Hello community,
here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2015-09-17 09:21:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shorewall (Old)
and /work/SRC/openSUSE:Factory/.shorewall.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall"
Changes:
--------
--- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2015-08-05 06:49:58.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes 2015-09-17 09:21:04.000000000 +0200
@@ -1,0 +2,40 @@
+Tue Sep 15 09:22:51 UTC 2015 - toganm@opensuse.org
+
+- Update to version 4.6.13 For more details see changelog.txt and
+ realeasenotes.txt
+
+ * The 'rules' file manpages have been corrected regarding the
+ packets that are processed by rules in the NEW section.
+
+ * Parsing of IPv6 address ranges has been corrected. Previously,
+ use of ranges resulted in 'Invalid IPv6 Address' errors.
+
+ * The shorewall6-hosts man page has been corrected to show the
+ proper contents of the HOST(S) column.
+
+ * Previously, INLINE statements in the mangle file were not
+ recognized if a chain designator (:F, :P, etc.) followingowed
+ INLINE(...). As a consequence, additional matches following
+ a semicolon were interpreted as column/value pairs unless
+ INLINE_MATCHES=Yes, resulting in compilation failure.
+
+ * Inline matches on IP[6]TABLE rules could be ignored if
+ INLINE_MATCHES=No. They are now recognized.
+
+ * Specifying an action with a logging level in one of the
+ _DEFAULT options in shorewall[6].conf
+ (e.g., REJECT_DEFAULT=Reject:info) produced a compilation error:
+
+ ERROR: Invalid value (:info) for first Reject parameter
+ /usr/share/shorewall/action.Rejectect (line 52)
+
+ That has been corrected. Note, however, that specifying logging
+ with a default action tends to defeat one of the main purposes
+ of default actions which is to suppress logging.
+
+ * Previously, it was necessary to set TC_EXPERT=Yes to have full
+ access to the user mark in fw marks. That has been corrected so
+ that any place that a mark or mask can be specified, both the
+ TC mark and the User mark are accessible.
+
+-------------------------------------------------------------------
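Review bot: the added .changes entry carries three typos that will be published as-is in the package history: `realeasenotes.txt` (releasenotes.txt), `followingowed` (`followed`, as the same sentence reads in the releasenotes.txt hunk of this patch), and `/usr/share/shorewall/action.Rejectect` in the quoted error message, which the releasenotes.txt hunk gives as `/usr/share/shorewall/action.Reject`. Since these bullets are copied from the upstream release notes anyway, matching them verbatim would remove all three.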
Old:
----
shorewall-4.6.11.tar.bz2
shorewall-core-4.6.11.tar.bz2
shorewall-docs-html-4.6.11.tar.bz2
shorewall-init-4.6.11.tar.bz2
shorewall-lite-4.6.11.tar.bz2
shorewall6-4.6.11.tar.bz2
shorewall6-lite-4.6.11.tar.bz2
New:
----
shorewall-4.6.13.tar.bz2
shorewall-core-4.6.13.tar.bz2
shorewall-docs-html-4.6.13.tar.bz2
shorewall-init-4.6.13.tar.bz2
shorewall-lite-4.6.13.tar.bz2
shorewall6-4.6.13.tar.bz2
shorewall6-lite-4.6.13.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ shorewall.spec ++++++
--- /var/tmp/diff_new_pack.pk5nzQ/_old 2015-09-17 09:21:06.000000000 +0200
+++ /var/tmp/diff_new_pack.pk5nzQ/_new 2015-09-17 09:21:06.000000000 +0200
@@ -20,19 +20,19 @@
%define have_systemd 1
Name: shorewall
-Version: 4.6.11
+Version: 4.6.13
Release: 0
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems
License: GPL-2.0
Group: Productivity/Networking/Security
Url: http://www.shorewall.net/
-Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.11/%{name}-%version.tar.bz2
-Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.11/%{name}-core-%version.tar.bz2
-Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.11/%{name}-lite-%version.tar.bz2
-Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.11/%{name}-init-%version.tar.bz2
-Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.11/%{name}6-lite-%version.tar.bz2
-Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.11/%{name}6-%version.tar.bz2
-Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.11/%{name}-docs-html-%version.tar.bz2
+Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.13/%{name}-%version.tar.bz2
+Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.13/%{name}-core-%version.tar.bz2
+Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.13/%{name}-lite-%version.tar.bz2
+Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.13/%{name}-init-%version.tar.bz2
+Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.13/%{name}6-lite-%version.tar.bz2
+Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.13/%{name}6-%version.tar.bz2
+Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.13/%{name}-docs-html-%version.tar.bz2
Source7: %{name}-4.4.22.rpmlintrc
Source8: README.openSUSE
# PATCH-FIX-UPSTREAM toganm@opensuse.org Shorewall-lite init.suse.sh Required Stop
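Review bot: all seven tarball Source URLs are plain `http://` and the spec lists no detached signature or checksum alongside them (Source7 and Source8 are the rpmlintrc and README), so the integrity of the 4.6.13 tarballs rests entirely on the copies checked into the OBS project rather than on anything verifiable at build time; if upstream provides the release over HTTPS or with signature files, adding those would let a version bump like this one be checked rather than trusted. The bump itself is consistent: Version and the directory component of every Source line move from 4.6.11 to 4.6.13 together.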
++++++ shorewall-4.6.11.tar.bz2 -> shorewall-4.6.13.tar.bz2 ++++++
++++ 4182 lines of diff (skipped)
++++++ shorewall-core-4.6.11.tar.bz2 -> shorewall-core-4.6.13.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.11/changelog.txt new/shorewall-core-4.6.13/changelog.txt
--- old/shorewall-core-4.6.11/changelog.txt 2015-07-06 23:57:57.000000000 +0200
+++ new/shorewall-core-4.6.13/changelog.txt 2015-09-08 20:10:31.000000000 +0200
@@ -1,9 +1,93 @@
+Changes in 4.6.13 Final
+
+1) Allow non-expoerts access to the user bits in the fw mark.
+
+Changes in 4.6.13 RC 1
+
+1) Update release documents.
+
+2) Unconditionally get inline matches.
+
+Changes in 4.6.13 Beta 2
+
+1) Update release documents.
+
+2) Restore tcrules conversion.
+
+3) Place a header on a newly-created mangle file.
+
+Changes in 4.6.13 Beta 1
+
+1) Update release documents.
+
+2) Correct 'rules' man pages.
+
+3) Correct parsing of IPv6 ranges
+
+4) Correct the shorewall6-hosts(5) manpage.
+
+6) Improve update
+
+7) Allow 'second' and 'minute' in LOGLIMIT specifications
+
+8) Update -t also converts the TOS file
+
+9) Fix INLINE(...):...
+
+Changes in 4.6.12.1
+
+1) Update release documents.
+
+2) Correct a warning message.
+
+3) Attempt a 'restore' after a fatal error during start/restart.
+
+Changes in 4.6.12 Final
+
+1) Update release documents.
+
+2) Correct an error message.
+
+3) Use NYTProf as the profiler
+
+Changes in 4.6.12 RC 3
+
+1) Fully activate the new update options.
+
+Changes in 4.6.12 RC 2
+
+1) Update release documents.
+
+2) Update module versions.
+
+3) Allow =0 on multi-zone interfaces
+
+4) Port 'update' improvements from 5.0.0.
+
+Changes in 4.6.12 RC 1
+
+1) Update release documents.
+
+2) Add Debian-specific .service files
+
+3) Create dual shorewallrc files for Debian
+
+Changes in 4.6.12 Beta 1
+
+1) Update release documents.
+
+2) Enhance compiler() progress message.
+
+3) Make script generations repeatable.
+
Changes in 4.6.11 Final
1) Update release documents.
2) Clean up PATH fix.
+3) Change shorewall6.conf to specify INLINE_MATCHES=No.
+
Changes in 4.6.11 RC 1
1) Update release documents.
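Review bot: in the new changelog text, `non-expoerts` on the 4.6.13 Final line should read `non-experts`, and the 4.6.13 Beta 1 list jumps from item 4) to item 6), so either an entry was dropped or the items need renumbering. The remaining items line up with the releasenotes.txt hunk further down.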
@@ -696,5 +780,3 @@
6) Implement INLINE_MATCHES
7) Implement IP[6]TABLES actions in several files.
-
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.11/configure new/shorewall-core-4.6.13/configure
--- old/shorewall-core-4.6.11/configure 2015-07-06 23:57:57.000000000 +0200
+++ new/shorewall-core-4.6.13/configure 2015-09-08 20:10:31.000000000 +0200
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=4.6.11
+VERSION=4.6.13
case "$BASH_VERSION" in
[4-9].*)
@@ -102,7 +102,7 @@
vendor=redhat
;;
debian|ubuntu)
- vendor=debian
+ ls -l /sbin/init |fgrep -q systemd | vendor=debian.systemd | vendor=debian.sysvinit
;;
opensuse)
vendor=suse
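Review bot: the replacement line `ls -l /sbin/init |fgrep -q systemd | vendor=debian.systemd | vendor=debian.sysvinit` cannot set `vendor` at all: every stage of a shell pipeline runs in its own subshell, so both assignments are discarded when the pipeline finishes, and the exit status of `fgrep -q` is never consulted because it is only an intermediate stage. The intent, which the configure.pl hunk implements correctly with `$init =~ /systemd/ ? 'debian.systemd' : 'debian.sysvinit'`, needs a conditional, e.g.
 if ls -l /sbin/init | fgrep -q systemd; then vendor=debian.systemd; else vendor=debian.sysvinit; fi
As written, `vendor` keeps whatever value it had before the `case`, so Debian and Ubuntu hosts taking this branch will not select either of the new rc files.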
@@ -130,7 +130,7 @@
*)
if [ -f /etc/debian_version ]; then
params[HOST]=debian
- rcfile=shorewallrc.debian
+ rcfile=shorewallrc.debian.sysvinit
elif [ -f /etc/redhat-release ]; then
params[HOST]=redhat
rcfile=shorewallrc.redhat
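Review bot: the fallback branch (no os-release id matched) now hard-codes `rcfile=shorewallrc.debian.sysvinit`, whereas the debian|ubuntu branch above tries to tell systemd from sysvinit by inspecting /sbin/init; a Debian host that reaches this branch while running systemd therefore gets a sysvinit rc file with `INITDIR=/etc/init.d` and an empty `SERVICEDIR`, so no .service file location is configured. Applying the same /sbin/init check here (and in the matching configure.pl fallback, which has the same shape) keeps the two detection paths consistent.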
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.11/configure.pl new/shorewall-core-4.6.13/configure.pl
--- old/shorewall-core-4.6.11/configure.pl 2015-07-06 23:57:57.000000000 +0200
+++ new/shorewall-core-4.6.13/configure.pl 2015-09-08 20:10:31.000000000 +0200
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '4.6.11'
+ VERSION => '4.6.13'
};
my %params;
@@ -68,14 +68,16 @@
$vendor = 'redhat';
} elsif ( $id eq 'opensuse' ) {
$vendor = 'suse';
- } elsif ( $id eq 'ubuntu' ) {
- $vendor = 'debian';
+ } elsif ( $id eq 'ubuntu' || $id eq 'debian' ) {
+ my $init = `ls -l /sbin/init`;
+ $vendor = $init =~ /systemd/ ? 'debian.systemd' : 'debian.sysvinit';
} else {
$vendor = $id;
}
}
$params{HOST} = $vendor;
+ $params{HOST} =~ s/\..*//;
}
if ( defined $vendor ) {
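Review bot: the backtick call `ls -l /sbin/init` assigned to `$init` spawns a process only to read a symlink target; Perl's builtin `readlink('/sbin/init')` returns the target directly (undef when /sbin/init is not a symlink), and matching `/systemd/` against that string alone avoids false positives from other fields of the `ls -l` output such as the owner or group name. The following `$params{HOST} =~ s/\..*//;` correctly strips the `.systemd`/`.sysvinit` suffix so HOST stays `debian` in the generated shorewallrc.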
@@ -84,7 +86,7 @@
} else {
if ( -f '/etc/debian_version' ) {
$vendor = 'debian';
- $rcfilename = 'shorewallrc.debian';
+ $rcfilename = 'shorewallrc.debian.sysvinit';
} elsif ( -f '/etc/redhat-release' ){
$vendor = 'redhat';
$rcfilename = 'shorewallrc.redhat';
@@ -117,7 +119,7 @@
if ( $vendor eq 'linux' ) {
printf "INFO: Creating a generic Linux installation - %s %2d %04d %02d:%02d:%02d\n\n", $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
} else {
- printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $vendor, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
+ printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $params{HOST}, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
}
open $rcfile, '<', $rcfilename or die "Unable to open $rcfilename for input: $!";
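Review bot: the rewritten printf line keeps the stray `;;` at the end of the statement from the line it replaces; it is an empty statement in Perl and harmless, but since the line is being touched anyway it is a good moment to drop it (the generic-Linux branch two lines up has the same). Printing `$params{HOST}` instead of `$vendor` means the message now reads `debian-specific` even when `debian.systemd` was selected, which loses the one piece of information the new detection adds; printing `$vendor` here and `$params{HOST}` only where the rc file is chosen would keep the message informative.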
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.11/install.sh new/shorewall-core-4.6.13/install.sh
--- old/shorewall-core-4.6.11/install.sh 2015-07-06 23:57:57.000000000 +0200
+++ new/shorewall-core-4.6.13/install.sh 2015-09-08 20:10:31.000000000 +0200
@@ -22,7 +22,7 @@
# along with this program; if not, see http://www.gnu.org/licenses/.
#
-VERSION=4.6.11
+VERSION=4.6.13
usage() # $1 = exit status
{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.11/lib.base new/shorewall-core-4.6.13/lib.base
--- old/shorewall-core-4.6.11/lib.base 2015-07-06 23:49:20.000000000 +0200
+++ new/shorewall-core-4.6.13/lib.base 2015-09-07 20:35:47.000000000 +0200
@@ -76,6 +76,24 @@
fi
#
+# Fatal Error
+#
+fatal_error() # $@ = Message
+{
+ echo " ERROR: $@" >&2
+ exit 2
+}
+
+#
+# Not configured Error
+#
+not_configured_error() # $@ = Message
+{
+ echo " ERROR: $@" >&2
+ exit 6
+}
+
+#
# Conditionally produce message
#
progress_message() # $* = Message
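Review bot: in both new functions `echo " ERROR: $@" >&2` uses `$@` inside double quotes where a single message string is wanted; `"$*"` is the idiomatic form for joining the arguments into one word and matches the `$* = Message` convention documented on progress_message() directly below. echo produces the same output either way, so this is a style point only; the distinct exit codes 2 and 6 are preserved from the lib.common versions being removed.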
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.11/lib.cli new/shorewall-core-4.6.13/lib.cli
--- old/shorewall-core-4.6.11/lib.cli 2015-07-06 23:49:20.000000000 +0200
+++ new/shorewall-core-4.6.13/lib.cli 2015-09-07 20:35:47.000000000 +0200
@@ -1012,7 +1012,6 @@
case "$1" in
connections)
- show_connections
if [ $g_family -eq 4 ]; then
if [ -d /proc/sys/net/netfilter/ ]; then
local count
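Review bot: removing the `show_connections` call at the top of the `connections)` case leaves the rest of the case outside the hunk, so it is not visible from the patch whether show_connections is still reached after the `$g_family` and /proc/sys/net/netfilter checks; if this was a duplicate call the change is fine, but if it was the only one, `show connections` would no longer list the connection table. Worth confirming against the full case body, and a sentence in the changelog would make the intent reviewable.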
@@ -3975,7 +3974,7 @@
echo " status [ -i ]"
echo " stop"
ecko " try <directory> [ <timeout> ]"
- ecko " update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [-t] [-A] [ <directory> ]"
+ ecko " update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [-t] [-s] [-n] [-A] [ <directory> ]"
echo " version [ -a ]"
echo
exit $1
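Review bot: the usage text for `update` gains `[-s]` and `[-n]`, but the release-notes hunk in this same patch documents only `-r` and `-n` as the new update options (4.6.12 new feature 4), so `-s` is undocumented anywhere on the page; either the notes or the man page should say what -s converts. The `g_routestopped` and `g_notrack` globals added in the next hunk pair with -r and -n, which leaves -s without a visible counterpart.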
@@ -4028,6 +4027,8 @@
g_counters=
g_loopback=
g_compiled=
+ g_routestopped=
+ g_notrack=
VERBOSE=
VERBOSITY=1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.11/lib.common new/shorewall-core-4.6.13/lib.common
--- old/shorewall-core-4.6.11/lib.common 2015-07-06 23:49:20.000000000 +0200
+++ new/shorewall-core-4.6.13/lib.common 2015-09-07 20:35:47.000000000 +0200
@@ -71,24 +71,6 @@
}
#
-# Fatal Error
-#
-fatal_error() # $@ = Message
-{
- echo " ERROR: $@" >&2
- exit 2
-}
-
-#
-# Not configured Error
-#
-not_configured_error() # $@ = Message
-{
- echo " ERROR: $@" >&2
- exit 6
-}
-
-#
# Get the Shorewall version of the passed script
#
get_script_version() { # $1 = script
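Review bot: moving fatal_error() and not_configured_error() out of lib.common into lib.base changes which library a script must source to get them; any script or extension script that sources lib.common alone (nothing in this patch shows lib.common sourcing lib.base) would now fail with "fatal_error: command not found" at exactly the moment it tries to report an error, turning a clean exit 2 or 6 into an unhandled failure. Worth confirming that every caller of these two functions already loads lib.base before this lands.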
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.11/releasenotes.txt new/shorewall-core-4.6.13/releasenotes.txt
--- old/shorewall-core-4.6.11/releasenotes.txt 2015-07-06 23:57:57.000000000 +0200
+++ new/shorewall-core-4.6.13/releasenotes.txt 2015-09-08 20:10:31.000000000 +0200
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 4 . 6 . 1 1
- ----------------------------
- J u l y 0 7 , 2 0 1 5
+ S H O R E W A L L 4 . 6 . 1 3
+ ------------------------------
+ S e p t e m b e r 0 9 , 2 0 1 5
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -11,28 +11,50 @@
V. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
----------------------------------------------------------------------------
+ N O T I C E
+
+Shorewall 4.6.13 is scheduled to be the last 4.6 release. In
+the fall of 2015, Shorewall 5.0.0 will be available. Please see
+http://www.shorewall.org/Shorewall-5.html for information about
+preparing to migrate to Shorewall 5.
+
+----------------------------------------------------------------------------
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1. This release includes defect repair up to and including Shorewall
- 4.6.10.1.
-
-2. Previously, when the -c option was given to the 'compile' command,
- the progress message "Compiling..." was issued before it was
- determined if compilation was necessary. Now, that message is
- suppressed when re-compilation is not required.
+1) The 'rules' file manpages have been corrected regarding the packets
+ that are processed by rules in the NEW section.
-3. Previously, when the -c option was given to the 'compile' command,
- the 'postcompile' extension script was executed even when there was
- no (re-)compilation. Now, the 'postcompile' script is only invoked
- when a new script is generated.
+2) Parsing of IPv6 address ranges has been corrected. Previously, use
+ of ranges resulted in 'Invalid IPv6 Address' errors.
-4. If CONFDIR was other than /etc, then ordinary users would not
- receive a clear error message when they attempted to execute one of
- the commands that change the firewall state.
+3) The shorewall6-hosts man page has been corrected to show the
+ proper contents of the HOST(S) column.
-5. Previously, IPv4 DHCP client broadcasts were blocked by the
- 'rpfilter' interface option. That has been corrected.
+4) Previously, INLINE statements in the mangle file were not
+ recognized if a chain designator (:F, :P, etc.) followed
+ INLINE(...). As a consequence, additional matches following a
+ semicolon were interpreted as column/value pairs unless
+ INLINE_MATCHES=Yes, resulting in compilation failure.
+
+5) Inline matches on IP[6]TABLE rules could be ignored if
+ INLINE_MATCHES=No. They are now recognized.
+
+6) Specifying an action with a logging level in one of the _DEFAULT
+ options in shorewall[6].conf (e.g., REJECT_DEFAULT=Reject:info)
+ produced a compilation error:
+
+ ERROR: Invalid value (:info) for first Reject parameter
+ /usr/share/shorewall/action.Reject (line 52)
+
+ That has been corrected. Note, however, that specifying logging
+ with a default action tends to defeat one of the main purposes of
+ default actions which is to suppress logging.
+
+7) Previously, it was necessary to set TC_EXPERT=Yes to have full
+ access to the user mark in fw marks. That has been corrected so
+ that any place that a mark or mask can be specified, both the TC
+ mark and the User mark are accessible.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
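Review bot: the rewritten section switches item numbering from `1.` to `1)` while the 4.6.11 text carried over later in the same file keeps `1.`; pick one style for releasenotes.txt. The quoted error path `/usr/share/shorewall/action.Reject (line 52)` here is the correct one and should be copied into the shorewall.changes entry, which spells it action.Rejectect.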
@@ -45,44 +67,40 @@
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) Over the years, a number of changes have been added to Shorewall
- that work around defects in other products. When running a current
- distribution, these workarounds are unnecessary and add to the time
- required for normal Shorewall operations.
+1) 'update -t' now converts both the tcrules and tos files.
- Beginning in this release, those workarounds may be disabled by
- setting WORKAROUNDS=No in shorewall.conf.
-
-2) Previously, both lib.cli and lib.cli-std included nearly-identical
- usage() functions. Now, only lib.cli includes the function which
- produces its output based on which product's CLI is invoking it.
+2) 'second' and 'minute' are now allowed in the LOGLIMIT
+ specification in place of 'sec' and 'min' respectively.
-3) To accomodate compiled scripts produced by Shorewall versions
- before 4.4.8, Shorewall products from 4.4.8 onward have run scripts
- twice. The first time is simply to capture the output of the
- 'version' command. Based on the script's version, it is then invoked
- to execute the requested command.
+3) The 'update' command now converts additional deprecated option
+ settings:
- Beginning in this release, scripts will only be run once if:
+ - LOGRATE/LOGBURST are converted to the equivalent LOGLIMIT
+ setting.
- - WORKAROUNDS=No, or
- - the script was compiled as part of executing the command, or
- - AUTOMAKE=Yes and it was determined that re-compilation was not
- required.
+ - BLACKLISTNEWONLY is now converted to the equivalent BLACKLIST
+ setting.
-4) When the 'conntrack' utility program is installed, the 'show
- connections' command can now display a subset of the entire
- conntrack table by simply following the 'connections' keyword with
- one or more conntrack filter parameters.
+4) Two settings now have more reasonable defaults if they don't appear
+ in the .conf file being updated:
- For example, to display all http connections:
+ - USE_DEFAULT_RT now defaults to No
+ - EXPORTMODULES now defaults to No.
- shorewall show connections -p tcp --dport 80
+5) When the 'update' command is converting a deprecated file, it now
+ makes additional checks when it finds a target file (mangle,
+ stoppedrules or blrules) to append the converted rules to:
- See conntrack(8) for a description of the available parameters.
+ - If the file is in the directory $SHAREDIR/$product/configfiles/,
+ the file is not opened.
+ - If the file is in the directory
+ $SHAREDIR/doc/$product/default-config/, the file is not opened.
+ - If the file is not writable, the file is not opened.
-5) To ensure that the compiler has an adequate PATH, the default
- Shorewall PATH is now appended to the compiler's active PATH.
+ When the file isn't opened because of one of these checks, an
+ attempt is made to create a new file in either the directory
+ specified on the command line (if any) or in the first directory
+ listed in the CONFIG_PATH setting.
----------------------------------------------------------------------------
I V. M I G R A T I O N I S S U E S
@@ -375,7 +393,158 @@
See shorewall[6].conf(5) for additional details.
----------------------------------------------------------------------------
- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S
+ V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S
+----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 2
+----------------------------------------------------------------------------
+
+4.6.12.1
+
+1) Beginning with Shorewall 4.6.10, a fatal error during a start or
+ restart operation can leave the firewall in an indeterminent state.
+ That problem has been corrected so that the intended action takes
+ place:
+
+ - If there is a current executable RESTOREFILE, then the firewall
+ is restored using that file.
+
+ - Otherwise, the firewall is placed in the stopped state.
+
+2) Previously, if 'none' were passed as the log level argument to the
+ AutoBL action, compilation failed silently. Now, the intended
+ behavior (no logging) is produced.
+
+4.6.12
+
+1) This release includes defect repair up through Shorewall 4.6.11.1.
+
+2) Previously, when Perl 5.18.0 or later was used with Shorewall,
+ multiple compilations of an unchanging configuration could produce
+ different but equivalent script files. Now, the script files
+ produced will be identical (except for dates and times) for any
+ given Shorewall version.
+
+3) Previously, if a binary interface option (those that have a value
+ of zero or 1) was specified with a value of zero on such an
+ interface, compilation failed.
+
+ For example, this interface definition:
+
+ - eth2 arp_filter=0,routeback=0,tcpflags=0,proxyarp=0
+
+ would generate the following error message:
+
+ ERROR: The "routeback" option may not be specified on a
+ multi-zone interface
+
+ Now, the option is allowed.
+
+4) Several issues with 'update -b' have been corrected.
+
+----------------------------------------------------------------------------
+ N E W F E A T U R E S I N 4 . 6 . 1 2
+----------------------------------------------------------------------------
+
+1) The initial 'Compiling...', 'Checking...' and 'Updating..."
+ progress messages now include the Product name and version.
+
+2) Debian-specific .service files have been added.
+
+3) There are now two shorewallrc files for Debian - one for sysvinit
+ and one for systemd. The configure and configure.pl scrips
+ determine which to use by examining /sbin/init.
+
+4) Two new options are available for the 'update' command:
+
+ -r converts a routestopped file to an equivalent stoppedrules file.
+
+ -n converts a notrack file to an equivalent conntrack file. If
+ there is already an existing conntrack file, the converted rules
+ are appended to the existing file.
+
+ WARNING: If you include /usr/share/shorewall/configfiles (or
+ wherever your distro places empty files) in your CONFIG_FILE
+ setting and there is no new file in your config directory (such as
+ /etc/shorewall), then the 'update' command will update the copy of
+ the file in /usr/share/shorewall/configfiles. This is probably not
+ what you want, since files in that directory (or your distro's
+ corresponding directory) will be overwritten by the next upgrade.
+
+5) Shorewall now uses NYTProf as its profiler rather than the
+ deprecated DProf.
+
+----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 1
+----------------------------------------------------------------------------
+
+1. This release includes defect repair up to and including Shorewall
+ 4.6.10.1.
+
+2. Previously, when the -c option was given to the 'compile' command,
+ the progress message "Compiling..." was issued before it was
+ determined if compilation was necessary. Now, that message is
+ suppressed when re-compilation is not required.
+
+3. Previously, when the -c option was given to the 'compile' command,
+ the 'postcompile' extension script was executed even when there was
+ no (re-)compilation. Now, the 'postcompile' script is only invoked
+ when a new script is generated.
+
+4. If CONFDIR was other than /etc, then ordinary users would not
+ receive a clear error message when they attempted to execute one of
+ the commands that change the firewall state.
+
+5. Previously, IPv4 DHCP client broadcasts were blocked by the
+ 'rpfilter' interface option. That has been corrected.
+
+6) The 'update' command incorrectly added the INLINE_MATCHES option
+ to shorewall6.conf with a default value of 'Yes'. This caused
+ 'start' to fail with invalid ip6tables rules when the alternate
+ input format using ';' is used.
+
+----------------------------------------------------------------------------
+ N E W F E A T U R E S I N 4 . 6 . 1 1
+----------------------------------------------------------------------------
+
+1) Over the years, a number of changes have been added to Shorewall
+ that work around defects in other products. When running a current
+ distribution, these workarounds are unnecessary and add to the time
+ required for normal Shorewall operations.
+
+ Beginning in this release, those workarounds may be disabled by
+ setting WORKAROUNDS=No in shorewall.conf.
+
+2) Previously, both lib.cli and lib.cli-std included nearly-identical
+ usage() functions. Now, only lib.cli includes the function which
+ produces its output based on which product's CLI is invoking it.
+
+3) To accomodate compiled scripts produced by Shorewall versions
+ before 4.4.8, Shorewall products from 4.4.8 onward have run scripts
+ twice. The first time is simply to capture the output of the
+ 'version' command. Based on the script's version, it is then invoked
+ to execute the requested command.
+
+ Beginning in this release, scripts will only be run once if:
+
+ - WORKAROUNDS=No, or
+ - the script was compiled as part of executing the command, or
+ - AUTOMAKE=Yes and it was determined that re-compilation was not
+ required.
+
+4) When the 'conntrack' utility program is installed, the 'show
+ connections' command can now display a subset of the entire
+ conntrack table by simply following the 'connections' keyword with
+ one or more conntrack filter parameters.
+
+ For example, to display all http connections:
+
+ shorewall show connections -p tcp --dport 80
+
+ See conntrack(8) for a description of the available parameters.
+
+5) To ensure that the compiler has an adequate PATH, the default
+ Shorewall PATH is now appended to the compiler's active PATH.
+
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 0
----------------------------------------------------------------------------
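Review bot: a few typos in the carried-over notes: `indeterminent state` (4.6.12.1 item 1) should be `indeterminate`, `configure.pl scrips` (4.6.12 new feature 3) should be `scripts`, and the quote pair in `'Updating.."` is mismatched. More substantively, the WARNING under 4.6.12 new feature 4 refers to a `CONFIG_FILE setting`, while the option named elsewhere in these notes is `CONFIG_PATH` (4.6.13 new feature 5), so the warning should say CONFIG_PATH; that warning describes exactly the scenario the 4.6.13 check that refuses to open files under $SHAREDIR/$product/configfiles/ is meant to prevent, and cross-referencing the two would tell users the 4.6.12 caveat is now mitigated.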
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.11/shorewall-core.spec new/shorewall-core-4.6.13/shorewall-core.spec
--- old/shorewall-core-4.6.11/shorewall-core.spec 2015-07-06 23:57:57.000000000 +0200
+++ new/shorewall-core-4.6.13/shorewall-core.spec 2015-09-08 20:10:31.000000000 +0200
@@ -1,5 +1,5 @@
%define name shorewall-core
-%define version 4.6.11
+%define version 4.6.13
%define release 0base
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -63,6 +63,30 @@
%doc COPYING INSTALL changelog.txt releasenotes.txt
%changelog
+* Mon Sep 07 2015 Tom Eastep tom@shorewall.net
+- Updated to 4.6.13-0base
+* Sun Aug 30 2015 Tom Eastep tom@shorewall.net
+- Updated to 4.6.13-0RC1
+* Fri Aug 28 2015 Tom Eastep tom@shorewall.net
+- Updated to 4.6.13-0Beta2
+* Thu Aug 27 2015 Tom Eastep tom@shorewall.net
+- Updated to 4.6.13-0Beta1
+* Sat Aug 22 2015 Tom Eastep tom@shorewall.net
+- Updated to 4.6.12-2
+* Fri Aug 21 2015 Tom Eastep tom@shorewall.net
+- Updated to 4.6.12-1
+* Mon Aug 17 2015 Tom Eastep tom@shorewall.net
+- Updated to 4.6.12-0base
+* Sun Aug 16 2015 Tom Eastep tom@shorewall.net
+- Updated to 4.6.12-0RC3
+* Thu Aug 13 2015 Tom Eastep tom@shorewall.net
+- Updated to 4.6.12-0RC2
+* Thu Jul 30 2015 Tom Eastep tom@shorewall.net
+- Updated to 4.6.12-0RC1
+* Mon Jul 13 2015 Tom Eastep tom@shorewall.net
+- Updated to 4.6.12-0Beta2
+* Wed Jul 08 2015 Tom Eastep tom@shorewall.net
+- Updated to 4.6.12-0Beta1
* Fri Jul 03 2015 Tom Eastep tom@shorewall.net
- Updated to 4.6.11-0base
* Mon Jun 29 2015 Tom Eastep tom@shorewall.net
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.11/shorewallrc.debian new/shorewall-core-4.6.13/shorewallrc.debian
--- old/shorewall-core-4.6.11/shorewallrc.debian 2015-07-06 23:49:20.000000000 +0200
+++ new/shorewall-core-4.6.13/shorewallrc.debian 1970-01-01 01:00:00.000000000 +0100
@@ -1,23 +0,0 @@
-#
-# Debian Shorewall 4.5 rc file
-#
-BUILD= #Default is to detect the build system
-HOST=debian
-PREFIX=/usr #Top-level directory for shared files, libraries, etc.
-SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
-LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
-PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
-CONFDIR=/etc #Directory where subsystem configurations are installed
-SBINDIR=/sbin #Directory where system administration programs are installed
-MANDIR=${PREFIX}/share/man #Directory where manpages are installed.
-INITDIR=/etc/init.d #Directory where SysV init scripts are installed.
-INITFILE=$PRODUCT #Name of the product's installed SysV init script
-INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script
-ANNOTATED= #If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian #Name of the distributed file to be installed in $SYSCONFDIR
-SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
-SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed
-SERVICEDIR= #Directory where .service files are installed (systems running systemd only)
-SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARLIB=/var/lib #Directory where product variable data is stored.
-VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.11/shorewallrc.debian.systemd new/shorewall-core-4.6.13/shorewallrc.debian.systemd
--- old/shorewall-core-4.6.11/shorewallrc.debian.systemd 1970-01-01 01:00:00.000000000 +0100
+++ new/shorewall-core-4.6.13/shorewallrc.debian.systemd 2015-09-07 20:35:47.000000000 +0200
@@ -0,0 +1,23 @@
+#
+# Debian Shorewall 4.5 rc file
+#
+BUILD= #Default is to detect the build system
+HOST=debian
+PREFIX=/usr #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
+PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
+CONFDIR=/etc #Directory where subsystem configurations are installed
+SBINDIR=/sbin #Directory where system administration programs are installed
+MANDIR=${PREFIX}/share/man #Directory where manpages are installed.
+INITDIR= #Directory where SysV init scripts are installed.
+INITFILE= #Name of the product's installed SysV init script
+INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script
+ANNOTATED= #If non-zero, annotated configuration files are installed
+SYSCONFFILE=default.debian #Name of the distributed file to be installed in $SYSCONFDIR
+SERVICEFILE=$PRODUCT.service.debian #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed
+SERVICEDIR=/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
+SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARLIB=/var/lib #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
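Review bot: the new systemd rc file leaves `INITSOURCE=init.debian.sh` set while `INITDIR=` and `INITFILE=` are empty, so it names a SysV init script that will never be installed; clearing INITSOURCE (or commenting why it is kept) avoids suggesting a mixed sysvinit/systemd install. The header comment `Debian Shorewall 4.5 rc file` is also stale in a 4.6.13 tree, though that is inherited from the deleted shorewallrc.debian.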
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.11/shorewallrc.debian.sysvinit new/shorewall-core-4.6.13/shorewallrc.debian.sysvinit
--- old/shorewall-core-4.6.11/shorewallrc.debian.sysvinit 1970-01-01 01:00:00.000000000 +0100
+++ new/shorewall-core-4.6.13/shorewallrc.debian.sysvinit 2015-09-07 20:35:47.000000000 +0200
@@ -0,0 +1,23 @@
+#
+# Debian Shorewall 4.5 rc file
+#
+BUILD= #Default is to detect the build system
+HOST=debian
+PREFIX=/usr #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
+PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
+CONFDIR=/etc #Directory where subsystem configurations are installed
+SBINDIR=/sbin #Directory where system administration programs are installed
+MANDIR=${PREFIX}/share/man #Directory where manpages are installed.
+INITDIR=/etc/init.d #Directory where SysV init scripts are installed.
+INITFILE=$PRODUCT #Name of the product's installed SysV init script
+INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script
+ANNOTATED= #If non-zero, annotated configuration files are installed
+SYSCONFFILE=default.debian #Name of the distributed file to be installed in $SYSCONFDIR
+SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed
+SERVICEDIR= #Directory where .service files are installed (systems running systemd only)
+SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARLIB=/var/lib #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
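Review bot: the header comment "# Debian Shorewall 4.5 rc file" is stale in a file introduced for 4.6.13; update it (or drop the version) so the two Debian rc files cannot be mistaken for leftovers of an older release. The rest of the sysvinit variant is consistent with its purpose: INITDIR=/etc/init.d and INITFILE=$PRODUCT are set, and SERVICEFILE and SERVICEDIR are left empty so no systemd unit is installed; the VARLIB/VARDIR duplicate-comment remark from the systemd variant applies here too.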
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.11/uninstall.sh new/shorewall-core-4.6.13/uninstall.sh
--- old/shorewall-core-4.6.11/uninstall.sh 2015-07-06 23:57:57.000000000 +0200
+++ new/shorewall-core-4.6.13/uninstall.sh 2015-09-08 20:10:31.000000000 +0200
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.6.11
+VERSION=4.6.13
usage() # $1 = exit status
{
++++++ shorewall-docs-html-4.6.11.tar.bz2 -> shorewall-docs-html-4.6.13.tar.bz2 ++++++
++++ 8296 lines of diff (skipped)
++++++ shorewall-init-4.6.11.tar.bz2 -> shorewall-init-4.6.13.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.11/changelog.txt new/shorewall-init-4.6.13/changelog.txt
--- old/shorewall-init-4.6.11/changelog.txt 2015-07-06 23:57:57.000000000 +0200
+++ new/shorewall-init-4.6.13/changelog.txt 2015-09-08 20:10:32.000000000 +0200
@@ -1,9 +1,93 @@
+Changes in 4.6.13 Final
+
+1) Allow non-expoerts access to the user bits in the fw mark.
+
+Changes in 4.6.13 RC 1
+
+1) Update release documents.
+
+2) Unconditionally get inline matches.
+
+Changes in 4.6.13 Beta 2
+
+1) Update release documents.
+
+2) Restore tcrules conversion.
+
+3) Place a header on a newly-created mangle file.
+
+Changes in 4.6.13 Beta 1
+
+1) Update release documents.
+
+2) Correct 'rules' man pages.
+
+3) Correct parsing of IPv6 ranges
+
+4) Correct the shorewall6-hosts(5) manpage.
+
+6) Improve update
+
+7) Allow 'second' and 'minute' in LOGLIMIT specifications
+
+8) Update -t also converts the TOS file
+
+9) Fix INLINE(...):...
+
+Changes in 4.6.12.1
+
+1) Update release documents.
+
+2) Correct a warning message.
+
+3) Attempt a 'restore' after a fatal error during start/restart.
+
+Changes in 4.6.12 Final
+
+1) Update release documents.
+
+2) Correct an error message.
+
+3) Use NYTProf as the profiler
+
+Changes in 4.6.12 RC 3
+
+1) Fully activate the new update options.
+
+Changes in 4.6.12 RC 2
+
+1) Update release documents.
+
+2) Update module versions.
+
+3) Allow =0 on multi-zone interfaces
+
+4) Port 'update' improvements from 5.0.0.
+
+Changes in 4.6.12 RC 1
+
+1) Update release documents.
+
+2) Add Debian-specific .service files
+
+3) Create dual shorewallrc files for Debian
+
+Changes in 4.6.12 Beta 1
+
+1) Update release documents.
+
+2) Enhance compiler() progress message.
+
+3) Make script generations repeatable.
+
Changes in 4.6.11 Final
1) Update release documents.
2) Clean up PATH fix.
+3) Change shorewall6.conf to specify INLINE_MATCHES=No.
+
Changes in 4.6.11 RC 1
1) Update release documents.
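Review bot: "non-expoerts" in the 4.6.13 Final entry is a typo for "non-experts", and the 4.6.13 Beta 1 list jumps from 4) to 6), so either an item was dropped or the numbering needs fixing. Since the release notes for this change (item 7 under "Problems Corrected") describe it as exposing the user bits of the fw mark without TC_EXPERT=Yes, the changelog line would be clearer if it said the same thing in the same words.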
@@ -696,5 +780,3 @@
6) Implement INLINE_MATCHES
7) Implement IP[6]TABLES actions in several files.
-
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.11/configure new/shorewall-init-4.6.13/configure
--- old/shorewall-init-4.6.11/configure 2015-07-06 23:57:57.000000000 +0200
+++ new/shorewall-init-4.6.13/configure 2015-09-08 20:10:32.000000000 +0200
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=4.6.11
+VERSION=4.6.13
case "$BASH_VERSION" in
[4-9].*)
@@ -102,7 +102,7 @@
vendor=redhat
;;
debian|ubuntu)
- vendor=debian
+ ls -l /sbin/init |fgrep -q systemd | vendor=debian.systemd | vendor=debian.sysvinit
;;
opensuse)
vendor=suse
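Review bot: the new debian|ubuntu line does not set vendor at all. `ls -l /sbin/init |fgrep -q systemd | vendor=debian.systemd | vendor=debian.sysvinit` is one four-element pipeline, so both assignments run in subshells and are lost, and the exit status of fgrep -q is never consulted; the conditional the author evidently meant is `ls -l /sbin/init | fgrep -q systemd && vendor=debian.systemd || vendor=debian.sysvinit` (compare the ternary in configure.pl in this same commit, which gets it right). Separately, grepping the `ls -l` output for "systemd" is fragile (any path component containing the string matches, and /sbin/init need not be a symlink); testing for the directory /run/systemd/system, which systemd creates only when it is the running init, is the documented way to detect a systemd boot. `grep -F` is also preferable to the obsolescent `fgrep`.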
@@ -130,7 +130,7 @@
*)
if [ -f /etc/debian_version ]; then
params[HOST]=debian
- rcfile=shorewallrc.debian
+ rcfile=shorewallrc.debian.sysvinit
elif [ -f /etc/redhat-release ]; then
params[HOST]=redhat
rcfile=shorewallrc.redhat
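Review bot: the fallback branch taken when no vendor could be determined now hard-codes rcfile=shorewallrc.debian.sysvinit, so a systemd-based Debian host that reaches this path silently gets the sysvinit rc file with SERVICEDIR empty and no unit installed. Reuse the same init-system detection here instead of assuming sysvinit, or at least print a warning naming the rc file that was chosen.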
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.11/configure.pl new/shorewall-init-4.6.13/configure.pl
--- old/shorewall-init-4.6.11/configure.pl 2015-07-06 23:57:57.000000000 +0200
+++ new/shorewall-init-4.6.13/configure.pl 2015-09-08 20:10:32.000000000 +0200
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '4.6.11'
+ VERSION => '4.6.13'
};
my %params;
@@ -68,14 +68,16 @@
$vendor = 'redhat';
} elsif ( $id eq 'opensuse' ) {
$vendor = 'suse';
- } elsif ( $id eq 'ubuntu' ) {
- $vendor = 'debian';
+ } elsif ( $id eq 'ubuntu' || $id eq 'debian' ) {
+ my $init = `ls -l /sbin/init`;
+ $vendor = $init =~ /systemd/ ? 'debian.systemd' : 'debian.sysvinit';
} else {
$vendor = $id;
}
}
$params{HOST} = $vendor;
+ $params{HOST} =~ s/\..*//;
}
if ( defined $vendor ) {
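Review bot: `my $init = \`ls -l /sbin/init\`;` shells out just to read a symlink target and then pattern-matches the whole `ls -l` line, so any "systemd" substring in the listing (owner, date locale, path) satisfies the test. Perl's built-in `readlink('/sbin/init')`, or the `-d '/run/systemd/system'` check that systemd documents for detecting a systemd boot, avoids the subprocess and is more precise. The later `$params{HOST} =~ s/\..*//;` correctly reduces "debian.systemd"/"debian.sysvinit" to "debian" for HOST while $vendor keeps the suffix for rc-file selection; a one-line comment there would help the next reader, since the two variables now deliberately diverge.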
@@ -84,7 +86,7 @@
} else {
if ( -f '/etc/debian_version' ) {
$vendor = 'debian';
- $rcfilename = 'shorewallrc.debian';
+ $rcfilename = 'shorewallrc.debian.sysvinit';
} elsif ( -f '/etc/redhat-release' ){
$vendor = 'redhat';
$rcfilename = 'shorewallrc.redhat';
@@ -117,7 +119,7 @@
if ( $vendor eq 'linux' ) {
printf "INFO: Creating a generic Linux installation - %s %2d %04d %02d:%02d:%02d\n\n", $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
} else {
- printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $vendor, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
+ printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $params{HOST}, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
}
open $rcfile, '<', $rcfilename or die "Unable to open $rcfilename for input: $!";
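Review bot: switching the message to $params{HOST} is right, since "debian-specific" reads better than "debian.systemd-specific", but both printf lines end in `;;`, which is an empty statement in Perl; drop the extra semicolon on the changed line while touching it.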
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.11/install.sh new/shorewall-init-4.6.13/install.sh
--- old/shorewall-init-4.6.11/install.sh 2015-07-06 23:57:57.000000000 +0200
+++ new/shorewall-init-4.6.13/install.sh 2015-09-08 20:10:32.000000000 +0200
@@ -27,7 +27,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
-VERSION=4.6.11
+VERSION=4.6.13
usage() # $1 = exit status
{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.11/releasenotes.txt new/shorewall-init-4.6.13/releasenotes.txt
--- old/shorewall-init-4.6.11/releasenotes.txt 2015-07-06 23:57:57.000000000 +0200
+++ new/shorewall-init-4.6.13/releasenotes.txt 2015-09-08 20:10:32.000000000 +0200
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 4 . 6 . 1 1
- ----------------------------
- J u l y 0 7 , 2 0 1 5
+ S H O R E W A L L 4 . 6 . 1 3
+ ------------------------------
+ S e p t e m b e r 0 9 , 2 0 1 5
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -11,28 +11,50 @@
V. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
----------------------------------------------------------------------------
+ N O T I C E
+
+Shorewall 4.6.13 is scheduled to be the last 4.6 release. In
+the fall of 2015, Shorewall 5.0.0 will be available. Please see
+http://www.shorewall.org/Shorewall-5.html for information about
+preparing to migrate to Shorewall 5.
+
+----------------------------------------------------------------------------
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1. This release includes defect repair up to and including Shorewall
- 4.6.10.1.
-
-2. Previously, when the -c option was given to the 'compile' command,
- the progress message "Compiling..." was issued before it was
- determined if compilation was necessary. Now, that message is
- suppressed when re-compilation is not required.
+1) The 'rules' file manpages have been corrected regarding the packets
+ that are processed by rules in the NEW section.
-3. Previously, when the -c option was given to the 'compile' command,
- the 'postcompile' extension script was executed even when there was
- no (re-)compilation. Now, the 'postcompile' script is only invoked
- when a new script is generated.
+2) Parsing of IPv6 address ranges has been corrected. Previously, use
+ of ranges resulted in 'Invalid IPv6 Address' errors.
-4. If CONFDIR was other than /etc, then ordinary users would not
- receive a clear error message when they attempted to execute one of
- the commands that change the firewall state.
+3) The shorewall6-hosts man page has been corrected to show the
+ proper contents of the HOST(S) column.
-5. Previously, IPv4 DHCP client broadcasts were blocked by the
- 'rpfilter' interface option. That has been corrected.
+4) Previously, INLINE statements in the mangle file were not
+ recognized if a chain designator (:F, :P, etc.) followed
+ INLINE(...). As a consequence, additional matches following a
+ semicolon were interpreted as column/value pairs unless
+ INLINE_MATCHES=Yes, resulting in compilation failure.
+
+5) Inline matches on IP[6]TABLE rules could be ignored if
+ INLINE_MATCHES=No. They are now recognized.
+
+6) Specifying an action with a logging level in one of the _DEFAULT
+ options in shorewall[6].conf (e.g., REJECT_DEFAULT=Reject:info)
+ produced a compilation error:
+
+ ERROR: Invalid value (:info) for first Reject parameter
+ /usr/share/shorewall/action.Reject (line 52)
+
+ That has been corrected. Note, however, that specifying logging
+ with a default action tends to defeat one of the main purposes of
+ default actions which is to suppress logging.
+
+7) Previously, it was necessary to set TC_EXPERT=Yes to have full
+ access to the user mark in fw marks. That has been corrected so
+ that any place that a mark or mask can be specified, both the TC
+ mark and the User mark are accessible.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
@@ -45,44 +67,40 @@
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) Over the years, a number of changes have been added to Shorewall
- that work around defects in other products. When running a current
- distribution, these workarounds are unnecessary and add to the time
- required for normal Shorewall operations.
+1) 'update -t' now converts both the tcrules and tos files.
- Beginning in this release, those workarounds may be disabled by
- setting WORKAROUNDS=No in shorewall.conf.
-
-2) Previously, both lib.cli and lib.cli-std included nearly-identical
- usage() functions. Now, only lib.cli includes the function which
- produces its output based on which product's CLI is invoking it.
+2) 'second' and 'minute' are now allowed in the LOGLIMIT
+ specification in place of 'sec' and 'min' respectively.
-3) To accomodate compiled scripts produced by Shorewall versions
- before 4.4.8, Shorewall products from 4.4.8 onward have run scripts
- twice. The first time is simply to capture the output of the
- 'version' command. Based on the script's version, it is then invoked
- to execute the requested command.
+3) The 'update' command now converts additional deprecated option
+ settings:
- Beginning in this release, scripts will only be run once if:
+ - LOGRATE/LOGBURST are converted to the equivalent LOGLIMIT
+ setting.
- - WORKAROUNDS=No, or
- - the script was compiled as part of executing the command, or
- - AUTOMAKE=Yes and it was determined that re-compilation was not
- required.
+ - BLACKLISTNEWONLY is now converted to the equivalent BLACKLIST
+ setting.
-4) When the 'conntrack' utility program is installed, the 'show
- connections' command can now display a subset of the entire
- conntrack table by simply following the 'connections' keyword with
- one or more conntrack filter parameters.
+4) Two settings now have more reasonable defaults if they don't appear
+ in the .conf file being updated:
- For example, to display all http connections:
+ - USE_DEFAULT_RT now defaults to No
+ - EXPORTMODULES now defaults to No.
- shorewall show connections -p tcp --dport 80
+5) When the 'update' command is converting a deprecated file, it now
+ makes additional checks when it finds a target file (mangle,
+ stoppedrules or blrules) to append the converted rules to:
- See conntrack(8) for a description of the available parameters.
+ - If the file is in the directory $SHAREDIR/$product/configfiles/,
+ the file is not opened.
+ - If the file is in the directory
+ $SHAREDIR/doc/$product/default-config/, the file is not opened.
+ - If the file is not writable, the file is not opened.
-5) To ensure that the compiler has an adequate PATH, the default
- Shorewall PATH is now appended to the compiler's active PATH.
+ When the file isn't opened because of one of these checks, an
+ attempt is made to create a new file in either the directory
+ specified on the command line (if any) or in the first directory
+ listed in the CONFIG_PATH setting.
----------------------------------------------------------------------------
I V. M I G R A T I O N I S S U E S
@@ -375,7 +393,158 @@
See shorewall[6].conf(5) for additional details.
----------------------------------------------------------------------------
- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S
+ V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S
+----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 2
+----------------------------------------------------------------------------
+
+4.6.12.1
+
+1) Beginning with Shorewall 4.6.10, a fatal error during a start or
+ restart operation can leave the firewall in an indeterminent state.
+ That problem has been corrected so that the intended action takes
+ place:
+
+ - If there is a current executable RESTOREFILE, then the firewall
+ is restored using that file.
+
+ - Otherwise, the firewall is placed in the stopped state.
+
+2) Previously, if 'none' were passed as the log level argument to the
+ AutoBL action, compilation failed silently. Now, the intended
+ behavior (no logging) is produced.
+
+4.6.12
+
+1) This release includes defect repair up through Shorewall 4.6.11.1.
+
+2) Previously, when Perl 5.18.0 or later was used with Shorewall,
+ multiple compilations of an unchanging configuration could produce
+ different but equivalent script files. Now, the script files
+ produced will be identical (except for dates and times) for any
+ given Shorewall version.
+
+3) Previously, if a binary interface option (those that have a value
+ of zero or 1) was specified with a value of zero on such an
+ interface, compilation failed.
+
+ For example, this interface definition:
+
+ - eth2 arp_filter=0,routeback=0,tcpflags=0,proxyarp=0
+
+ would generate the following error message:
+
+ ERROR: The "routeback" option may not be specified on a
+ multi-zone interface
+
+ Now, the option is allowed.
+
+4) Several issues with 'update -b' have been corrected.
+
+----------------------------------------------------------------------------
+ N E W F E A T U R E S I N 4 . 6 . 1 2
+----------------------------------------------------------------------------
+
+1) The initial 'Compiling...', 'Checking...' and 'Updating..."
+ progress messages now include the Product name and version.
+
+2) Debian-specific .service files have been added.
+
+3) There are now two shorewallrc files for Debian - one for sysvinit
+ and one for systemd. The configure and configure.pl scrips
+ determine which to use by examining /sbin/init.
+
+4) Two new options are available for the 'update' command:
+
+ -r converts a routestopped file to an equivalent stoppedrules file.
+
+ -n converts a notrack file to an equivalent conntrack file. If
+ there is already an existing conntrack file, the converted rules
+ are appended to the existing file.
+
+ WARNING: If you include /usr/share/shorewall/configfiles (or
+ wherever your distro places empty files) in your CONFIG_FILE
+ setting and there is no new file in your config directory (such as
+ /etc/shorewall), then the 'update' command will update the copy of
+ the file in /usr/share/shorewall/configfiles. This is probably not
+ what you want, since files in that directory (or your distro's
+ corresponding directory) will be overwritten by the next upgrade.
+
+5) Shorewall now uses NYTProf as its profiler rather than the
+ deprecated DProf.
+
+----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 1
+----------------------------------------------------------------------------
+
+1. This release includes defect repair up to and including Shorewall
+ 4.6.10.1.
+
+2. Previously, when the -c option was given to the 'compile' command,
+ the progress message "Compiling..." was issued before it was
+ determined if compilation was necessary. Now, that message is
+ suppressed when re-compilation is not required.
+
+3. Previously, when the -c option was given to the 'compile' command,
+ the 'postcompile' extension script was executed even when there was
+ no (re-)compilation. Now, the 'postcompile' script is only invoked
+ when a new script is generated.
+
+4. If CONFDIR was other than /etc, then ordinary users would not
+ receive a clear error message when they attempted to execute one of
+ the commands that change the firewall state.
+
+5. Previously, IPv4 DHCP client broadcasts were blocked by the
+ 'rpfilter' interface option. That has been corrected.
+
+6) The 'update' command incorrectly added the INLINE_MATCHES option
+ to shorewall6.conf with a default value of 'Yes'. This caused
+ 'start' to fail with invalid ip6tables rules when the alternate
+ input format using ';' is used.
+
+----------------------------------------------------------------------------
+ N E W F E A T U R E S I N 4 . 6 . 1 1
+----------------------------------------------------------------------------
+
+1) Over the years, a number of changes have been added to Shorewall
+ that work around defects in other products. When running a current
+ distribution, these workarounds are unnecessary and add to the time
+ required for normal Shorewall operations.
+
+ Beginning in this release, those workarounds may be disabled by
+ setting WORKAROUNDS=No in shorewall.conf.
+
+2) Previously, both lib.cli and lib.cli-std included nearly-identical
+ usage() functions. Now, only lib.cli includes the function which
+ produces its output based on which product's CLI is invoking it.
+
+3) To accomodate compiled scripts produced by Shorewall versions
+ before 4.4.8, Shorewall products from 4.4.8 onward have run scripts
+ twice. The first time is simply to capture the output of the
+ 'version' command. Based on the script's version, it is then invoked
+ to execute the requested command.
+
+ Beginning in this release, scripts will only be run once if:
+
+ - WORKAROUNDS=No, or
+ - the script was compiled as part of executing the command, or
+ - AUTOMAKE=Yes and it was determined that re-compilation was not
+ required.
+
+4) When the 'conntrack' utility program is installed, the 'show
+ connections' command can now display a subset of the entire
+ conntrack table by simply following the 'connections' keyword with
+ one or more conntrack filter parameters.
+
+ For example, to display all http connections:
+
+ shorewall show connections -p tcp --dport 80
+
+ See conntrack(8) for a description of the available parameters.
+
+5) To ensure that the compiler has an adequate PATH, the default
+ Shorewall PATH is now appended to the compiler's active PATH.
+
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 0
----------------------------------------------------------------------------
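Review bot: several wording problems in the text added to section V: "indeterminent" should be "indeterminate", "scrips" should be "scripts", "accomodate" should be "accommodate", the quotes around 'Updating.." are mismatched, and the WARNING under 4.6.12 new feature 4) refers to a CONFIG_FILE setting while the option elsewhere in these notes (and in shorewall.conf) is CONFIG_PATH. That last one matters, since the warning is about 'update' rewriting the distribution's template files in /usr/share/shorewall/configfiles when that directory is on the search path; a reader looking for CONFIG_FILE will not find it.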
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.11/shorewall-init.service new/shorewall-init-4.6.13/shorewall-init.service
--- old/shorewall-init-4.6.11/shorewall-init.service 2015-07-06 23:49:20.000000000 +0200
+++ new/shorewall-init-4.6.13/shorewall-init.service 2015-09-07 20:35:47.000000000 +0200
@@ -6,7 +6,6 @@
[Unit]
Description=Shorewall firewall (bootup security)
Before=network.target
-Conflicts=iptables.service ip6tables.service firewalld.service
[Service]
Type=oneshot
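Review bot: removing `Conflicts=iptables.service ip6tables.service firewalld.service` means systemd will no longer stop those units when shorewall-init starts, so firewalld or a distro iptables service can be active at the same time and replace or reorder the rule set Shorewall loaded at boot, leaving the host with a different policy than the configuration describes. Neither changelog.txt nor releasenotes.txt in this commit gives the rationale; if the intent is to move the conflict declarations into the new Debian-specific units, say so in the commit message and confirm the non-Debian units still carry them, otherwise this should be reverted.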
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.11/shorewall-init.service.214 new/shorewall-init-4.6.13/shorewall-init.service.214
--- old/shorewall-init-4.6.11/shorewall-init.service.214 2015-07-06 23:49:20.000000000 +0200
+++ new/shorewall-init-4.6.13/shorewall-init.service.214 2015-09-07 20:35:47.000000000 +0200
@@ -7,7 +7,6 @@
Description=Shorewall firewall (bootup security)
Before=network-pre.target
Wants=network-pre.target
-Conflicts=iptables.service firewalld.service
[Service]
Type=oneshot
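Review bot: same concern as for shorewall-init.service: dropping `Conflicts=iptables.service firewalld.service` from the .214 unit lets firewalld or iptables.service run concurrently with Shorewall and alter the rules it installed, and no rationale appears in the release notes. Keep the two units consistent with whatever decision is taken and document it.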
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.11/shorewall-init.service.214.debian new/shorewall-init-4.6.13/shorewall-init.service.214.debian
--- old/shorewall-init-4.6.11/shorewall-init.service.214.debian 1970-01-01 01:00:00.000000000 +0100
+++ new/shorewall-init-4.6.13/shorewall-init.service.214.debian 2015-09-07 20:35:47.000000000 +0200
@@ -0,0 +1,21 @@
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+# Copyright 2011 Jonathan Underwood