
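Review bot: in the `[Yy]es)` arm of the new `SAVE_ARPTABLES` case in lib.cli hunk `@@ -353,6 +372,42 @@`, the temporary file `${VARDIR}/restore-$$` is cleaned up only inside the `if ${arptables}-save | sed ... > ${VARDIR}/restore-$$; then` block; when that pipeline fails, an empty or partial temp file is left behind in `${VARDIR}`. Add an `else` arm with `rm -f ${VARDIR}/restore-$$`. Two related points: the pipeline's exit status is that of `sed`, not of `${arptables}-save`, so a missing `arptables-save` binary still enters the block and only the `grep -q '^-A'` test prevents an empty file being moved into place; and the `*/*)` arm of the inner `case "$ARPTABLES"` that prints `ERROR: ARPTABLES=$ARPTABLES does not exist or is not executable` is unreachable, because `resolve_arptables` copies a path containing `/` into `$arptables` untouched, so `[ -n "$arptables" ]` is always true in that case. Moving the `-x` test that `show arptables` and `dump` already perform into `resolve_arptables` would make that error path live and give `save` the same behaviour as the other commands.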
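Review bot: the test `[ -n "$arptables" -a -x $arptables ]` in the new `arptables)` command of lib.cli hunk `@@ -999,6 +1055,17 @@` leaves `$arptables` unquoted in the `-x` operand, while the dump code in this same patch writes `-x "$arptables"`; quote it consistently so that an `ARPTABLES` value containing whitespace produces the intended `Cannot locate the arptables executable` message rather than a `[` syntax error.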
@@ -1156,6 +1223,9 @@ do_dump_command() { local finished finished=0 + local arptables + + resolve_arptables while [ $finished -eq 0 -a $# -gt 0 ]; do option=$1 @@ -1230,6 +1300,11 @@ host=$(echo $g_hostname | sed 's/\..*$//') $g_tool -L $g_ipt_options + if [ -n "$arptables" -a -x "$arptables" ]; then + heading "ARP rules" + $arptables -L -n -v + fi + heading "Log ($LOGFILE)" packet_log 20 @@ -2035,6 +2110,7 @@ local tool local chain local chain1 + local arptables if [ -z "$g_tool" ]; then [ $g_family -eq 4 ] && tool=iptables || tool=ip6tables @@ -2125,6 +2201,7 @@ RPFILTER_MATCH= NFACCT_MATCH= CHECKSUM_TARGET= + ARPTABLESJF= AMANDA_HELPER= FTP_HELPER= FTP0_HELPER= @@ -2141,6 +2218,12 @@ TFTP_HELPER= TFTP0_HELPER= + resolve_arptables + + if [ -n "$arptables" -a -x $arptables ]; then + qt $arptables -L OUT && ARPTABLESJF=Yes + fi + chain=fooX$$ if [ -n "$NAT_ENABLED" ]; then @@ -2524,6 +2607,7 @@ report_capability "RPFilter match" $RPFILTER_MATCH report_capability "NFAcct match" $NFACCT_MATCH report_capability "Checksum Target" $CHECKSUM_TARGET + report_capability "Arptables JF" $ARPTABLESJF report_capability "Amanda Helper" $AMANDA_HELPER report_capability "FTP Helper" $FTP_HELPER @@ -2641,6 +2725,7 @@ report_capability1 RPFILTER_MATCH report_capability1 NFACCT_MATCH report_capability1 CHECKSUM_TARGET + report_capability1 ARPTABLESJF report_capability1 AMANDA_HELPER report_capability1 FTP_HELPER @@ -2784,6 +2869,7 @@ rm -f $g_restorepath rm -f ${g_restorepath}-iptables rm -f ${g_restorepath}-ipsets + rm -f ${g_restorepath}-arptables echo " $g_restorepath removed" elif [ -f $g_restorepath ]; then echo " $g_restorepath exists and is not a saved $g_product configuration" 
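Review bot: the capability probe `qt $arptables -L OUT && ARPTABLESJF=Yes` in lib.cli hunk `@@ -2141,6 +2218,12 @@` carries no comment, unlike the surrounding probes whose variable names describe what is tested. A one-line comment stating that the presence of an `OUT` chain is what distinguishes arptables_jf from classic arptables would save the next reader from having to reverse-engineer the check; the `$arptables` in the preceding `-x $arptables` test should also be quoted, as it is in the dump hunk above.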
@@ -3215,6 +3301,7 @@ echo " save [ <file name> ]" echo " show [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]" echo " show [ -f ] capabilities" + echo " show arptables" echo " show classifiers" echo " show config" echo " show connections" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.11.2/releasenotes.txt new/shorewall-core-4.5.13/releasenotes.txt --- old/shorewall-core-4.5.11.2/releasenotes.txt 2012-12-31 17:28:59.000000000 +0100 +++ new/shorewall-core-4.5.13/releasenotes.txt 2013-02-11 14:59:59.000000000 +0100 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 5 . 1 1 . 2 + S H O R E W A L L 4 . 5 . 1 3 ------------------------------------ - D e c e m b e r 3 1 , 2 0 1 2 + F e b r u a r y 1 1 , 2 0 1 3 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -15,26 +15,20 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.5.11.2 - -1) Corrected fix 2 from 4.5.11.1. - -4.5.11.1 - -1) Beginning with Shorewall 4.5.10, if the name of an optional - interface contained one or more characters that are not valid in a - shell function name, then the generated script would fail with a - "syntax error: bad function name" shell diagnostic. - - That problem has been corrected so that a valid function name is - generated. - -2) The kernel modules supplied by xtables-addons are now listed in the - modules.xtables files. They were previously omitted. - -4.5.11 - -1) This release includes the defect repair from Shorewall 4.5.10.1. +1) If a chain consisted of a single RETURN rule, optimize level 4 + would handle it incorrectly by moving the RETURN rule to the + chain(s) that jumped to the single-rule chain. The optimizer now + simply eliminates the chain and rule. + + As part of this change, the optimizer now deletes trailing RETURN + rules from chains. + +2) If a default inline action was specified with parameters, the + compiler would fail with an internal error. + +3) The compiler was mis-handling simple arithmetic expressions + consisting of a single number, evaluating the number as '' rather + than as its numberic value. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
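Review bot: item 3 of releasenotes.txt hunk `@@ -15,26 +15,20 @@` misspells `numeric` as `numberic`; the same wording was copied verbatim into the shorewall.changes entry for 4.5.13, so both places want the fix.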
@@ -47,149 +41,162 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) This release expands upon the concept of 'Shorewall Variables' - that was introduced in 4.5.10 with the creation of '@0' in SWITCH - columns. Beginning with 4.5.10, '@0' (or '@{0}') in a SWITCH column - expands to the name of the current chain. +1) A new DEFER_DNS_RESOLUTION option has been added to shorewall.conf. - In this release, the Shorewall variables @loglevel and @logtag - are added. These variables are only available within action bodies - (both regular and in-line). + Up to this time, when a DNS name appears in the SOURCE, DEST or + ORIGINAL DEST column of a configuration file, the compiler verifies + that the name can be resolved and then passes the name on to the + generated script. This means that ip[6]tables-restore must resolve + the name when the script runs. - Their contents are: + When DEFER_DNS_RESOLUTION=Yes (the default) this old behavior is + retained. When DEFER_DNS_RESOLUTION=No, the compiler resolves the + name and uses the address(es) in the generated script. - @loglevel - - The log level specified when the action was invoked. If no - level was specified, @loglevel expands to 'none'. +2) The '@' Shorewall variables are now writable using the ?SET directive. - @logtag + The variables are now also used when generating the contents of + --log-prefix in logging rules. Within an action body, the two + fields in the --log-prefix are: - The log tag specified when the action was invoked. If no tag - was specified, @logtag expands to an empty string. + @chain -- Existing variable. + @disposition -- New variable. - @1, @2, ... + When either of these are undefined or empty, the compiler uses + the same value as previously. - Same as $1, $2, ... + When a non-inlined action is entered, @disposition is given the + empty value. When an inline action is entered, @disposition is not + altered. 
- Additionally, @chain has been added as a synonym for @0. Remember - that, unlike $0, non-alphanumeric charaters other than '_' have - been removed from @0. + Also added is a @caller variable which names the chain or action + which invoked the action. -2) Action variables ($0, $1,...$n) and Shorewall variables are now - available in ?IF and ?ELSIF directives. + When any action is exited, the variables revert to their values + when the action was entered. -3) A 'nolog' option has been added to /etc/shorewall[6]/actions. This - option causes the compiler to forego adding the log level and log - tag from the action invocation to those rules within the body that - do not specify a tag and/or level. + When RESET, the named Shorewall variables are not removed from the + variable table but are rather set to the empty value. -3) An 'IGNOREUNKNOWNVARIABLES' option has been added to - /etc/shorewall[6]/shorewall[6].conf. When set to 'Yes', this option - instructs the compiler to expand unknown shell variables and - action parameters to an empty string rather than raising an error. +3) Optimize level 8 now makes multiple passes of each table. -4) ?SET and ?RESET directives are now available: +4) There are now two new sections in the rules file: - ?SET <variable> <value> - ?RESET <variable> + INVALID - To cater to both Shell and Perl programmers, the <variable> may - be entered with or without leading '$'. + Allows definition of rules to be applied to packets in the + INVALID connection state. - The ?SET command sets the named <variable> to the specified - <value> where <value> is a Perl-compatible expression. + UNTRACKED - The ?RESET command deletes the named <variable> from the compiler's - variable table. + Allows definition of rules to be applied to packets in the + UNTRACKED connection state (due to entries in the conntrack + file). - Shorewall variables (@chain, @loglevel,...) and action parameters - ($1, $2,...) 
are read-only and their values may not be changed - (although action parameter values may be changed using Embedded - Perl). + The implementation of these sections is modeled after that of the + RELATED section. There are options in shorewall.conf + (shorewall6.conf) that control the disposition and logging of + packets that fail to match any of the rules in the section. -5) This release introduces user-defined address variables. Address - variables are used at run-time rather than at compile-time. Prior - to this release, two types of address variables were available: + INVALID_DISPOSITION - &<interface> Expands to the primary IP address of - <interface> + Valid values are CONTINUE, DROP, REJECT, and A_DROP. - %<interface> Expands to the IP address of the default - gateway out of <interface> + The default is CONTINUE, which provides compatibility with + earlier releases (the packets are subject to the rules in + the NEW section). - The two new types added in this release are distinguished by the - use of "{....}". + INVALID_LOG_LEVEL. - &{<variable>} Address contained in run-time variable - <variable>. The named shell variable must - contain a valid IP address, either from the - generated script's environment or from having - been set in the generated script's 'init' - extension script. If the variable is empty or - if its contents are not a valid IP address, an - error is raised and the state of the firewall - is not changed. + Determines logging of packets handled by + INVALID_DISPOSITION. Empty by default (no logginig). - %{<variable>} Address contained in run-time variable - <variable>. If the named variable is empty, - the generated script sets it to the all-zeros - address (0.0.0.0 in IPv4 and :: in IPv6). When - this variable appears in a SOURCE or - DESTINATION column of any configuration file, - or if it appears in the ADDRESSES column of - the masq file, then no rule is generated when - the address variable is empty. 
Otherwise, the - rule is generated with the all-zeros address - replacing the variable. As above, if the - variable is non-empty and if it does not - contain a valid IP address, an error is raised - and the firewall state is unchanged. + UNTRACKED_DISPOSITION -6) The output of 'show [-f] capabities' is now sorted to make - individual capabities easier to find. + Valid values are CONTINUE, ACCEPT, DROP, REJECT, A_ACCEPT + and A_DROP. -7) Beginning with this release, ?FORMAT is preferred over FORMAT for - specifying the format of records in these configuration files: + The default is CONTINUE, which provides compatibility with + earlier releases (the packets are subject to the rules in + the NEW section). - action.* files - conntrack - interface - macro.* files - tcrules + UNTRACKED_LOG_LEVEL. - While deprecated, FORMAT (without the '?') is still supported. + Determines logging of packets handled by + NOTRACK_DISPOSITION. Empty by default (no logging). - Also, ?COMMENT is preferred over COMMENT for attaching comments to - generated netfilter rules in the following files. + The new order of sections in the rules files is: - accounting - action.* files - blrules files - conntrack - macro.* files - masq - nat - rules - secmarks - tcrules - tunnels + ALL + ESTABLISHED + RELATED + INVALID + UNTRACKED + NEW - When one of the deprecated forms is encountered, a warning message - is issued. +5) There are now 'Related', 'Untracked', 'Established' and 'New' + actions that match packets in the RELATED, UNTRACKED, ESTABLISHED + and NEW states respectively. - Example: + These actions are in-line and have a single parameter that + specifies the action to be taken. The action may be anything that + is valid in the ACTION column of the rules file. - WARNING: 'FORMAT' is deprecated in favor of '?FORMAT' - - consider running 'shorewall update -D'. 
+ As part of this change, action.Invalid, action.NotSyn and + action.RST are also inline and can accept an arbitrary action as an + argument. The 'audit' parameter, while still accepted, is + deprecated in favor of passing 'A_ACCEPT' etc. directly to the + inline. - As the warning indicates, 'update -D' will traverse the CONFIG_PATH - replacing FORMAT and COMMENT lines with ?FORMAT and ?COMMENT - directives respectively. The original version of modified files - will be saved with a .bak suffix. + The TCPFlags action may also now be inlined, although it is not + inlined by default. - During the update, .bak files are skipped as are files in - ${SHAREDIR}/shorewall and ${SHAREDIR}/shorewall6. +6) The preceding enhancement required infrastructure for allowing + BEGIN PERL...END PERL to function in the body of an inline action. + + use Shorewall::Rules; + + perl_action_helper( $target, $matches ) + + $target is the target of the rule and may include log level and + tag (e.g, 'DROP:info:foo'). + + $matches is a string containing one or more ip[6]tables + matches. + + Example: "-m conntrack --state ESTABLISHED". + + The function returns true. + + This function may be called in both inline and regular actions. In + an inline action, the matches from the invoking rule (SOURCE, DEST, + etc) are applied (in addition to the match(s) passed). In a regular + action only the passed matches are applied to the rule. + +7) To allow finer-grained selection of the connection-tracking states + that are passed through blacklists (both dynamic and static), a + BLACKLIST option has been added in shorewall.conf and + shorewall6.conf. + + The BLACKLISTNEWONLY option is now deprecated. A 'shorewall update' + ( 'shorewall6 update' ) will replace the BLACKLISTNEWONLY option + with the equivalent BLACKLIST option. + +8) The shorewallrc.archlinux file now assumes that systemd is + installed (Evangelos Foutras). 
+ +9) When the 'CONNTRACK match' capability is present (as it is in all + current distros), optimize level 16 now combines adjacent rules + that differ only in the conntrack states matched. + +10) The legacy 'dropInvalid' and 'allowInvalid' builtin actions have + been converted to inline actions that invoke the Invalid action. + +11) Parameters may now be omitted in action invocations. The following + two invocations are equivalent: + + ACTION(-,foo,-,-) + ACTION(,FOO,,) ---------------------------------------------------------------------------- V. M I G R A T I O N I S S U E S 
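Review bot: several documentation slips in releasenotes.txt hunk `@@ -47,149 +41,162 @@`. In item 4 the paragraph for `UNTRACKED_LOG_LEVEL` says it controls logging of packets `handled by NOTRACK_DISPOSITION`, but the option introduced two paragraphs earlier is `UNTRACKED_DISPOSITION`; the same item spells `logging` as `logginig` and puts stray trailing periods on the `INVALID_LOG_LEVEL.` and `UNTRACKED_LOG_LEVEL.` headings. In item 11 the two invocations presented as equivalent use different case for the parameter (`ACTION(-,foo,-,-)` versus `ACTION(,FOO,,)`), which undercuts the point being made; use the same spelling in both.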
@@ -373,13 +380,346 @@ directives respectively. The original version of modified files will be saved with a .bak suffix. - During the update, .bak files are skipped as are files in ${SHAREDIR}/shorewall and ${SHAREDIR}/shorewall6. +15) To allow finer-grained selection of the connection-tracking states + that are passed through blacklists (both dynamic and static), a + BLACKLIST option was added to shorewall.conf and shorewall6.conf in + Shorewall 4.5.13. + + The BLACKLISTNEWONLY option was deprecated at that point. A + 'shorewall update' ( 'shorewall6 update' ) will replace the + BLACKLISTNEWONLY option with the equivalent BLACKLIST option. + ---------------------------------------------------------------------------- V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 5 . 1 2 +---------------------------------------------------------------------------- +1) This release contains the defect repairs from Shorewall 4.5.11.1 + and 4.5.11.2. + +2) Two defects associated with 'update -D' have been corrected. + + - shorewall.conf.bak is no longer deleted. + - files that are not changed no longer have their mtime updated. + +3) Inline actions in the RELATED and ESTABLISHED sections now work + correctly. + +4) The 'dropInvalid' built-in function now works correctly. + +5) The compiler now generates an error when a protocol list is used in + a context where only a single protocol name/number is accepted. + +6) The generated script now correctly deletes Traffic Control + configurations when CLEAR_TC=Yes. Previously, the configurations on + interfaces with a '@xxxxxx' suffix in their names were not cleared. + +7) Under very rare circumstances, optimize level 4 could leave a rule + that jumped to a non-existant chain, causing iptables-restore to + fail. 
+ +8) If an error was raised while compiling a default action, the + following Perl diagnostic could appear and the Shorewall error + message would not be printed. + +9) It is once again possible to use DNS names in rules without an + interface name. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 5 . 1 1 +---------------------------------------------------------------------------- + +1) The rules compiler has traditionally issued a warning when the + version of /etc/shorewall[6]/capabilities is less than the version + supported by the compiler. This warning may be suppressed by + setting the new option 'WARNOLDCAPVERSION' to 'No' in + shorewall[6].conf. + +2) The compiler now ignores '-m comment' differences when deleting + duplicate rules under optimization level 16. + +3) Support has been added for the FQ CODEL (Fair-queuing + Controlled-delay) queuing discipline. See shorewall-tcclasses (5) + and shorewall6-tcclasses (5) for details. + +4) Support for arptables has been added to Shorewall and Shorewall + Lite. + + - Both classic arptables and arptables_jf (fork maintained by Jay + Fenlason) + + - There is now an ARPTABLES option in the shorewall.conf file to + specify the path to the arptables binary. + + - An arprules file has been added to allow specification of + arptables rules. See shorewall-arprules (5) for details. + + - A 'show arptables' command has been added to show the active + arptables rules. + + - arptables rules are saved and restored by the save and restore + commands if the new option SAVE_ARPTABLES is set to Yes in + shorewall.conf. + + - arptables rules are displayed in the 'dump' command. + + As part of this change, a new capability ('Arptables JF') has been + added. If you use a capabilities file, you should regenerate it + after installing this version. + +5) The interpretation of the log tag when LOGTAGONLY=Yes is changed. 
+ Previously, the log tag replaced the chain name in the generated + log prefix. Now, the tag is interpreted as a chain name and a + disposition separated by a comma. + + So this rule: + + LOG:info:foo,bar + + will generate the following log prefix when using the default + LOGFORMAT setting: + + Shorewall:foo:bar: + + Similarly, + + LOG:info:,bar net fw + + will generate + + Shorewall:net2fw:bar: + +6) Rules generated by the RELATED section of the rules file are now in + separate chains. For each pair of zones (za,zb), RELATED + connections are handled by a chain whose name is "+za2zb" + (ZONE_SEPARATOR=2) or "+za-zb" (ZONE_SEPARATOR='-'). This results + in only one state match to jump to the new chain rather than a + state match for every rule in the section. + +7) Protocol lists are now supported in the PROTO columns of the + following additional files: + + accounting + conntrack + masq + secmarks + stoppedrules + tcfilters + tcpri + tcrules + +8) When an terminating rule is added to the end of a chain, the + Compiler now marks that chain as 'complete' and inhibits the + appending of any additional rules. + + A terminating rule is one that has no matches and either uses '-g' + (goto) or is a jump to one of the following: + + ACCEPT + DROP + RETURN + QUEUE + CLASSIFY + CT + DNAT + MASQUERADE + NETMAP + NFQUEUE + NOTRACK + REDIRECT + RAWDNAT + RAWSNAT + REJECT + SAME + SNAT + TPROXY + A chain with no RETURN statements and whose last rule is + terminating. + + + Additionally, when optimize level 4 is selected, chains that + contain a single RETURN rule are optimized away. + +9) Eric Teeter has contributed macro.ActiveDir, a macro that handles + Samba 4 active directory. + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 5 . 1 1 +---------------------------------------------------------------------------- + +4.5.11.2 + +1) Corrected fix 2 from 4.5.11.1. 
+ +4.5.11.1 + +1) Beginning with Shorewall 4.5.10, if the name of an optional + interface contained one or more characters that are not valid in a + shell function name, then the generated script would fail with a + "syntax error: bad function name" shell diagnostic. + + That problem has been corrected so that a valid function name is + generated. + +2) The kernel modules supplied by xtables-addons are now listed in the + modules.xtables files. They were previously omitted. + +4.5.11 + +1) This release includes the defect repair from Shorewall 4.5.10.1. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 5 . 1 1 +---------------------------------------------------------------------------- + +1) This release expands upon the concept of 'Shorewall Variables' + that was introduced in 4.5.10 with the creation of '@0' in SWITCH + columns. Beginning with 4.5.10, '@0' (or '@{0}') in a SWITCH column + expands to the name of the current chain. + + In this release, the Shorewall variables @loglevel and @logtag + are added. These variables are only available within action bodies + (both regular and in-line). + + Their contents are: + + @loglevel + + The log level specified when the action was invoked. If no + level was specified, @loglevel expands to 'none'. + + @logtag + + The log tag specified when the action was invoked. If no tag + was specified, @logtag expands to an empty string. + + @1, @2, ... + + Same as $1, $2, ... + + Additionally, @chain has been added as a synonym for @0. Remember + that, unlike $0, non-alphanumeric charaters other than '_' have + been removed from @0. + +2) Action variables ($0, $1,...$n) and Shorewall variables are now + available in ?IF and ?ELSIF directives. + +3) A 'nolog' option has been added to /etc/shorewall[6]/actions. 
This + option causes the compiler to forego adding the log level and log + tag from the action invocation to those rules within the body that + do not specify a tag and/or level. + +3) An 'IGNOREUNKNOWNVARIABLES' option has been added to + /etc/shorewall[6]/shorewall[6].conf. When set to 'Yes', this option + instructs the compiler to expand unknown shell variables and + action parameters to an empty string rather than raising an error. + +4) ?SET and ?RESET directives are now available: + + ?SET <variable> <value> + ?RESET <variable> + + To cater to both Shell and Perl programmers, the <variable> may + be entered with or without leading '$'. + + The ?SET command sets the named <variable> to the specified + <value> where <value> is a Perl-compatible expression. + + The ?RESET command deletes the named <variable> from the compiler's + variable table. + + Shorewall variables (@chain, @loglevel,...) and action parameters + ($1, $2,...) are read-only and their values may not be changed + (although action parameter values may be changed using Embedded + Perl). + +5) This release introduces user-defined address variables. Address + variables are used at run-time rather than at compile-time. Prior + to this release, two types of address variables were available: + + &<interface> Expands to the primary IP address of + <interface> + + %<interface> Expands to the IP address of the default + gateway out of <interface> + + The two new types added in this release are distinguished by the + use of "{....}". + + &{<variable>} Address contained in run-time variable + <variable>. The named shell variable must + contain a valid IP address, either from the + generated script's environment or from having + been set in the generated script's 'init' + extension script. If the variable is empty or + if its contents are not a valid IP address, an + error is raised and the state of the firewall + is not changed. + + %{<variable>} Address contained in run-time variable + <variable>. 
If the named variable is empty, + the generated script sets it to the all-zeros + address (0.0.0.0 in IPv4 and :: in IPv6). When + this variable appears in a SOURCE or + DESTINATION column of any configuration file, + or if it appears in the ADDRESSES column of + the masq file, then no rule is generated when + the address variable is empty. Otherwise, the + rule is generated with the all-zeros address + replacing the variable. As above, if the + variable is non-empty and if it does not + contain a valid IP address, an error is raised + and the firewall state is unchanged. + +6) The output of 'show [-f] capabities' is now sorted to make + individual capabities easier to find. + +7) Beginning with this release, ?FORMAT is preferred over FORMAT for + specifying the format of records in these configuration files: + + action.* files + conntrack + interface + macro.* files + tcrules + + While deprecated, FORMAT (without the '?') is still supported. + + Also, ?COMMENT is preferred over COMMENT for attaching comments to + generated netfilter rules in the following files. + + accounting + action.* files + blrules files + conntrack + macro.* files + masq + nat + rules + secmarks + tcrules + tunnels + + When one of the deprecated forms is encountered, a warning message + is issued. + + Example: + + WARNING: 'FORMAT' is deprecated in favor of '?FORMAT' - + consider running 'shorewall update -D'. + + As the warning indicates, 'update -D' will traverse the CONFIG_PATH + replacing FORMAT and COMMENT lines with ?FORMAT and ?COMMENT + directives respectively. The original version of modified files + will be saved with a .bak suffix. + + During the update, .bak files are skipped as are files in + ${SHAREDIR}/shorewall and ${SHAREDIR}/shorewall6. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 5 . 
1 0 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.11.2/shorewall-core.spec new/shorewall-core-4.5.13/shorewall-core.spec --- old/shorewall-core-4.5.11.2/shorewall-core.spec 2012-12-31 17:28:59.000000000 +0100 +++ new/shorewall-core-4.5.13/shorewall-core.spec 2013-02-11 14:59:59.000000000 +0100 @@ -1,6 +1,6 @@ %define name shorewall-core -%define version 4.5.11 -%define release 2 +%define version 4.5.13 +%define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} 
@@ -62,12 +62,36 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt %changelog +* Fri Feb 08 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.13-0base +* Mon Feb 04 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.13-0RC3 +* Sun Feb 03 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.13-0RC2 +* Thu Jan 31 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.13-0RC1 +* Tue Jan 29 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.13-0Beta4 +* Mon Jan 21 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.13-0Beta3 +* Sun Jan 20 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.13-0Beta2 +* Tue Jan 15 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.13-0Beta1 +* Tue Jan 15 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.12-0base +* Thu Jan 10 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.12-0RC1 +* Tue Jan 08 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.12-0Beta5 +* Sat Jan 05 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.12-0Beta4 * Mon Dec 31 2012 Tom Eastep tom@shorewall.net -- Updated to 4.5.11-2 -* Fri Dec 28 2012 Tom Eastep tom@shorewall.net -- Updated to 4.5.11-1 +- Updated to 4.5.12-0Beta3 +* Thu Dec 27 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.12-0Beta2 * Wed Dec 26 2012 Tom Eastep tom@shorewall.net -- Updated to 4.5.11-0base +- Updated to 4.5.12-0Beta1 * Wed Dec 19 2012 Tom Eastep tom@shorewall.net - Updated to 4.5.11-0RC1 * Thu Dec 13 2012 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.11.2/shorewallrc.archlinux new/shorewall-core-4.5.13/shorewallrc.archlinux --- old/shorewall-core-4.5.11.2/shorewallrc.archlinux 2012-12-31 17:00:04.000000000 +0100 +++ new/shorewall-core-4.5.13/shorewallrc.archlinux 2013-02-11 14:58:01.000000000 +0100 
@@ -1,21 +1,21 @@ # -# Archlinux Shorewall 4.5 rc file +# Arch Linux Shorewall 4.5 rc file # -BUILD=archlinux +BUILD= #Default is to detect the build system HOST=archlinux PREFIX=/usr #Top-level directory for shared files, libraries, etc. SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory CONFDIR=/etc #Directory where subsystem configurations are installed -SBINDIR=/sbin #Directory where system administration programs are installed +SBINDIR=/usr/sbin #Directory where system administration programs are installed MANDIR=${SHAREDIR}/man #Directory where manpages are installed. -INITDIR=/etc/rc.d #Directory where SysV init scripts are installed. -INITFILE=$PRODUCT #Name of the product's installed SysV init script -INITSOURCE=init.sh #Name of the distributed file to be installed as the SysV init script +INITDIR= #Directory where SysV init scripts are installed. +INITFILE= #Name of the product's installed SysV init script +INITSOURCE= #Name of the distributed file to be installed as the SysV init script ANNOTATED= #If non-zero, annotated configuration files are installed SYSCONFDIR= #Directory where SysV init parameter files are installed -SYSTEMD= #Directory where .service files are installed (systems running systemd only) +SYSTEMD=/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only) SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR VARLIB=/var/lib #Directory where product variable data is stored. VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.11.2/uninstall.sh new/shorewall-core-4.5.13/uninstall.sh --- old/shorewall-core-4.5.11.2/uninstall.sh 2012-12-31 17:28:59.000000000 +0100 +++ new/shorewall-core-4.5.13/uninstall.sh 2013-02-11 14:59:59.000000000 +0100 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.5.11.2 +VERSION=4.5.13 usage() # $1 = exit status { ++++++ shorewall-docs-html-4.5.11.2.tar.bz2 -> shorewall-docs-html-4.5.13.tar.bz2 ++++++ ++++ 7589 lines of diff (skipped) ++++++ shorewall-init-4.5.11.2.tar.bz2 -> shorewall-init-4.5.13.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.11.2/changelog.txt new/shorewall-init-4.5.13/changelog.txt --- old/shorewall-init-4.5.11.2/changelog.txt 2012-12-31 17:29:00.000000000 +0100 +++ new/shorewall-init-4.5.13/changelog.txt 2013-02-11 14:59:59.000000000 +0100 
@@ -1,16 +1,192 @@ -Changes in 4.5.11.2 +Changes in 4.5.13 Final. 1) Update release documents. -2) Correct modules.xtables. +2) Correct action.TCPFlags. -Changes in 4.5.11.1 +3) Allow parameters to be omitted in action invocations. -1) Update release documents +4) Fix reset_optflags(). -2) Avoid invalid function name to start optional interface. +5) Correct handling of numbers in simple arithmetic expressions. -3) Add modules from xtables-addons to modules.xtables +6) Correct inline default actions with parameters. + +Changes in 4.5.13 RC 3. + +1) Update release documents. + +2) Handle RETURN correctly in a state chain. + +3) Correct a syntax error in action.Untracked + +4) Remove cruft from two action files. + +5) Use -j unconditionally to branch to a state chain/disposition. + +6) More tweaks in check_state(). + +7) Convert the legacy dropInvalid and allowInvalid actions to inline + actions. + +Changes in 4.5.13 RC 2. + +1) Update release documents. + +2) Fix the state action.* files. + +3) Correct state rule generation and rule combining. + +Changes in 4.5.13 RC 1. + +1) Update release documents. + +2) Apply Evangelos Foutras's Arch Linux patches. + +3) Remove requirement that the $state argument ends with a space. + +4) Update Shorewall6 actions.std + +5) Allow specification of the action type via perl_action_helper(). + +6) Simplify Perl actions even further. + +7) Correct handling of audited dispositions. + +8) Detect some state conflicts. + +9) Add New action. + +10) Delete imports of process_rule1. + +11) Correct behavior when @chain is altered. + +12) Documentation clarifications. + +13) Handle port numbers passed to the tcp-specific actions. + +14) Fix handling of normal actions in perl_action_tcp_helper(). + +15) Handle UNTRACKED_DISPOSITION=ACCEPT correctly. + +Changes in 4.5.13 Beta 4. + +1) Update release documents. + +2) Update module version. + +3) Favor shorter less-complex chain names in Optimize 8. 
+ +4) Handle chains ending with RETURN in Optimize 4. + +5) Call handle_first_entry() before issuing a warning or error + message. + +6) Allow inline actions to use BEGIN PERL .... END PERL + +7) Make some of the standard actions inlined. + +8) Replace BLACKLISTNEWONLY with BLACKLIST + +Changes in 4.5.13 Beta 3. + +1) Update release documents. + +2) Correct chain completion. + +3) Correct handling of audited RELATED_DISPOSITION + +4) Make optimize 8 a multi-pass operation. + +5) Implement the INVALID and NOTRACK rules sections. + +Changes in 4.5.13 Beta 2. + +1) Update release documents. + +2) Allow RESET of Shorewall variables. + +3) Fix use of Shorewall variables in a default action. + +Changes in 4.5.13 Beta 2. + +1) Update release documents. + +2) Add DEFER_DNS_RESOLUTION configuration option. + +3) Make Shorewall variables writable and use them to generate the log + prefix. + +Changes in 4.5.12 RC 1 + +1) Update release documents. + +2) Fix an old optimizer bug. + +3) Avoid fatal Perl run-time error if an error is raised while + compiling a default action. + +4) Correct handling of rules in the ESTABLISHED section. + +5) Restore the ability to use DNS names without an interface name. + +Changes in 4.5.12 Beta 5 + +1) Update release documents. + +2) Support protocol lists in most files. + +3) Detect and optimize for terminating rules. + +4) Make CLEAR_TC work on interfaces with an @xxxxx suffix in their + names. + +Changes in 4.5.12 Beta 4 + +1) Update release documents. + +2) Fix a lot of bugs in arptables support + +3) Make '+' optional in the ADD and deL statements. + +4) Don't add --cstate to dropInvalid rule + +5) Make inline actions work in sections other than NEW + +6) Change the interpretation of the log tag when LOGTAGONLY=Yes + +7) Generate error when a protocol list appears in the wrong context. + +Changes in 4.5.12 Beta 3 + +1) Merge defect repair from 4.5.11.2 + +2) Correct two defects in 'update -D'. 
+ +3) Add arptables support + +Changes in 4.5.12 Beta 2 + +1) Update release documents. + +2) Avoid invalid function names involving optional interfaces (from + 4.5.11.1). + +3) Correct handling of wildcards whose root matches another interface. + +4) Add support for fq_codel. + +Changes in 4.5.12 Beta 1 + +1) Update release documents. + +2) Add the xtables-addons modules to modules.xtables. + +3) Add the 'WARNOLDCAPVERSION' option. + +4) Finish centralizing the handling of 'COMMENT' and 'FORMAT'. + +5) Ignore COMMENTs when deleting duplicate rules. Changes in 4.5.11 Final diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.11.2/configure new/shorewall-init-4.5.13/configure --- old/shorewall-init-4.5.11.2/configure 2012-12-31 17:29:00.000000000 +0100 +++ new/shorewall-init-4.5.13/configure 2013-02-11 14:59:59.000000000 +0100 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.5.11.2 +VERSION=4.5.13 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.11.2/configure.pl new/shorewall-init-4.5.13/configure.pl --- old/shorewall-init-4.5.11.2/configure.pl 2012-12-31 17:29:00.000000000 +0100 +++ new/shorewall-init-4.5.13/configure.pl 2013-02-11 14:59:59.000000000 +0100 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.5.11.2' + VERSION => '4.5.13' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.11.2/install.sh new/shorewall-init-4.5.13/install.sh --- old/shorewall-init-4.5.11.2/install.sh 2012-12-31 17:29:00.000000000 +0100 +++ new/shorewall-init-4.5.13/install.sh 2013-02-11 14:59:59.000000000 +0100 
@@ -23,7 +23,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.5.11.2 +VERSION=4.5.13 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.11.2/releasenotes.txt new/shorewall-init-4.5.13/releasenotes.txt --- old/shorewall-init-4.5.11.2/releasenotes.txt 2012-12-31 17:29:00.000000000 +0100 +++ new/shorewall-init-4.5.13/releasenotes.txt 2013-02-11 14:59:59.000000000 +0100 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 5 . 1 1 . 2 + S H O R E W A L L 4 . 5 . 1 3 ------------------------------------ - D e c e m b e r 3 1 , 2 0 1 2 + F e b r u a r y 1 1 , 2 0 1 3 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -15,26 +15,20 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.5.11.2 - -1) Corrected fix 2 from 4.5.11.1. - -4.5.11.1 - -1) Beginning with Shorewall 4.5.10, if the name of an optional - interface contained one or more characters that are not valid in a - shell function name, then the generated script would fail with a - "syntax error: bad function name" shell diagnostic. - - That problem has been corrected so that a valid function name is - generated. - -2) The kernel modules supplied by xtables-addons are now listed in the - modules.xtables files. They were previously omitted. - -4.5.11 - -1) This release includes the defect repair from Shorewall 4.5.10.1. +1) If a chain consisted of a single RETURN rule, optimize level 4 + would handle it incorrectly by moving the RETURN rule to the + chain(s) that jumped to the single-rule chain. The optimizer now + simply eliminates the chain and rule. + + As part of this change, the optimizer now deletes trailing RETURN + rules from chains. + +2) If a default inline action was specified with parameters, the + compiler would fail with an internal error. + +3) The compiler was mis-handling simple arithmetic expressions + consisting of a single number, evaluating the number as '' rather + than as its numberic value. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -47,149 +41,162 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) This release expands upon the concept of 'Shorewall Variables' - that was introduced in 4.5.10 with the creation of '@0' in SWITCH - columns. Beginning with 4.5.10, '@0' (or '@{0}') in a SWITCH column - expands to the name of the current chain. +1) A new DEFER_DNS_RESOLUTION option has been added to shorewall.conf. - In this release, the Shorewall variables @loglevel and @logtag - are added. These variables are only available within action bodies - (both regular and in-line). + Up to this time, when a DNS name appears in the SOURCE, DEST or + ORIGINAL DEST column of a configuration file, the compiler verifies + that the name can be resolved and then passes the name on to the + generated script. This means that ip[6]tables-restore must resolve + the name when the script runs. - Their contents are: + When DEFER_DNS_RESOLUTION=Yes (the default) this old behavior is + retained. When DEFER_DNS_RESOLUTION=No, the compiler resolves the + name and uses the address(es) in the generated script. - @loglevel - - The log level specified when the action was invoked. If no - level was specified, @loglevel expands to 'none'. +2) The '@' Shorewall variables are now writable using the ?SET directive. - @logtag + The variables are now also used when generating the contents of + --log-prefix in logging rules. Within an action body, the two + fields in the --log-prefix are: - The log tag specified when the action was invoked. If no tag - was specified, @logtag expands to an empty string. + @chain -- Existing variable. + @disposition -- New variable. - @1, @2, ... + When either of these are undefined or empty, the compiler uses + the same value as previously. - Same as $1, $2, ... + When a non-inlined action is entered, @disposition is given the + empty value. When an inline action is entered, @disposition is not + altered. 
- Additionally, @chain has been added as a synonym for @0. Remember - that, unlike $0, non-alphanumeric charaters other than '_' have - been removed from @0. + Also added is a @caller variable which names the chain or action + which invoked the action. -2) Action variables ($0, $1,...$n) and Shorewall variables are now - available in ?IF and ?ELSIF directives. + When any action is exited, the variables revert to their values + when the action was entered. -3) A 'nolog' option has been added to /etc/shorewall[6]/actions. This - option causes the compiler to forego adding the log level and log - tag from the action invocation to those rules within the body that - do not specify a tag and/or level. + When RESET, the named Shorewall variables are not removed from the + variable table but are rather set to the empty value. -3) An 'IGNOREUNKNOWNVARIABLES' option has been added to - /etc/shorewall[6]/shorewall[6].conf. When set to 'Yes', this option - instructs the compiler to expand unknown shell variables and - action parameters to an empty string rather than raising an error. +3) Optimize level 8 now makes multiple passes of each table. -4) ?SET and ?RESET directives are now available: +4) There are now two new sections in the rules file: - ?SET <variable> <value> - ?RESET <variable> + INVALID - To cater to both Shell and Perl programmers, the <variable> may - be entered with or without leading '$'. + Allows definition of rules to be applied to packets in the + INVALID connection state. - The ?SET command sets the named <variable> to the specified - <value> where <value> is a Perl-compatible expression. + UNTRACKED - The ?RESET command deletes the named <variable> from the compiler's - variable table. + Allows definition of rules to be applied to packets in the + UNTRACKED connection state (due to entries in the conntrack + file). - Shorewall variables (@chain, @loglevel,...) and action parameters - ($1, $2,...) 
are read-only and their values may not be changed - (although action parameter values may be changed using Embedded - Perl). + The implementation of these sections is modeled after that of the + RELATED section. There are options in shorewall.conf + (shorewall6.conf) that control the disposition and logging of + packets that fail to match any of the rules in the section. -5) This release introduces user-defined address variables. Address - variables are used at run-time rather than at compile-time. Prior - to this release, two types of address variables were available: + INVALID_DISPOSITION - &<interface> Expands to the primary IP address of - <interface> + Valid values are CONTINUE, DROP, REJECT, and A_DROP. - %<interface> Expands to the IP address of the default - gateway out of <interface> + The default is CONTINUE, which provides compatibility with + earlier releases (the packets are subject to the rules in + the NEW section). - The two new types added in this release are distinguished by the - use of "{....}". + INVALID_LOG_LEVEL. - &{<variable>} Address contained in run-time variable - <variable>. The named shell variable must - contain a valid IP address, either from the - generated script's environment or from having - been set in the generated script's 'init' - extension script. If the variable is empty or - if its contents are not a valid IP address, an - error is raised and the state of the firewall - is not changed. + Determines logging of packets handled by + INVALID_DISPOSITION. Empty by default (no logginig). - %{<variable>} Address contained in run-time variable - <variable>. If the named variable is empty, - the generated script sets it to the all-zeros - address (0.0.0.0 in IPv4 and :: in IPv6). When - this variable appears in a SOURCE or - DESTINATION column of any configuration file, - or if it appears in the ADDRESSES column of - the masq file, then no rule is generated when - the address variable is empty. 
Otherwise, the - rule is generated with the all-zeros address - replacing the variable. As above, if the - variable is non-empty and if it does not - contain a valid IP address, an error is raised - and the firewall state is unchanged. + UNTRACKED_DISPOSITION -6) The output of 'show [-f] capabities' is now sorted to make - individual capabities easier to find. + Valid values are CONTINUE, ACCEPT, DROP, REJECT, A_ACCEPT + and A_DROP. -7) Beginning with this release, ?FORMAT is preferred over FORMAT for - specifying the format of records in these configuration files: + The default is CONTINUE, which provides compatibility with + earlier releases (the packets are subject to the rules in + the NEW section). - action.* files - conntrack - interface - macro.* files - tcrules + UNTRACKED_LOG_LEVEL. - While deprecated, FORMAT (without the '?') is still supported. + Determines logging of packets handled by + NOTRACK_DISPOSITION. Empty by default (no logging). - Also, ?COMMENT is preferred over COMMENT for attaching comments to - generated netfilter rules in the following files. + The new order of sections in the rules files is: - accounting - action.* files - blrules files - conntrack - macro.* files - masq - nat - rules - secmarks - tcrules - tunnels + ALL + ESTABLISHED + RELATED + INVALID + UNTRACKED + NEW - When one of the deprecated forms is encountered, a warning message - is issued. +5) There are now 'Related', 'Untracked', 'Established' and 'New' + actions that match packets in the RELATED, UNTRACKED, ESTABLISHED + and NEW states respectively. - Example: + These actions are in-line and have a single parameter that + specifies the action to be taken. The action may be anything that + is valid in the ACTION column of the rules file. - WARNING: 'FORMAT' is deprecated in favor of '?FORMAT' - - consider running 'shorewall update -D'. 
+ As part of this change, action.Invalid, action.NotSyn and + action.RST are also inline and can accept an arbitrary action as an + argument. The 'audit' parameter, while still accepted, is + deprecated in favor of passing 'A_ACCEPT' etc. directly to the + inline. - As the warning indicates, 'update -D' will traverse the CONFIG_PATH - replacing FORMAT and COMMENT lines with ?FORMAT and ?COMMENT - directives respectively. The original version of modified files - will be saved with a .bak suffix. + The TCPFlags action may also now be inlined, although it is not + inlined by default. - During the update, .bak files are skipped as are files in - ${SHAREDIR}/shorewall and ${SHAREDIR}/shorewall6. +6) The preceding enhancement required infrastructure for allowing + BEGIN PERL...END PERL to function in the body of an inline action. + + use Shorewall::Rules; + + perl_action_helper( $target, $matches ) + + $target is the target of the rule and may include log level and + tag (e.g, 'DROP:info:foo'). + + $matches is a string containing one or more ip[6]tables + matches. + + Example: "-m conntrack --state ESTABLISHED". + + The function returns true. + + This function may be called in both inline and regular actions. In + an inline action, the matches from the invoking rule (SOURCE, DEST, + etc) are applied (in addition to the match(s) passed). In a regular + action only the passed matches are applied to the rule. + +7) To allow finer-grained selection of the connection-tracking states + that are passed through blacklists (both dynamic and static), a + BLACKLIST option has been added in shorewall.conf and + shorewall6.conf. + + The BLACKLISTNEWONLY option is now deprecated. A 'shorewall update' + ( 'shorewall6 update' ) will replace the BLACKLISTNEWONLY option + with the equivalent BLACKLIST option. + +8) The shorewallrc.archlinux file now assumes that systemd is + installed (Evangelos Foutras). 
+ +9) When the 'CONNTRACK match' capability is present (as it is in all + current distros), optimize level 16 now combines adjacent rules + that differ only in the conntrack states matched. + +10) The legacy 'dropInvalid' and 'allowInvalid' builtin actions have + been converted to inline actions that invoke the Invalid action. + +11) Parameters may now be omitted in action invocations. The following + two invocations are equivalent: + + ACTION(-,foo,-,-) + ACTION(,FOO,,) ---------------------------------------------------------------------------- V. M I G R A T I O N I S S U E S 
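Review bot: the UNTRACKED_LOG_LEVEL description in item 4 says it "Determines logging of packets handled by NOTRACK_DISPOSITION", but the option introduced immediately above it is UNTRACKED_DISPOSITION and the new rules section is named UNTRACKED (see the section order ALL, ESTABLISHED, RELATED, INVALID, UNTRACKED, NEW); the 4.5.13 Beta 3 changelog entry later in this patch ("Implement the INVALID and NOTRACK rules sections") suggests the section was renamed during development and this is a leftover, so the text should name UNTRACKED_DISPOSITION, since a user who sets NOTRACK_DISPOSITION from this doc gets no logging for that section. While there: "logginig" under INVALID_LOG_LEVEL should be "logging", and the trailing periods on "INVALID_LOG_LEVEL." and "UNTRACKED_LOG_LEVEL." make the option names read as sentence fragments. In item 6 the perl_action_helper() description would be clearer if it stated whether $target may carry an audited disposition (A_DROP etc.), given that item 5 deprecates the 'audit' parameter in favour of passing those directly.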
@@ -373,13 +380,346 @@ directives respectively. The original version of modified files will be saved with a .bak suffix. - During the update, .bak files are skipped as are files in ${SHAREDIR}/shorewall and ${SHAREDIR}/shorewall6. +15) To allow finer-grained selection of the connection-tracking states + that are passed through blacklists (both dynamic and static), a + BLACKLIST option was added to shorewall.conf and shorewall6.conf in + Shorewall 4.5.13. + + The BLACKLISTNEWONLY option was deprecated at that point. A + 'shorewall update' ( 'shorewall6 update' ) will replace the + BLACKLISTNEWONLY option with the equivalent BLACKLIST option. + ---------------------------------------------------------------------------- V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 5 . 1 2 +---------------------------------------------------------------------------- +1) This release contains the defect repairs from Shorewall 4.5.11.1 + and 4.5.11.2. + +2) Two defects associated with 'update -D' have been corrected. + + - shorewall.conf.bak is no longer deleted. + - files that are not changed no longer have their mtime updated. + +3) Inline actions in the RELATED and ESTABLISHED sections now work + correctly. + +4) The 'dropInvalid' built-in function now works correctly. + +5) The compiler now generates an error when a protocol list is used in + a context where only a single protocol name/number is accepted. + +6) The generated script now correctly deletes Traffic Control + configurations when CLEAR_TC=Yes. Previously, the configurations on + interfaces with a '@xxxxxx' suffix in their names were not cleared. + +7) Under very rare circumstances, optimize level 4 could leave a rule + that jumped to a non-existant chain, causing iptables-restore to + fail. 
+ +8) If an error was raised while compiling a default action, the + following Perl diagnostic could appear and the Shorewall error + message would not be printed. + +9) It is once again possible to use DNS names in rules without an + interface name. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 5 . 1 1 +---------------------------------------------------------------------------- + +1) The rules compiler has traditionally issued a warning when the + version of /etc/shorewall[6]/capabilities is less than the version + supported by the compiler. This warning may be suppressed by + setting the new option 'WARNOLDCAPVERSION' to 'No' in + shorewall[6].conf. + +2) The compiler now ignores '-m comment' differences when deleting + duplicate rules under optimization level 16. + +3) Support has been added for the FQ CODEL (Fair-queuing + Controlled-delay) queuing discipline. See shorewall-tcclasses (5) + and shorewall6-tcclasses (5) for details. + +4) Support for arptables has been added to Shorewall and Shorewall + Lite. + + - Both classic arptables and arptables_jf (fork maintained by Jay + Fenlason) + + - There is now an ARPTABLES option in the shorewall.conf file to + specify the path to the arptables binary. + + - An arprules file has been added to allow specification of + arptables rules. See shorewall-arprules (5) for details. + + - A 'show arptables' command has been added to show the active + arptables rules. + + - arptables rules are saved and restored by the save and restore + commands if the new option SAVE_ARPTABLES is set to Yes in + shorewall.conf. + + - arptables rules are displayed in the 'dump' command. + + As part of this change, a new capability ('Arptables JF') has been + added. If you use a capabilities file, you should regenerate it + after installing this version. + +5) The interpretation of the log tag when LOGTAGONLY=Yes is changed. 
+ Previously, the log tag replaced the chain name in the generated + log prefix. Now, the tag is interpreted as a chain name and a + disposition separated by a comma. + + So this rule: + + LOG:info:foo,bar + + will generate the following log prefix when using the default + LOGFORMAT setting: + + Shorewall:foo:bar: + + Similarly, + + LOG:info:,bar net fw + + will generate + + Shorewall:net2fw:bar: + +6) Rules generated by the RELATED section of the rules file are now in + separate chains. For each pair of zones (za,zb), RELATED + connections are handled by a chain whose name is "+za2zb" + (ZONE_SEPARATOR=2) or "+za-zb" (ZONE_SEPARATOR='-'). This results + in only one state match to jump to the new chain rather than a + state match for every rule in the section. + +7) Protocol lists are now supported in the PROTO columns of the + following additional files: + + accounting + conntrack + masq + secmarks + stoppedrules + tcfilters + tcpri + tcrules + +8) When an terminating rule is added to the end of a chain, the + Compiler now marks that chain as 'complete' and inhibits the + appending of any additional rules. + + A terminating rule is one that has no matches and either uses '-g' + (goto) or is a jump to one of the following: + + ACCEPT + DROP + RETURN + QUEUE + CLASSIFY + CT + DNAT + MASQUERADE + NETMAP + NFQUEUE + NOTRACK + REDIRECT + RAWDNAT + RAWSNAT + REJECT + SAME + SNAT + TPROXY + A chain with no RETURN statements and whose last rule is + terminating. + + + Additionally, when optimize level 4 is selected, chains that + contain a single RETURN rule are optimized away. + +9) Eric Teeter has contributed macro.ActiveDir, a macro that handles + Samba 4 active directory. + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 5 . 1 1 +---------------------------------------------------------------------------- + +4.5.11.2 + +1) Corrected fix 2 from 4.5.11.1. 
+ +4.5.11.1 + +1) Beginning with Shorewall 4.5.10, if the name of an optional + interface contained one or more characters that are not valid in a + shell function name, then the generated script would fail with a + "syntax error: bad function name" shell diagnostic. + + That problem has been corrected so that a valid function name is + generated. + +2) The kernel modules supplied by xtables-addons are now listed in the + modules.xtables files. They were previously omitted. + +4.5.11 + +1) This release includes the defect repair from Shorewall 4.5.10.1. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 5 . 1 1 +---------------------------------------------------------------------------- + +1) This release expands upon the concept of 'Shorewall Variables' + that was introduced in 4.5.10 with the creation of '@0' in SWITCH + columns. Beginning with 4.5.10, '@0' (or '@{0}') in a SWITCH column + expands to the name of the current chain. + + In this release, the Shorewall variables @loglevel and @logtag + are added. These variables are only available within action bodies + (both regular and in-line). + + Their contents are: + + @loglevel + + The log level specified when the action was invoked. If no + level was specified, @loglevel expands to 'none'. + + @logtag + + The log tag specified when the action was invoked. If no tag + was specified, @logtag expands to an empty string. + + @1, @2, ... + + Same as $1, $2, ... + + Additionally, @chain has been added as a synonym for @0. Remember + that, unlike $0, non-alphanumeric charaters other than '_' have + been removed from @0. + +2) Action variables ($0, $1,...$n) and Shorewall variables are now + available in ?IF and ?ELSIF directives. + +3) A 'nolog' option has been added to /etc/shorewall[6]/actions. 
This + option causes the compiler to forego adding the log level and log + tag from the action invocation to those rules within the body that + do not specify a tag and/or level. + +3) An 'IGNOREUNKNOWNVARIABLES' option has been added to + /etc/shorewall[6]/shorewall[6].conf. When set to 'Yes', this option + instructs the compiler to expand unknown shell variables and + action parameters to an empty string rather than raising an error. + +4) ?SET and ?RESET directives are now available: + + ?SET <variable> <value> + ?RESET <variable> + + To cater to both Shell and Perl programmers, the <variable> may + be entered with or without leading '$'. + + The ?SET command sets the named <variable> to the specified + <value> where <value> is a Perl-compatible expression. + + The ?RESET command deletes the named <variable> from the compiler's + variable table. + + Shorewall variables (@chain, @loglevel,...) and action parameters + ($1, $2,...) are read-only and their values may not be changed + (although action parameter values may be changed using Embedded + Perl). + +5) This release introduces user-defined address variables. Address + variables are used at run-time rather than at compile-time. Prior + to this release, two types of address variables were available: + + &<interface> Expands to the primary IP address of + <interface> + + %<interface> Expands to the IP address of the default + gateway out of <interface> + + The two new types added in this release are distinguished by the + use of "{....}". + + &{<variable>} Address contained in run-time variable + <variable>. The named shell variable must + contain a valid IP address, either from the + generated script's environment or from having + been set in the generated script's 'init' + extension script. If the variable is empty or + if its contents are not a valid IP address, an + error is raised and the state of the firewall + is not changed. + + %{<variable>} Address contained in run-time variable + <variable>. 
If the named variable is empty, + the generated script sets it to the all-zeros + address (0.0.0.0 in IPv4 and :: in IPv6). When + this variable appears in a SOURCE or + DESTINATION column of any configuration file, + or if it appears in the ADDRESSES column of + the masq file, then no rule is generated when + the address variable is empty. Otherwise, the + rule is generated with the all-zeros address + replacing the variable. As above, if the + variable is non-empty and if it does not + contain a valid IP address, an error is raised + and the firewall state is unchanged. + +6) The output of 'show [-f] capabities' is now sorted to make + individual capabities easier to find. + +7) Beginning with this release, ?FORMAT is preferred over FORMAT for + specifying the format of records in these configuration files: + + action.* files + conntrack + interface + macro.* files + tcrules + + While deprecated, FORMAT (without the '?') is still supported. + + Also, ?COMMENT is preferred over COMMENT for attaching comments to + generated netfilter rules in the following files. + + accounting + action.* files + blrules files + conntrack + macro.* files + masq + nat + rules + secmarks + tcrules + tunnels + + When one of the deprecated forms is encountered, a warning message + is issued. + + Example: + + WARNING: 'FORMAT' is deprecated in favor of '?FORMAT' - + consider running 'shorewall update -D'. + + As the warning indicates, 'update -D' will traverse the CONFIG_PATH + replacing FORMAT and COMMENT lines with ?FORMAT and ?COMMENT + directives respectively. The original version of modified files + will be saved with a .bak suffix. + + During the update, .bak files are skipped as are files in + ${SHAREDIR}/shorewall and ${SHAREDIR}/shorewall6. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 5 . 
1 0 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.11.2/shorewall-init.service new/shorewall-init-4.5.13/shorewall-init.service --- old/shorewall-init-4.5.11.2/shorewall-init.service 2012-12-31 17:00:04.000000000 +0100 +++ new/shorewall-init-4.5.13/shorewall-init.service 2013-02-11 14:58:01.000000000 +0100 @@ -13,8 +13,8 @@ RemainAfterExit=yes EnvironmentFile=-/etc/sysconfig/shorewall-init StandardOutput=syslog -ExecStart=/sbin/shorewall-init $OPTIONS start -ExecStop=/sbin/shorewall-init $OPTIONS stop +ExecStart=/shorewall-init $OPTIONS start +ExecStop=/shorewall-init $OPTIONS stop [Install] WantedBy=multi-user.target diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.11.2/shorewall-init.spec new/shorewall-init-4.5.13/shorewall-init.spec --- old/shorewall-init-4.5.11.2/shorewall-init.spec 2012-12-31 17:29:00.000000000 +0100 +++ new/shorewall-init-4.5.13/shorewall-init.spec 2013-02-11 14:59:59.000000000 +0100 @@ -1,6 +1,6 @@ %define name shorewall-init -%define version 4.5.11 -%define release 2 +%define version 4.5.13 +%define release 0base Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} 
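Review bot: in the releasenotes hunk that ends here (@@ -373,13 +380,346 @@), the first "N E W F E A T U R E S I N 4 . 5 . 1 1" heading is mislabelled: the items under it (WARNOLDCAPVERSION, FQ CODEL, arptables support, the LOGTAGONLY change, RELATED chains, protocol lists, terminating rules, macro.ActiveDir) are the 4.5.12 changes according to the changelog.txt hunk later in this patch (4.5.12 Beta 1 adds WARNOLDCAPVERSION, Beta 2 fq_codel, Beta 3 arptables, Beta 4 the LOGTAGONLY change), and the same heading appears a second time for the genuine 4.5.11 features (Shorewall variables, ?SET/?RESET, address variables), so the first one should read 4 . 5 . 1 2. Other points in the same hunk: item 8 under PROBLEMS CORRECTED IN 4.5.12 promises "the following Perl diagnostic" but no diagnostic text follows; the second NEW FEATURES list numbers two consecutive items "3)" ('nolog' and IGNOREUNKNOWNVARIABLES), so items 3 onward need renumbering; in item 8 of the 4.5.12 notes the final entry "A chain with no RETURN statements and whose last rule is terminating." is run into the list of target names without a separating blank line and reads as another target; and the typos "non-existant", "capabities" (twice), "charaters" and "When an terminating rule" should be fixed.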
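Review bot: the shorewall-init.service hunk changes ExecStart and ExecStop from /sbin/shorewall-init to /shorewall-init, which is the filesystem root; nothing in this unit places the binary there, and the shorewallrc.archlinux change in this same patch moves administration programs to SBINDIR=/usr/sbin. Unless the installer substitutes the directory into this file, systemd will fail both start and stop, which leaves the firewall unconfigured at boot on systems that rely on this unit. Either keep an absolute path here or use an explicit placeholder that the install step rewrites from ${SBINDIR}.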
@@ -125,12 +125,36 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Fri Feb 08 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.13-0base +* Mon Feb 04 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.13-0RC3 +* Sun Feb 03 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.13-0RC2 +* Thu Jan 31 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.13-0RC1 +* Tue Jan 29 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.13-0Beta4 +* Mon Jan 21 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.13-0Beta3 +* Sun Jan 20 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.13-0Beta2 +* Tue Jan 15 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.13-0Beta1 +* Tue Jan 15 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.12-0base +* Thu Jan 10 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.12-0RC1 +* Tue Jan 08 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.12-0Beta5 +* Sat Jan 05 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.12-0Beta4 * Mon Dec 31 2012 Tom Eastep tom@shorewall.net -- Updated to 4.5.11-2 -* Fri Dec 28 2012 Tom Eastep tom@shorewall.net -- Updated to 4.5.11-1 +- Updated to 4.5.12-0Beta3 +* Thu Dec 27 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.12-0Beta2 * Wed Dec 26 2012 Tom Eastep tom@shorewall.net -- Updated to 4.5.11-0base +- Updated to 4.5.12-0Beta1 * Wed Dec 19 2012 Tom Eastep tom@shorewall.net - Updated to 4.5.11-0RC1 * Thu Dec 13 2012 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.11.2/shorewallrc.archlinux new/shorewall-init-4.5.13/shorewallrc.archlinux --- old/shorewall-init-4.5.11.2/shorewallrc.archlinux 2012-12-31 17:29:00.000000000 +0100 +++ new/shorewall-init-4.5.13/shorewallrc.archlinux 2013-02-11 14:59:59.000000000 +0100 
@@ -1,21 +1,21 @@ # -# Archlinux Shorewall 4.5 rc file +# Arch Linux Shorewall 4.5 rc file # -BUILD=archlinux +BUILD= #Default is to detect the build system HOST=archlinux PREFIX=/usr #Top-level directory for shared files, libraries, etc. SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory CONFDIR=/etc #Directory where subsystem configurations are installed -SBINDIR=/sbin #Directory where system administration programs are installed +SBINDIR=/usr/sbin #Directory where system administration programs are installed MANDIR=${SHAREDIR}/man #Directory where manpages are installed. -INITDIR=/etc/rc.d #Directory where SysV init scripts are installed. -INITFILE=$PRODUCT #Name of the product's installed SysV init script -INITSOURCE=init.sh #Name of the distributed file to be installed as the SysV init script +INITDIR= #Directory where SysV init scripts are installed. +INITFILE= #Name of the product's installed SysV init script +INITSOURCE= #Name of the distributed file to be installed as the SysV init script ANNOTATED= #If non-zero, annotated configuration files are installed SYSCONFDIR= #Directory where SysV init parameter files are installed -SYSTEMD= #Directory where .service files are installed (systems running systemd only) +SYSTEMD=/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only) SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR VARLIB=/var/lib #Directory where product variable data is stored. VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.11.2/uninstall.sh new/shorewall-init-4.5.13/uninstall.sh --- old/shorewall-init-4.5.11.2/uninstall.sh 2012-12-31 17:29:00.000000000 +0100 +++ new/shorewall-init-4.5.13/uninstall.sh 2013-02-11 14:59:59.000000000 +0100 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.5.11.2 +VERSION=4.5.13 usage() # $1 = exit status { ++++++ shorewall-lite-4.5.11.2.tar.bz2 -> shorewall-lite-4.5.13.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.11.2/changelog.txt new/shorewall-lite-4.5.13/changelog.txt --- old/shorewall-lite-4.5.11.2/changelog.txt 2012-12-31 17:29:00.000000000 +0100 +++ new/shorewall-lite-4.5.13/changelog.txt 2013-02-11 14:59:59.000000000 +0100 
@@ -1,16 +1,192 @@ -Changes in 4.5.11.2 +Changes in 4.5.13 Final. 1) Update release documents. -2) Correct modules.xtables. +2) Correct action.TCPFlags. -Changes in 4.5.11.1 +3) Allow parameters to be omitted in action invocations. -1) Update release documents +4) Fix reset_optflags(). -2) Avoid invalid function name to start optional interface. +5) Correct handling of numbers in simple arithmetic expressions. -3) Add modules from xtables-addons to modules.xtables +6) Correct inline default actions with parameters. + +Changes in 4.5.13 RC 3. + +1) Update release documents. + +2) Handle RETURN correctly in a state chain. + +3) Correct a syntax error in action.Untracked + +4) Remove cruft from two action files. + +5) Use -j unconditionally to branch to a state chain/disposition. + +6) More tweaks in check_state(). + +7) Convert the legacy dropInvalid and allowInvalid actions to inline + actions. + +Changes in 4.5.13 RC 2. + +1) Update release documents. + +2) Fix the state action.* files. + +3) Correct state rule generation and rule combining. + +Changes in 4.5.13 RC 1. + +1) Update release documents. + +2) Apply Evangelos Foutras's Arch Linux patches. + +3) Remove requirement that the $state argument ends with a space. + +4) Update Shorewall6 actions.std + +5) Allow specification of the action type via perl_action_helper(). + +6) Simplify Perl actions even further. + +7) Correct handling of audited dispositions. + +8) Detect some state conflicts. + +9) Add New action. + +10) Delete imports of process_rule1. + +11) Correct behavior when @chain is altered. + +12) Documentation clarifications. + +13) Handle port numbers passed to the tcp-specific actions. + +14) Fix handling of normal actions in perl_action_tcp_helper(). + +15) Handle UNTRACKED_DISPOSITION=ACCEPT correctly. + +Changes in 4.5.13 Beta 4. + +1) Update release documents. + +2) Update module version. + +3) Favor shorter less-complex chain names in Optimize 8. 
+ +4) Handle chains ending with RETURN in Optimize 4. + +5) Call handle_first_entry() before issuing a warning or error + message. + +6) Allow inline actions to use BEGIN PERL .... END PERL + +7) Make some of the standard actions inlined. + +8) Replace BLACKLISTNEWONLY with BLACKLIST + +Changes in 4.5.13 Beta 3. + +1) Update release documents. + +2) Correct chain completion. + +3) Correct handling of audited RELATED_DISPOSITION + +4) Make optimize 8 a multi-pass operation. + +5) Implement the INVALID and NOTRACK rules sections. + +Changes in 4.5.13 Beta 2. + +1) Update release documents. + +2) Allow RESET of Shorewall variables. + +3) Fix use of Shorewall variables in a default action. + +Changes in 4.5.13 Beta 2. + +1) Update release documents. + +2) Add DEFER_DNS_RESOLUTION configuration option. + +3) Make Shorewall variables writable and use them to generate the log + prefix. + +Changes in 4.5.12 RC 1 + +1) Update release documents. + +2) Fix an old optimizer bug. + +3) Avoid fatal Perl run-time error if an error is raised while + compiling a default action. + +4) Correct handling of rules in the ESTABLISHED section. + +5) Restore the ability to use DNS names without an interface name. + +Changes in 4.5.12 Beta 5 + +1) Update release documents. + +2) Support protocol lists in most files. + +3) Detect and optimize for terminating rules. + +4) Make CLEAR_TC work on interfaces with an @xxxxx suffix in their + names. + +Changes in 4.5.12 Beta 4 + +1) Update release documents. + +2) Fix a lot of bugs in arptables support + +3) Make '+' optional in the ADD and deL statements. + +4) Don't add --cstate to dropInvalid rule + +5) Make inline actions work in sections other than NEW + +6) Change the interpretation of the log tag when LOGTAGONLY=Yes + +7) Generate error when a protocol list appears in the wrong context. + +Changes in 4.5.12 Beta 3 + +1) Merge defect repair from 4.5.11.2 + +2) Correct two defects in 'update -D'. 
+ +3) Add arptables support + +Changes in 4.5.12 Beta 2 + +1) Update release documents. + +2) Avoid invalid function names involving optional interfaces (from + 4.5.11.1). + +3) Correct handling of wildcards whose root matches another interface. + +4) Add support for fq_codel. + +Changes in 4.5.12 Beta 1 + +1) Update release documents. + +2) Add the xtables-addons modules to modules.xtables. + +3) Add the 'WARNOLDCAPVERSION' option. + +4) Finish centralizing the handling of 'COMMENT' and 'FORMAT'. + +5) Ignore COMMENTs when deleting duplicate rules. Changes in 4.5.11 Final diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.11.2/configure new/shorewall-lite-4.5.13/configure --- old/shorewall-lite-4.5.11.2/configure 2012-12-31 17:29:00.000000000 +0100 +++ new/shorewall-lite-4.5.13/configure 2013-02-11 14:59:59.000000000 +0100 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.5.11.2 +VERSION=4.5.13 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.11.2/configure.pl new/shorewall-lite-4.5.13/configure.pl --- old/shorewall-lite-4.5.11.2/configure.pl 2012-12-31 17:29:00.000000000 +0100 +++ new/shorewall-lite-4.5.13/configure.pl 2013-02-11 14:59:59.000000000 +0100 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.5.11.2' + VERSION => '4.5.13' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.11.2/init.archlinux.sh new/shorewall-lite-4.5.13/init.archlinux.sh --- old/shorewall-lite-4.5.11.2/init.archlinux.sh 2012-12-31 17:00:04.000000000 +0100 +++ new/shorewall-lite-4.5.13/init.archlinux.sh 1970-01-01 01:00:00.000000000 +0100 
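Review bot: in the changelog.txt hunk that ends here, the heading "Changes in 4.5.13 Beta 2." appears twice; the second block (DEFER_DNS_RESOLUTION, writable Shorewall variables used for the log prefix) precedes the 4.5.12 RC 1 entries and should be "Changes in 4.5.13 Beta 1.", otherwise the Beta 1 changes are unrecorded. Also, "Make '+' optional in the ADD and deL statements" under 4.5.12 Beta 4 should read "DEL", and the "Changes in 4.5.13 Final." block lists "Fix reset_optflags()." without saying what was wrong, which is thin for a Final entry compared with the rest of the list.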
@@ -1,58 +0,0 @@ -#!/bin/bash - -OPTIONS="-f" - -if [ -f /etc/sysconfig/shorewall ] ; then - . /etc/sysconfig/shorewall -elif [ -f /etc/default/shorewall ] ; then - . /etc/default/shorewall -fi - -# if you want to override options, do so in /etc/sysconfig/shorewall or -# in /etc/default/shorewall -- -# i strongly encourage you use the latter, since /etc/sysconfig/ does not exist. - -. /etc/rc.conf -. /etc/rc.d/functions - -DAEMON_NAME="shorewall" # of course shorewall is NOT a deamon. - -case "$1" in - start) - stat_busy "Starting $DAEMON_NAME" - /sbin/shorewall-lite $OPTIONS start &>/dev/null - if [ $? -gt 0 ]; then - stat_fail - else - add_daemon $DAEMON_NAME - stat_done - fi - ;; - - - stop) - stat_busy "Stopping $DAEMON_NAME" - /sbin/shorewall-lite stop &>/dev/null - if [ $? -gt 0 ]; then - stat_fail - else - rm_daemon $DAEMON_NAME - stat_done - fi - ;; - - restart|reload) - stat_busy "Restarting $DAEMON_NAME" - /sbin/shorewall-lite restart &>/dev/null - if [ $? -gt 0 ]; then - stat_fail - else - stat_done - fi - ;; - - *) - echo "usage: $0 {start|stop|restart}" -esac -exit 0 - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.11.2/install.sh new/shorewall-lite-4.5.13/install.sh --- old/shorewall-lite-4.5.11.2/install.sh 2012-12-31 17:29:00.000000000 +0100 +++ new/shorewall-lite-4.5.13/install.sh 2013-02-11 14:59:59.000000000 +0100 @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.5.11.2 +VERSION=4.5.13 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.11.2/manpages/shorewall-lite-vardir.5 new/shorewall-lite-4.5.13/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-4.5.11.2/manpages/shorewall-lite-vardir.5 2012-12-31 17:34:37.000000000 +0100 +++ new/shorewall-lite-4.5.13/manpages/shorewall-lite-vardir.5 2013-02-11 15:05:44.000000000 +0100 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.75.2 http://docbook.sf.net/ -.\" Date: 12/31/2012 +.\" Date: 02/11/2013 .\" Manual: [FIXME: manual] .\" Source: [FIXME: source] .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "12/31/2012" "[FIXME: source]" "[FIXME: manual]" +.TH "SHOREWALL\-LITE\-VAR" "5" "02/11/2013" "[FIXME: source]" "[FIXME: manual]" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.11.2/manpages/shorewall-lite.8 new/shorewall-lite-4.5.13/manpages/shorewall-lite.8 --- old/shorewall-lite-4.5.11.2/manpages/shorewall-lite.8 2012-12-31 17:34:39.000000000 +0100 +++ new/shorewall-lite-4.5.13/manpages/shorewall-lite.8 2013-02-11 15:05:46.000000000 +0100 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.75.2 http://docbook.sf.net/ -.\" Date: 12/31/2012 +.\" Date: 02/11/2013 .\" Manual: [FIXME: manual] .\" Source: [FIXME: source] .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "12/31/2012" "[FIXME: source]" "[FIXME: manual]" +.TH "SHOREWALL\-LITE" "8" "02/11/2013" "[FIXME: source]" "[FIXME: manual]" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.11.2/manpages/shorewall-lite.conf.5 new/shorewall-lite-4.5.13/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-4.5.11.2/manpages/shorewall-lite.conf.5 2012-12-31 17:34:35.000000000 +0100 +++ new/shorewall-lite-4.5.13/manpages/shorewall-lite.conf.5 2013-02-11 15:05:42.000000000 +0100 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.75.2 http://docbook.sf.net/ -.\" Date: 12/31/2012 +.\" Date: 02/11/2013 .\" Manual: [FIXME: manual] .\" Source: [FIXME: source] .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "12/31/2012" "[FIXME: source]" "[FIXME: manual]" +.TH "SHOREWALL\-LITE\&.CO" "5" "02/11/2013" "[FIXME: source]" "[FIXME: manual]" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.11.2/modules.tc new/shorewall-lite-4.5.13/modules.tc --- old/shorewall-lite-4.5.11.2/modules.tc 2012-12-31 17:29:00.000000000 +0100 +++ new/shorewall-lite-4.5.13/modules.tc 2013-02-11 14:59:59.000000000 +0100 @@ -19,6 +19,7 @@ loadmodule sch_htb loadmodule sch_prio loadmodule sch_tbf +loadmodule sch_fq_codel loadmodule cls_u32 loadmodule cls_fw loadmodule cls_flow diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.11.2/modules.xtables new/shorewall-lite-4.5.13/modules.xtables --- old/shorewall-lite-4.5.11.2/modules.xtables 2012-12-31 17:29:00.000000000 +0100 +++ new/shorewall-lite-4.5.13/modules.xtables 2013-02-11 14:59:59.000000000 +0100 
@@ -36,7 +36,11 @@ loadmodule xt_owner loadmodule xt_physdev loadmodule xt_pkttype +loadmodule xt_policy +loadmodule xt_sctp loadmodule xt_tcpmss +loadmodule xt_TCPMSS +loadmodule xt_time loadmodule xt_IPMARK loadmodule xt_TPROXY # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.11.2/releasenotes.txt new/shorewall-lite-4.5.13/releasenotes.txt --- old/shorewall-lite-4.5.11.2/releasenotes.txt 2012-12-31 17:29:00.000000000 +0100 +++ new/shorewall-lite-4.5.13/releasenotes.txt 2013-02-11 14:59:59.000000000 +0100 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 5 . 1 1 . 2 + S H O R E W A L L 4 . 5 . 1 3 ------------------------------------ - D e c e m b e r 3 1 , 2 0 1 2 + F e b r u a r y 1 1 , 2 0 1 3 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
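Review bot: in the modules.xtables hunk, the added xt_TCPMSS line directly after the existing xt_tcpmss is not a duplicate: xt_tcpmss is the tcpmss match and xt_TCPMSS is the TCPMSS target (MSS clamping), and module names are case-sensitive, so a short comment next to the pair would stop a later cleanup from dropping one of them. The other additions (xt_policy for the IPsec policy match, xt_sctp, xt_time) are fine.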
@@ -15,26 +15,20 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.5.11.2 - -1) Corrected fix 2 from 4.5.11.1. - -4.5.11.1 - -1) Beginning with Shorewall 4.5.10, if the name of an optional - interface contained one or more characters that are not valid in a - shell function name, then the generated script would fail with a - "syntax error: bad function name" shell diagnostic. - - That problem has been corrected so that a valid function name is - generated. - -2) The kernel modules supplied by xtables-addons are now listed in the - modules.xtables files. They were previously omitted. - -4.5.11 - -1) This release includes the defect repair from Shorewall 4.5.10.1. +1) If a chain consisted of a single RETURN rule, optimize level 4 + would handle it incorrectly by moving the RETURN rule to the + chain(s) that jumped to the single-rule chain. The optimizer now + simply eliminates the chain and rule. + + As part of this change, the optimizer now deletes trailing RETURN + rules from chains. + +2) If a default inline action was specified with parameters, the + compiler would fail with an internal error. + +3) The compiler was mis-handling simple arithmetic expressions + consisting of a single number, evaluating the number as '' rather + than as its numberic value. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -47,149 +41,162 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) This release expands upon the concept of 'Shorewall Variables' - that was introduced in 4.5.10 with the creation of '@0' in SWITCH - columns. Beginning with 4.5.10, '@0' (or '@{0}') in a SWITCH column - expands to the name of the current chain. +1) A new DEFER_DNS_RESOLUTION option has been added to shorewall.conf. - In this release, the Shorewall variables @loglevel and @logtag - are added. These variables are only available within action bodies - (both regular and in-line). + Up to this time, when a DNS name appears in the SOURCE, DEST or + ORIGINAL DEST column of a configuration file, the compiler verifies + that the name can be resolved and then passes the name on to the + generated script. This means that ip[6]tables-restore must resolve + the name when the script runs. - Their contents are: + When DEFER_DNS_RESOLUTION=Yes (the default) this old behavior is + retained. When DEFER_DNS_RESOLUTION=No, the compiler resolves the + name and uses the address(es) in the generated script. - @loglevel - - The log level specified when the action was invoked. If no - level was specified, @loglevel expands to 'none'. +2) The '@' Shorewall variables are now writable using the ?SET directive. - @logtag + The variables are now also used when generating the contents of + --log-prefix in logging rules. Within an action body, the two + fields in the --log-prefix are: - The log tag specified when the action was invoked. If no tag - was specified, @logtag expands to an empty string. + @chain -- Existing variable. + @disposition -- New variable. - @1, @2, ... + When either of these are undefined or empty, the compiler uses + the same value as previously. - Same as $1, $2, ... + When a non-inlined action is entered, @disposition is given the + empty value. When an inline action is entered, @disposition is not + altered. 
- Additionally, @chain has been added as a synonym for @0. Remember - that, unlike $0, non-alphanumeric charaters other than '_' have - been removed from @0. + Also added is a @caller variable which names the chain or action + which invoked the action. -2) Action variables ($0, $1,...$n) and Shorewall variables are now - available in ?IF and ?ELSIF directives. + When any action is exited, the variables revert to their values + when the action was entered. -3) A 'nolog' option has been added to /etc/shorewall[6]/actions. This - option causes the compiler to forego adding the log level and log - tag from the action invocation to those rules within the body that - do not specify a tag and/or level. + When RESET, the named Shorewall variables are not removed from the + variable table but are rather set to the empty value. -3) An 'IGNOREUNKNOWNVARIABLES' option has been added to - /etc/shorewall[6]/shorewall[6].conf. When set to 'Yes', this option - instructs the compiler to expand unknown shell variables and - action parameters to an empty string rather than raising an error. +3) Optimize level 8 now makes multiple passes of each table. -4) ?SET and ?RESET directives are now available: +4) There are now two new sections in the rules file: - ?SET <variable> <value> - ?RESET <variable> + INVALID - To cater to both Shell and Perl programmers, the <variable> may - be entered with or without leading '$'. + Allows definition of rules to be applied to packets in the + INVALID connection state. - The ?SET command sets the named <variable> to the specified - <value> where <value> is a Perl-compatible expression. + UNTRACKED - The ?RESET command deletes the named <variable> from the compiler's - variable table. + Allows definition of rules to be applied to packets in the + UNTRACKED connection state (due to entries in the conntrack + file). - Shorewall variables (@chain, @loglevel,...) and action parameters - ($1, $2,...) 
are read-only and their values may not be changed - (although action parameter values may be changed using Embedded - Perl). + The implementation of these sections is modeled after that of the + RELATED section. There are options in shorewall.conf + (shorewall6.conf) that control the disposition and logging of + packets that fail to match any of the rules in the section. -5) This release introduces user-defined address variables. Address - variables are used at run-time rather than at compile-time. Prior - to this release, two types of address variables were available: + INVALID_DISPOSITION - &<interface> Expands to the primary IP address of - <interface> + Valid values are CONTINUE, DROP, REJECT, and A_DROP. - %<interface> Expands to the IP address of the default - gateway out of <interface> + The default is CONTINUE, which provides compatibility with + earlier releases (the packets are subject to the rules in + the NEW section). - The two new types added in this release are distinguished by the - use of "{....}". + INVALID_LOG_LEVEL. - &{<variable>} Address contained in run-time variable - <variable>. The named shell variable must - contain a valid IP address, either from the - generated script's environment or from having - been set in the generated script's 'init' - extension script. If the variable is empty or - if its contents are not a valid IP address, an - error is raised and the state of the firewall - is not changed. + Determines logging of packets handled by + INVALID_DISPOSITION. Empty by default (no logginig). - %{<variable>} Address contained in run-time variable - <variable>. If the named variable is empty, - the generated script sets it to the all-zeros - address (0.0.0.0 in IPv4 and :: in IPv6). When - this variable appears in a SOURCE or - DESTINATION column of any configuration file, - or if it appears in the ADDRESSES column of - the masq file, then no rule is generated when - the address variable is empty. 
Otherwise, the - rule is generated with the all-zeros address - replacing the variable. As above, if the - variable is non-empty and if it does not - contain a valid IP address, an error is raised - and the firewall state is unchanged. + UNTRACKED_DISPOSITION -6) The output of 'show [-f] capabities' is now sorted to make - individual capabities easier to find. + Valid values are CONTINUE, ACCEPT, DROP, REJECT, A_ACCEPT + and A_DROP. -7) Beginning with this release, ?FORMAT is preferred over FORMAT for - specifying the format of records in these configuration files: + The default is CONTINUE, which provides compatibility with + earlier releases (the packets are subject to the rules in + the NEW section). - action.* files - conntrack - interface - macro.* files - tcrules + UNTRACKED_LOG_LEVEL. - While deprecated, FORMAT (without the '?') is still supported. + Determines logging of packets handled by + NOTRACK_DISPOSITION. Empty by default (no logging). - Also, ?COMMENT is preferred over COMMENT for attaching comments to - generated netfilter rules in the following files. + The new order of sections in the rules files is: - accounting - action.* files - blrules files - conntrack - macro.* files - masq - nat - rules - secmarks - tcrules - tunnels + ALL + ESTABLISHED + RELATED + INVALID + UNTRACKED + NEW - When one of the deprecated forms is encountered, a warning message - is issued. +5) There are now 'Related', 'Untracked', 'Established' and 'New' + actions that match packets in the RELATED, UNTRACKED, ESTABLISHED + and NEW states respectively. - Example: + These actions are in-line and have a single parameter that + specifies the action to be taken. The action may be anything that + is valid in the ACTION column of the rules file. - WARNING: 'FORMAT' is deprecated in favor of '?FORMAT' - - consider running 'shorewall update -D'. 
+ As part of this change, action.Invalid, action.NotSyn and + action.RST are also inline and can accept an arbitrary action as an + argument. The 'audit' parameter, while still accepted, is + deprecated in favor of passing 'A_ACCEPT' etc. directly to the + inline. - As the warning indicates, 'update -D' will traverse the CONFIG_PATH - replacing FORMAT and COMMENT lines with ?FORMAT and ?COMMENT - directives respectively. The original version of modified files - will be saved with a .bak suffix. + The TCPFlags action may also now be inlined, although it is not + inlined by default. - During the update, .bak files are skipped as are files in - ${SHAREDIR}/shorewall and ${SHAREDIR}/shorewall6. +6) The preceding enhancement required infrastructure for allowing + BEGIN PERL...END PERL to function in the body of an inline action. + + use Shorewall::Rules; + + perl_action_helper( $target, $matches ) + + $target is the target of the rule and may include log level and + tag (e.g, 'DROP:info:foo'). + + $matches is a string containing one or more ip[6]tables + matches. + + Example: "-m conntrack --state ESTABLISHED". + + The function returns true. + + This function may be called in both inline and regular actions. In + an inline action, the matches from the invoking rule (SOURCE, DEST, + etc) are applied (in addition to the match(s) passed). In a regular + action only the passed matches are applied to the rule. + +7) To allow finer-grained selection of the connection-tracking states + that are passed through blacklists (both dynamic and static), a + BLACKLIST option has been added in shorewall.conf and + shorewall6.conf. + + The BLACKLISTNEWONLY option is now deprecated. A 'shorewall update' + ( 'shorewall6 update' ) will replace the BLACKLISTNEWONLY option + with the equivalent BLACKLIST option. + +8) The shorewallrc.archlinux file now assumes that systemd is + installed (Evangelos Foutras). 
+ +9) When the 'CONNTRACK match' capability is present (as it is in all + current distros), optimize level 16 now combines adjacent rules + that differ only in the conntrack states matched. + +10) The legacy 'dropInvalid' and 'allowInvalid' builtin actions have + been converted to inline actions that invoke the Invalid action. + +11) Parameters may now be omitted in action invocations. The following + two invocations are equivalent: + + ACTION(-,foo,-,-) + ACTION(,FOO,,) ---------------------------------------------------------------------------- V. M I G R A T I O N I S S U E S 
@@ -373,13 +380,346 @@ directives respectively. The original version of modified files will be saved with a .bak suffix. - During the update, .bak files are skipped as are files in ${SHAREDIR}/shorewall and ${SHAREDIR}/shorewall6. +15) To allow finer-grained selection of the connection-tracking states + that are passed through blacklists (both dynamic and static), a + BLACKLIST option was added to shorewall.conf and shorewall6.conf in + Shorewall 4.5.13. + + The BLACKLISTNEWONLY option was deprecated at that point. A + 'shorewall update' ( 'shorewall6 update' ) will replace the + BLACKLISTNEWONLY option with the equivalent BLACKLIST option. + ---------------------------------------------------------------------------- V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 5 . 1 2 +---------------------------------------------------------------------------- +1) This release contains the defect repairs from Shorewall 4.5.11.1 + and 4.5.11.2. + +2) Two defects associated with 'update -D' have been corrected. + + - shorewall.conf.bak is no longer deleted. + - files that are not changed no longer have their mtime updated. + +3) Inline actions in the RELATED and ESTABLISHED sections now work + correctly. + +4) The 'dropInvalid' built-in function now works correctly. + +5) The compiler now generates an error when a protocol list is used in + a context where only a single protocol name/number is accepted. + +6) The generated script now correctly deletes Traffic Control + configurations when CLEAR_TC=Yes. Previously, the configurations on + interfaces with a '@xxxxxx' suffix in their names were not cleared. + +7) Under very rare circumstances, optimize level 4 could leave a rule + that jumped to a non-existant chain, causing iptables-restore to + fail. 
+ +8) If an error was raised while compiling a default action, the + following Perl diagnostic could appear and the Shorewall error + message would not be printed. + +9) It is once again possible to use DNS names in rules without an + interface name. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 5 . 1 1 +---------------------------------------------------------------------------- + +1) The rules compiler has traditionally issued a warning when the + version of /etc/shorewall[6]/capabilities is less than the version + supported by the compiler. This warning may be suppressed by + setting the new option 'WARNOLDCAPVERSION' to 'No' in + shorewall[6].conf. + +2) The compiler now ignores '-m comment' differences when deleting + duplicate rules under optimization level 16. + +3) Support has been added for the FQ CODEL (Fair-queuing + Controlled-delay) queuing discipline. See shorewall-tcclasses (5) + and shorewall6-tcclasses (5) for details. + +4) Support for arptables has been added to Shorewall and Shorewall + Lite. + + - Both classic arptables and arptables_jf (fork maintained by Jay + Fenlason) + + - There is now an ARPTABLES option in the shorewall.conf file to + specify the path to the arptables binary. + + - An arprules file has been added to allow specification of + arptables rules. See shorewall-arprules (5) for details. + + - A 'show arptables' command has been added to show the active + arptables rules. + + - arptables rules are saved and restored by the save and restore + commands if the new option SAVE_ARPTABLES is set to Yes in + shorewall.conf. + + - arptables rules are displayed in the 'dump' command. + + As part of this change, a new capability ('Arptables JF') has been + added. If you use a capabilities file, you should regenerate it + after installing this version. + +5) The interpretation of the log tag when LOGTAGONLY=Yes is changed. 
+ Previously, the log tag replaced the chain name in the generated + log prefix. Now, the tag is interpreted as a chain name and a + disposition separated by a comma. + + So this rule: + + LOG:info:foo,bar + + will generate the following log prefix when using the default + LOGFORMAT setting: + + Shorewall:foo:bar: + + Similarly, + + LOG:info:,bar net fw + + will generate + + Shorewall:net2fw:bar: + +6) Rules generated by the RELATED section of the rules file are now in + separate chains. For each pair of zones (za,zb), RELATED + connections are handled by a chain whose name is "+za2zb" + (ZONE_SEPARATOR=2) or "+za-zb" (ZONE_SEPARATOR='-'). This results + in only one state match to jump to the new chain rather than a + state match for every rule in the section. + +7) Protocol lists are now supported in the PROTO columns of the + following additional files: + + accounting + conntrack + masq + secmarks + stoppedrules + tcfilters + tcpri + tcrules + +8) When an terminating rule is added to the end of a chain, the + Compiler now marks that chain as 'complete' and inhibits the + appending of any additional rules. + + A terminating rule is one that has no matches and either uses '-g' + (goto) or is a jump to one of the following: + + ACCEPT + DROP + RETURN + QUEUE + CLASSIFY + CT + DNAT + MASQUERADE + NETMAP + NFQUEUE + NOTRACK + REDIRECT + RAWDNAT + RAWSNAT + REJECT + SAME + SNAT + TPROXY + A chain with no RETURN statements and whose last rule is + terminating. + + + Additionally, when optimize level 4 is selected, chains that + contain a single RETURN rule are optimized away. + +9) Eric Teeter has contributed macro.ActiveDir, a macro that handles + Samba 4 active directory. + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 5 . 1 1 +---------------------------------------------------------------------------- + +4.5.11.2 + +1) Corrected fix 2 from 4.5.11.1. 
+ +4.5.11.1 + +1) Beginning with Shorewall 4.5.10, if the name of an optional + interface contained one or more characters that are not valid in a + shell function name, then the generated script would fail with a + "syntax error: bad function name" shell diagnostic. + + That problem has been corrected so that a valid function name is + generated. + +2) The kernel modules supplied by xtables-addons are now listed in the + modules.xtables files. They were previously omitted. + +4.5.11 + +1) This release includes the defect repair from Shorewall 4.5.10.1. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 5 . 1 1 +---------------------------------------------------------------------------- + +1) This release expands upon the concept of 'Shorewall Variables' + that was introduced in 4.5.10 with the creation of '@0' in SWITCH + columns. Beginning with 4.5.10, '@0' (or '@{0}') in a SWITCH column + expands to the name of the current chain. + + In this release, the Shorewall variables @loglevel and @logtag + are added. These variables are only available within action bodies + (both regular and in-line). + + Their contents are: + + @loglevel + + The log level specified when the action was invoked. If no + level was specified, @loglevel expands to 'none'. + + @logtag + + The log tag specified when the action was invoked. If no tag + was specified, @logtag expands to an empty string. + + @1, @2, ... + + Same as $1, $2, ... + + Additionally, @chain has been added as a synonym for @0. Remember + that, unlike $0, non-alphanumeric charaters other than '_' have + been removed from @0. + +2) Action variables ($0, $1,...$n) and Shorewall variables are now + available in ?IF and ?ELSIF directives. + +3) A 'nolog' option has been added to /etc/shorewall[6]/actions. 
This + option causes the compiler to forego adding the log level and log + tag from the action invocation to those rules within the body that + do not specify a tag and/or level. + +3) An 'IGNOREUNKNOWNVARIABLES' option has been added to + /etc/shorewall[6]/shorewall[6].conf. When set to 'Yes', this option + instructs the compiler to expand unknown shell variables and + action parameters to an empty string rather than raising an error. + +4) ?SET and ?RESET directives are now available: + + ?SET <variable> <value> + ?RESET <variable> + + To cater to both Shell and Perl programmers, the <variable> may + be entered with or without leading '$'. + + The ?SET command sets the named <variable> to the specified + <value> where <value> is a Perl-compatible expression. + + The ?RESET command deletes the named <variable> from the compiler's + variable table. + + Shorewall variables (@chain, @loglevel,...) and action parameters + ($1, $2,...) are read-only and their values may not be changed + (although action parameter values may be changed using Embedded + Perl). + +5) This release introduces user-defined address variables. Address + variables are used at run-time rather than at compile-time. Prior + to this release, two types of address variables were available: + + &<interface> Expands to the primary IP address of + <interface> + + %<interface> Expands to the IP address of the default + gateway out of <interface> + + The two new types added in this release are distinguished by the + use of "{....}". + + &{<variable>} Address contained in run-time variable + <variable>. The named shell variable must + contain a valid IP address, either from the + generated script's environment or from having + been set in the generated script's 'init' + extension script. If the variable is empty or + if its contents are not a valid IP address, an + error is raised and the state of the firewall + is not changed. + + %{<variable>} Address contained in run-time variable + <variable>. 
If the named variable is empty, + the generated script sets it to the all-zeros + address (0.0.0.0 in IPv4 and :: in IPv6). When + this variable appears in a SOURCE or + DESTINATION column of any configuration file, + or if it appears in the ADDRESSES column of + the masq file, then no rule is generated when + the address variable is empty. Otherwise, the + rule is generated with the all-zeros address + replacing the variable. As above, if the + variable is non-empty and if it does not + contain a valid IP address, an error is raised + and the firewall state is unchanged. + +6) The output of 'show [-f] capabities' is now sorted to make + individual capabities easier to find. + +7) Beginning with this release, ?FORMAT is preferred over FORMAT for + specifying the format of records in these configuration files: + + action.* files + conntrack + interface + macro.* files + tcrules + + While deprecated, FORMAT (without the '?') is still supported. + + Also, ?COMMENT is preferred over COMMENT for attaching comments to + generated netfilter rules in the following files. + + accounting + action.* files + blrules files + conntrack + macro.* files + masq + nat + rules + secmarks + tcrules + tunnels + + When one of the deprecated forms is encountered, a warning message + is issued. + + Example: + + WARNING: 'FORMAT' is deprecated in favor of '?FORMAT' - + consider running 'shorewall update -D'. + + As the warning indicates, 'update -D' will traverse the CONFIG_PATH + replacing FORMAT and COMMENT lines with ?FORMAT and ?COMMENT + directives respectively. The original version of modified files + will be saved with a .bak suffix. + + During the update, .bak files are skipped as are files in + ${SHAREDIR}/shorewall and ${SHAREDIR}/shorewall6. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 5 . 
1 0 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.11.2/shorewall-lite.service new/shorewall-lite-4.5.13/shorewall-lite.service --- old/shorewall-lite-4.5.11.2/shorewall-lite.service 2012-12-31 17:00:04.000000000 +0100 +++ new/shorewall-lite-4.5.13/shorewall-lite.service 2013-02-11 14:58:01.000000000 +0100 @@ -13,8 +13,8 @@ RemainAfterExit=yes EnvironmentFile=-/etc/sysconfig/shorewall-lite StandardOutput=syslog -ExecStart=/usr/sbin/shorewall-lite $OPTIONS start -ExecStop=/usr/sbin/shorewall-lite $OPTIONS stop +ExecStart=/sbin/shorewall-lite $OPTIONS start +ExecStop=/sbin/shorewall-lite $OPTIONS stop [Install] WantedBy=multi-user.target diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.11.2/shorewall-lite.spec new/shorewall-lite-4.5.13/shorewall-lite.spec --- old/shorewall-lite-4.5.11.2/shorewall-lite.spec 2012-12-31 17:29:00.000000000 +0100 +++ new/shorewall-lite-4.5.13/shorewall-lite.spec 2013-02-11 14:59:59.000000000 +0100 @@ -1,6 +1,6 @@ %define name shorewall-lite -%define version 4.5.11 -%define release 2 +%define version 4.5.13 +%define release 0base %define initdir /etc/init.d Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. 
@@ -105,12 +105,36 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Fri Feb 08 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.13-0base +* Mon Feb 04 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.13-0RC3 +* Sun Feb 03 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.13-0RC2 +* Thu Jan 31 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.13-0RC1 +* Tue Jan 29 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.13-0Beta4 +* Mon Jan 21 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.13-0Beta3 +* Sun Jan 20 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.13-0Beta2 +* Tue Jan 15 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.13-0Beta1 +* Tue Jan 15 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.12-0base +* Thu Jan 10 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.12-0RC1 +* Tue Jan 08 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.12-0Beta5 +* Sat Jan 05 2013 Tom Eastep tom@shorewall.net +- Updated to 4.5.12-0Beta4 * Mon Dec 31 2012 Tom Eastep tom@shorewall.net -- Updated to 4.5.11-2 -* Fri Dec 28 2012 Tom Eastep tom@shorewall.net -- Updated to 4.5.11-1 +- Updated to 4.5.12-0Beta3 +* Thu Dec 27 2012 Tom Eastep tom@shorewall.net +- Updated to 4.5.12-0Beta2 * Wed Dec 26 2012 Tom Eastep tom@shorewall.net -- Updated to 4.5.11-0base +- Updated to 4.5.12-0Beta1 * Wed Dec 19 2012 Tom Eastep tom@shorewall.net - Updated to 4.5.11-0RC1 * Thu Dec 13 2012 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.11.2/shorewallrc.archlinux new/shorewall-lite-4.5.13/shorewallrc.archlinux --- old/shorewall-lite-4.5.11.2/shorewallrc.archlinux 2012-12-31 17:29:00.000000000 +0100 +++ new/shorewall-lite-4.5.13/shorewallrc.archlinux 2013-02-11 14:59:59.000000000 +0100 
@@ -1,21 +1,21 @@ # -# Archlinux Shorewall 4.5 rc file +# Arch Linux Shorewall 4.5 rc file # -BUILD=archlinux +BUILD= #Default is to detect the build system HOST=archlinux PREFIX=/usr #Top-level directory for shared files, libraries, etc. SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory CONFDIR=/etc #Directory where subsystem configurations are installed -SBINDIR=/sbin #Directory where system administration programs are installed +SBINDIR=/usr/sbin #Directory where system administration programs are installed MANDIR=${SHAREDIR}/man #Directory where manpages are installed. -INITDIR=/etc/rc.d #Directory where SysV init scripts are installed. -INITFILE=$PRODUCT #Name of the product's installed SysV init script -INITSOURCE=init.sh #Name of the distributed file to be installed as the SysV init script +INITDIR= #Directory where SysV init scripts are installed. +INITFILE= #Name of the product's installed SysV init script +INITSOURCE= #Name of the distributed file to be installed as the SysV init script ANNOTATED= #If non-zero, annotated configuration files are installed SYSCONFDIR= #Directory where SysV init parameter files are installed -SYSTEMD= #Directory where .service files are installed (systems running systemd only) +SYSTEMD=/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only) SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR VARLIB=/var/lib #Directory where product variable data is stored. VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.11.2/uninstall.sh new/shorewall-lite-4.5.13/uninstall.sh --- old/shorewall-lite-4.5.11.2/uninstall.sh 2012-12-31 17:29:00.000000000 +0100 +++ new/shorewall-lite-4.5.13/uninstall.sh 2013-02-11 14:59:59.000000000 +0100 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.5.11.2 +VERSION=4.5.13 usage() # $1 = exit status { ++++++ shorewall-4.5.11.2.tar.bz2 -> shorewall6-4.5.13.tar.bz2 ++++++ ++++ 109361 lines of diff (skipped) ++++++ shorewall-lite-4.5.11.2.tar.bz2 -> shorewall6-lite-4.5.13.tar.bz2 ++++++ ++++ 7763 lines of diff (skipped) ++++++ systemd.patch ++++++ --- /var/tmp/diff_new_pack.YBKfNI/_old 2013-03-08 09:51:26.000000000 +0100 +++ /var/tmp/diff_new_pack.YBKfNI/_new 2013-03-08 09:51:26.000000000 +0100 @@ -1,13 +1,13 @@ Fixes #bnc798525 --- - shorewall-4.5.11.2/install.sh | 2 +- - shorewall-lite-4.5.11.2/install.sh | 2 +- - shorewall6-4.5.11.2/install.sh | 2 +- - shorewall6-lite-4.5.11.2/install.sh | 2 +- + shorewall-4.5.13/install.sh | 2 +- + shorewall-lite-4.5.13/install.sh | 2 +- + shorewall6-4.5.13/install.sh | 2 +- + shorewall6-lite-4.5.13/install.sh | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) ---- a/shorewall-4.5.11.2/install.sh -+++ b/shorewall-4.5.11.2/install.sh +--- a/shorewall-4.5.13/install.sh ++++ b/shorewall-4.5.13/install.sh @@ -395,7 +395,7 @@ fi if [ -n "$SYSTEMD" ]; then mkdir -p ${DESTDIR}${SYSTEMD} @@ -17,8 +17,8 @@ echo "Service file installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service" fi ---- a/shorewall-lite-4.5.11.2/install.sh -+++ b/shorewall-lite-4.5.11.2/install.sh +--- a/shorewall-lite-4.5.13/install.sh ++++ b/shorewall-lite-4.5.13/install.sh @@ -355,7 +355,7 @@ fi if [ -n "$SYSTEMD" ]; then mkdir -p ${DESTDIR}${SYSTEMD} 
@@ -28,8 +28,8 @@ echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service" fi ---- a/shorewall6-4.5.11.2/install.sh -+++ b/shorewall6-4.5.11.2/install.sh +--- a/shorewall6-4.5.13/install.sh ++++ b/shorewall6-4.5.13/install.sh @@ -395,7 +395,7 @@ fi if [ -n "$SYSTEMD" ]; then mkdir -p ${DESTDIR}${SYSTEMD} @@ -39,8 +39,8 @@ echo "Service file installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service" fi ---- a/shorewall6-lite-4.5.11.2/install.sh -+++ b/shorewall6-lite-4.5.11.2/install.sh +--- a/shorewall6-lite-4.5.13/install.sh ++++ b/shorewall6-lite-4.5.13/install.sh @@ -355,7 +355,7 @@ fi if [ -n "$SYSTEMD" ]; then mkdir -p ${DESTDIR}${SYSTEMD} -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
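Review bot: the modules.xtables hunk adds xt_policy, xt_sctp, xt_TCPMSS and xt_time without any matching entry in the release notes or changelog carried by this update; the only related note (4.5.11.1 item 2) concerns xtables-addons modules, and these four are mainline netfilter modules. A one-line changelog entry saying why they are now loaded (for example, which new match or action depends on them) would let packagers and admins who maintain a trimmed modules file decide whether they need them.

Review bot: in the releasenotes.txt hunk @@ -15,26 +15,20 @@, item 3 reads "evaluating the number as '' rather than as its numberic value"; "numberic" should be "numeric".

Review bot: in the releasenotes.txt hunk @@ -47,149 +41,162 @@, the UNTRACKED_LOG_LEVEL entry says it "Determines logging of packets handled by NOTRACK_DISPOSITION", but the option defined immediately above it is UNTRACKED_DISPOSITION; one of the two names is wrong, and an admin who sets NOTRACK_DISPOSITION in shorewall.conf on the strength of this text is configuring an option the notes never define. In the same hunk, item 7 introduces the BLACKLIST option that replaces BLACKLISTNEWONLY but, unlike the INVALID_DISPOSITION and UNTRACKED_DISPOSITION entries, never lists its valid values or its default, so a reader cannot check what 'shorewall update' wrote into shorewall.conf; item 1 (DEFER_DNS_RESOLUTION) should also state what happens when a name fails to resolve in each mode, since the text says that with the default Yes "ip[6]tables-restore must resolve the name when the script runs", which is the point at which a firewall admin most needs to know whether the restore aborts; and item 11 presents "ACTION(-,foo,-,-)" and "ACTION(,FOO,,)" as equivalent although the second parameter differs in case. Typos in the added lines: "no logginig", and "INVALID_LOG_LEVEL." / "UNTRACKED_LOG_LEVEL." carry a stray trailing period.

Review bot: in the releasenotes.txt hunk @@ -373,13 +380,346 @@, the heading "N E W F E A T U R E S I N 4 . 5 . 1 1" appears twice: once directly after "PROBLEMS CORRECTED IN 4.5.12" (the WARNOLDCAPVERSION, FQ CODEL, arptables and LOGTAGONLY items) and again after "PROBLEMS CORRECTED IN 4.5.11" (the @loglevel/@logtag, ?SET/?RESET and address-variable items). Given the surrounding order (4.5.12 problems, features, 4.5.11 problems, features, 4.5.10 problems) the first heading should read 4.5.12; the modules.tc hunk in this same update adding "loadmodule sch_fq_codel", which was absent from 4.5.11.2, is consistent with FQ CODEL being a 4.5.12 feature. The copied 4.5.11 feature list also numbers two consecutive items "3)" (nolog and IGNOREUNKNOWNVARIABLES), so items 4 through 7 are off by one for anyone referencing them. Typos in the added lines: "non-existant", "capabities" (twice), "charaters" and "When an terminating rule".

Review bot: the shorewall-lite.service hunk hardcodes "/sbin/shorewall-lite" in ExecStart and ExecStop, while the shorewallrc.archlinux hunk in this same update changes "SBINDIR=/sbin" to "SBINDIR=/usr/sbin", so the shipped unit and the rc file now disagree about where the binary lives. Suggest that install.sh substitute ${SBINDIR} into the unit at install time (or that the packaging sed the path) instead of committing a fixed path; otherwise on any host whose SBINDIR is /usr/sbin the unit points at a path that need not exist and the service will fail to start.

Review bot: in the shorewallrc.archlinux hunk, INITDIR, INITFILE and INITSOURCE are blanked and SYSTEMD is set to /usr/lib/systemd/system, but BUILD is also blanked with the comment "#Default is to detect the build system" while HOST stays "archlinux". If the intent is that the rc file is now usable from a non-Arch build host, a short comment saying so would save the next reader from assuming the blank BUILD is an omission.

Review bot: in the systemd.patch hunks for shorewall-lite-4.5.13/install.sh and shorewall6-lite-4.5.13/install.sh, the context line 'echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"' still hardcodes /lib/systemd/system, while the 'mkdir -p ${DESTDIR}${SYSTEMD}' just above it and the shorewall/shorewall6 variants ('${DESTDIR}${SYSTEMD}/$PRODUCT.service') use the configured directory. Since the rebase already touches these hunks, suggest fixing the message so it reports where the unit was actually written; with SYSTEMD=/usr/lib/systemd/system, as the Arch rc file now sets, the printed path is wrong. The patch header "Fixes #bnc798525" would also benefit from one line stating what the patch changes, since the diff shown here only renames the version in the paths.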