Hello community,
here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2013-07-02 07:46:01
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shorewall (Old)
and /work/SRC/openSUSE:Factory/.shorewall.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall"
Changes:
--------
--- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2013-06-06 12:59:55.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes 2013-07-02 07:46:03.000000000 +0200
@@ -1,0 +2,47 @@
+Sun Jun 30 23:12:01 UTC 2013 - toganm@opensuse.org
+
+- Spec file changes
+ * Added 0001-Fix-Exec-directory.patch which fixes ExecStart
+ ExecStop path of systemd shorewall-init.service (bnc#827524)
+
+ * removed systemd.patch
+
+-------------------------------------------------------------------
+Sun Jun 30 10:29:17 UTC 2013 - toganm@opensuse.org
+
+- Update to version 4.5.18 For more details see changelog.txt and
+ releasenotes.txt
+
+ * This release includes all defect repair from Shorewall
+ 4.5.17.1.
+
+ * The following warning message could be emitted inappropriately
+ when running shorewall 4.5.17.
+
+ The rule(s) generated by this entry are unreachable and have
+ been discarded
+
+ These warnings, which were disabled in Shorewall 4.5.17.1, are
+ now only emitted where appropriate. The message has also been
+ reworded to:
+
+ One or more unreachable rules in chain <name> have been
+ discarded
+
+ The message is issued a maximum of once per Netfilter chain.
+
+ * A problem that could cause the 'trace' compiler option to
+ produce false error messages or to produce an altered generated
+ firewall script has been corrected.
+
+ * If the 'Owner Name Match' capability was not available, the
+ following error message would previously appear during
+ compilation:
+
+ iptables: No chain/target/match by that name.
+
+- spec file changes
+ * rebased systemd.patch
+
+
+-------------------------------------------------------------------
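Review bot: the two changes entries contradict each other on systemd.patch: the upper (newer) one records it as removed, the lower one records it as rebased, and both are submitted in this one request, so the rebase line is dead history and the lower entry could say only "Update to version 4.5.18" with the patch removal kept in the top entry. Minor wording: "Update to version 4.5.18 For more details" needs a period before "For", and the top entry ends with two blank lines where the file otherwise uses one.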
Old:
----
shorewall-4.5.17.1.tar.bz2
shorewall-core-4.5.17.1.tar.bz2
shorewall-docs-html-4.5.17.1.tar.bz2
shorewall-init-4.5.17.1.tar.bz2
shorewall-lite-4.5.17.1.tar.bz2
shorewall6-4.5.17.1.tar.bz2
shorewall6-lite-4.5.17.1.tar.bz2
systemd.patch
New:
----
0001-Fix-Exec-directory.patch
shorewall-4.5.18.tar.bz2
shorewall-core-4.5.18.tar.bz2
shorewall-docs-html-4.5.18.tar.bz2
shorewall-init-4.5.18.tar.bz2
shorewall-lite-4.5.18.tar.bz2
shorewall6-4.5.18.tar.bz2
shorewall6-lite-4.5.18.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ shorewall.spec ++++++
--- /var/tmp/diff_new_pack.EYJurw/_old 2013-07-02 07:46:05.000000000 +0200
+++ /var/tmp/diff_new_pack.EYJurw/_new 2013-07-02 07:46:05.000000000 +0200
@@ -20,19 +20,19 @@
%define have_systemd 1
Name: shorewall
-Version: 4.5.17.1
+Version: 4.5.18
Release: 0
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems
License: GPL-2.0
Group: Productivity/Networking/Security
Url: http://www.shorewall.net/
-Source: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.17/%name-%version.t...
-Source1: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.17/%name-core-%vers...
-Source2: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.17/%name-lite-%vers...
-Source3: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.17/%name-init-%vers...
-Source4: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.17/%{name}6-lite-%version.tar.bz2
-Source5: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.17/%{name}6-%version.tar.bz2
-Source6: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.17/%name-docs-html-...
+Source: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.18/%name-%version.t...
+Source1: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.18/%name-core-%vers...
+Source2: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.18/%name-lite-%vers...
+Source3: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.18/%name-init-%vers...
+Source4: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.18/%{name}6-lite-%version.tar.bz2
+Source5: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.18/%{name}6-%version.tar.bz2
+Source6: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.18/%name-docs-html-...
Source7: %name-4.4.22.rpmlintrc
Source8: README.openSUSE
# PATCH-FIX-UPSTREAM toganm@opensuse.org Shorewall-lite init.suse.sh Required Stop
@@ -41,9 +41,8 @@
Patch1: shorewall-init-4.5.15-install.patch
# PATCH-FIX-UPSTREAM toganm@opensuse.org Shorewall-init init.suse.sh Required Start
Patch2: 0001-remote_fs.patch
-# PATCH-FIX-UPSTREAM toganm@opensuse.org systemd.patch correct path for /usr/sbin [bnc#798525]
-Patch3: systemd.patch
-
+# PATCH-FIX-UPSTREAM toganm@opensuse.org systemd.patch correct path for /usr/sbin [bnc#827524]
+Patch3: 0001-Fix-Exec-directory.patch
%if 0%{?suse_version} >= 1210 || 0%{?fedora_version}
BuildRequires: systemd
%{?systemd_requires}
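Review bot: the PATCH-FIX-UPSTREAM comment on the new Patch3 line is stale: it still says "systemd.patch correct path for /usr/sbin", but the patch it now introduces is 0001-Fix-Exec-directory.patch and, per its hunk further down this page, it sets ExecStart/ExecStop to /sbin/shorewall-init, not /usr/sbin. Suggest renaming it in the comment, e.g. `# PATCH-FIX-UPSTREAM toganm@opensuse.org 0001-Fix-Exec-directory.patch fix ExecStart/ExecStop path in shorewall-init.service [bnc#827524]`, and confirming the tag itself: if the fix has not actually been sent upstream, openSUSE convention is PATCH-FIX-OPENSUSE.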
@@ -307,7 +306,6 @@
# we need the patches for suse only
%if 0%{?suse_version}
-%patch3 -p1
# apply patches to shorewall
pushd %name-%version
@@ -330,6 +328,7 @@
pushd %name-init-%version
%patch1 -p1
%patch2 -p1
+%patch3 -p1
popd
%endif
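Review bot: moving `%patch3 -p1` from the top-level %prep into the `pushd %name-init-%version` block is the right place for it, since the patch touches `a/shorewall-init.service`, which lives in the shorewall-init tarball rather than the main shorewall source; with the old placement the new patch would not have applied. This hunk and the removal in the previous hunk are one logical change and the changes entry ("Added 0001-Fix-Exec-directory.patch") would be clearer if it said the patch is now applied to the shorewall-init subpackage source.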
++++++ 0001-Fix-Exec-directory.patch ++++++
From 3d40b7fab437cf8a8bb28a183e7198994188625b Mon Sep 17 00:00:00 2001
From: Togan Muftuoglu
Date: Mon, 1 Jul 2013 00:22:11 +0200
Subject: [PATCH] Fix Exec directory
ExecStart and Execstart should be /sbin
Signed-off-by: Togan Muftuoglu
---
shorewall-init.service | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/shorewall-init.service
+++ b/shorewall-init.service
@@ -13,8 +13,8 @@ Type=oneshot
RemainAfterExit=yes
EnvironmentFile=-/etc/sysconfig/shorewall-init
StandardOutput=syslog
-ExecStart=/shorewall-init $OPTIONS start
-ExecStop=/shorewall-init $OPTIONS stop
+ExecStart=/sbin/shorewall-init $OPTIONS start
+ExecStop=/sbin/shorewall-init $OPTIONS stop
[Install]
WantedBy=multi-user.target
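Review bot: the commit subject body says "ExecStart and Execstart should be /sbin" while the hunk changes ExecStart and ExecStop, so the second name should read ExecStop. On the change itself, the old value `/shorewall-init` looks like an unexpanded directory prefix, and the fix hardcodes `/sbin/`; that is correct only as long as the packaged shorewall-init script is installed under /sbin, so it is worth a comment in the spec (or the patch header) tying the literal to where the spec actually installs the script, since a unit whose ExecStart path is wrong fails silently into an unprotected boot on a box that relies on shorewall-init to close the firewall before interfaces come up.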
++++++ shorewall-4.5.17.1.tar.bz2 -> shorewall-4.5.18.tar.bz2 ++++++
++++ 2764 lines of diff (skipped)
++++++ shorewall-core-4.5.17.1.tar.bz2 -> shorewall-core-4.5.18.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.17.1/changelog.txt new/shorewall-core-4.5.18/changelog.txt
--- old/shorewall-core-4.5.17.1/changelog.txt 2013-06-02 23:05:16.000000000 +0200
+++ new/shorewall-core-4.5.18/changelog.txt 2013-06-27 20:30:17.000000000 +0200
@@ -1,13 +1,46 @@
-Changes in 4.5.17.1
+Changes in 4.5.18 Final
1) Update release documents.
-2) Don't issue 'unreachable" warnings.
+Changes in 4.5.18 RC 2
-3) Don't delete nfacct rules that have the same target as the
- terminating rule.
+1) Update release documents.
+
+2) Fix 'qt' and bridge detection.
+
+Changes in 4.5.18 RC 1
+
+1) Update release documents.
+
+2) Make ?...shell/perl directives case-insensitive.
+
+Changes in 4.5.18 Beta 3
+
+1) Update release documents.
+
+2) Reword 'unreachable' warning.
+
+3) Remove incorrect statement from the Macro article.
+
+4) Make 'routeback' a binary option.
-4) Corrent optimization of expensive matches
+Changes in 4.5.18 Beta 2
+
+1) Update release documents.
+
+2) Add Kerberos macro from James Shubin
+
+3) Allow 'unmanaged' interfaces.
+
+Changes in 4.5.18 Beta 1
+
+1) Update release documents.
+
+2) Merge 4.5.17.1 fixes.
+
+3) Re-implement 'discarded' message.
+
+4) Replace ersatz logic with NONE policies.
Changes in 4.5.17 Final
@@ -21,6 +54,10 @@
5) Fix minor IPv6 TPROXY bug.
+6) Rework 'unreachable' warning implementation.
+
+7) Don't drop 'nfacct' rules.
+
Changes in 4.5.17 RC 2
1) Update release documents.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.17.1/configure new/shorewall-core-4.5.18/configure
--- old/shorewall-core-4.5.17.1/configure 2013-06-02 23:05:16.000000000 +0200
+++ new/shorewall-core-4.5.18/configure 2013-06-27 20:30:17.000000000 +0200
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=4.5.17.1
+VERSION=4.5.18
case "$BASH_VERSION" in
[4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.17.1/configure.pl new/shorewall-core-4.5.18/configure.pl
--- old/shorewall-core-4.5.17.1/configure.pl 2013-06-02 23:05:16.000000000 +0200
+++ new/shorewall-core-4.5.18/configure.pl 2013-06-27 20:30:17.000000000 +0200
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '4.5.17.1'
+ VERSION => '4.5.18'
};
my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.17.1/install.sh new/shorewall-core-4.5.18/install.sh
--- old/shorewall-core-4.5.17.1/install.sh 2013-06-02 23:05:16.000000000 +0200
+++ new/shorewall-core-4.5.18/install.sh 2013-06-27 20:30:17.000000000 +0200
@@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
-VERSION=4.5.17.1
+VERSION=4.5.18
usage() # $1 = exit status
{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.17.1/known_problems.txt new/shorewall-core-4.5.18/known_problems.txt
--- old/shorewall-core-4.5.17.1/known_problems.txt 2013-06-02 23:05:16.000000000 +0200
+++ new/shorewall-core-4.5.18/known_problems.txt 2013-06-27 20:30:17.000000000 +0200
@@ -1,15 +1,19 @@
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
-2) A bug in the optimizer in 4.5.17 can cause 'set' and 'geoip matches
- to be dropped.
+2) Version 4.5.16 broke the handling of application helpers when the
+ CT Target. Symptom is messages like the following:
- Corrected in Shorewall 4.5.17.1.
+ Use of uninitialized value $Shorewall::Config::sillyname in
+ concatenation (.) or string at
+ /usr/share/shorewall/Shorewall/Config.pm line 3907.
-3) The following warning message may be emitted inappropriately when
- running shorewall 4.5.17.
+ Workaround: Use a capabilities file.
- The rule(s) generated by this entry are unreachable and have been
- discarded
+ Corrected in Shorewall 4.5.16.1.
- Corrected in Shorewall 4.5.17.1.
+3) When INLINE is used in the tcrules file and no target ('-j' part)
+ is included in the free-form part of the rule, an invalid
+ iptables rule is generated.
+
+ Workaround: Always specify '-j'.
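Review bot: the new known_problems.txt lists two items that the rest of this diff says are already fixed: item 2) (4.5.16 CT helper breakage) ends with "Corrected in Shorewall 4.5.16.1", and item 3) (INLINE in tcrules without a '-j' target generating an invalid iptables rule) appears in the releasenotes.txt hunk on this page as item 1) under "PROBLEMS CORRECTED IN 4.5.17". Both read like leftovers from an older copy of the file rather than problems remaining in 4.5.18; worth raising with upstream before shipping, because administrators use this file to decide whether a workaround (a capabilities file, always specifying '-j') is still required.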
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.17.1/releasenotes.txt new/shorewall-core-4.5.18/releasenotes.txt
--- old/shorewall-core-4.5.17.1/releasenotes.txt 2013-06-02 23:05:16.000000000 +0200
+++ new/shorewall-core-4.5.18/releasenotes.txt 2013-06-27 20:30:17.000000000 +0200
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 4 . 5 . 1 7 . 1
+ S H O R E W A L L 4 . 5 . 1 8
------------------------------------
- J u n e 0 2 , 2 0 1 3
+ J u n e 2 8 , 2 0 1 3
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -15,77 +15,30 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-4.5.17.1
+1) This release includes all defect repair from Shorewall 4.5.17.1.
-1) The following warning message may be emitted inappropriately when
- running shorewall 4.5.17. The message is no longer issued.
-
+2) The following warning message could be emitted inappropriately when
+ running shorewall 4.5.17.
+
The rule(s) generated by this entry are unreachable and have been
discarded
-2) Rules intended to increment nfacct objects would previously be
- optimized away when they immediately preceded an unconditional jump
- to the same target. Such rules are now retained.
+ These warnings, which were disabled in Shorewall 4.5.17.1, are now
+ only emitted where appropriate. The message has also been reworded
+ to:
-3) A bug in the optimizer in 4.5.17 can cause 'set' and 'geoip'
- matches to be dropped. That has been corrected.
+ One or more unreachable rules in chain <name> have been discarded
-4.5.17
+ The message is issued a maximum of once per Netfilter chain.
-1) When INLINE was used in the tcrules file and no target ('-j' part)
- is included in the free-form part of the rule, an invalid
- iptables rule was generated.
-
-2) Thanks to Roberto Sanchez, many typos in the manpages have been
- corrected.
-
-3) A number of issues have been corrected in the Debian and
- Redhat/Fedora Shorewall-init SysV init scripts:
-
- a) Settings in ${SHAREDIR}/vardir are now handled correctly.
-
- b) Exit status is now returned correctly.
-
- c) Stale lock files are avoided.
-
-4) When the compiled firewall script is run directly, it no longer
- attempts to copy itself onto itself using the 'cp' utility.
-
-5) An optimizer defect that could leave unreferenced chains in the
- configuration has been corrected.
-
-6) Unreferenced chains in the IPV6 nat table are now omitted.
-
-7) Rules with trivial exclusion (a single net or ipset preceded by
- '!') now generate the iptables matches in the correct
- order. Previously, the exclusion match(es) was(were) placed at the
- end. This is important in rules that auto-increment nfacct objects.
-
-8) Previously, conntrack helpers were enabled by the 'stop'
- command. Now, these helpers are only enabled by the 'clear'
- command.
-
-9) Previously, an interface label (e.g., dev:N) could be specified
- as the 'physical' interface in /etc/shorewall/interfaces. This
- is now disallowed.
+3) A problem that could cause the 'trace' compiler option to produce
+ false error messages or to produce an altered generated firewall
+ script has been corrected.
-10) The Perl function 'shorewall' was not previously exported by
- Shorewall::Config, with the result that the function had
- to be called as Shorewall::Config::shorewall(...). the function is
- now exported and can be called from ?BEGIN PERL blocks as simply
- shorewall(...).
+4) If the 'Owner Name Match' capability was not available, the
+ following error message would previously appear during compilation:
-11) Previously, two ICMPv6 type names were mis-translated.
-
- address-unreachable was translated to 1/2; should be 1/3
- port-unreachable was translated to 1/3; should be 1/4
-
- These translations have been corrected.
-
-12) If a TPROXY IPv6 address was specified in /etc/shorewall6/tcrules
- using the [<address>]/vlsm form (e.g.,
- 'TPROXY(0x100,3129,[2001:470:b:227::44]/64)') then an 'Invalid Address'
- error was issued. This has been corrected.
+ iptables: No chain/target/match by that name.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
@@ -98,81 +51,57 @@
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) Route types 'blackhole', 'unreachable' and 'prohibit' are no longer
- copied to provider routing tables by default when
- USE_DEFAULT_RT=No. You may cause them to be copied by including
- 'blackhole', 'unreachable' and/or 'prohibit' in the COPY list along
- with interface names.
-
-2) Previously, the generated script always added a host route to a
- provider's gateway in the provider's routing table. Beginning with
- this release, the 'noautosrc' provider option can be used to
- inhibit this behavior. 'noautosrc' must be used with care since the
- absense of such a route can cause start/restart runtime failures.
+1) 'NONE' policies are now instantiated between 'local' zone and zones
+ other than the firewall. Similarly, 'NONE' policies are
+ instantiated between 'loopback' zones and zones other than $FW
+ and other 'loopback' zones.
+
+ This provides a cleaner implementation than the one provided in
+ Shorewall 4.5.17, and one that should be easier to maintain going
+ forward.
+
+2) James Shubin has contributed a Kerberos macro.
+
+3) A new 'unmanaged' interface option has been added. This option may
+ be used to define interfaces that allow all traffic to/from the
+ firewall but that's all. They are not accessible from hosts on
+ other interfaces nor can traffic from an unmanaged interface be
+ forwarded to hosts on other interfaces.
+
+ The following interface options are mutually-exclusive with
+ 'unmanaged':
+
+ - blacklist
+ - bridge
+ - destonly
+ - detectnets
+ - dhcp
+ - maclist
+ - nets
+ - norfc1918
+ - nosmurfs
+ - optional
+ - routeback
+ - rpfilter
+ - sfilter
+ - tcpflags
+ - upnp
+ - upnpclient
+
+ Unmanaged interfaces may not be associated with a zone in either
+ the interfaces or hosts files.
+
+ The 'lo' interface may not be unmanaged when there are vserver
+ zones defined.
+
+4) The value (0 or 1) for the 'routeback' interface option may now
+ be specified (e.g., 'routeback=0'). This allows overriding the
+ Shorewall default setting for bridge devices which is
+ 'routeback=1'.
-3) A '-c' (conditional) option has been added to the 'compile' command.
- This option causes compilation to proceed if:
+5) The ?SHELL, ?PERL, ?BEGIN SHELL, ?END SHELL, ?BEGIN PERL and ?END
+ PERL directives are now case-insensitive.
- a) The specified (or defaulted) firewall script does not exist; or
- b) A file on the CONFIG_PATH (including any directory specified in
- the command) is newer than the existing script.
-
-4) A new interface option has been added.
-
- destonly
-
- Causes the compiler to omit rules to handle traffic arriving on
- the interface.
-
-5) It is now possible to use 'all+' in the SOURCE and DEST columns of
- /etc/shorewall[6]/policy file. It has the same meaning as in the
- rules file in that it can override default intra-zone ACCEPT
- policies.
-
-6) Beginning with this release, most special handling of 'Auth' (TCP
- port 113) has been removed. In particular, the Drop default action
- will no longer default to silently REJECTing Auth requests but will
- rather simply process them like other tcp packets.
-
-7) Traditionally, Shorewall has treated the loopback interface ('lo')
- as follows:
-
- - It deals with firewall-to-firewall, firewall-to-vserver,
- vserver-to-firewall, and vserver-to-vserver traffic.
- - All filtering is done in the OUTPUT flow; all traffic arriving on
- 'lo' is silently accepted.
- - If no firewall-to-firewall policy or rules are defined, then
- a simple ACCEPT rule is also included in the OUTPUT chain for
- 'lo' (after any vserver-oriented jumps).
-
- Beginning with this release, the handling of firewall-to-firewall
- traffic can be altered by adding a zone of type 'loopback'.
-
- - 'loopback' zones must be associated with the loopback device in
- the interfaces and/or hosts file.
-
- /etc/shorewall/zones
-
- #ZONE TYPE
- loop loopback
-
- /etc/shorewall/interfaces
-
- ?FORMAT 2
- #ZONE INTERFACE OPTIONS
- loop lo ...
-
- When this is done, the ACCEPT jumps for 'lo' in the INPUT and
- OUTPUT chains are omitted and replaced with jumps to the loop2fw
- and fw2loop (loop-fw and fw-lop) chains respectively. This
- provides a model similar to other zones for fireall-to-firewall
- traffic.
-
-8) A new 'local' zone TYPE has been added to /etc/shorewall[6]/zones.
- A 'local' zone is similar to an 'ipv4' ('ipv6') zone, except that
- rules and policies to/from a 'local' zone may only be to/from the
- firewall zone and vserver zones.
-
----------------------------------------------------------------------------
V. M I G R A T I O N I S S U E S
----------------------------------------------------------------------------
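Review bot: new feature 3), the 'unmanaged' interface option, deserves a line in the openSUSE changes entry or README.openSUSE because of its security effect: the text says such an interface "allow[s] all traffic to/from the firewall", cannot be placed in a zone (so no rules or policies apply to it), and is mutually exclusive with blacklist, maclist, nosmurfs, rpfilter, sfilter, tcpflags and the other listed per-interface sanity checks, so none of that filtering runs on it. Administrators should understand it as a statement of full trust in the attached network, not a convenience flag. Feature 4) similarly changes behaviour that admins may rely on ('routeback=0' now overrides the bridge default of 'routeback=1') and is worth mentioning alongside it.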
@@ -376,6 +305,144 @@
----------------------------------------------------------------------------
V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S
----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 4 . 5 . 1 7
+----------------------------------------------------------------------------
+
+1) When INLINE was used in the tcrules file and no target ('-j' part)
+ is included in the free-form part of the rule, an invalid
+ iptables rule was generated.
+
+2) Thanks to Roberto Sanchez, many typos in the manpages have been
+ corrected.
+
+3) A number of issues have been corrected in the Debian and
+ Redhat/Fedora Shorewall-init SysV init scripts:
+
+ a) Settings in ${SHAREDIR}/vardir are now handled correctly.
+
+ b) Exit status is now returned correctly.
+
+ c) Stale lock files are avoided.
+
+4) When the compiled firewall script is run directly, it no longer
+ attempts to copy itself onto itself using the 'cp' utility.
+
+5) An optimizer defect that could leave unreferenced chains in the
+ configuration has been corrected.
+
+6) Unreferenced chains in the IPV6 nat table are now omitted.
+
+7) Rules with trivial exclusion (a single net or ipset preceded by
+ '!') now generate the iptables matches in the correct
+ order. Previously, the exclusion match(es) was(were) placed at the
+ end. This is important in rules that auto-increment nfacct objects.
+
+8) Previously, conntrack helpers were enabled by the 'stop'
+ command. Now, these helpers are only enabled by the 'clear'
+ command.
+
+9) Previously, an interface label (e.g., dev:N) could be specified
+ as the 'physical' interface in /etc/shorewall/interfaces. This
+ is now disallowed.
+
+10) The Perl function 'shorewall' was not previously exported by
+ Shorewall::Config, with the result that the function had
+ to be called as Shorewall::Config::shorewall(...). the function is
+ now exported and can be called from ?BEGIN PERL blocks as simply
+ shorewall(...).
+
+11) Previously, two ICMPv6 type names were mis-translated.
+
+ address-unreachable was translated to 1/2; should be 1/3
+ port-unreachable was translated to 1/3; should be 1/4
+
+ These translations have been corrected.
+
+12) If a TPROXY IPv6 address was specified in /etc/shorewall6/tcrules
+ using the [<address>]/vlsm form (e.g.,
+ 'TPROXY(0x100,3129,[2001:470:b:227::44]/64)') then an 'Invalid Address'
+ error was issued. This has been corrected.
+
+----------------------------------------------------------------------------
+ N E W F E A T U R E S I N 4 . 5 . 1 7
+----------------------------------------------------------------------------
+
+1) Route types 'blackhole', 'unreachable' and 'prohibit' are no longer
+ copied to provider routing tables by default when
+ USE_DEFAULT_RT=No. You may cause them to be copied by including
+ 'blackhole', 'unreachable' and/or 'prohibit' in the COPY list along
+ with interface names.
+
+2) Previously, the generated script always added a host route to a
+ provider's gateway in the provider's routing table. Beginning with
+ this release, the 'noautosrc' provider option can be used to
+ inhibit this behavior. 'noautosrc' must be used with care since the
+ absense of such a route can cause start/restart runtime failures.
+
+3) A '-c' (conditional) option has been added to the 'compile' command.
+ This option causes compilation to proceed if:
+
+ a) The specified (or defaulted) firewall script does not exist; or
+ b) A file on the CONFIG_PATH (including any directory specified in
+ the command) is newer than the existing script.
+
+4) A new interface option has been added.
+
+ destonly
+
+ Causes the compiler to omit rules to handle traffic arriving on
+ the interface.
+
+5) It is now possible to use 'all+' in the SOURCE and DEST columns of
+ /etc/shorewall[6]/policy file. It has the same meaning as in the
+ rules file in that it can override default intra-zone ACCEPT
+ policies.
+
+6) Beginning with this release, most special handling of 'Auth' (TCP
+ port 113) has been removed. In particular, the Drop default action
+ will no longer default to silently REJECTing Auth requests but will
+ rather simply process them like other tcp packets.
+
+7) Traditionally, Shorewall has treated the loopback interface ('lo')
+ as follows:
+
+ - It deals with firewall-to-firewall, firewall-to-vserver,
+ vserver-to-firewall, and vserver-to-vserver traffic.
+ - All filtering is done in the OUTPUT flow; all traffic arriving on
+ 'lo' is silently accepted.
+ - If no firewall-to-firewall policy or rules are defined, then
+ a simple ACCEPT rule is also included in the OUTPUT chain for
+ 'lo' (after any vserver-oriented jumps).
+
+ Beginning with this release, the handling of firewall-to-firewall
+ traffic can be altered by adding a zone of type 'loopback'.
+
+ - 'loopback' zones must be associated with the loopback device in
+ the interfaces and/or hosts file.
+
+ /etc/shorewall/zones
+
+ #ZONE TYPE
+ loop loopback
+
+ /etc/shorewall/interfaces
+
+ ?FORMAT 2
+ #ZONE INTERFACE OPTIONS
+ loop lo ...
+
+ When this is done, the ACCEPT jumps for 'lo' in the INPUT and
+ OUTPUT chains are omitted and replaced with jumps to the loop2fw
+ and fw2loop (loop-fw and fw-lop) chains respectively. This
+ provides a model similar to other zones for fireall-to-firewall
+ traffic.
+
+8) A new 'local' zone TYPE has been added to /etc/shorewall[6]/zones.
+ A 'local' zone is similar to an 'ipv4' ('ipv6') zone, except that
+ rules and policies to/from a 'local' zone may only be to/from the
+ firewall zone and vserver zones.
+
+----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 5 . 1 6
----------------------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.17.1/shorewall-core.spec new/shorewall-core-4.5.18/shorewall-core.spec
--- old/shorewall-core-4.5.17.1/shorewall-core.spec 2013-06-02 23:05:16.000000000 +0200
+++ new/shorewall-core-4.5.18/shorewall-core.spec 2013-06-27 20:30:17.000000000 +0200
@@ -1,6 +1,6 @@
%define name shorewall-core
-%define version 4.5.17
-%define release 1
+%define version 4.5.18
+%define release 0base
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name}
@@ -62,8 +62,18 @@
%doc COPYING INSTALL changelog.txt releasenotes.txt
%changelog
-* Sat Jun 01 2013 Tom Eastep tom@shorewall.net
-- Updated to 4.5.17-1
+* Thu Jun 27 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.18-0base
+* Mon Jun 24 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.18-0RC2
+* Mon Jun 17 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.18-0RC1
+* Tue Jun 11 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.18-0Beta3
+* Tue Jun 04 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.18-0Beta2
+* Thu May 30 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.18-0Beta1
* Mon May 27 2013 Tom Eastep tom@shorewall.net
- Updated to 4.5.17-0base
* Sun May 26 2013 Tom Eastep tom@shorewall.net
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.17.1/uninstall.sh new/shorewall-core-4.5.18/uninstall.sh
--- old/shorewall-core-4.5.17.1/uninstall.sh 2013-06-02 23:05:16.000000000 +0200
+++ new/shorewall-core-4.5.18/uninstall.sh 2013-06-27 20:30:17.000000000 +0200
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.5.17.1
+VERSION=4.5.18
usage() # $1 = exit status
{
++++++ shorewall-docs-html-4.5.17.1.tar.bz2 -> shorewall-docs-html-4.5.18.tar.bz2 ++++++
++++ 6670 lines of diff (skipped)
++++++ shorewall-init-4.5.17.1.tar.bz2 -> shorewall-init-4.5.18.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.17.1/changelog.txt new/shorewall-init-4.5.18/changelog.txt
--- old/shorewall-init-4.5.17.1/changelog.txt 2013-06-02 23:05:16.000000000 +0200
+++ new/shorewall-init-4.5.18/changelog.txt 2013-06-27 20:30:18.000000000 +0200
@@ -1,13 +1,46 @@
-Changes in 4.5.17.1
+Changes in 4.5.18 Final
1) Update release documents.
-2) Don't issue 'unreachable" warnings.
+Changes in 4.5.18 RC 2
-3) Don't delete nfacct rules that have the same target as the
- terminating rule.
+1) Update release documents.
+
+2) Fix 'qt' and bridge detection.
+
+Changes in 4.5.18 RC 1
+
+1) Update release documents.
+
+2) Make ?...shell/perl directives case-insensitive.
+
+Changes in 4.5.18 Beta 3
+
+1) Update release documents.
+
+2) Reword 'unreachable' warning.
+
+3) Remove incorrect statement from the Macro article.
+
+4) Make 'routeback' a binary option.
-4) Corrent optimization of expensive matches
+Changes in 4.5.18 Beta 2
+
+1) Update release documents.
+
+2) Add Kerberos macro from James Shubin
+
+3) Allow 'unmanaged' interfaces.
+
+Changes in 4.5.18 Beta 1
+
+1) Update release documents.
+
+2) Merge 4.5.17.1 fixes.
+
+3) Re-implement 'discarded' message.
+
+4) Replace ersatz logic with NONE policies.
Changes in 4.5.17 Final
@@ -21,6 +54,10 @@
5) Fix minor IPv6 TPROXY bug.
+6) Rework 'unreachable' warning implementation.
+
+7) Don't drop 'nfacct' rules.
+
Changes in 4.5.17 RC 2
1) Update release documents.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.17.1/configure new/shorewall-init-4.5.18/configure
--- old/shorewall-init-4.5.17.1/configure 2013-06-02 23:05:16.000000000 +0200
+++ new/shorewall-init-4.5.18/configure 2013-06-27 20:30:18.000000000 +0200
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=4.5.17.1
+VERSION=4.5.18
case "$BASH_VERSION" in
[4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.17.1/configure.pl new/shorewall-init-4.5.18/configure.pl
--- old/shorewall-init-4.5.17.1/configure.pl 2013-06-02 23:05:16.000000000 +0200
+++ new/shorewall-init-4.5.18/configure.pl 2013-06-27 20:30:18.000000000 +0200
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '4.5.17.1'
+ VERSION => '4.5.18'
};
my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.17.1/install.sh new/shorewall-init-4.5.18/install.sh
--- old/shorewall-init-4.5.17.1/install.sh 2013-06-02 23:05:16.000000000 +0200
+++ new/shorewall-init-4.5.18/install.sh 2013-06-27 20:30:18.000000000 +0200
@@ -23,7 +23,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
-VERSION=4.5.17.1
+VERSION=4.5.18
usage() # $1 = exit status
{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.17.1/releasenotes.txt new/shorewall-init-4.5.18/releasenotes.txt
--- old/shorewall-init-4.5.17.1/releasenotes.txt 2013-06-02 23:05:16.000000000 +0200
+++ new/shorewall-init-4.5.18/releasenotes.txt 2013-06-27 20:30:18.000000000 +0200
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 4 . 5 . 1 7 . 1
+ S H O R E W A L L 4 . 5 . 1 8
------------------------------------
- J u n e 0 2 , 2 0 1 3
+ J u n e 2 8 , 2 0 1 3
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -15,77 +15,30 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-4.5.17.1
+1) This release includes all defect repair from Shorewall 4.5.17.1.
-1) The following warning message may be emitted inappropriately when
- running shorewall 4.5.17. The message is no longer issued.
-
+2) The following warning message could be emitted inappropriately when
+ running shorewall 4.5.17.
+
The rule(s) generated by this entry are unreachable and have been
discarded
-2) Rules intended to increment nfacct objects would previously be
- optimized away when they immediately preceded an unconditional jump
- to the same target. Such rules are now retained.
+ These warnings, which were disabled in Shorewall 4.5.17.1, are now
+ only emitted where appropriate. The message has also been reworded
+ to:
-3) A bug in the optimizer in 4.5.17 can cause 'set' and 'geoip'
- matches to be dropped. That has been corrected.
+ One or more unreachable rules in chain <name> have been discarded
-4.5.17
+ The message is issued a maximum of once per Netfilter chain.
-1) When INLINE was used in the tcrules file and no target ('-j' part)
- is included in the free-form part of the rule, an invalid
- iptables rule was generated.
-
-2) Thanks to Roberto Sanchez, many typos in the manpages have been
- corrected.
-
-3) A number of issues have been corrected in the Debian and
- Redhat/Fedora Shorewall-init SysV init scripts:
-
- a) Settings in ${SHAREDIR}/vardir are now handled correctly.
-
- b) Exit status is now returned correctly.
-
- c) Stale lock files are avoided.
-
-4) When the compiled firewall script is run directly, it no longer
- attempts to copy itself onto itself using the 'cp' utility.
-
-5) An optimizer defect that could leave unreferenced chains in the
- configuration has been corrected.
-
-6) Unreferenced chains in the IPV6 nat table are now omitted.
-
-7) Rules with trivial exclusion (a single net or ipset preceded by
- '!') now generate the iptables matches in the correct
- order. Previously, the exclusion match(es) was(were) placed at the
- end. This is important in rules that auto-increment nfacct objects.
-
-8) Previously, conntrack helpers were enabled by the 'stop'
- command. Now, these helpers are only enabled by the 'clear'
- command.
-
-9) Previously, an interface label (e.g., dev:N) could be specified
- as the 'physical' interface in /etc/shorewall/interfaces. This
- is now disallowed.
+3) A problem that could cause the 'trace' compiler option to produce
+ false error messages or to produce an altered generated firewall
+ script has been corrected.
-10) The Perl function 'shorewall' was not previously exported by
- Shorewall::Config, with the result that the function had
- to be called as Shorewall::Config::shorewall(...). the function is
- now exported and can be called from ?BEGIN PERL blocks as simply
- shorewall(...).
+4) If the 'Owner Name Match' capability was not available, the
+ following error message would previously appear during compilation:
-11) Previously, two ICMPv6 type names were mis-translated.
-
- address-unreachable was translated to 1/2; should be 1/3
- port-unreachable was translated to 1/3; should be 1/4
-
- These translations have been corrected.
-
-12) If a TPROXY IPv6 address was specified in /etc/shorewall6/tcrules
- using the [<address>]/vlsm form (e.g.,
- 'TPROXY(0x100,3129,[2001:470:b:227::44]/64)') then an 'Invalid Address'
- error was issued. This has been corrected.
+ iptables: No chain/target/match by that name.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
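Review bot: Item 4 of the new PROBLEMS CORRECTED list stops at the symptom ("iptables: No chain/target/match by that name.") and never states what the corrected behaviour is, whereas items 1 to 3 each close with a resolution sentence; add one for item 4 so a reader knows the error is now avoided rather than merely documented. Also, the two 4.5.17.1 fixes deleted above (nfacct rules retained before an unconditional jump; 'set' and 'geoip' matches no longer dropped by the optimizer) now survive only as the generic "includes all defect repair from Shorewall 4.5.17.1" in item 1, which makes them hard to find for anyone upgrading straight from 4.5.17.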
@@ -98,81 +51,57 @@
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) Route types 'blackhole', 'unreachable' and 'prohibit' are no longer
- copied to provider routing tables by default when
- USE_DEFAULT_RT=No. You may cause them to be copied by including
- 'blackhole', 'unreachable' and/or 'prohibit' in the COPY list along
- with interface names.
-
-2) Previously, the generated script always added a host route to a
- provider's gateway in the provider's routing table. Beginning with
- this release, the 'noautosrc' provider option can be used to
- inhibit this behavior. 'noautosrc' must be used with care since the
- absense of such a route can cause start/restart runtime failures.
+1) 'NONE' policies are now instantiated between 'local' zone and zones
+ other than the firewall. Similarly, 'NONE' policies are
+ instantiated between 'loopback' zones and zones other than $FW
+ and other 'loopback' zones.
+
+ This provides a cleaner implementation than the one provided in
+ Shorewall 4.5.17, and one that should be easier to maintain going
+ forward.
+
+2) James Shubin has contributed a Kerberos macro.
+
+3) A new 'unmanaged' interface option has been added. This option may
+ be used to define interfaces that allow all traffic to/from the
+ firewall but that's all. They are not accessible from hosts on
+ other interfaces nor can traffic from an unmanaged interface be
+ forwarded to hosts on other interfaces.
+
+ The following interface options are mutually-exclusive with
+ 'unmanaged':
+
+ - blacklist
+ - bridge
+ - destonly
+ - detectnets
+ - dhcp
+ - maclist
+ - nets
+ - norfc1918
+ - nosmurfs
+ - optional
+ - routeback
+ - rpfilter
+ - sfilter
+ - tcpflags
+ - upnp
+ - upnpclient
+
+ Unmanaged interfaces may not be associated with a zone in either
+ the interfaces or hosts files.
+
+ The 'lo' interface may not be unmanaged when there are vserver
+ zones defined.
+
+4) The value (0 or 1) for the 'routeback' interface option may now
+ be specified (e.g., 'routeback=0'). This allows overriding the
+ Shorewall default setting for bridge devices which is
+ 'routeback=1'.
-3) A '-c' (conditional) option has been added to the 'compile' command.
- This option causes compilation to proceed if:
+5) The ?SHELL, ?PERL, ?BEGIN SHELL, ?END SHELL, ?BEGIN PERL and ?END
+ PERL directives are now case-insensitive.
- a) The specified (or defaulted) firewall script does not exist; or
- b) A file on the CONFIG_PATH (including any directory specified in
- the command) is newer than the existing script.
-
-4) A new interface option has been added.
-
- destonly
-
- Causes the compiler to omit rules to handle traffic arriving on
- the interface.
-
-5) It is now possible to use 'all+' in the SOURCE and DEST columns of
- /etc/shorewall[6]/policy file. It has the same meaning as in the
- rules file in that it can override default intra-zone ACCEPT
- policies.
-
-6) Beginning with this release, most special handling of 'Auth' (TCP
- port 113) has been removed. In particular, the Drop default action
- will no longer default to silently REJECTing Auth requests but will
- rather simply process them like other tcp packets.
-
-7) Traditionally, Shorewall has treated the loopback interface ('lo')
- as follows:
-
- - It deals with firewall-to-firewall, firewall-to-vserver,
- vserver-to-firewall, and vserver-to-vserver traffic.
- - All filtering is done in the OUTPUT flow; all traffic arriving on
- 'lo' is silently accepted.
- - If no firewall-to-firewall policy or rules are defined, then
- a simple ACCEPT rule is also included in the OUTPUT chain for
- 'lo' (after any vserver-oriented jumps).
-
- Beginning with this release, the handling of firewall-to-firewall
- traffic can be altered by adding a zone of type 'loopback'.
-
- - 'loopback' zones must be associated with the loopback device in
- the interfaces and/or hosts file.
-
- /etc/shorewall/zones
-
- #ZONE TYPE
- loop loopback
-
- /etc/shorewall/interfaces
-
- ?FORMAT 2
- #ZONE INTERFACE OPTIONS
- loop lo ...
-
- When this is done, the ACCEPT jumps for 'lo' in the INPUT and
- OUTPUT chains are omitted and replaced with jumps to the loop2fw
- and fw2loop (loop-fw and fw-lop) chains respectively. This
- provides a model similar to other zones for fireall-to-firewall
- traffic.
-
-8) A new 'local' zone TYPE has been added to /etc/shorewall[6]/zones.
- A 'local' zone is similar to an 'ipv4' ('ipv6') zone, except that
- rules and policies to/from a 'local' zone may only be to/from the
- firewall zone and vserver zones.
-
----------------------------------------------------------------------------
V. M I G R A T I O N I S S U E S
----------------------------------------------------------------------------
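Review bot: Item 3 should spell out the security consequence of 'unmanaged': because 'blacklist', 'rpfilter', 'sfilter', 'tcpflags' and 'nosmurfs' are listed as mutually exclusive with it, traffic to and from the firewall on an unmanaged interface receives none of those checks, and the note should say so plainly so an administrator can judge where the option is safe to use (for example "these protections do not apply on an unmanaged interface"). Item 4 would also read better with a comma before "which" in "the Shorewall default setting for bridge devices which is 'routeback=1'".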
@@ -376,6 +305,144 @@
----------------------------------------------------------------------------
V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S
----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 4 . 5 . 1 7
+----------------------------------------------------------------------------
+
+1) When INLINE was used in the tcrules file and no target ('-j' part)
+ is included in the free-form part of the rule, an invalid
+ iptables rule was generated.
+
+2) Thanks to Roberto Sanchez, many typos in the manpages have been
+ corrected.
+
+3) A number of issues have been corrected in the Debian and
+ Redhat/Fedora Shorewall-init SysV init scripts:
+
+ a) Settings in ${SHAREDIR}/vardir are now handled correctly.
+
+ b) Exit status is now returned correctly.
+
+ c) Stale lock files are avoided.
+
+4) When the compiled firewall script is run directly, it no longer
+ attempts to copy itself onto itself using the 'cp' utility.
+
+5) An optimizer defect that could leave unreferenced chains in the
+ configuration has been corrected.
+
+6) Unreferenced chains in the IPV6 nat table are now omitted.
+
+7) Rules with trivial exclusion (a single net or ipset preceded by
+ '!') now generate the iptables matches in the correct
+ order. Previously, the exclusion match(es) was(were) placed at the
+ end. This is important in rules that auto-increment nfacct objects.
+
+8) Previously, conntrack helpers were enabled by the 'stop'
+ command. Now, these helpers are only enabled by the 'clear'
+ command.
+
+9) Previously, an interface label (e.g., dev:N) could be specified
+ as the 'physical' interface in /etc/shorewall/interfaces. This
+ is now disallowed.
+
+10) The Perl function 'shorewall' was not previously exported by
+ Shorewall::Config, with the result that the function had
+ to be called as Shorewall::Config::shorewall(...). the function is
+ now exported and can be called from ?BEGIN PERL blocks as simply
+ shorewall(...).
+
+11) Previously, two ICMPv6 type names were mis-translated.
+
+ address-unreachable was translated to 1/2; should be 1/3
+ port-unreachable was translated to 1/3; should be 1/4
+
+ These translations have been corrected.
+
+12) If a TPROXY IPv6 address was specified in /etc/shorewall6/tcrules
+ using the [<address>]/vlsm form (e.g.,
+ 'TPROXY(0x100,3129,[2001:470:b:227::44]/64)') then an 'Invalid Address'
+ error was issued. This has been corrected.
+
+----------------------------------------------------------------------------
+ N E W F E A T U R E S I N 4 . 5 . 1 7
+----------------------------------------------------------------------------
+
+1) Route types 'blackhole', 'unreachable' and 'prohibit' are no longer
+ copied to provider routing tables by default when
+ USE_DEFAULT_RT=No. You may cause them to be copied by including
+ 'blackhole', 'unreachable' and/or 'prohibit' in the COPY list along
+ with interface names.
+
+2) Previously, the generated script always added a host route to a
+ provider's gateway in the provider's routing table. Beginning with
+ this release, the 'noautosrc' provider option can be used to
+ inhibit this behavior. 'noautosrc' must be used with care since the
+ absense of such a route can cause start/restart runtime failures.
+
+3) A '-c' (conditional) option has been added to the 'compile' command.
+ This option causes compilation to proceed if:
+
+ a) The specified (or defaulted) firewall script does not exist; or
+ b) A file on the CONFIG_PATH (including any directory specified in
+ the command) is newer than the existing script.
+
+4) A new interface option has been added.
+
+ destonly
+
+ Causes the compiler to omit rules to handle traffic arriving on
+ the interface.
+
+5) It is now possible to use 'all+' in the SOURCE and DEST columns of
+ /etc/shorewall[6]/policy file. It has the same meaning as in the
+ rules file in that it can override default intra-zone ACCEPT
+ policies.
+
+6) Beginning with this release, most special handling of 'Auth' (TCP
+ port 113) has been removed. In particular, the Drop default action
+ will no longer default to silently REJECTing Auth requests but will
+ rather simply process them like other tcp packets.
+
+7) Traditionally, Shorewall has treated the loopback interface ('lo')
+ as follows:
+
+ - It deals with firewall-to-firewall, firewall-to-vserver,
+ vserver-to-firewall, and vserver-to-vserver traffic.
+ - All filtering is done in the OUTPUT flow; all traffic arriving on
+ 'lo' is silently accepted.
+ - If no firewall-to-firewall policy or rules are defined, then
+ a simple ACCEPT rule is also included in the OUTPUT chain for
+ 'lo' (after any vserver-oriented jumps).
+
+ Beginning with this release, the handling of firewall-to-firewall
+ traffic can be altered by adding a zone of type 'loopback'.
+
+ - 'loopback' zones must be associated with the loopback device in
+ the interfaces and/or hosts file.
+
+ /etc/shorewall/zones
+
+ #ZONE TYPE
+ loop loopback
+
+ /etc/shorewall/interfaces
+
+ ?FORMAT 2
+ #ZONE INTERFACE OPTIONS
+ loop lo ...
+
+ When this is done, the ACCEPT jumps for 'lo' in the INPUT and
+ OUTPUT chains are omitted and replaced with jumps to the loop2fw
+ and fw2loop (loop-fw and fw-lop) chains respectively. This
+ provides a model similar to other zones for fireall-to-firewall
+ traffic.
+
+8) A new 'local' zone TYPE has been added to /etc/shorewall[6]/zones.
+ A 'local' zone is similar to an 'ipv4' ('ipv6') zone, except that
+ rules and policies to/from a 'local' zone may only be to/from the
+ firewall zone and vserver zones.
+
+----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 5 . 1 6
----------------------------------------------------------------------------
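Review bot: The text moved into section VI carries the typos of the original 4.5.17 notes, and the move is the moment to fix them: 'absense' (NEW FEATURES item 2) should be 'absence', 'fireall-to-firewall' (item 7) should be 'firewall-to-firewall', 'fw-lop' (item 7) should presumably be 'fw-loop' to match 'fw2loop', and "the function is now exported" (PROBLEMS CORRECTED item 10) needs a capital T after the full stop.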
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.17.1/shorewall-init.spec new/shorewall-init-4.5.18/shorewall-init.spec
--- old/shorewall-init-4.5.17.1/shorewall-init.spec 2013-06-02 23:05:16.000000000 +0200
+++ new/shorewall-init-4.5.18/shorewall-init.spec 2013-06-27 20:30:18.000000000 +0200
@@ -1,6 +1,6 @@
%define name shorewall-init
-%define version 4.5.17
-%define release 1
+%define version 4.5.18
+%define release 0base
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
Name: %{name}
@@ -125,8 +125,18 @@
%doc COPYING changelog.txt releasenotes.txt
%changelog
-* Sat Jun 01 2013 Tom Eastep tom@shorewall.net
-- Updated to 4.5.17-1
+* Thu Jun 27 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.18-0base
+* Mon Jun 24 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.18-0RC2
+* Mon Jun 17 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.18-0RC1
+* Tue Jun 11 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.18-0Beta3
+* Tue Jun 04 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.18-0Beta2
+* Thu May 30 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.18-0Beta1
* Mon May 27 2013 Tom Eastep tom@shorewall.net
- Updated to 4.5.17-0base
* Sun May 26 2013 Tom Eastep tom@shorewall.net
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.17.1/uninstall.sh new/shorewall-init-4.5.18/uninstall.sh
--- old/shorewall-init-4.5.17.1/uninstall.sh 2013-06-02 23:05:16.000000000 +0200
+++ new/shorewall-init-4.5.18/uninstall.sh 2013-06-27 20:30:18.000000000 +0200
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.5.17.1
+VERSION=4.5.18
usage() # $1 = exit status
{
++++++ shorewall-lite-4.5.17.1.tar.bz2 -> shorewall-lite-4.5.18.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.17.1/changelog.txt new/shorewall-lite-4.5.18/changelog.txt
--- old/shorewall-lite-4.5.17.1/changelog.txt 2013-06-02 23:05:16.000000000 +0200
+++ new/shorewall-lite-4.5.18/changelog.txt 2013-06-27 20:30:18.000000000 +0200
@@ -1,13 +1,46 @@
-Changes in 4.5.17.1
+Changes in 4.5.18 Final
1) Update release documents.
-2) Don't issue 'unreachable" warnings.
+Changes in 4.5.18 RC 2
-3) Don't delete nfacct rules that have the same target as the
- terminating rule.
+1) Update release documents.
+
+2) Fix 'qt' and bridge detection.
+
+Changes in 4.5.18 RC 1
+
+1) Update release documents.
+
+2) Make ?...shell/perl directives case-insensitive.
+
+Changes in 4.5.18 Beta 3
+
+1) Update release documents.
+
+2) Reword 'unreachable' warning.
+
+3) Remove incorrect statement from the Macro article.
+
+4) Make 'routeback' a binary option.
-4) Corrent optimization of expensive matches
+Changes in 4.5.18 Beta 2
+
+1) Update release documents.
+
+2) Add Kerberos macro from James Shubin
+
+3) Allow 'unmanaged' interfaces.
+
+Changes in 4.5.18 Beta 1
+
+1) Update release documents.
+
+2) Merge 4.5.17.1 fixes.
+
+3) Re-implement 'discarded' message.
+
+4) Replace ersatz logic with NONE policies.
Changes in 4.5.17 Final
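Review bot: The 'Changes in 4.5.18 RC 2' entry "Fix 'qt' and bridge detection" has no counterpart in the PROBLEMS CORRECTED section of releasenotes.txt in this same update, which lists only the 4.5.17.1 merge, the unreachable-rules warning, the 'trace' option and the 'Owner Name Match' error; either add it to the release notes or state why it is not user-visible. Minor: "Add Kerberos macro from James Shubin" is the only entry without a terminating full stop.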
@@ -21,6 +54,10 @@
5) Fix minor IPv6 TPROXY bug.
+6) Rework 'unreachable' warning implementation.
+
+7) Don't drop 'nfacct' rules.
+
Changes in 4.5.17 RC 2
1) Update release documents.
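Review bot: Entries 6) and 7) are being appended to 'Changes in 4.5.17 Final' while the 'Changes in 4.5.17.1' section that previously held the same fixes ("Don't issue 'unreachable' warnings", "Don't delete nfacct rules that have the same target as the terminating rule") is deleted in the hunk above, so the changelog now attributes the point-release fixes to 4.5.17 itself; the third 4.5.17.1 entry, "Corrent optimization of expensive matches", disappears from the changelog altogether. Keep a 'Changes in 4.5.17.1' section with all three entries (and fix "Corrent" to "Correct" while doing so).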
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.17.1/configure new/shorewall-lite-4.5.18/configure
--- old/shorewall-lite-4.5.17.1/configure 2013-06-02 23:05:16.000000000 +0200
+++ new/shorewall-lite-4.5.18/configure 2013-06-27 20:30:18.000000000 +0200
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=4.5.17.1
+VERSION=4.5.18
case "$BASH_VERSION" in
[4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.17.1/configure.pl new/shorewall-lite-4.5.18/configure.pl
--- old/shorewall-lite-4.5.17.1/configure.pl 2013-06-02 23:05:16.000000000 +0200
+++ new/shorewall-lite-4.5.18/configure.pl 2013-06-27 20:30:18.000000000 +0200
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '4.5.17.1'
+ VERSION => '4.5.18'
};
my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.17.1/install.sh new/shorewall-lite-4.5.18/install.sh
--- old/shorewall-lite-4.5.17.1/install.sh 2013-06-02 23:05:16.000000000 +0200
+++ new/shorewall-lite-4.5.18/install.sh 2013-06-27 20:30:18.000000000 +0200
@@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
-VERSION=4.5.17.1
+VERSION=4.5.18
usage() # $1 = exit status
{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.17.1/manpages/shorewall-lite-vardir.5 new/shorewall-lite-4.5.18/manpages/shorewall-lite-vardir.5
--- old/shorewall-lite-4.5.17.1/manpages/shorewall-lite-vardir.5 2013-06-02 23:11:09.000000000 +0200
+++ new/shorewall-lite-4.5.18/manpages/shorewall-lite-vardir.5 2013-06-27 20:36:11.000000000 +0200
@@ -2,12 +2,12 @@
.\" Title: shorewall-lite-vardir
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.75.2 http://docbook.sf.net/
-.\" Date: 06/02/2013
+.\" Date: 06/27/2013
.\" Manual: [FIXME: manual]
.\" Source: [FIXME: source]
.\" Language: English
.\"
-.TH "SHOREWALL\-LITE\-VAR" "5" "06/02/2013" "[FIXME: source]" "[FIXME: manual]"
+.TH "SHOREWALL\-LITE\-VAR" "5" "06/27/2013" "[FIXME: source]" "[FIXME: manual]"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.17.1/manpages/shorewall-lite.8 new/shorewall-lite-4.5.18/manpages/shorewall-lite.8
--- old/shorewall-lite-4.5.17.1/manpages/shorewall-lite.8 2013-06-02 23:11:11.000000000 +0200
+++ new/shorewall-lite-4.5.18/manpages/shorewall-lite.8 2013-06-27 20:36:13.000000000 +0200
@@ -2,12 +2,12 @@
.\" Title: shorewall-lite
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.75.2 http://docbook.sf.net/
-.\" Date: 06/02/2013
+.\" Date: 06/27/2013
.\" Manual: [FIXME: manual]
.\" Source: [FIXME: source]
.\" Language: English
.\"
-.TH "SHOREWALL\-LITE" "8" "06/02/2013" "[FIXME: source]" "[FIXME: manual]"
+.TH "SHOREWALL\-LITE" "8" "06/27/2013" "[FIXME: source]" "[FIXME: manual]"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.17.1/manpages/shorewall-lite.conf.5 new/shorewall-lite-4.5.18/manpages/shorewall-lite.conf.5
--- old/shorewall-lite-4.5.17.1/manpages/shorewall-lite.conf.5 2013-06-02 23:11:07.000000000 +0200
+++ new/shorewall-lite-4.5.18/manpages/shorewall-lite.conf.5 2013-06-27 20:36:09.000000000 +0200
@@ -2,12 +2,12 @@
.\" Title: shorewall-lite.conf
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.75.2 http://docbook.sf.net/
-.\" Date: 06/02/2013
+.\" Date: 06/27/2013
.\" Manual: [FIXME: manual]
.\" Source: [FIXME: source]
.\" Language: English
.\"
-.TH "SHOREWALL\-LITE\&.CO" "5" "06/02/2013" "[FIXME: source]" "[FIXME: manual]"
+.TH "SHOREWALL\-LITE\&.CO" "5" "06/27/2013" "[FIXME: source]" "[FIXME: manual]"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.17.1/releasenotes.txt new/shorewall-lite-4.5.18/releasenotes.txt
--- old/shorewall-lite-4.5.17.1/releasenotes.txt 2013-06-02 23:05:16.000000000 +0200
+++ new/shorewall-lite-4.5.18/releasenotes.txt 2013-06-27 20:30:18.000000000 +0200
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 4 . 5 . 1 7 . 1
+ S H O R E W A L L 4 . 5 . 1 8
------------------------------------
- J u n e 0 2 , 2 0 1 3
+ J u n e 2 8 , 2 0 1 3
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -15,77 +15,30 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-4.5.17.1
+1) This release includes all defect repair from Shorewall 4.5.17.1.
-1) The following warning message may be emitted inappropriately when
- running shorewall 4.5.17. The message is no longer issued.
-
+2) The following warning message could be emitted inappropriately when
+ running shorewall 4.5.17.
+
The rule(s) generated by this entry are unreachable and have been
discarded
-2) Rules intended to increment nfacct objects would previously be
- optimized away when they immediately preceded an unconditional jump
- to the same target. Such rules are now retained.
+ These warnings, which were disabled in Shorewall 4.5.17.1, are now
+ only emitted where appropriate. The message has also been reworded
+ to:
-3) A bug in the optimizer in 4.5.17 can cause 'set' and 'geoip'
- matches to be dropped. That has been corrected.
+ One or more unreachable rules in chain <name> have been discarded
-4.5.17
+ The message is issued a maximum of once per Netfilter chain.
-1) When INLINE was used in the tcrules file and no target ('-j' part)
- is included in the free-form part of the rule, an invalid
- iptables rule was generated.
-
-2) Thanks to Roberto Sanchez, many typos in the manpages have been
- corrected.
-
-3) A number of issues have been corrected in the Debian and
- Redhat/Fedora Shorewall-init SysV init scripts:
-
- a) Settings in ${SHAREDIR}/vardir are now handled correctly.
-
- b) Exit status is now returned correctly.
-
- c) Stale lock files are avoided.
-
-4) When the compiled firewall script is run directly, it no longer
- attempts to copy itself onto itself using the 'cp' utility.
-
-5) An optimizer defect that could leave unreferenced chains in the
- configuration has been corrected.
-
-6) Unreferenced chains in the IPV6 nat table are now omitted.
-
-7) Rules with trivial exclusion (a single net or ipset preceded by
- '!') now generate the iptables matches in the correct
- order. Previously, the exclusion match(es) was(were) placed at the
- end. This is important in rules that auto-increment nfacct objects.
-
-8) Previously, conntrack helpers were enabled by the 'stop'
- command. Now, these helpers are only enabled by the 'clear'
- command.
-
-9) Previously, an interface label (e.g., dev:N) could be specified
- as the 'physical' interface in /etc/shorewall/interfaces. This
- is now disallowed.
+3) A problem that could cause the 'trace' compiler option to produce
+ false error messages or to produce an altered generated firewall
+ script has been corrected.
-10) The Perl function 'shorewall' was not previously exported by
- Shorewall::Config, with the result that the function had
- to be called as Shorewall::Config::shorewall(...). the function is
- now exported and can be called from ?BEGIN PERL blocks as simply
- shorewall(...).
+4) If the 'Owner Name Match' capability was not available, the
+ following error message would previously appear during compilation:
-11) Previously, two ICMPv6 type names were mis-translated.
-
- address-unreachable was translated to 1/2; should be 1/3
- port-unreachable was translated to 1/3; should be 1/4
-
- These translations have been corrected.
-
-12) If a TPROXY IPv6 address was specified in /etc/shorewall6/tcrules
- using the [<address>]/vlsm form (e.g.,
- 'TPROXY(0x100,3129,[2001:470:b:227::44]/64)') then an 'Invalid Address'
- error was issued. This has been corrected.
+ iptables: No chain/target/match by that name.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
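Review bot: This releasenotes.txt hunk is an exact duplicate of the shorewall-init one in the same commit and has the same gap: item 4 ends with the error message "iptables: No chain/target/match by that name." and never states the corrected behaviour, unlike items 1 to 3. Whatever resolution sentence is added must go into every duplicated copy of releasenotes.txt in this update, otherwise the packages ship diverging release notes.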
@@ -98,81 +51,57 @@
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) Route types 'blackhole', 'unreachable' and 'prohibit' are no longer
- copied to provider routing tables by default when
- USE_DEFAULT_RT=No. You may cause them to be copied by including
- 'blackhole', 'unreachable' and/or 'prohibit' in the COPY list along
- with interface names.
-
-2) Previously, the generated script always added a host route to a
- provider's gateway in the provider's routing table. Beginning with
- this release, the 'noautosrc' provider option can be used to
- inhibit this behavior. 'noautosrc' must be used with care since the
- absense of such a route can cause start/restart runtime failures.
+1) 'NONE' policies are now instantiated between 'local' zone and zones
+ other than the firewall. Similarly, 'NONE' policies are
+ instantiated between 'loopback' zones and zones other than $FW
+ and other 'loopback' zones.
+
+ This provides a cleaner implementation than the one provided in
+ Shorewall 4.5.17, and one that should be easier to maintain going
+ forward.
+
+2) James Shubin has contributed a Kerberos macro.
+
+3) A new 'unmanaged' interface option has been added. This option may
+ be used to define interfaces that allow all traffic to/from the
+ firewall but that's all. They are not accessible from hosts on
+ other interfaces nor can traffic from an unmanaged interface be
+ forwarded to hosts on other interfaces.
+
+ The following interface options are mutually-exclusive with
+ 'unmanaged':
+
+ - blacklist
+ - bridge
+ - destonly
+ - detectnets
+ - dhcp
+ - maclist
+ - nets
+ - norfc1918
+ - nosmurfs
+ - optional
+ - routeback
+ - rpfilter
+ - sfilter
+ - tcpflags
+ - upnp
+ - upnpclient
+
+ Unmanaged interfaces may not be associated with a zone in either
+ the interfaces or hosts files.
+
+ The 'lo' interface may not be unmanaged when there are vserver
+ zones defined.
+
+4) The value (0 or 1) for the 'routeback' interface option may now
+ be specified (e.g., 'routeback=0'). This allows overriding the
+ Shorewall default setting for bridge devices which is
+ 'routeback=1'.
-3) A '-c' (conditional) option has been added to the 'compile' command.
- This option causes compilation to proceed if:
+5) The ?SHELL, ?PERL, ?BEGIN SHELL, ?END SHELL, ?BEGIN PERL and ?END
+ PERL directives are now case-insensitive.
- a) The specified (or defaulted) firewall script does not exist; or
- b) A file on the CONFIG_PATH (including any directory specified in
- the command) is newer than the existing script.
-
-4) A new interface option has been added.
-
- destonly
-
- Causes the compiler to omit rules to handle traffic arriving on
- the interface.
-
-5) It is now possible to use 'all+' in the SOURCE and DEST columns of
- /etc/shorewall[6]/policy file. It has the same meaning as in the
- rules file in that it can override default intra-zone ACCEPT
- policies.
-
-6) Beginning with this release, most special handling of 'Auth' (TCP
- port 113) has been removed. In particular, the Drop default action
- will no longer default to silently REJECTing Auth requests but will
- rather simply process them like other tcp packets.
-
-7) Traditionally, Shorewall has treated the loopback interface ('lo')
- as follows:
-
- - It deals with firewall-to-firewall, firewall-to-vserver,
- vserver-to-firewall, and vserver-to-vserver traffic.
- - All filtering is done in the OUTPUT flow; all traffic arriving on
- 'lo' is silently accepted.
- - If no firewall-to-firewall policy or rules are defined, then
- a simple ACCEPT rule is also included in the OUTPUT chain for
- 'lo' (after any vserver-oriented jumps).
-
- Beginning with this release, the handling of firewall-to-firewall
- traffic can be altered by adding a zone of type 'loopback'.
-
- - 'loopback' zones must be associated with the loopback device in
- the interfaces and/or hosts file.
-
- /etc/shorewall/zones
-
- #ZONE TYPE
- loop loopback
-
- /etc/shorewall/interfaces
-
- ?FORMAT 2
- #ZONE INTERFACE OPTIONS
- loop lo ...
-
- When this is done, the ACCEPT jumps for 'lo' in the INPUT and
- OUTPUT chains are omitted and replaced with jumps to the loop2fw
- and fw2loop (loop-fw and fw-lop) chains respectively. This
- provides a model similar to other zones for fireall-to-firewall
- traffic.
-
-8) A new 'local' zone TYPE has been added to /etc/shorewall[6]/zones.
- A 'local' zone is similar to an 'ipv4' ('ipv6') zone, except that
- rules and policies to/from a 'local' zone may only be to/from the
- firewall zone and vserver zones.
-
----------------------------------------------------------------------------
V. M I G R A T I O N I S S U E S
----------------------------------------------------------------------------
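Review bot: Item 3 lists 'blacklist', 'rpfilter', 'sfilter', 'tcpflags' and 'nosmurfs' as mutually exclusive with 'unmanaged' but never says outright that those protections therefore do not apply to traffic on an unmanaged interface; one sentence stating that would let an administrator judge where the option is safe to use. Because this text is duplicated between the shorewall-init and shorewall-lite release notes, apply the same edit to both copies.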
@@ -376,6 +305,144 @@
----------------------------------------------------------------------------
V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S
----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 4 . 5 . 1 7
+----------------------------------------------------------------------------
+
+1) When INLINE was used in the tcrules file and no target ('-j' part)
+ is included in the free-form part of the rule, an invalid
+ iptables rule was generated.
+
+2) Thanks to Roberto Sanchez, many typos in the manpages have been
+ corrected.
+
+3) A number of issues have been corrected in the Debian and
+ Redhat/Fedora Shorewall-init SysV init scripts:
+
+ a) Settings in ${SHAREDIR}/vardir are now handled correctly.
+
+ b) Exit status is now returned correctly.
+
+ c) Stale lock files are avoided.
+
+4) When the compiled firewall script is run directly, it no longer
+ attempts to copy itself onto itself using the 'cp' utility.
+
+5) An optimizer defect that could leave unreferenced chains in the
+ configuration has been corrected.
+
+6) Unreferenced chains in the IPV6 nat table are now omitted.
+
+7) Rules with trivial exclusion (a single net or ipset preceded by
+ '!') now generate the iptables matches in the correct
+ order. Previously, the exclusion match(es) was(were) placed at the
+ end. This is important in rules that auto-increment nfacct objects.
+
+8) Previously, conntrack helpers were enabled by the 'stop'
+ command. Now, these helpers are only enabled by the 'clear'
+ command.
+
+9) Previously, an interface label (e.g., dev:N) could be specified
+ as the 'physical' interface in /etc/shorewall/interfaces. This
+ is now disallowed.
+
+10) The Perl function 'shorewall' was not previously exported by
+ Shorewall::Config, with the result that the function had
+ to be called as Shorewall::Config::shorewall(...). the function is
+ now exported and can be called from ?BEGIN PERL blocks as simply
+ shorewall(...).
+
+11) Previously, two ICMPv6 type names were mis-translated.
+
+ address-unreachable was translated to 1/2; should be 1/3
+ port-unreachable was translated to 1/3; should be 1/4
+
+ These translations have been corrected.
+
+12) If a TPROXY IPv6 address was specified in /etc/shorewall6/tcrules
+ using the [<address>]/vlsm form (e.g.,
+ 'TPROXY(0x100,3129,[2001:470:b:227::44]/64)') then an 'Invalid Address'
+ error was issued. This has been corrected.
+
+----------------------------------------------------------------------------
+ N E W F E A T U R E S I N 4 . 5 . 1 7
+----------------------------------------------------------------------------
+
+1) Route types 'blackhole', 'unreachable' and 'prohibit' are no longer
+ copied to provider routing tables by default when
+ USE_DEFAULT_RT=No. You may cause them to be copied by including
+ 'blackhole', 'unreachable' and/or 'prohibit' in the COPY list along
+ with interface names.
+
+2) Previously, the generated script always added a host route to a
+ provider's gateway in the provider's routing table. Beginning with
+ this release, the 'noautosrc' provider option can be used to
+ inhibit this behavior. 'noautosrc' must be used with care since the
+ absense of such a route can cause start/restart runtime failures.
+
+3) A '-c' (conditional) option has been added to the 'compile' command.
+ This option causes compilation to proceed if:
+
+ a) The specified (or defaulted) firewall script does not exist; or
+ b) A file on the CONFIG_PATH (including any directory specified in
+ the command) is newer than the existing script.
+
+4) A new interface option has been added.
+
+ destonly
+
+ Causes the compiler to omit rules to handle traffic arriving on
+ the interface.
+
+5) It is now possible to use 'all+' in the SOURCE and DEST columns of
+ /etc/shorewall[6]/policy file. It has the same meaning as in the
+ rules file in that it can override default intra-zone ACCEPT
+ policies.
+
+6) Beginning with this release, most special handling of 'Auth' (TCP
+ port 113) has been removed. In particular, the Drop default action
+ will no longer default to silently REJECTing Auth requests but will
+ rather simply process them like other tcp packets.
+
+7) Traditionally, Shorewall has treated the loopback interface ('lo')
+ as follows:
+
+ - It deals with firewall-to-firewall, firewall-to-vserver,
+ vserver-to-firewall, and vserver-to-vserver traffic.
+ - All filtering is done in the OUTPUT flow; all traffic arriving on
+ 'lo' is silently accepted.
+ - If no firewall-to-firewall policy or rules are defined, then
+ a simple ACCEPT rule is also included in the OUTPUT chain for
+ 'lo' (after any vserver-oriented jumps).
+
+ Beginning with this release, the handling of firewall-to-firewall
+ traffic can be altered by adding a zone of type 'loopback'.
+
+ - 'loopback' zones must be associated with the loopback device in
+ the interfaces and/or hosts file.
+
+ /etc/shorewall/zones
+
+ #ZONE TYPE
+ loop loopback
+
+ /etc/shorewall/interfaces
+
+ ?FORMAT 2
+ #ZONE INTERFACE OPTIONS
+ loop lo ...
+
+ When this is done, the ACCEPT jumps for 'lo' in the INPUT and
+ OUTPUT chains are omitted and replaced with jumps to the loop2fw
+ and fw2loop (loop-fw and fw-lop) chains respectively. This
+ provides a model similar to other zones for fireall-to-firewall
+ traffic.
+
+8) A new 'local' zone TYPE has been added to /etc/shorewall[6]/zones.
+ A 'local' zone is similar to an 'ipv4' ('ipv6') zone, except that
+ rules and policies to/from a 'local' zone may only be to/from the
+ firewall zone and vserver zones.
+
+----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 5 . 1 6
----------------------------------------------------------------------------
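Review bot: several typos in the added release-note text should be fixed before this ships. In the NEW FEATURES list: item 2 has "absense" (should be "absence"); item 7 has "fw-lop" in the parenthetical chain names (should be "fw-loop", matching "loop-fw") and "fireall-to-firewall" (should be "firewall-to-firewall"). In the PROBLEMS CORRECTED list, item 10 starts a sentence with a lowercase "the function is now exported"; capitalise it. The rest of the added text reads consistently with the headings it sits under.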
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.17.1/shorewall-lite.spec new/shorewall-lite-4.5.18/shorewall-lite.spec
--- old/shorewall-lite-4.5.17.1/shorewall-lite.spec 2013-06-02 23:05:16.000000000 +0200
+++ new/shorewall-lite-4.5.18/shorewall-lite.spec 2013-06-27 20:30:18.000000000 +0200
@@ -1,6 +1,6 @@
%define name shorewall-lite
-%define version 4.5.17
-%define release 1
+%define version 4.5.18
+%define release 0base
%define initdir /etc/init.d
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
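Review bot: style point on the unchanged context line `Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.` in this hunk: rpmlint reports a Summary that ends with a period (summary-ended-with-dot). Since the header is already being touched for the version/release bump, drop the trailing period at the same time.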
@@ -105,8 +105,18 @@
%doc COPYING changelog.txt releasenotes.txt
%changelog
-* Sat Jun 01 2013 Tom Eastep tom@shorewall.net
-- Updated to 4.5.17-1
+* Thu Jun 27 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.18-0base
+* Mon Jun 24 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.18-0RC2
+* Mon Jun 17 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.18-0RC1
+* Tue Jun 11 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.18-0Beta3
+* Tue Jun 04 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.18-0Beta2
+* Thu May 30 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.18-0Beta1
* Mon May 27 2013 Tom Eastep tom@shorewall.net
- Updated to 4.5.17-0base
* Sun May 26 2013 Tom Eastep tom@shorewall.net
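Review bot: the new %changelog headers use the form `* Thu Jun 27 2013 Tom Eastep tom@shorewall.net` with no angle brackets around the address; the conventional rpm form is `* Thu Jun 27 2013 Tom Eastep <tom@shorewall.net> - 4.5.18-0base`, which also puts the version-release on the header line instead of only in the body. The weekday/date pairs in the six added entries are correct, and the top entry's date matches the file's 2013-06-27 timestamp, so only the author-field formatting needs attention.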
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.17.1/uninstall.sh new/shorewall-lite-4.5.18/uninstall.sh
--- old/shorewall-lite-4.5.17.1/uninstall.sh 2013-06-02 23:05:16.000000000 +0200
+++ new/shorewall-lite-4.5.18/uninstall.sh 2013-06-27 20:30:18.000000000 +0200
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.5.17.1
+VERSION=4.5.18
usage() # $1 = exit status
{
++++++ shorewall-4.5.17.1.tar.bz2 -> shorewall6-4.5.18.tar.bz2 ++++++
++++ 116158 lines of diff (skipped)
++++++ shorewall-lite-4.5.17.1.tar.bz2 -> shorewall6-lite-4.5.18.tar.bz2 ++++++
++++ 7382 lines of diff (skipped)
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org