Hello community,
here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2013-10-04 12:13:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shorewall (Old)
and /work/SRC/openSUSE:Factory/.shorewall.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall"
Changes:
--------
--- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2013-08-30 11:49:25.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes 2013-10-04 12:13:37.000000000 +0200
@@ -1,0 +2,48 @@
+Thu Oct 3 17:23:05 UTC 2013 - toganm@opensuse.org
+
+- Update to version 4.5.21 For more details see changelog.txt and
+ releasenotes.txt
+
+ * ip[6]tables 1.4.20 introduced an incompatible change that
+ causes the program to fail if there is another instance of either
+ iptables or ip6tables already running. This behavior can be avoided
+ if the new -w option is specified.
+
+ To work around this problem, the compiler now uses the -w
+ option (when available) during capabilities determination so that
+ shorewall and shorewall6 compilations can proceed in parallel.
+
+ * Previously, the Shorewall-init installer unconditionally
+ installed the sysconfig file even when a different SYSCONFFILE was
+ specified. (Thomas D).
+
+ * /sbin/shorewall-init now includes the correct SYSCONFDIR name
+ in its error message that reports the absense of
+ ${SYSCONFDIR}/shorewall-init. (Thomas D).
+
+ * /sbin/shorewall-init and the Shorewall-init SysV init scripts
+ now honor the setting of $OPTIONS.
+
+ * The -lite installers now look in ${SHAREDIR} for the
+ coreversion file rather than in /usr/share/.
+
+ * If a Shorewall-lite installation used an
+ /etc/shorewall-lite/vardir file to set a non-standard state
+ directory, the administrative system would send the firewall
+ and firewall.conf files to the wrong directory on the firewall
+ system.
+
+ * Previously, the compiler verified 'monthdays' specifications in
+ the rules TIME column, but failed to include --monthdays in the
+ generated rule. That omission has been corrected.
+
+ * The Multicast DNS macros (mDNS and mDNSbi) now allow the entire
+ non-priv port range (1024-65535) for the the dynamic unicast
+ port. Previously, only the Linux 2.6+ dynamic port range
+ (32768-65535) were allowed.
+
+- Spec file changes
+ * Add 0001-fillup-install.patch
+ * Remove shorewall-init-4.5.15-install.patch
+
+-------------------------------------------------------------------
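Review bot: the new entry copies upstream's typos into the package changelog: 'absense' (in the item about the ${SYSCONFDIR}/shorewall-init error message) should be 'absence', 'the the dynamic unicast port' has a doubled word, and 'Update to version 4.5.21 For more details' needs a period after the version. Worth fixing here, since the .changes text is what ends up in the package's changelog for users.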
Old:
----
shorewall-4.5.20.tar.bz2
shorewall-core-4.5.20.tar.bz2
shorewall-docs-html-4.5.20.tar.bz2
shorewall-init-4.5.15-install.patch
shorewall-init-4.5.20.tar.bz2
shorewall-lite-4.5.20.tar.bz2
shorewall6-4.5.20.tar.bz2
shorewall6-lite-4.5.20.tar.bz2
New:
----
0001-fillup-install.patch
shorewall-4.5.21.tar.bz2
shorewall-core-4.5.21.tar.bz2
shorewall-docs-html-4.5.21.tar.bz2
shorewall-init-4.5.21.tar.bz2
shorewall-lite-4.5.21.tar.bz2
shorewall6-4.5.21.tar.bz2
shorewall6-lite-4.5.21.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ shorewall.spec ++++++
--- /var/tmp/diff_new_pack.abeskA/_old 2013-10-04 12:13:38.000000000 +0200
+++ /var/tmp/diff_new_pack.abeskA/_new 2013-10-04 12:13:38.000000000 +0200
@@ -20,25 +20,25 @@
%define have_systemd 1
Name: shorewall
-Version: 4.5.20
+Version: 4.5.21
Release: 0
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems
License: GPL-2.0
Group: Productivity/Networking/Security
Url: http://www.shorewall.net/
-Source: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.20/%name-%version.t...
-Source1: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.20/%name-core-%vers...
-Source2: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.20/%name-lite-%vers...
-Source3: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.20/%name-init-%vers...
-Source4: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.20/%{name}6-lite-%version.tar.bz2
-Source5: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.20/%{name}6-%version.tar.bz2
-Source6: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.20/%name-docs-html-...
+Source: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.21/%name-%version.t...
+Source1: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.21/%name-core-%vers...
+Source2: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.21/%name-lite-%vers...
+Source3: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.21/%name-init-%vers...
+Source4: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.21/%{name}6-lite-%version.tar.bz2
+Source5: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.21/%{name}6-%version.tar.bz2
+Source6: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.21/%name-docs-html-...
Source7: %name-4.4.22.rpmlintrc
Source8: README.openSUSE
# PATCH-FIX-UPSTREAM toganm@opensuse.org Shorewall-lite init.suse.sh Required Stop
Patch0: 0001-required-stop-fix.patch
-# PATCH-FIX-OPENSUSE shorewall-init-4.5.15-install.patch toganm@opensuse.org -- use of fillup template
-Patch1: shorewall-init-4.5.15-install.patch
+# PATCH-FIX-OPENSUSE Shorewall-init install toganm@opensuse.org -- use of fillup template
+Patch1: 0001-fillup-install.patch
# PATCH-FIX-UPSTREAM toganm@opensuse.org Shorewall-init init.suse.sh Required Start
Patch2: 0001-remote_fs.patch
%if 0%{?suse_version} >= 1210 || 0%{?fedora_version}
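Review bot: the new Patch1 tag line drops the patch file name; the openSUSE patch-tagging convention is `# PATCH-FIX-OPENSUSE <patchname> <email> -- <comment>`, so it should read `# PATCH-FIX-OPENSUSE 0001-fillup-install.patch toganm@opensuse.org -- use of fillup template`, matching the form of the line it replaces. Since the patch adds distro-specific installer behaviour rather than correcting a bug, PATCH-FEATURE-OPENSUSE may also be the more accurate tag.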
++++++ 0001-fillup-install.patch ++++++
From ed7338223d29d91b5d4dc2e6ab09c650286136f1 Mon Sep 17 00:00:00 2001
From: Togan Muftuoglu
Date: Thu, 3 Oct 2013 19:49:17 +0200
Subject: [PATCH] fillup install
openSUSE uses fillup to add or remove /etc/sysconfig/ items. This commit
provides this approach to Shorewall-init install file
Signed-off-by: Togan Muftuoglu
---
install.sh | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/install.sh b/install.sh
index 4b659df..30fc80e 100755
--- a/install.sh
+++ b/install.sh
@@ -392,10 +392,16 @@ else
fi
fi
+ if [ $HOST = suse ]; then
+ mkdir -p ${DESTDIR}/var/adm/fillup-templates
+ install_file sysconfig ${DESTDIR}/var/adm/fillup-templates/sysconfig.shorewall-init 0644
+ else
+
if [ -n "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
fi
+ fi
[ $HOST = suse ] && IFUPDOWN=ifupdown.suse.sh || IFUPDOWN=ifupdown.fedora.sh
fi
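Review bot: the new suse branch hardcodes the source file `sysconfig` and installs it unconditionally, while the else branch it bypasses honours `$SYSCONFFILE` (guarded by `-n "$SYSCONFFILE"`) and leaves an existing file alone. shorewallrc.suse in this same release sets `SYSCONFFILE=sysconfig`, so use `${SYSCONFFILE}` and keep the `-n` guard; otherwise an alternative SYSCONFFILE, the exact case upstream fixed in 4.5.21, is ignored again on openSUSE. Three smaller points: mirror the else branch's `echo "... installed in ..."` so the fillup-template install is logged; quote `"$HOST"` in the test, since an unset HOST turns `[ $HOST = suse ]` into the syntax error `[ = suse ]`; and drop the stray blank `+` line after `else`.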
--
1.8.4
++++++ shorewall-4.5.20.tar.bz2 -> shorewall-4.5.21.tar.bz2 ++++++
++++ 3131 lines of diff (skipped)
++++++ shorewall-core-4.5.20.tar.bz2 -> shorewall-core-4.5.21.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.20/changelog.txt new/shorewall-core-4.5.21/changelog.txt
--- old/shorewall-core-4.5.20/changelog.txt 2013-08-26 19:19:17.000000000 +0200
+++ new/shorewall-core-4.5.21/changelog.txt 2013-10-03 16:59:42.000000000 +0200
@@ -1,3 +1,57 @@
+Changes in 4.5.21 Final
+
+1) Update release documents.
+
+2) Enable 'monthdays' in the TIME column.
+
+3) Use insserv on Debian.
+
+4) Clean up uninstall.sh scripts
+
+5) Display firewall's compiled version in status and version output.
+
+Changes in 4.5.21-RC1
+
+1) Update release documents.
+
+2) Correct handling of litedir
+
+3) Add 'nostroute' and 'nohostroute' options to providers.
+
+4) Fix some broken links in the Howtos.
+
+5) Allow Perl code in an action to manipulate the current rule comment.
+
+Changes in 4.5.21-Beta3
+
+1) Update release documents.
+
+2) Apply Martin Gignac's ss/arp patch
+
+3) Apply Thommas D's Gentoo installer patch
+
+Changes in 4.5.21-Beta2
+
+1) Update release documents.
+
+2) Validate default log levels to catch absense of LOG_TARGET support.
+
+3) Apply several Shorewall-init patches from Thomas D.
+
+4) Make Shorewall-init obey OPTIONS setting.
+
+5) Modify /sbin/shorewall-init when $SHAREDIR isn't /usr/share
+
+6) Correct -lite installer's checks for coreversion
+
+Changes in 4.5.21-Beta1
+
+1) Update release documents.
+
+2) Implement REJECT_ACTION option.
+
+3) Use the ip[6]tables -w option when available.
+
Changes in 4.5.20 Final
1) Update release documents.
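Review bot: three typos in the new entries: 'nostroute' under 4.5.21-RC1 item 3 should be 'hostroute' (the option pair documented in releasenotes.txt is hostroute/nohostroute), 'Thommas D' under Beta3 item 3 should be 'Thomas D', and 'absense' under Beta2 item 2 should be 'absence'.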
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.20/configure new/shorewall-core-4.5.21/configure
--- old/shorewall-core-4.5.20/configure 2013-08-26 19:19:16.000000000 +0200
+++ new/shorewall-core-4.5.21/configure 2013-10-03 16:59:41.000000000 +0200
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=4.5.20
+VERSION=4.5.21
case "$BASH_VERSION" in
[4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.20/configure.pl new/shorewall-core-4.5.21/configure.pl
--- old/shorewall-core-4.5.20/configure.pl 2013-08-26 19:19:16.000000000 +0200
+++ new/shorewall-core-4.5.21/configure.pl 2013-10-03 16:59:41.000000000 +0200
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '4.5.20'
+ VERSION => '4.5.21'
};
my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.20/install.sh new/shorewall-core-4.5.21/install.sh
--- old/shorewall-core-4.5.20/install.sh 2013-08-26 19:19:16.000000000 +0200
+++ new/shorewall-core-4.5.21/install.sh 2013-10-03 16:59:41.000000000 +0200
@@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
-VERSION=4.5.20
+VERSION=4.5.21
usage() # $1 = exit status
{
@@ -204,6 +204,9 @@
debian)
BUILD=debian
;;
+ gentoo)
+ BUILD=gentoo
+ ;;
opensuse)
BUILD=suse
;;
@@ -213,6 +216,8 @@
esac
elif [ -f /etc/debian_version ]; then
BUILD=debian
+ elif [ -f /etc/gentoo-release ]; then
+ BUILD=gentoo
elif [ -f /etc/redhat-release ]; then
BUILD=redhat
elif [ -f /etc/slackware-version ] ; then
@@ -271,7 +276,7 @@
apple)
echo "Installing Mac-specific configuration...";
;;
- debian|redhat|slackware|archlinux|linux|suse)
+ debian|gentoo|redhat|slackware|archlinux|linux|suse)
;;
*)
echo "ERROR: Unknown HOST \"$HOST\"" >&2
@@ -342,7 +347,7 @@
if [ -n "$AUXINITSOURCE" -a -f "$AUXINITSOURCE" ]; then
install_file $AUXINITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$AUXINITFILE
- echo "$Product script installed in ${DESTDIR}${INITDIR}/$AUXINITFILE"
+ echo "SysV init script $AUXINITSOURCE installed in ${DESTDIR}${INITDIR}/$AUXINITFILE"
fi
fi
#
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.20/lib.cli new/shorewall-core-4.5.21/lib.cli
--- old/shorewall-core-4.5.20/lib.cli 2013-08-24 18:37:56.000000000 +0200
+++ new/shorewall-core-4.5.21/lib.cli 2013-10-01 00:59:42.000000000 +0200
@@ -679,6 +679,11 @@
echo "$product: $(cat ${SHAREDIR}/$product/version)"
fi
done
+
+ if [ -f $g_firewall ]; then
+ echo $g_echo_n "$g_firewall was compiled by Shorewall version "
+ $g_firewall version
+ fi
else
echo $SHOREWALL_VERSION
fi
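Review bot: `$g_firewall` is unquoted in `[ -f $g_firewall ]`; if the variable is empty the test collapses to `[ -f ]`, which is true (a one-argument test only checks for a non-empty string), and the next line then runs `version` as a bare command. Use `[ -f "$g_firewall" ]` and `"$g_firewall" version`. The same pattern appears again in the status hunk below.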
@@ -1503,7 +1508,12 @@
if [ $g_family -eq 4 ]; then
heading "ARP"
- arp -na
+ if qt mywhich arp; then
+ arp -na
+ else
+ ip -4 neigh ls
+ ip -4 neigh ls proxy
+ fi
else
heading "Neighbors"
ip -6 neigh ls
@@ -1525,11 +1535,7 @@
echo
- if qt netstat -4; then
- netstat -${g_family}tunap
- else
- netstat -tunap
- fi
+ ss -${g_family}tunap
if [ -n "$TC_ENABLED" ]; then
heading "Traffic Control"
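Review bot: this hunk removes the netstat path outright rather than preferring ss and falling back. The ARP hunk just above keeps a fallback via `qt mywhich arp`; for the same portability reason guard this one too, e.g. `if qt mywhich ss; then ss -${g_family}tunap; else netstat -${g_family}tunap; fi`, so hosts that still ship net-tools without iproute2's ss do not silently lose the socket section of the dump.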
@@ -2898,7 +2904,15 @@
else
state=Unknown
fi
- [ $VERBOSITY -ge 1 ] && echo "State:$state"
+
+ if [ $VERBOSITY -ge 1 ]; then
+ echo "State:$state"
+ if [ -f $g_firewall ]; then
+ echo $g_echo_n "$g_firewall was compiled by Shorewall version "
+ $g_firewall version
+ fi
+ fi
+
}
status_command() {
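Review bot: same unquoted `$g_firewall` in `[ -f $g_firewall ]` as in the version hunk above; quote it so an empty value does not become a true test followed by a bare `version` command. The added blank `+` lines around the new `if` block (one of them directly before the closing `}`) are whitespace noise and should be dropped.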
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.20/releasenotes.txt new/shorewall-core-4.5.21/releasenotes.txt
--- old/shorewall-core-4.5.20/releasenotes.txt 2013-08-26 19:19:17.000000000 +0200
+++ new/shorewall-core-4.5.21/releasenotes.txt 2013-10-03 16:59:42.000000000 +0200
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 4 . 5 . 2 0
+ S H O R E W A L L 4 . 5 . 2 1
------------------------------------
- A u g u s t 2 5 , 2 0 1 3
+ O c t o b e r 0 4 , 2 0 1 3
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,18 +14,46 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) On some distributions, the shorewall-lite and shorewall6-lite
- uninstallers could fail with a syntax error.
-
-2) A typographical error in the usage text produced by the -h command
- in the compiled firewall script has been corrected.
-
-3) The handling of INITSOURCE is now uniform between the standard and
- the -lite installers.
-
-4) Previously, when SYSCONFFILE was specified in shorewallrc, the
- installers would always install default.debian rather than the
- named file. That has been corrected.
+1) ip[6]tables 1.4.20 introduced an incompatible change that causes
+ the program to fail if there is another instance of either iptables
+ or ip6tables already running. This behavior can be avoided if the
+ new -w option is specified.
+
+ To work around this problem, the compiler now uses the -w option
+ (when available) during capabilities determination so that
+ shorewall and shorewall6 compilations can proceed in parallel.
+
+2) Previously, the Shorewall-init installer unconditionally installed
+ the sysconfig file even when a different SYSCONFFILE was specified.
+ (Thomas D).
+
+3) /sbin/shorewall-init now includes the correct SYSCONFDIR name in
+ its error message that reports the absense of
+ ${SYSCONFDIR}/shorewall-init. (Thomas D).
+
+4) /sbin/shorewall-init and the Shorewall-init SysV init scripts now
+ honor the setting of $OPTIONS.
+
+5) The -lite installers now look in ${SHAREDIR} for the coreversion
+ file rather than in /usr/share/.
+
+6) If a Shorewall-lite installation used an /etc/shorewall-lite/vardir
+ file to set a non-standard state directory, the administrative
+ system would send the firewall and firewall.conf files to the wrong
+ directory on the firewall system.
+
+7) Previously, the compiler verified 'monthdays' specifications in the
+ rules TIME column, but failed to include --monthdays in the
+ generated rule. That omission has been corrected.
+
+8) The installers now use 'insserv' on Debian systems to update the
+ SysV init symlinks. Previously, update-rc.d was used but that
+ approach fails on Debian 7.
+
+9) The Multicast DNS macros (mDNS and mDNSbi) now allow the entire
+ non-priv port range (1024-65535) for the the dynamic unicast
+ port. Previously, only the Linux 2.6+ dynamic port range
+ (32768-65535) were allowed.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
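Review bot: 'absense' in item 3 should be 'absence', 'the the dynamic unicast port' in item 9 has a doubled word, and 'were allowed' in item 9 should be 'was allowed' (the subject is the single 'dynamic port range').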
@@ -38,44 +66,126 @@
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) A new TRACK_RULES option has been added to shorewall[6].conf. When
- set to 'Yes', this option causes most rules to be tagged with a
- comment which gives the configuration file name and line number
- that caused the rule to be generated. These comments replace any
- comments added via AUTOCOMMENT=Yes and ?COMMENT entries.
-
- Setting this option to 'Yes' requires the 'Comments' capability in
- your kernel and ip[6]tables.
+1) When a REJECT target is specified, Shorewall normally handles the
+ packet as follows:
-2) You may now specify 'OPTIMIZE=All' in shorewall[6].conf to enable
- all optimizations. If new optimization levels are added in the
- future, OPTIMIZE=All will automatically enable those optimizations.
+ - If the destination address is a broadcast or multicast address,
+ the packet is dropped.
- For completeness, 'OPTIMIZE=None' disables all optimizations.
+ - If the protocol is IGMP (1), then the packet is dropped.
-3) 'list' and 'ls' are now documented alternatives for 'show' in the
- CLI programs. /sbin/shorewall and /sbin/shorewall6 now accept 'ck'
- as an abbreviation for 'check' and 'co' as an abbreviation for
- 'compile'.
-
-4) Beginning with this release, if /etc/os-release exists during
- installation, then the ID setting in that file will be used to
- determine which Linux distribution is running on the system.
-
-5) The 'status' command now obeys the effective VERBOSITY and will
- produce no output when the effective VERBOSITY is less than 1.
-
-6) The CLI exit status codes are now documented in the manpages
- (shorewall(8), shorewall6(8), etc.).
-
-7) Beginning with this release, the shorewallrc file supports a
- SERVICEFILE variable. SERVICEFILE is only relevant when SERVERD is
- non-empty, in which case it names the file to be installed as the
- product's .service file. If SERVERD is specified but SERVICEFILE is
- not, the assumed value of SERVERFILE is $PRODUCT.service.
-
-8) The ${SBINDIR}/shorewall-init utility will now compile
- configurations if needed
+ - If the protocol is TCP (6) then the packet is rejected with an
+ RST.
+
+ - If the protocol is UDP (17) then the packet is rejected with
+ a 'port-unreachable' ICMP (ICMP6).
+
+ - If the protocol is ICMP (ICMP6), then the packet is rejected
+ with a 'host-unreachable' ('addr-unreachable') ICMP (ICMP6).
+
+ - Otherwise, the packet is rejected with a 'host-prohibited'
+ (adm-prohibited) ICMP (ICMP6).
+
+ Beginning with this release, this behavior may be modified using
+ the new REJECT_ACTION option in shorewall.conf (shorewall6.conf).
+
+ REJECT_ACTION=<action>
+
+ where <action> is the name of an action that implements your
+ alternative handling. The 'nolog' and 'inline' options are
+ automatically assumed for the named <action>.
+
+ The following action implements the standard behavior described
+ above:
+
+ ?format 2
+ #TARGET SOURCE DEST PROTO
+ Broadcast(DROP) - - -
+ DROP - - 2
+ INLINE - - 6 ; -j REJECT --reject-with tcp-reset
+ ?if __ENHANCED_REJECT
+ INLINE - - 17 ; -j REJECT
+ ?if __IPV4
+ INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable
+ INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited
+ ?else
+ INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable
+ INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited
+ ?endif
+ ?else
+ INLINE - - - ; -j REJECT
+ ?endif
+
+2) In earlier versions, default log levels in shorewall.conf
+ (shorewall6.conf) were not validated, making it difficult to
+ determine what setting was causing the following error message:
+
+ ERROR: Log level INFO requires LOG Target support in your kernel
+ and iptables
+
+ This change will make log level errors from shorewall.conf and
+ shorewall6.conf easier to isolate by including the option name.
+
+ Example:
+
+ ERROR: Log level INFO for option SFILTER_LOG_LEVEL requires LOG
+ Target support in your kernel and iptables
+
+3) The 'shorewall dump' command now uses 'ss' rather than 'netstat' to
+ produce socket-related information. By Martin Gignac.
+
+4) Thomas D has provided installer support for Gentoo. Thank you
+ Thomas!
+
+5) The generated firewall script inserts a host route for each
+ provider gateway into both the main routing table and into the
+ provider's routing table. This is necessary on older kernels to
+ avoid failure of default route insertion into the tables.
+
+ It has been discovered, however, that these host routes prevent
+ Zebra from being able to add routes on some distributions, most
+ notably Debian 7.0. To work around this issue, two new provider
+ options are now available:
+
+ hostroute This is the default and causes the host routes
+ described above to be inserted.
+
+ nohostroute Prevents the host routes from being inserted.
+
+6) It was previously not possible for Perl code in an action file to
+ change the rule comment as is done using the ?COMMENT directive
+ outside of Perl.
+
+ To allow actions to manipulate the current comment, two functions
+ are made available:
+
+ push_comment() Clears the current rule comment and returns
+ that comment to the caller.
+
+ set_comment($) Sets the current rule comment to the passed
+ string.
+
+ Typical usage would be:
+
+ ?BEGIN PERL
+ use Shorewall::Config;
+ ...
+ my $oldcomment = push_comment(); #Save and clear current
+ #current rule comment
+ ...
+ set_comment('This is a comment');
+ add_ijump(....); #This rule will have comment
+ # /* This is a comment */
+ set_comment(''); #Clear current rule comment
+ add_ijump(....); #This rule has no comment
+ ...
+ set_comment($oldcomment) #Restore caller's comment
+ #if any.
+ ?END PERL
+
+7) The compiler version used to create the current firewall script is
+ now displayed in the output of the 'status' and 'version -a'
+ commands.
----------------------------------------------------------------------------
I V. M I G R A T I O N I S S U E S
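Review bot: item 1 says 'If the protocol is IGMP (1), then the packet is dropped', but IGMP is IP protocol 2 (protocol 1 is ICMP), and the reference action a few lines further down correctly uses `DROP - - 2`; the prose should read 'IGMP (2)' so the description and the action agree.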
@@ -280,6 +390,66 @@
----------------------------------------------------------------------------
V. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S
----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 4 . 5 . 2 0
+----------------------------------------------------------------------------
+
+1) On some distributions, the shorewall-lite and shorewall6-lite
+ uninstallers could fail with a syntax error.
+
+2) A typographical error in the usage text produced by the -h command
+ in the compiled firewall script has been corrected.
+
+3) The handling of INITSOURCE is now uniform between the standard and
+ the -lite installers.
+
+4) Previously, when SYSCONFFILE was specified in shorewallrc, the
+ installers would always install default.debian rather than the
+ named file. That has been corrected.
+
+----------------------------------------------------------------------------
+ N E W F E A T U R E S I N 4 . 5 . 2 0
+----------------------------------------------------------------------------
+
+1) A new TRACK_RULES option has been added to shorewall[6].conf. When
+ set to 'Yes', this option causes most rules to be tagged with a
+ comment which gives the configuration file name and line number
+ that caused the rule to be generated. These comments replace any
+ comments added via AUTOCOMMENT=Yes and ?COMMENT entries.
+
+ Setting this option to 'Yes' requires the 'Comments' capability in
+ your kernel and ip[6]tables.
+
+2) You may now specify 'OPTIMIZE=All' in shorewall[6].conf to enable
+ all optimizations. If new optimization levels are added in the
+ future, OPTIMIZE=All will automatically enable those optimizations.
+
+ For completeness, 'OPTIMIZE=None' disables all optimizations.
+
+3) 'list' and 'ls' are now documented alternatives for 'show' in the
+ CLI programs. /sbin/shorewall and /sbin/shorewall6 now accept 'ck'
+ as an abbreviation for 'check' and 'co' as an abbreviation for
+ 'compile'.
+
+4) Beginning with this release, if /etc/os-release exists during
+ installation, then the ID setting in that file will be used to
+ determine which Linux distribution is running on the system.
+
+5) The 'status' command now obeys the effective VERBOSITY and will
+ produce no output when the effective VERBOSITY is less than 1.
+
+6) The CLI exit status codes are now documented in the manpages
+ (shorewall(8), shorewall6(8), etc.).
+
+7) Beginning with this release, the shorewallrc file supports a
+ SERVICEFILE variable. SERVICEFILE is only relevant when SERVERD is
+ non-empty, in which case it names the file to be installed as the
+ product's .service file. If SERVERD is specified but SERVICEFILE is
+ not, the assumed value of SERVERFILE is $PRODUCT.service.
+
+8) The ${SBINDIR}/shorewall-init utility will now compile
+ configurations if needed
+
+----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 5 . 1 9
----------------------------------------------------------------------------
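Review bot: the 4.5.20 text carried over here keeps its original typo: item 7 under "NEW FEATURES IN 4.5.20" says 'the assumed value of SERVERFILE is $PRODUCT.service', where the variable being described is SERVICEFILE.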
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.20/shorewall-core.spec new/shorewall-core-4.5.21/shorewall-core.spec
--- old/shorewall-core-4.5.20/shorewall-core.spec 2013-08-26 19:19:17.000000000 +0200
+++ new/shorewall-core-4.5.21/shorewall-core.spec 2013-10-03 16:59:42.000000000 +0200
@@ -1,5 +1,5 @@
%define name shorewall-core
-%define version 4.5.20
+%define version 4.5.21
%define release 0base
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -62,6 +62,16 @@
%doc COPYING INSTALL changelog.txt releasenotes.txt
%changelog
+* Fri Sep 27 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.21-0base
+* Thu Sep 19 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.21-0RC1
+* Thu Sep 12 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.21-0Beta3
+* Fri Sep 06 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.21-0Beta2
+* Sun Sep 01 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.21-0Beta1
* Sun Aug 18 2013 Tom Eastep tom@shorewall.net
- Updated to 4.5.20-0base
* Sun Aug 11 2013 Tom Eastep tom@shorewall.net
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.20/shorewallrc.suse new/shorewall-core-4.5.21/shorewallrc.suse
--- old/shorewall-core-4.5.20/shorewallrc.suse 2013-08-24 18:37:56.000000000 +0200
+++ new/shorewall-core-4.5.21/shorewallrc.suse 2013-10-01 00:59:42.000000000 +0200
@@ -16,7 +16,7 @@
ANNOTATED= #If non-zero, annotated configuration files are installed
SYSTEMD= #Directory where .service files are installed (systems running systemd only)
SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
-SYSCONFFILE= #Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFFILE=sysconfig #Name of the distributed file to be installed in $SYSCONFDIR
SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter files are installed
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where persistent product data is stored.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.20/uninstall.sh new/shorewall-core-4.5.21/uninstall.sh
--- old/shorewall-core-4.5.20/uninstall.sh 2013-08-26 19:19:16.000000000 +0200
+++ new/shorewall-core-4.5.21/uninstall.sh 2013-10-03 16:59:41.000000000 +0200
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.5.20
+VERSION=4.5.21
usage() # $1 = exit status
{
++++++ shorewall-docs-html-4.5.20.tar.bz2 -> shorewall-docs-html-4.5.21.tar.bz2 ++++++
++++ 6854 lines of diff (skipped)
++++++ shorewall-init-4.5.20.tar.bz2 -> shorewall-init-4.5.21.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.20/changelog.txt new/shorewall-init-4.5.21/changelog.txt
--- old/shorewall-init-4.5.20/changelog.txt 2013-08-26 19:19:18.000000000 +0200
+++ new/shorewall-init-4.5.21/changelog.txt 2013-10-03 16:59:42.000000000 +0200
@@ -1,3 +1,57 @@
+Changes in 4.5.21 Final
+
+1) Update release documents.
+
+2) Enable 'monthdays' in the TIME column.
+
+3) Use insserv on Debian.
+
+4) Clean up uninstall.sh scripts
+
+5) Display firewall's compiled version in status and version output.
+
+Changes in 4.5.21-RC1
+
+1) Update release documents.
+
+2) Correct handling of litedir
+
+3) Add 'nostroute' and 'nohostroute' options to providers.
+
+4) Fix some broken links in the Howtos.
+
+5) Allow Perl code in an action to manipulate the current rule comment.
+
+Changes in 4.5.21-Beta3
+
+1) Update release documents.
+
+2) Apply Martin Gignac's ss/arp patch
+
+3) Apply Thommas D's Gentoo installer patch
+
+Changes in 4.5.21-Beta2
+
+1) Update release documents.
+
+2) Validate default log levels to catch absense of LOG_TARGET support.
+
+3) Apply several Shorewall-init patches from Thomas D.
+
+4) Make Shorewall-init obey OPTIONS setting.
+
+5) Modify /sbin/shorewall-init when $SHAREDIR isn't /usr/share
+
+6) Correct -lite installer's checks for coreversion
+
+Changes in 4.5.21-Beta1
+
+1) Update release documents.
+
+2) Implement REJECT_ACTION option.
+
+3) Use the ip[6]tables -w option when available.
+
Changes in 4.5.20 Final
1) Update release documents.
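Review bot: same typos as in the shorewall-core changelog.txt hunk: 'nostroute' (should be 'hostroute'), 'Thommas D' (should be 'Thomas D') and 'absense' (should be 'absence'); the file is evidently copied between the tarballs, so fix it at the source.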
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.20/configure new/shorewall-init-4.5.21/configure
--- old/shorewall-init-4.5.20/configure 2013-08-26 19:19:18.000000000 +0200
+++ new/shorewall-init-4.5.21/configure 2013-10-03 16:59:42.000000000 +0200
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=4.5.20
+VERSION=4.5.21
case "$BASH_VERSION" in
[4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.20/configure.pl new/shorewall-init-4.5.21/configure.pl
--- old/shorewall-init-4.5.20/configure.pl 2013-08-26 19:19:18.000000000 +0200
+++ new/shorewall-init-4.5.21/configure.pl 2013-10-03 16:59:42.000000000 +0200
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '4.5.20'
+ VERSION => '4.5.21'
};
my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.20/init.debian.sh new/shorewall-init-4.5.21/init.debian.sh
--- old/shorewall-init-4.5.20/init.debian.sh 2013-08-24 18:37:56.000000000 +0200
+++ new/shorewall-init-4.5.21/init.debian.sh 2013-10-01 00:59:42.000000000 +0200
@@ -72,7 +72,7 @@
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
- ${SBINDIR}/$PRODUCT compile -c || echo_notdone
+ ${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || echo_notdone
fi
}
@@ -109,7 +109,7 @@
#
(
if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
- ${STATEDIR}/$PRODUCT/firewall stop || echo_notdone
+ ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || echo_notdone
else
echo_notdone
fi
@@ -134,7 +134,7 @@
setstatedir
if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
- ${STATEDIR}/$PRODUCT/firewall clear || echo_notdone
+ ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || echo_notdone
fi
done
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.20/init.fedora.sh new/shorewall-init-4.5.21/init.fedora.sh
--- old/shorewall-init-4.5.20/init.fedora.sh 2013-08-24 18:37:56.000000000 +0200
+++ new/shorewall-init-4.5.21/init.fedora.sh 2013-10-01 00:59:42.000000000 +0200
@@ -70,7 +70,7 @@
if [ $retval -eq 0 ]; then
if [ -x "${STATEDIR}/firewall" ]; then
- ${STATEDIR}/firewall stop 2>&1 | $logger
+ ${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger
retval=${PIPESTATUS[0]}
[ $retval -ne 0 ] && break
else
@@ -105,7 +105,7 @@
if [ $retval -eq 0 ]; then
if [ -x "${STATEDIR}/firewall" ]; then
- ${STATEDIR}/firewall clear 2>&1 | $logger
+ ${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger
retval=${PIPESTATUS[0]}
[ $retval -ne 0 ] && break
else
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.20/init.sh new/shorewall-init-4.5.21/init.sh
--- old/shorewall-init-4.5.20/init.sh 2013-08-24 18:37:56.000000000 +0200
+++ new/shorewall-init-4.5.21/init.sh 2013-10-01 00:59:42.000000000 +0200
@@ -69,7 +69,7 @@
if [ ! -x $STATEDIR/firewall ]; then
if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
- ${SBINDIR}/$PRODUCT compile $STATEDIR/firewall
+ ${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
fi
fi
}
@@ -85,7 +85,7 @@
if [ -x ${STATEDIR}/firewall ]; then
if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
- ${STATEDIR}/firewall stop || exit 1
+ ${STATEDIR}/firewall ${OPTIONS} stop || exit 1
fi
fi
done
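Review bot: the status check on the unchanged context line `if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then` uses `${SBIN}`, while the same file's compile path uses `${SBINDIR}/$PRODUCT` a few lines earlier. If `SBIN` is not set alongside `SBINDIR`, the status command is never found, the `!` test is always true, and `${STATEDIR}/firewall ${OPTIONS} stop` runs unconditionally even when the full product is already managing the firewall. Worth confirming which variable the init script actually defines and using it consistently.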
@@ -106,14 +106,8 @@
for PRODUCT in $PRODUCTS; do
setstatedir
- if [ ! -x ${STATEDIR}/firewall ]; then
- if [ $PRODUCT = shorewall -o $product = shorewall6 ]; then
- ${SBINDIR}/$PRODUCT compile
- fi
- fi
-
if [ -x ${STATEDIR}/firewall ]; then
- ${STATEDIR}/firewall clear || exit 1
+ ${STATEDIR}/firewall ${OPTIONS} clear || exit 1
fi
done
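Review bot: dropping the compile block is fine (its `$product = shorewall6` test used a lowercase variable, so the shorewall6 half never matched), but note the resulting behaviour: `clear` now silently does nothing when `${STATEDIR}/firewall` is missing, whereas init.suse.sh's clear path in this same update exits with status 6 in that case. If the scripts are meant to behave alike, either add the `else exit 6` here or document why init.sh stays silent.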
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.20/init.suse.sh new/shorewall-init-4.5.21/init.suse.sh
--- old/shorewall-init-4.5.20/init.suse.sh 2013-08-24 18:37:56.000000000 +0200
+++ new/shorewall-init-4.5.21/init.suse.sh 2013-10-01 00:59:42.000000000 +0200
@@ -80,7 +80,7 @@
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
- ${SBINDIR}/$PRODUCT compile -c || exit
+ ${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit
fi
}
@@ -95,7 +95,7 @@
if [ -x $STATEDIR/firewall ]; then
if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
- $STATEDIR/$PRODUCT/firewall stop || exit
+ $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop || exit
fi
else
exit 6
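Review bot: the path tested and the path executed differ in this hunk: the guard is `if [ -x $STATEDIR/firewall ]` but the command is `$STATEDIR/$PRODUCT/firewall ${OPTIONS} stop || exit`. `STATEDIR` is already set to `${VARDIR}/${PRODUCT}` at the top of the previous hunk, and the clear path below uses `${STATEDIR}/firewall`, so the stop line appends a second `$PRODUCT` component. Suggest `$STATEDIR/firewall ${OPTIONS} stop || exit` so the executed script is the one whose existence was just checked. Also `${SBIN}` vs `${SBINDIR}` applies here as in init.sh.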
@@ -117,7 +117,7 @@
setstatedir
if [ -x ${STATEDIR}/firewall ]; then
- ${STATEDIR}/firewall clear || exit
+ ${STATEDIR}/firewall ${OPTIONS} clear || exit
else
exit 6
fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.20/install.sh new/shorewall-init-4.5.21/install.sh
--- old/shorewall-init-4.5.20/install.sh 2013-08-26 19:19:18.000000000 +0200
+++ new/shorewall-init-4.5.21/install.sh 2013-10-03 16:59:42.000000000 +0200
@@ -23,7 +23,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
-VERSION=4.5.20
+VERSION=4.5.21
usage() # $1 = exit status
{
@@ -99,6 +99,8 @@
#
# Parse the run line
#
+T='-T'
+
finished=0
while [ $finished -eq 0 ] ; do
@@ -192,6 +194,9 @@
debian)
BUILD=debian
;;
+ gentoo)
+ BUILD=gentoo
+ ;;
opensuse)
BUILD=suse
;;
@@ -201,6 +206,8 @@
esac
elif [ -f /etc/debian_version ]; then
BUILD=debian
+ elif [ -f /etc/gentoo-release ]; then
+ BUILD=gentoo
elif [ -f /etc/redhat-release ]; then
BUILD=redhat
elif [ -f /etc/SuSE-release ]; then
@@ -223,7 +230,7 @@
apple)
T=
;;
- debian|redhat|suse|slackware|archlinux)
+ debian|gentoo|redhat|suse|slackware|archlinux)
;;
*)
[ -n "$BUILD" ] && echo "ERROR: Unknown BUILD environment ($BUILD)" >&2 || echo "ERROR: Unknown BUILD environment"
@@ -239,6 +246,9 @@
debian)
echo "Installing Debian-specific configuration..."
;;
+ gentoo)
+ echo "Installing Gentoo-specific configuration..."
+ ;;
redhat)
echo "Installing Redhat/Fedora-specific configuration..."
;;
@@ -255,6 +265,7 @@
;;
linux)
echo "ERROR: Shorewall-init is not supported on this system" >&2
+ exit 1
;;
*)
echo "ERROR: Unsupported HOST distribution: \"$HOST\"" >&2
@@ -300,7 +311,7 @@
install_file $INITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
fi
- echo "Shorewall-init script installed in ${DESTDIR}${INITDIR}/$INITFILE"
+ echo "SysV init script $INITSOURCE installed in ${DESTDIR}${INITDIR}/$INITFILE"
fi
#
@@ -317,6 +328,7 @@
chmod 755 ${DESTDIR}${SBINDIR}
fi
run_install $OWNERSHIP -m 700 shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init
+ [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall-init
echo "CLI installed as ${DESTDIR}${SBINDIR}/shorewall-init"
fi
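Review bot: the added `eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ...` re-parses an expanded shorewallrc value through the shell, which is unnecessary and fragile (a `SHAREDIR` containing a quote or `|` breaks the command). A plain `sed -i "s|/usr/share/|${SHAREDIR}/|" ${DESTDIR}${SBINDIR}/shorewall-init` does the same job without eval. The identical construct already exists in the lite installer's init-file handling, so if this is changed both sites should be changed together.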
@@ -371,14 +383,18 @@
if [ $HOST = suse ]; then
mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d
+ elif [ $HOST = gentoo ]; then
+ # Gentoo does not support if-{up,down}.d
+ return
else
mkdir -p ${DESTDIR}/etc/NetworkManager/dispatcher.d
fi
fi
fi
- if [ -d ${DESTDIR}${SYSCONFDIR} -a ! -f ${DESTDIR}${SYSCONFDIR}/shorewall-init ]; then
- install_file sysconfig ${DESTDIR}${SYSCONFDIR}/shorewall-init 0644
+ if [ -n "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
+ run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
+ echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
fi
[ $HOST = suse ] && IFUPDOWN=ifupdown.suse.sh || IFUPDOWN=ifupdown.fedora.sh
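Review bot: the `return` in the new gentoo branch does more than skip the if-up/if-down directories: it leaves the enclosing block before the SYSCONFFILE installation (`run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ...`) and the IFUPDOWN selection that follow, so on Gentoo no sysconfig file is ever installed. If that is intended, the comment should say so; otherwise only the `mkdir` should be skipped. Separately, the rewritten condition drops the old `-d ${DESTDIR}${SYSCONFDIR}` check, so `run_install` can fail when the directory is absent, and unlike the lite installer in this same update it does not check `-f "$SYSCONFFILE"` before installing it.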
@@ -437,10 +453,21 @@
if [ -z "$DESTDIR" ]; then
if [ -n "$first_install" ]; then
if [ $HOST = debian ]; then
-
- update-rc.d shorewall-init enable
-
- echo "Shorewall Init will start automatically at boot"
+ if mywhich insserv; then
+ if insserv enable; then
+ echo "Shorewall Init will start automatically at boot"
+ else
+ cant_autostart
+ fi
+ elif rc-update add $PRODUCT default; then
+ echo "Shorewall Init will start automatically at boot"
+ else
+ cant_autostart
+ fi
+ elif [ $HOST = gentoo ]; then
+ # On Gentoo, a service must be enabled manually by the user,
+ # not by the installer
+ return
else
if [ -n "$SYSTEMD" ]; then
if systemctl enable shorewall-init.service; then
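Review bot: `insserv enable` passes the literal word `enable` as the script to register, which is not how the lite installer in this same update invokes it (`insserv ${INITDIR}/${INITFILE}`); this branch should most likely do the same. The fallback `elif rc-update add $PRODUCT default; then` runs unguarded on Debian, so on a host without insserv and without rc-update the script emits a "command not found" before reaching `cant_autostart`; the lite installer guards this with `mywhich rc-update`. The gentoo `return` here also skips everything after the autostart block, which matches the comment but should be double-checked against what follows in the function.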
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.20/releasenotes.txt new/shorewall-init-4.5.21/releasenotes.txt
--- old/shorewall-init-4.5.20/releasenotes.txt 2013-08-26 19:19:18.000000000 +0200
+++ new/shorewall-init-4.5.21/releasenotes.txt 2013-10-03 16:59:42.000000000 +0200
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 4 . 5 . 2 0
+ S H O R E W A L L 4 . 5 . 2 1
------------------------------------
- A u g u s t 2 5 , 2 0 1 3
+ O c t o b e r 0 4 , 2 0 1 3
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,18 +14,46 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) On some distributions, the shorewall-lite and shorewall6-lite
- uninstallers could fail with a syntax error.
-
-2) A typographical error in the usage text produced by the -h command
- in the compiled firewall script has been corrected.
-
-3) The handling of INITSOURCE is now uniform between the standard and
- the -lite installers.
-
-4) Previously, when SYSCONFFILE was specified in shorewallrc, the
- installers would always install default.debian rather than the
- named file. That has been corrected.
+1) ip[6]tables 1.4.20 introduced an incompatible change that causes
+ the program to fail if there is another instance of either iptables
+ or ip6tables already running. This behavior can be avoided if the
+ new -w option is specified.
+
+ To work around this problem, the compiler now uses the -w option
+ (when available) during capabilities determination so that
+ shorewall and shorewall6 compilations can proceed in parallel.
+
+2) Previously, the Shorewall-init installer unconditionally installed
+ the sysconfig file even when a different SYSCONFFILE was specified.
+ (Thomas D).
+
+3) /sbin/shorewall-init now includes the correct SYSCONFDIR name in
+ its error message that reports the absense of
+ ${SYSCONFDIR}/shorewall-init. (Thomas D).
+
+4) /sbin/shorewall-init and the Shorewall-init SysV init scripts now
+ honor the setting of $OPTIONS.
+
+5) The -lite installers now look in ${SHAREDIR} for the coreversion
+ file rather than in /usr/share/.
+
+6) If a Shorewall-lite installation used an /etc/shorewall-lite/vardir
+ file to set a non-standard state directory, the administrative
+ system would send the firewall and firewall.conf files to the wrong
+ directory on the firewall system.
+
+7) Previously, the compiler verified 'monthdays' specifications in the
+ rules TIME column, but failed to include --monthdays in the
+ generated rule. That omission has been corrected.
+
+8) The installers now use 'insserv' on Debian systems to update the
+ SysV init symlinks. Previously, update-rc.d was used but that
+ approach fails on Debian 7.
+
+9) The Multicast DNS macros (mDNS and mDNSbi) now allow the entire
+ non-priv port range (1024-65535) for the the dynamic unicast
+ port. Previously, only the Linux 2.6+ dynamic port range
+ (32768-65535) were allowed.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
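Review bot: three typos in the new problem list: "absense" in item 3 should be "absence", "for the the dynamic unicast port" in item 9 has a doubled "the", and "only the Linux 2.6+ dynamic port range (32768-65535) were allowed" should read "was allowed" since the subject is singular.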
@@ -38,44 +66,126 @@
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) A new TRACK_RULES option has been added to shorewall[6].conf. When
- set to 'Yes', this option causes most rules to be tagged with a
- comment which gives the configuration file name and line number
- that caused the rule to be generated. These comments replace any
- comments added via AUTOCOMMENT=Yes and ?COMMENT entries.
-
- Setting this option to 'Yes' requires the 'Comments' capability in
- your kernel and ip[6]tables.
+1) When a REJECT target is specified, Shorewall normally handles the
+ packet as follows:
-2) You may now specify 'OPTIMIZE=All' in shorewall[6].conf to enable
- all optimizations. If new optimization levels are added in the
- future, OPTIMIZE=All will automatically enable those optimizations.
+ - If the destination address is a broadcast or multicast address,
+ the packet is dropped.
- For completeness, 'OPTIMIZE=None' disables all optimizations.
+ - If the protocol is IGMP (1), then the packet is dropped.
-3) 'list' and 'ls' are now documented alternatives for 'show' in the
- CLI programs. /sbin/shorewall and /sbin/shorewall6 now accept 'ck'
- as an abbreviation for 'check' and 'co' as an abbreviation for
- 'compile'.
-
-4) Beginning with this release, if /etc/os-release exists during
- installation, then the ID setting in that file will be used to
- determine which Linux distribution is running on the system.
-
-5) The 'status' command now obeys the effective VERBOSITY and will
- produce no output when the effective VERBOSITY is less than 1.
-
-6) The CLI exit status codes are now documented in the manpages
- (shorewall(8), shorewall6(8), etc.).
-
-7) Beginning with this release, the shorewallrc file supports a
- SERVICEFILE variable. SERVICEFILE is only relevant when SERVERD is
- non-empty, in which case it names the file to be installed as the
- product's .service file. If SERVERD is specified but SERVICEFILE is
- not, the assumed value of SERVERFILE is $PRODUCT.service.
-
-8) The ${SBINDIR}/shorewall-init utility will now compile
- configurations if needed
+ - If the protocol is TCP (6) then the packet is rejected with an
+ RST.
+
+ - If the protocol is UDP (17) then the packet is rejected with
+ a 'port-unreachable' ICMP (ICMP6).
+
+ - If the protocol is ICMP (ICMP6), then the packet is rejected
+ with a 'host-unreachable' ('addr-unreachable') ICMP (ICMP6).
+
+ - Otherwise, the packet is rejected with a 'host-prohibited'
+ (adm-prohibited) ICMP (ICMP6).
+
+ Beginning with this release, this behavior may be modified using
+ the new REJECT_ACTION option in shorewall.conf (shorewall6.conf).
+
+ REJECT_ACTION=<action>
+
+ where <action> is the name of an action that implements your
+ alternative handling. The 'nolog' and 'inline' options are
+ automatically assumed for the named <action>.
+
+ The following action implements the standard behavior described
+ above:
+
+ ?format 2
+ #TARGET SOURCE DEST PROTO
+ Broadcast(DROP) - - -
+ DROP - - 2
+ INLINE - - 6 ; -j REJECT --reject-with tcp-reset
+ ?if __ENHANCED_REJECT
+ INLINE - - 17 ; -j REJECT
+ ?if __IPV4
+ INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable
+ INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited
+ ?else
+ INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable
+ INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited
+ ?endif
+ ?else
+ INLINE - - - ; -j REJECT
+ ?endif
+
+2) In earlier versions, default log levels in shorewall.conf
+ (shorewall6.conf) were not validated, making it difficult to
+ determine what setting was causing the following error message:
+
+ ERROR: Log level INFO requires LOG Target support in your kernel
+ and iptables
+
+ This change will make log level errors from shorewall.conf and
+ shorewall6.conf easier to isolate by including the option name.
+
+ Example:
+
+ ERROR: Log level INFO for option SFILTER_LOG_LEVEL requires LOG
+ Target support in your kernel and iptables
+
+3) The 'shorewall dump' command now uses 'ss' rather than 'netstat' to
+ produce socket-related information. By Martin Gignac.
+
+4) Thomas D has provided installer support for Gentoo. Thank you
+ Thomas!
+
+5) The generated firewall script inserts a host route for each
+ provider gateway into both the main routing table and into the
+ provider's routing table. This is necessary on older kernels to
+ avoid failure of default route insertion into the tables.
+
+ It has been discovered, however, that these host routes prevent
+ Zebra from being able to add routes on some distributions, most
+ notably Debian 7.0. To work around this issue, two new provider
+ options are now available:
+
+ hostroute This is the default and causes the host routes
+ described above to be inserted.
+
+ nohostroute Prevents the host routes from being inserted.
+
+6) It was previously not possible for Perl code in an action file to
+ change the rule comment as is done using the ?COMMENT directive
+ outside of Perl.
+
+ To allow actions to manipulate the current comment, two functions
+ are made available:
+
+ push_comment() Clears the current rule comment and returns
+ that comment to the caller.
+
+ set_comment($) Sets the current rule comment to the passed
+ string.
+
+ Typical usage would be:
+
+ ?BEGIN PERL
+ use Shorewall::Config;
+ ...
+ my $oldcomment = push_comment(); #Save and clear current
+ #current rule comment
+ ...
+ set_comment('This is a comment');
+ add_ijump(....); #This rule will have comment
+ # /* This is a comment */
+ set_comment(''); #Clear current rule comment
+ add_ijump(....); #This rule has no comment
+ ...
+ set_comment($oldcomment) #Restore caller's comment
+ #if any.
+ ?END PERL
+
+7) The compiler version used to create the current firewall script is
+ now displayed in the output of the 'status' and 'version -a'
+ commands.
----------------------------------------------------------------------------
I V. M I G R A T I O N I S S U E S
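Review bot: in the REJECT_ACTION description, "If the protocol is IGMP (1), then the packet is dropped" disagrees with the action file shown below it, where the drop rule is `DROP - - 2`; IGMP is protocol 2 (1 is ICMP, handled separately), so the prose should read "IGMP (2)". In the Perl example, the comment on `my $oldcomment = push_comment();` reads "Save and clear current / current rule comment" (duplicated "current"), and `set_comment($oldcomment)` lacks the trailing semicolon that every other statement in the example has; it is legal as the last statement in the block, but anyone appending a line after it will get a syntax error.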
@@ -280,6 +390,66 @@
----------------------------------------------------------------------------
V. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S
----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 4 . 5 . 2 0
+----------------------------------------------------------------------------
+
+1) On some distributions, the shorewall-lite and shorewall6-lite
+ uninstallers could fail with a syntax error.
+
+2) A typographical error in the usage text produced by the -h command
+ in the compiled firewall script has been corrected.
+
+3) The handling of INITSOURCE is now uniform between the standard and
+ the -lite installers.
+
+4) Previously, when SYSCONFFILE was specified in shorewallrc, the
+ installers would always install default.debian rather than the
+ named file. That has been corrected.
+
+----------------------------------------------------------------------------
+ N E W F E A T U R E S I N 4 . 5 . 2 0
+----------------------------------------------------------------------------
+
+1) A new TRACK_RULES option has been added to shorewall[6].conf. When
+ set to 'Yes', this option causes most rules to be tagged with a
+ comment which gives the configuration file name and line number
+ that caused the rule to be generated. These comments replace any
+ comments added via AUTOCOMMENT=Yes and ?COMMENT entries.
+
+ Setting this option to 'Yes' requires the 'Comments' capability in
+ your kernel and ip[6]tables.
+
+2) You may now specify 'OPTIMIZE=All' in shorewall[6].conf to enable
+ all optimizations. If new optimization levels are added in the
+ future, OPTIMIZE=All will automatically enable those optimizations.
+
+ For completeness, 'OPTIMIZE=None' disables all optimizations.
+
+3) 'list' and 'ls' are now documented alternatives for 'show' in the
+ CLI programs. /sbin/shorewall and /sbin/shorewall6 now accept 'ck'
+ as an abbreviation for 'check' and 'co' as an abbreviation for
+ 'compile'.
+
+4) Beginning with this release, if /etc/os-release exists during
+ installation, then the ID setting in that file will be used to
+ determine which Linux distribution is running on the system.
+
+5) The 'status' command now obeys the effective VERBOSITY and will
+ produce no output when the effective VERBOSITY is less than 1.
+
+6) The CLI exit status codes are now documented in the manpages
+ (shorewall(8), shorewall6(8), etc.).
+
+7) Beginning with this release, the shorewallrc file supports a
+ SERVICEFILE variable. SERVICEFILE is only relevant when SERVERD is
+ non-empty, in which case it names the file to be installed as the
+ product's .service file. If SERVERD is specified but SERVICEFILE is
+ not, the assumed value of SERVERFILE is $PRODUCT.service.
+
+8) The ${SBINDIR}/shorewall-init utility will now compile
+ configurations if needed
+
+----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 5 . 1 9
----------------------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.20/shorewall-init new/shorewall-init-4.5.21/shorewall-init
--- old/shorewall-init-4.5.20/shorewall-init 2013-08-24 18:37:56.000000000 +0200
+++ new/shorewall-init-4.5.21/shorewall-init 2013-10-01 00:59:42.000000000 +0200
@@ -33,7 +33,7 @@
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
- ${SBINDIR}/$PRODUCT compile -c || exit 1
+ ${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit 1
fi
}
@@ -50,7 +50,7 @@
exit 1
fi
else
- echo "ERROR: /etc/sysconfig/shorewall-init not found" >&2
+ echo "ERROR: ${SYSCONFDIR}/shorewall-init not found" >&2
exit 1
fi
@@ -69,7 +69,7 @@
#
(
if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
- ${STATEDIR}/$PRODUCT/firewall stop || exit 1
+ ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || exit 1
else
exit 1
fi
@@ -96,7 +96,7 @@
setstatedir
if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
- ${STATEDIR}/$PRODUCT/firewall clear || exit 1
+ ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || exit 1
fi
done
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.20/shorewall-init.spec new/shorewall-init-4.5.21/shorewall-init.spec
--- old/shorewall-init-4.5.20/shorewall-init.spec 2013-08-26 19:19:18.000000000 +0200
+++ new/shorewall-init-4.5.21/shorewall-init.spec 2013-10-03 16:59:42.000000000 +0200
@@ -1,5 +1,5 @@
%define name shorewall-init
-%define version 4.5.20
+%define version 4.5.21
%define release 0base
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
@@ -125,6 +125,16 @@
%doc COPYING changelog.txt releasenotes.txt
%changelog
+* Fri Sep 27 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.21-0base
+* Thu Sep 19 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.21-0RC1
+* Thu Sep 12 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.21-0Beta3
+* Fri Sep 06 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.21-0Beta2
+* Sun Sep 01 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.21-0Beta1
* Sun Aug 18 2013 Tom Eastep tom@shorewall.net
- Updated to 4.5.20-0base
* Sun Aug 11 2013 Tom Eastep tom@shorewall.net
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.20/shorewallrc.suse new/shorewall-init-4.5.21/shorewallrc.suse
--- old/shorewall-init-4.5.20/shorewallrc.suse 2013-08-26 19:19:18.000000000 +0200
+++ new/shorewall-init-4.5.21/shorewallrc.suse 2013-10-03 16:59:42.000000000 +0200
@@ -16,7 +16,7 @@
ANNOTATED= #If non-zero, annotated configuration files are installed
SYSTEMD= #Directory where .service files are installed (systems running systemd only)
SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
-SYSCONFFILE= #Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFFILE=sysconfig #Name of the distributed file to be installed in $SYSCONFDIR
SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter files are installed
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where persistent product data is stored.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.20/uninstall.sh new/shorewall-init-4.5.21/uninstall.sh
--- old/shorewall-init-4.5.20/uninstall.sh 2013-08-26 19:19:18.000000000 +0200
+++ new/shorewall-init-4.5.21/uninstall.sh 2013-10-03 16:59:42.000000000 +0200
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.5.20
+VERSION=4.5.21
usage() # $1 = exit status
{
@@ -140,6 +140,7 @@
remove_file ${CONFDIR}/network/if-up.d/shorewall
remove_file ${CONFDIR}/network/if-down.d/shorewall
+remove_file ${CONFDIR}/network/if-post-down.d/shorewall
remove_file ${CONFDIR}/sysconfig/network/if-up.d/shorewall
remove_file ${CONFDIR}/sysconfig/network/if-down.d/shorewall
++++++ shorewall-lite-4.5.20.tar.bz2 -> shorewall-lite-4.5.21.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.20/changelog.txt new/shorewall-lite-4.5.21/changelog.txt
--- old/shorewall-lite-4.5.20/changelog.txt 2013-08-26 19:19:18.000000000 +0200
+++ new/shorewall-lite-4.5.21/changelog.txt 2013-10-03 16:59:42.000000000 +0200
@@ -1,3 +1,57 @@
+Changes in 4.5.21 Final
+
+1) Update release documents.
+
+2) Enable 'monthdays' in the TIME column.
+
+3) Use insserv on Debian.
+
+4) Clean up uninstall.sh scripts
+
+5) Display firewall's compiled version in status and version output.
+
+Changes in 4.5.21-RC1
+
+1) Update release documents.
+
+2) Correct handling of litedir
+
+3) Add 'nostroute' and 'nohostroute' options to providers.
+
+4) Fix some broken links in the Howtos.
+
+5) Allow Perl code in an action to manipulate the current rule comment.
+
+Changes in 4.5.21-Beta3
+
+1) Update release documents.
+
+2) Apply Martin Gignac's ss/arp patch
+
+3) Apply Thommas D's Gentoo installer patch
+
+Changes in 4.5.21-Beta2
+
+1) Update release documents.
+
+2) Validate default log levels to catch absense of LOG_TARGET support.
+
+3) Apply several Shorewall-init patches from Thomas D.
+
+4) Make Shorewall-init obey OPTIONS setting.
+
+5) Modify /sbin/shorewall-init when $SHAREDIR isn't /usr/share
+
+6) Correct -lite installer's checks for coreversion
+
+Changes in 4.5.21-Beta1
+
+1) Update release documents.
+
+2) Implement REJECT_ACTION option.
+
+3) Use the ip[6]tables -w option when available.
+
Changes in 4.5.20 Final
1) Update release documents.
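Review bot: typos in the new changelog entries: "Add 'nostroute' and 'nohostroute' options to providers" should say 'hostroute', matching the option names in releasenotes.txt; "Thommas D's Gentoo installer patch" should be "Thomas D's" (spelled correctly elsewhere in this update); and "absense of LOG_TARGET support" should be "absence".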
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.20/configure new/shorewall-lite-4.5.21/configure
--- old/shorewall-lite-4.5.20/configure 2013-08-26 19:19:18.000000000 +0200
+++ new/shorewall-lite-4.5.21/configure 2013-10-03 16:59:42.000000000 +0200
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=4.5.20
+VERSION=4.5.21
case "$BASH_VERSION" in
[4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.20/configure.pl new/shorewall-lite-4.5.21/configure.pl
--- old/shorewall-lite-4.5.20/configure.pl 2013-08-26 19:19:18.000000000 +0200
+++ new/shorewall-lite-4.5.21/configure.pl 2013-10-03 16:59:42.000000000 +0200
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '4.5.20'
+ VERSION => '4.5.21'
};
my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.20/install.sh new/shorewall-lite-4.5.21/install.sh
--- old/shorewall-lite-4.5.20/install.sh 2013-08-26 19:19:18.000000000 +0200
+++ new/shorewall-lite-4.5.21/install.sh 2013-10-03 16:59:42.000000000 +0200
@@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
-VERSION=4.5.20
+VERSION=4.5.21
usage() # $1 = exit status
{
@@ -212,6 +212,9 @@
debian)
BUILD=debian
;;
+ gentoo)
+ BUILD=gentoo
+ ;;
opensuse)
BUILD=suse
;;
@@ -221,6 +224,8 @@
esac
elif [ -f ${CONFDIR}/debian_version ]; then
BUILD=debian
+ elif [ -f /etc/gentoo-release ]; then
+ BUILD=gentoo
elif [ -f ${CONFDIR}/redhat-release ]; then
BUILD=redhat
elif [ -f ${CONFDIR}/SuSE-release ]; then
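Review bot: the new `elif [ -f /etc/gentoo-release ]; then` hardcodes `/etc` while the neighbouring branches in this hunk test `${CONFDIR}/debian_version`, `${CONFDIR}/redhat-release` and `${CONFDIR}/SuSE-release`. For consistency with a non-default CONFDIR this should be `${CONFDIR}/gentoo-release` (the shorewall-init installer uses `/etc/` throughout, so that file is internally consistent as is).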
@@ -269,6 +274,9 @@
debian)
echo "Installing Debian-specific configuration..."
;;
+ gentoo)
+ echo "Installing Gentoo-specific configuration..."
+ ;;
redhat)
echo "Installing Redhat/Fedora-specific configuration..."
;;
@@ -300,7 +308,7 @@
install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR}
install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
else
- if [ ! -f /usr/share/shorewall/coreversion ]; then
+ if [ ! -f ${SHAREDIR}/shorewall/coreversion ]; then
echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
exit 1
fi
@@ -312,7 +320,7 @@
# Check for ${CONFDIR}/$PRODUCT
#
if [ -z "$DESTDIR" -a -d ${CONFDIR}/$PRODUCT ]; then
- if [ ! -f /usr/share/shorewall/coreversion ]; then
+ if [ ! -f ${SHAREDIR}/shorewall/coreversion ]; then
echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
exit 1
fi
@@ -366,7 +374,7 @@
[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"
- echo "$Product init script installed in $initfile"
+ echo "SysV init script $INITSOURCE installed in $initfile"
fi
fi
#
@@ -389,6 +397,9 @@
if [ $HOST = archlinux ] ; then
sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
+elif [ $HOST = gentoo ]; then
+ # Adjust SUBSYSLOCK path (see https://bugs.gentoo.org/show_bug.cgi?id=459316)
+ perl -p -w -i -e "s|^SUBSYSLOCK=.*|SUBSYSLOCK=/run/lock/$PRODUCT|;" ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
fi
#
@@ -497,7 +508,10 @@
delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.cli
delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/wait4ifup
-if [ -n "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
+#
+# Note -- not all packages will have the SYSCONFFILE so we need to check for its existance here
+#
+if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
if [ ${DESTDIR} ]; then
mkdir -p ${DESTDIR}${SYSCONFDIR}
chmod 755 ${DESTDIR}${SYSCONFDIR}
@@ -513,20 +527,20 @@
fi
if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
- if mywhich update-rc.d ; then
- echo "$PRODUCT will start automatically at boot"
- echo "Set startup=1 in ${SYSCONFDIR}/$PRODUCT to enable"
- touch /var/log/$PRODUCT-init.log
- perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/${PRODUCT}/${PRODUCT}.conf
- update-rc.d $PRODUCT enable defaults
- elif [ -n "$SYSTEMD" ]; then
+ if [ -n "$SYSTEMD" ]; then
if systemctl enable ${PRODUCT}.service; then
echo "$Product will start automatically at boot"
fi
elif mywhich insserv; then
if insserv ${INITDIR}/${INITFILE} ; then
echo "$PRODUCT will start automatically at boot"
- echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/${PRODUCT}.conf to enable"
+ if [ $HOST = debian ]; then
+ echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
+ touch /var/log/$PRODUCT-init.log
+ perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/$PRODUCT/$PRODUCT.conf
+ else
+ echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/$PRODUCT.conf to enable"
+ fi
else
cant_autostart
fi
@@ -541,7 +555,13 @@
elif mywhich rc-update ; then
if rc-update add $PRODUCT default; then
echo "$PRODUCT will start automatically at boot"
- echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/$PRODUCT.conf to enable"
+ if [ $HOST = debian ]; then
+ echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
+ touch /var/log/$PRODUCT-init.log
+ perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/$PRODUCT/$PRODUCT.conf
+ else
+ echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/$PRODUCT.conf to enable"
+ fi
else
cant_autostart
fi
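Review bot: the Debian-specific block (`echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"`, the `touch /var/log/$PRODUCT-init.log`, and the `perl -p -w -i -e 's/^STARTUP_ENABLED=No/...'` edit of the product .conf) now appears verbatim in both the insserv branch of the previous hunk and the rc-update branch here. Factoring it into a small function keeps the two paths from drifting, which is exactly what the old update-rc.d branch that this change removes had already done once.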
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.20/manpages/shorewall-lite-vardir.5 new/shorewall-lite-4.5.21/manpages/shorewall-lite-vardir.5
--- old/shorewall-lite-4.5.20/manpages/shorewall-lite-vardir.5 2013-08-26 19:22:29.000000000 +0200
+++ new/shorewall-lite-4.5.21/manpages/shorewall-lite-vardir.5 2013-10-03 17:02:53.000000000 +0200
@@ -2,12 +2,12 @@
.\" Title: shorewall-lite-vardir
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.76.1 http://docbook.sf.net/
-.\" Date: 08/26/2013
+.\" Date: 10/03/2013
.\" Manual: [FIXME: manual]
.\" Source: [FIXME: source]
.\" Language: English
.\"
-.TH "SHOREWALL\-LITE\-VAR" "5" "08/26/2013" "[FIXME: source]" "[FIXME: manual]"
+.TH "SHOREWALL\-LITE\-VAR" "5" "10/03/2013" "[FIXME: source]" "[FIXME: manual]"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.20/manpages/shorewall-lite.8 new/shorewall-lite-4.5.21/manpages/shorewall-lite.8
--- old/shorewall-lite-4.5.20/manpages/shorewall-lite.8 2013-08-26 19:22:31.000000000 +0200
+++ new/shorewall-lite-4.5.21/manpages/shorewall-lite.8 2013-10-03 17:02:55.000000000 +0200
@@ -2,12 +2,12 @@
.\" Title: shorewall-lite
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.76.1 http://docbook.sf.net/
-.\" Date: 08/26/2013
+.\" Date: 10/03/2013
.\" Manual: [FIXME: manual]
.\" Source: [FIXME: source]
.\" Language: English
.\"
-.TH "SHOREWALL\-LITE" "8" "08/26/2013" "[FIXME: source]" "[FIXME: manual]"
+.TH "SHOREWALL\-LITE" "8" "10/03/2013" "[FIXME: source]" "[FIXME: manual]"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.20/manpages/shorewall-lite.conf.5 new/shorewall-lite-4.5.21/manpages/shorewall-lite.conf.5
--- old/shorewall-lite-4.5.20/manpages/shorewall-lite.conf.5 2013-08-26 19:22:28.000000000 +0200
+++ new/shorewall-lite-4.5.21/manpages/shorewall-lite.conf.5 2013-10-03 17:02:52.000000000 +0200
@@ -2,12 +2,12 @@
.\" Title: shorewall-lite.conf
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.76.1 http://docbook.sf.net/
-.\" Date: 08/26/2013
+.\" Date: 10/03/2013
.\" Manual: [FIXME: manual]
.\" Source: [FIXME: source]
.\" Language: English
.\"
-.TH "SHOREWALL\-LITE\&.CO" "5" "08/26/2013" "[FIXME: source]" "[FIXME: manual]"
+.TH "SHOREWALL\-LITE\&.CO" "5" "10/03/2013" "[FIXME: source]" "[FIXME: manual]"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.20/releasenotes.txt new/shorewall-lite-4.5.21/releasenotes.txt
--- old/shorewall-lite-4.5.20/releasenotes.txt 2013-08-26 19:19:18.000000000 +0200
+++ new/shorewall-lite-4.5.21/releasenotes.txt 2013-10-03 16:59:42.000000000 +0200
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 4 . 5 . 2 0
+ S H O R E W A L L 4 . 5 . 2 1
------------------------------------
- A u g u s t 2 5 , 2 0 1 3
+ O c t o b e r 0 4 , 2 0 1 3
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,18 +14,46 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) On some distributions, the shorewall-lite and shorewall6-lite
- uninstallers could fail with a syntax error.
-
-2) A typographical error in the usage text produced by the -h command
- in the compiled firewall script has been corrected.
-
-3) The handling of INITSOURCE is now uniform between the standard and
- the -lite installers.
-
-4) Previously, when SYSCONFFILE was specified in shorewallrc, the
- installers would always install default.debian rather than the
- named file. That has been corrected.
+1) ip[6]tables 1.4.20 introduced an incompatible change that causes
+ the program to fail if there is another instance of either iptables
+ or ip6tables already running. This behavior can be avoided if the
+ new -w option is specified.
+
+ To work around this problem, the compiler now uses the -w option
+ (when available) during capabilities determination so that
+ shorewall and shorewall6 compilations can proceed in parallel.
+
+2) Previously, the Shorewall-init installer unconditionally installed
+ the sysconfig file even when a different SYSCONFFILE was specified.
+ (Thomas D).
+
+3) /sbin/shorewall-init now includes the correct SYSCONFDIR name in
+ its error message that reports the absense of
+ ${SYSCONFDIR}/shorewall-init. (Thomas D).
+
+4) /sbin/shorewall-init and the Shorewall-init SysV init scripts now
+ honor the setting of $OPTIONS.
+
+5) The -lite installers now look in ${SHAREDIR} for the coreversion
+ file rather than in /usr/share/.
+
+6) If a Shorewall-lite installation used an /etc/shorewall-lite/vardir
+ file to set a non-standard state directory, the administrative
+ system would send the firewall and firewall.conf files to the wrong
+ directory on the firewall system.
+
+7) Previously, the compiler verified 'monthdays' specifications in the
+ rules TIME column, but failed to include --monthdays in the
+ generated rule. That omission has been corrected.
+
+8) The installers now use 'insserv' on Debian systems to update the
+ SysV init symlinks. Previously, update-rc.d was used but that
+ approach fails on Debian 7.
+
+9) The Multicast DNS macros (mDNS and mDNSbi) now allow the entire
+ non-priv port range (1024-65535) for the the dynamic unicast
+ port. Previously, only the Linux 2.6+ dynamic port range
+ (32768-65535) were allowed.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
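Review bot: item 9 widens the port range the mDNS and mDNSbi macros accept for the dynamic unicast port from 32768-65535 to 1024-65535; because that broadens what the macros permit through the firewall, it belongs under the migration issues section as well as under problems corrected, so users of those macros know to re-check their policy. Wording in the same hunk: 'absense' in item 3 should be 'absence', 'for the the dynamic unicast port' in item 9 has a doubled 'the', and 'were allowed' there should be 'was allowed' (the subject is the port range). Item 1 describes the -w workaround only for capabilities determination; say whether the compiled firewall script's own ip[6]tables calls also pass -w, since the failure described in its first sentence applies to any concurrent invocation.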
@@ -38,44 +66,126 @@
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) A new TRACK_RULES option has been added to shorewall[6].conf. When
- set to 'Yes', this option causes most rules to be tagged with a
- comment which gives the configuration file name and line number
- that caused the rule to be generated. These comments replace any
- comments added via AUTOCOMMENT=Yes and ?COMMENT entries.
-
- Setting this option to 'Yes' requires the 'Comments' capability in
- your kernel and ip[6]tables.
+1) When a REJECT target is specified, Shorewall normally handles the
+ packet as follows:
-2) You may now specify 'OPTIMIZE=All' in shorewall[6].conf to enable
- all optimizations. If new optimization levels are added in the
- future, OPTIMIZE=All will automatically enable those optimizations.
+ - If the destination address is a broadcast or multicast address,
+ the packet is dropped.
- For completeness, 'OPTIMIZE=None' disables all optimizations.
+ - If the protocol is IGMP (1), then the packet is dropped.
-3) 'list' and 'ls' are now documented alternatives for 'show' in the
- CLI programs. /sbin/shorewall and /sbin/shorewall6 now accept 'ck'
- as an abbreviation for 'check' and 'co' as an abbreviation for
- 'compile'.
-
-4) Beginning with this release, if /etc/os-release exists during
- installation, then the ID setting in that file will be used to
- determine which Linux distribution is running on the system.
-
-5) The 'status' command now obeys the effective VERBOSITY and will
- produce no output when the effective VERBOSITY is less than 1.
-
-6) The CLI exit status codes are now documented in the manpages
- (shorewall(8), shorewall6(8), etc.).
-
-7) Beginning with this release, the shorewallrc file supports a
- SERVICEFILE variable. SERVICEFILE is only relevant when SERVERD is
- non-empty, in which case it names the file to be installed as the
- product's .service file. If SERVERD is specified but SERVICEFILE is
- not, the assumed value of SERVERFILE is $PRODUCT.service.
-
-8) The ${SBINDIR}/shorewall-init utility will now compile
- configurations if needed
+ - If the protocol is TCP (6) then the packet is rejected with an
+ RST.
+
+ - If the protocol is UDP (17) then the packet is rejected with
+ a 'port-unreachable' ICMP (ICMP6).
+
+ - If the protocol is ICMP (ICMP6), then the packet is rejected
+ with a 'host-unreachable' ('addr-unreachable') ICMP (ICMP6).
+
+ - Otherwise, the packet is rejected with a 'host-prohibited'
+ (adm-prohibited) ICMP (ICMP6).
+
+ Beginning with this release, this behavior may be modified using
+ the new REJECT_ACTION option in shorewall.conf (shorewall6.conf).
+
+ REJECT_ACTION=<action>
+
+ where <action> is the name of an action that implements your
+ alternative handling. The 'nolog' and 'inline' options are
+ automatically assumed for the named <action>.
+
+ The following action implements the standard behavior described
+ above:
+
+ ?format 2
+ #TARGET SOURCE DEST PROTO
+ Broadcast(DROP) - - -
+ DROP - - 2
+ INLINE - - 6 ; -j REJECT --reject-with tcp-reset
+ ?if __ENHANCED_REJECT
+ INLINE - - 17 ; -j REJECT
+ ?if __IPV4
+ INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable
+ INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited
+ ?else
+ INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable
+ INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited
+ ?endif
+ ?else
+ INLINE - - - ; -j REJECT
+ ?endif
+
+2) In earlier versions, default log levels in shorewall.conf
+ (shorewall6.conf) were not validated, making it difficult to
+ determine what setting was causing the following error message:
+
+ ERROR: Log level INFO requires LOG Target support in your kernel
+ and iptables
+
+ This change will make log level errors from shorewall.conf and
+ shorewall6.conf easier to isolate by including the option name.
+
+ Example:
+
+ ERROR: Log level INFO for option SFILTER_LOG_LEVEL requires LOG
+ Target support in your kernel and iptables
+
+3) The 'shorewall dump' command now uses 'ss' rather than 'netstat' to
+ produce socket-related information. By Martin Gignac.
+
+4) Thomas D has provided installer support for Gentoo. Thank you
+ Thomas!
+
+5) The generated firewall script inserts a host route for each
+ provider gateway into both the main routing table and into the
+ provider's routing table. This is necessary on older kernels to
+ avoid failure of default route insertion into the tables.
+
+ It has been discovered, however, that these host routes prevent
+ Zebra from being able to add routes on some distributions, most
+ notably Debian 7.0. To work around this issue, two new provider
+ options are now available:
+
+ hostroute This is the default and causes the host routes
+ described above to be inserted.
+
+ nohostroute Prevents the host routes from being inserted.
+
+6) It was previously not possible for Perl code in an action file to
+ change the rule comment as is done using the ?COMMENT directive
+ outside of Perl.
+
+ To allow actions to manipulate the current comment, two functions
+ are made available:
+
+ push_comment() Clears the current rule comment and returns
+ that comment to the caller.
+
+ set_comment($) Sets the current rule comment to the passed
+ string.
+
+ Typical usage would be:
+
+ ?BEGIN PERL
+ use Shorewall::Config;
+ ...
+ my $oldcomment = push_comment(); #Save and clear current
+ #current rule comment
+ ...
+ set_comment('This is a comment');
+ add_ijump(....); #This rule will have comment
+ # /* This is a comment */
+ set_comment(''); #Clear current rule comment
+ add_ijump(....); #This rule has no comment
+ ...
+ set_comment($oldcomment) #Restore caller's comment
+ #if any.
+ ?END PERL
+
+7) The compiler version used to create the current firewall script is
+ now displayed in the output of the 'status' and 'version -a'
+ commands.
----------------------------------------------------------------------------
I V. M I G R A T I O N I S S U E S
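Review bot: the REJECT_ACTION description in item 1 says 'If the protocol is IGMP (1), then the packet is dropped', but IGMP is IP protocol 2 and ICMP is protocol 1, which is what the reference action further down uses ('DROP - - 2' for IGMP and 'INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable' for ICMP); change the prose to 'IGMP (2)'. Since REJECT_ACTION substitutes a user-supplied action for the built-in reject handling, the text should also state what happens when the named action does not exist or does not terminate the packet (whether it falls through), and recommend running 'shorewall check' on the action file before relying on it. In the Perl example in item 6, 'set_comment($oldcomment)' lacks a trailing semicolon although more code ('...') follows, and the comment 'Save and clear current #current rule comment' repeats 'current'.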
@@ -280,6 +390,66 @@
----------------------------------------------------------------------------
V. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S
----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 4 . 5 . 2 0
+----------------------------------------------------------------------------
+
+1) On some distributions, the shorewall-lite and shorewall6-lite
+ uninstallers could fail with a syntax error.
+
+2) A typographical error in the usage text produced by the -h command
+ in the compiled firewall script has been corrected.
+
+3) The handling of INITSOURCE is now uniform between the standard and
+ the -lite installers.
+
+4) Previously, when SYSCONFFILE was specified in shorewallrc, the
+ installers would always install default.debian rather than the
+ named file. That has been corrected.
+
+----------------------------------------------------------------------------
+ N E W F E A T U R E S I N 4 . 5 . 2 0
+----------------------------------------------------------------------------
+
+1) A new TRACK_RULES option has been added to shorewall[6].conf. When
+ set to 'Yes', this option causes most rules to be tagged with a
+ comment which gives the configuration file name and line number
+ that caused the rule to be generated. These comments replace any
+ comments added via AUTOCOMMENT=Yes and ?COMMENT entries.
+
+ Setting this option to 'Yes' requires the 'Comments' capability in
+ your kernel and ip[6]tables.
+
+2) You may now specify 'OPTIMIZE=All' in shorewall[6].conf to enable
+ all optimizations. If new optimization levels are added in the
+ future, OPTIMIZE=All will automatically enable those optimizations.
+
+ For completeness, 'OPTIMIZE=None' disables all optimizations.
+
+3) 'list' and 'ls' are now documented alternatives for 'show' in the
+ CLI programs. /sbin/shorewall and /sbin/shorewall6 now accept 'ck'
+ as an abbreviation for 'check' and 'co' as an abbreviation for
+ 'compile'.
+
+4) Beginning with this release, if /etc/os-release exists during
+ installation, then the ID setting in that file will be used to
+ determine which Linux distribution is running on the system.
+
+5) The 'status' command now obeys the effective VERBOSITY and will
+ produce no output when the effective VERBOSITY is less than 1.
+
+6) The CLI exit status codes are now documented in the manpages
+ (shorewall(8), shorewall6(8), etc.).
+
+7) Beginning with this release, the shorewallrc file supports a
+ SERVICEFILE variable. SERVICEFILE is only relevant when SERVERD is
+ non-empty, in which case it names the file to be installed as the
+ product's .service file. If SERVERD is specified but SERVICEFILE is
+ not, the assumed value of SERVERFILE is $PRODUCT.service.
+
+8) The ${SBINDIR}/shorewall-init utility will now compile
+ configurations if needed
+
+----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 5 . 1 9
----------------------------------------------------------------------------
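Review bot: the 4.5.20 entries moved verbatim into section V carry over two defects worth fixing while these lines are being touched: item 7 of 'NEW FEATURES IN 4.5.20' says 'the assumed value of SERVERFILE is $PRODUCT.service' although the variable introduced in the same paragraph is SERVICEFILE, and item 8 ('configurations if needed') is missing its terminating period.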
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.20/shorewall-lite.spec new/shorewall-lite-4.5.21/shorewall-lite.spec
--- old/shorewall-lite-4.5.20/shorewall-lite.spec 2013-08-26 19:19:18.000000000 +0200
+++ new/shorewall-lite-4.5.21/shorewall-lite.spec 2013-10-03 16:59:42.000000000 +0200
@@ -1,5 +1,5 @@
%define name shorewall-lite
-%define version 4.5.20
+%define version 4.5.21
%define release 0base
%define initdir /etc/init.d
@@ -105,6 +105,16 @@
%doc COPYING changelog.txt releasenotes.txt
%changelog
+* Fri Sep 27 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.21-0base
+* Thu Sep 19 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.21-0RC1
+* Thu Sep 12 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.21-0Beta3
+* Fri Sep 06 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.21-0Beta2
+* Sun Sep 01 2013 Tom Eastep tom@shorewall.net
+- Updated to 4.5.21-0Beta1
* Sun Aug 18 2013 Tom Eastep tom@shorewall.net
- Updated to 4.5.20-0base
* Sun Aug 11 2013 Tom Eastep tom@shorewall.net
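Review bot: the new %changelog entry for 4.5.21-0base is dated Fri Sep 27 2013, whereas the releasenotes.txt hunk in the same patch dates the 4.5.21 release 'October 04, 2013' and the diffed files are stamped 2013-10-03; align the two so the packaged changelog and the release notes agree on the release date.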
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.20/shorewallrc.suse new/shorewall-lite-4.5.21/shorewallrc.suse
--- old/shorewall-lite-4.5.20/shorewallrc.suse 2013-08-26 19:19:18.000000000 +0200
+++ new/shorewall-lite-4.5.21/shorewallrc.suse 2013-10-03 16:59:42.000000000 +0200
@@ -16,7 +16,7 @@
ANNOTATED= #If non-zero, annotated configuration files are installed
SYSTEMD= #Directory where .service files are installed (systems running systemd only)
SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
-SYSCONFFILE= #Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFFILE=sysconfig #Name of the distributed file to be installed in $SYSCONFDIR
SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter files are installed
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where persistent product data is stored.
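Review bot: SYSCONFFILE changes from empty to 'sysconfig' in shorewallrc.suse; together with fix 2 in the release notes (the installer now honours SYSCONFFILE rather than installing the sysconfig file unconditionally), this setting is what keeps the SUSE sysconfig file being installed into SYSCONFDIR=/etc/sysconfig/, so record that reason in the trailing comment or the package changelog, and confirm that a file literally named 'sysconfig' exists in the source tree this rc file describes, since an absent file would now be a silent change in installed behaviour.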
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.20/uninstall.sh new/shorewall-lite-4.5.21/uninstall.sh
--- old/shorewall-lite-4.5.20/uninstall.sh 2013-08-26 19:19:18.000000000 +0200
+++ new/shorewall-lite-4.5.21/uninstall.sh 2013-10-03 16:59:42.000000000 +0200
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.5.20
+VERSION=4.5.21
usage() # $1 = exit status
{
++++++ shorewall-4.5.20.tar.bz2 -> shorewall6-4.5.21.tar.bz2 ++++++
++++ 118006 lines of diff (skipped)
++++++ shorewall-lite-4.5.20.tar.bz2 -> shorewall6-lite-4.5.21.tar.bz2 ++++++
++++ 7625 lines of diff (skipped)
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org