Hello community, here is the log from the commit of package shorewall for openSUSE:Factory checked in at Mon Oct 10 14:12:25 CEST 2011.
-------- --- openSUSE:Factory/shorewall/shorewall.changes 2011-10-02 11:15:27.000000000 +0200 +++ /mounts/work_src_done/STABLE/shorewall/shorewall.changes 2011-10-10 09:27:19.000000000 +0200 @@ -1,0 +2,13 @@ +Mon Oct 10 07:17:47 UTC 2011 - [email protected] + +- Update to 4.4.24. For more details see changelog.txt and + releasenotes.txt + + * This release includes all problem corrections from releases + 4.4.23.1-4.4.23.3. + + * The 'fallback' option without =<weight> previously produced + invalid 'ip' commands. + + +------------------------------------------------------------------- calling whatdependson for head-i586 Old: ---- shorewall-4.4.23.3.tar.bz2 shorewall-docs-html-4.4.23.3.tar.bz2 shorewall-init-4.4.23.3.tar.bz2 shorewall-lite-4.4.23.3.tar.bz2 shorewall6-4.4.23.3.tar.bz2 shorewall6-lite-4.4.23.3.tar.bz2 New: ---- shorewall-4.4.24.tar.bz2 shorewall-docs-html-4.4.24.tar.bz2 shorewall-init-4.4.24.tar.bz2 shorewall-lite-4.4.24.tar.bz2 shorewall6-4.4.24.tar.bz2 shorewall6-lite-4.4.24.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.Oc3rWr/_old 2011-10-10 14:12:20.000000000 +0200 +++ /var/tmp/diff_new_pack.Oc3rWr/_new 2011-10-10 14:12:20.000000000 +0200 
@@ -18,7 +18,7 @@ Name: shorewall -Version: 4.4.23.3 +Version: 4.4.24 Release: 1 License: GPL-2.0 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems ++++++ shorewall-4.4.23.3.tar.bz2 -> shorewall-4.4.24.tar.bz2 ++++++ ++++ 6053 lines of diff (skipped) ++++++ shorewall-docs-html-4.4.23.3.tar.bz2 -> shorewall-docs-html-4.4.24.tar.bz2 ++++++ ++++ 7961 lines of diff (skipped) ++++++ shorewall-init-4.4.23.3.tar.bz2 -> shorewall-init-4.4.24.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.4.23.3/changelog.txt new/shorewall-init-4.4.24/changelog.txt --- old/shorewall-init-4.4.23.3/changelog.txt 2011-09-16 15:58:08.000000000 +0200 +++ new/shorewall-init-4.4.24/changelog.txt 2011-10-09 23:52:34.000000000 +0200 
@@ -1,8 +1,46 @@ -Changes in 4.4.23.3 +Changes in 4.4.24 Final -1) Fix providers without 'balance' or 'fallback'. +1) Clone TTL support to provide HL support in Shorewall6. -2) Fix TC_ENABLED=Shared +Changes in 4.4.24 RC 2 + +1) Fix 'fallback' without =<weight>. + +2) Add BALANCE_TABLE + +3) Fix RC 1 bugs reported by Steven Springl + + +Changes in 4.4.24 RC 1 + +1) Eliminate the 'mincolumn' and 'maxcolumns' arguments to the + split_line functions. + +2) Add IPTABLES_S capability. + +3) Support additional forms of column/value pair specification. + +Changes in 4.4.24 Beta 4 + +1) Rename condition->switch. + +2) Implement an alternate way to specify column contents. + +Changes in 4.4.24 Beta 3 + +1) Check validity of the NET2 column in IPv6 netmap. + +2) Implement support for condition match. + +Changes in 4.4.24 Beta 2 + +1) Support exclusion in the netmap file. + +Changes in 4.4.24 Beta 1 + +1) Externalize IPv6 Stateless NAT + +2) Fix providers without 'balance' or 'fallback'. Changes in 4.4.23.2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.4.23.3/install.sh new/shorewall-init-4.4.24/install.sh --- old/shorewall-init-4.4.23.3/install.sh 2011-09-16 15:58:08.000000000 +0200 +++ new/shorewall-init-4.4.24/install.sh 2011-10-09 23:52:34.000000000 +0200 @@ -23,7 +23,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.23.3 +VERSION=4.4.24 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.4.23.3/releasenotes.txt new/shorewall-init-4.4.24/releasenotes.txt --- old/shorewall-init-4.4.23.3/releasenotes.txt 2011-09-16 15:58:08.000000000 +0200 +++ new/shorewall-init-4.4.24/releasenotes.txt 2011-10-09 23:52:34.000000000 +0200 
@@ -1,6 +1,6 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 4 . 2 3 . 3 + S H O R E W A L L 4 . 4 . 2 4 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,63 +14,13 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.4.23.3 +1) This release includes all problem corrections from releases + 4.4.23.1-4.4.23.3. -1) When providers were present that specify neither 'balance' nor - 'fallback', then the following message was issued during - compilation and 'enable' of the interface would fail. +2) The 'fallback' option without =<weight> previously produced invalid + 'ip' commands. - Use of uninitialized value $weight in concatenation (.) or string - at /usr/share/shorewall/Shorewall/Providers.pm line 644. - - -2) TC_ENABLED=Shared was broken in Shorewall 4.4.23, 4.4.23.1 and - 4.4.23.2. It produced a shell script with syntax errors. - -4.4.23.2 - -1) Previously, environmental variables present at compile-time with - values containing double quotes could result in a run-time syntax - error in the generated shell script. Double quotes are now escaped - properly in the generated script. - -2) A defect in Shorewall 4.4.23 prevented DONT_LOAD from working on - systems with /sys support. - -4.4.23.1 - -1) After the last balanced or fallback interface had been disabled, - enable of any interface would fail. - -2) ROUTE_FILTER=On now suppresses hairpin filtering - (sfilter). Previously, sfilter was applied to all interfaces that - did not specify the 'routefilter' or 'routeback' option in - /etc/shorewall/interfaces. - -4.4.23 - -1) This release includes all problem corrections included in Shorewall - 4.4.22.1 - 4.4.22.3. - -2) Previously, the contents of the NET1 and NET2 columns in - /etc/shorewall/netmap were not validated by the rules compiler. As - a result, invalid entries in those columns could cause the compiled - script to fail while running iptables-restore. - -3) The 'hits' command could issue an 'invalid number' diagnostic when - run under busybox ash. That diagnostic has been eliminated. 
- -4) If a zone had multiple interfaces and neither 'routefilter' nor - 'routeback' was specified on the interfaces, then traffic between - the interfaces could fail with a log message such as this one: - - Sep 4 22:20:41 pilot kernel: [427181.381412] - Shorewall:sfilter1:DROP:IN=eth3 OUT=eth4 - MAC=fe:ff:ff:ff:ff:ff:00:16:3e:7f:a0:b9:08:00 SRC=192.168.2.2 - DST=192.168.2.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP - TYPE=8 CODE=0 ID=10893 SEQ=2 - --------------------------------------------------------------------------- +---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G ---------------------------------------------------------------------------- 
@@ -81,92 +31,48 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The leading '#!/bin/sh' line has been deleted from non-executable - shell modules. - -2) When 'shorewall update' or 'shorewall6 update' results in no change - to the .conf file, a message is issued, the .bak file is removed - and the command terminates without error. - - Note: This change was also included in Shorewall 4.4.22.3. +1) Stateless NAT is now available in Shorewall6. See + shorewall6-netmap(5) for details. Beta 2 added the ability to use + exclusion in the NET1 column. + +2) /sbin/shorewall6 now supports the 'show rawpost' command. + +3) This release includes support for 'Condition Match' which is + included in xtables-addons. Condition match allows rules to be + predicated on the setting of a named switch in + /proc/net/nf_condition/. + + See + http://www.shorewall.net/configuration_file_basics.htm#Switches + for details. + +4) With the preceding change, the rules file now has 14 columns. That + makes it awkward to specify the last column as you have to insert + the correct number of '-' to get the right column. + + To make that easier, Shorewall now allows you to specify columns + using several (column-name,value) formats. See + http://www.shorewall.net/configuration_file_basics.htm#Pairs for + details. + +5) The generated script will now use the iptables/ip6tables -S command + if available. + +6) The implementation of USE_DEFAULT_RT=Yes has been changed + significantly. These changes include: + + a) A new BALANCE routing table with number 250 has been added. + b) Routes to providers with the 'balance' option are added to the + BALANCE table rather than the default table. + c) This allows 'fallback' to work with USE_DEFAULT_RT. + d) For optional interfaces, the 'fallback' option without a value + now works the same as if 'fallback=1' had been specified. 
-3) Support has been added for 'stateless NAT'. Stateless NAT is very - simmilar to NATMAP but differs from it in a couple of ways: + This change also corrected several problems with 'fallback' and + enable/disable. - a. It does not rely on connection tracking, but is rather - implemented in the Netfilter raw table. - - b. Both the source and destination address can be rewritten in all - three raw table chains: PREROUTING, OUTPUT and POSTROUTING. - - When used together with stateful NAT, it allows a single router to - handle a duplicate network address situation. - - Suppose that a VPN using interface tun0 is used to connect to - another organization, and that both intranets have network - 192.168.1.0/24. - - To allow the two organizations to communicate, they decide to use - 172.20.1.0/24 to address the other's 192.168.1.0/24. - - The following four entries are required in /etc/shorewall/netmap: - - #TYPE NET1 INTERFACE NET2 - SNAT 192.168.1.0/24 tun0 172.20.1.0/24 - DNAT 172.20.1.0/24 tun0 192.168.1.0/24 - DNAT:T 172.20.1.0/24 tun0 192.168.1.0.24 - SNAT:P 192.168.1.0/24 tun0 172.20.1.0/24 - - Stateless NAT entries differ from NETMAP entries in the TYPE - column. For stateless entries, both the type of address - translation (DNAT or SNAT) and the chain (O for OUTPUT, P for - PREROUTING and T for POSTROUTING) are given. - - In 4.4.23.2, the feature was extended to add PROTO, DEST PORT(S) - and SOURCE PORT(S) columns. - -4) A new section (ALL) has been added to /etc/shorewall/rules and to - /etc/shorwall6/rules. When present, the NEW section must be the - first section in the file and contains rules that are applied to - packets regardless of their connection tracking state. - -5) The generated script now detects and removes stale lock files. - -6) Jonathan Underwood has contributed Fedora/Redhat init script and - .service files. The .service files are used with systemd which - manages the startup sequence in Fedora 16. 
- - When installing using the install scripts: - - a) If /lib/systemd/system exists, the .service files are installed - there and are activated using /sbin/systemctl. When installing - into a directory, setting the SYSTEMD environmental variable to - a non-empty value will also trigger this behavior. - - b) If /etc/redhat-release exists, the Fedora/Redhat init script - will be installed in /etc/init.d. When installing into a - directory, setting the FEDORA environmental variable to a - non-empty value will also trigger this behavior. - -7) Previously, when a provider interface went 'soft down' (UP and - configured but not usable) or came back up from being 'soft down', - the firewall had to be reloaded ('/var/lib/shorewall/firewall - restart') to disable or enable the interface. - - Beginning with this release, the compiled IPv4 script supports two - new commands: - - - disable <interface> - - enable <interface> - - The 'disable' command removes all policy routing added as a result - of the interface's entry in /etc/shorewall/providers and and any - traffic shaping configuration on the interface. The 'enable' - command restores policy routing and traffic shaping and refreshes the - interfaces's entries in /proc. - -8) Shorewall now uses /sys/module/ to determine which modules are - loaded, thus speeding up start/restart. +7) Support has been added for TTL manipulation (HL in Shorewall6). + See shorewall-tcrules(5) or shorewall6-tcrules(5) for details. ---------------------------------------------------------------------------- I V. R E L E A S E 4 . 4 H I G H L I G H T S 
@@ -398,13 +304,58 @@ /etc/shorewall/params (/etc/shorewall6/params) at compile time are now available in the compiled firewall script. +18) The 'iprange' and 'ipaddr' commands require the 'bc' utility. + ---------------------------------------------------------------------------- V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S I N P R I O R R E L E A S E S ------------------------------------------------------------------------------ - P R O B L E M S C O R R E C T E D I N 4 . 4 . 2 2 + P R O B L E M S C O R R E C T E D I N 4 . 4 . 2 3 ---------------------------------------------------------------------------- +4.4.23.2 + +1) Previously, environmental variables present at compile-time with + values containing double quotes could result in a run-time syntax + error in the generated shell script. Double quotes are now escaped + properly in the generated script. + +2) A defect in Shorewall 4.4.23 prevented DONT_LOAD from working on + systems with /sys support. + +4.4.23.1 + +1) After the last balanced or fallback interface had been disabled, + enable of any interface would fail. + +2) ROUTE_FILTER=On now suppresses hairpin filtering + (sfilter). Previously, sfilter was applied to all interfaces that + did not specify the 'routefilter' or 'routeback' option in + /etc/shorewall/interfaces. + +4.4.23 + +1) This release includes all problem corrections included in Shorewall + 4.4.22.1 - 4.4.22.3. + +2) Previously, the contents of the NET1 and NET2 columns in + /etc/shorewall/netmap were not validated by the rules compiler. As + a result, invalid entries in those columns could cause the compiled + script to fail while running iptables-restore. + +3) The 'hits' command could issue an 'invalid number' diagnostic when + run under busybox ash. That diagnostic has been eliminated. 
+ +4) If a zone had multiple interfaces and neither 'routefilter' nor + 'routeback' was specified on the interfaces, then traffic between + the interfaces could fail with a log message such as this one: + + Sep 4 22:20:41 pilot kernel: [427181.381412] + Shorewall:sfilter1:DROP:IN=eth3 OUT=eth4 + MAC=fe:ff:ff:ff:ff:ff:00:16:3e:7f:a0:b9:08:00 SRC=192.168.2.2 + DST=192.168.2.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP + TYPE=8 CODE=0 ID=10893 SEQ=2 + 4.4.11.3 1) On older distributions where 'shorewall show capabilities' 
@@ -442,6 +393,101 @@ #PROVIDER NUMBER MARK INTERFACE ... ISP1 1 1 ppp0 ... +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 4 . 2 3 +---------------------------------------------------------------------------- + +1) The leading '#!/bin/sh' line has been deleted from non-executable + shell modules. + +2) When 'shorewall update' or 'shorewall6 update' results in no change + to the .conf file, a message is issued, the .bak file is removed + and the command terminates without error. + + Note: This change was also included in Shorewall 4.4.22.3. + +3) Support has been added for 'stateless NAT'. Stateless NAT is very + simmilar to NATMAP but differs from it in a couple of ways: + + a. It does not rely on connection tracking, but is rather + implemented in the Netfilter raw table. + + b. Both the source and destination address can be rewritten in all + three raw table chains: PREROUTING, OUTPUT and POSTROUTING. + + When used together with stateful NAT, it allows a single router to + handle a duplicate network address situation. + + Suppose that a VPN using interface tun0 is used to connect to + another organization, and that both intranets have network + 192.168.1.0/24. + + To allow the two organizations to communicate, they decide to use + 172.20.1.0/24 to address the other's 192.168.1.0/24. + + The following four entries are required in /etc/shorewall/netmap: + + #TYPE NET1 INTERFACE NET2 + SNAT 192.168.1.0/24 tun0 172.20.1.0/24 + DNAT 172.20.1.0/24 tun0 192.168.1.0/24 + DNAT:T 172.20.1.0/24 tun0 192.168.1.0.24 + SNAT:P 192.168.1.0/24 tun0 172.20.1.0/24 + + Stateless NAT entries differ from NETMAP entries in the TYPE + column. For stateless entries, both the type of address + translation (DNAT or SNAT) and the chain (O for OUTPUT, P for + PREROUTING and T for POSTROUTING) are given. + + In 4.4.23.2, the feature was extended to add PROTO, DEST PORT(S) + and SOURCE PORT(S) columns. 
+ +4) A new section (ALL) has been added to /etc/shorewall/rules and to + /etc/shorwall6/rules. When present, the NEW section must be the + first section in the file and contains rules that are applied to + packets regardless of their connection tracking state. + +5) The generated script now detects and removes stale lock files. + +6) Jonathan Underwood has contributed Fedora/Redhat init script and + .service files. The .service files are used with systemd which + manages the startup sequence in Fedora 16. + + When installing using the install scripts: + + a) If /lib/systemd/system exists, the .service files are installed + there and are activated using /sbin/systemctl. When installing + into a directory, setting the SYSTEMD environmental variable to + a non-empty value will also trigger this behavior. + + b) If /etc/redhat-release exists, the Fedora/Redhat init script + will be installed in /etc/init.d. When installing into a + directory, setting the FEDORA environmental variable to a + non-empty value will also trigger this behavior. + +7) Previously, when a provider interface went 'soft down' (UP and + configured but not usable) or came back up from being 'soft down', + the firewall had to be reloaded ('/var/lib/shorewall/firewall + restart') to disable or enable the interface. + + Beginning with this release, the compiled IPv4 script supports two + new commands: + + - disable <interface> + - enable <interface> + + The 'disable' command removes all policy routing added as a result + of the interface's entry in /etc/shorewall/providers and and any + traffic shaping configuration on the interface. The 'enable' + command restores policy routing and traffic shaping and refreshes the + interfaces's entries in /proc. + +8) Shorewall now uses /sys/module/ to determine which modules are + loaded, thus speeding up start/restart. + +------------------------------------------------------------------------------ + P R O B L E M S C O R R E C T E D I N 4 . 4 . 
2 2 +---------------------------------------------------------------------------- + 4.4.22.2 1) On older distributions where 'shorewall show capabilities' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.4.23.3/shorewall-init.spec new/shorewall-init-4.4.24/shorewall-init.spec --- old/shorewall-init-4.4.23.3/shorewall-init.spec 2011-09-16 15:58:08.000000000 +0200 +++ new/shorewall-init-4.4.24/shorewall-init.spec 2011-10-09 23:52:34.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-init -%define version 4.4.23 -%define release 3 +%define version 4.4.24 +%define release 0base Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} @@ -119,6 +119,20 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Sun Oct 09 2011 Tom Eastep [email protected] +- Updated to 4.4.24-0base +* Sun Oct 09 2011 Tom Eastep [email protected] +- Updated to 4.4.24-0RC2 +* Sat Oct 01 2011 Tom Eastep [email protected] +- Updated to 4.4.24-0RC1 +* Mon Sep 26 2011 Tom Eastep [email protected] +- Updated to 4.4.24-0Beta4 +* Wed Sep 21 2011 Tom Eastep [email protected] +- Updated to 4.4.24-0Beta3 +* Sun Sep 18 2011 Tom Eastep [email protected] +- Updated to 4.4.24-0Beta2 +* Thu Sep 15 2011 Tom Eastep [email protected] +- Updated to 4.4.24-0Beta1 * Tue Sep 13 2011 Tom Eastep [email protected] - Updated to 4.4.23-3 * Fri Sep 09 2011 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.4.23.3/uninstall.sh new/shorewall-init-4.4.24/uninstall.sh --- old/shorewall-init-4.4.23.3/uninstall.sh 2011-09-16 15:58:08.000000000 +0200 +++ new/shorewall-init-4.4.24/uninstall.sh 2011-10-09 23:52:34.000000000 +0200 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.23.3 +VERSION=4.4.24 usage() # $1 = exit status { ++++++ shorewall-lite-4.4.23.3.tar.bz2 -> shorewall-lite-4.4.24.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.23.3/changelog.txt new/shorewall-lite-4.4.24/changelog.txt --- old/shorewall-lite-4.4.23.3/changelog.txt 2011-09-16 15:58:08.000000000 +0200 +++ new/shorewall-lite-4.4.24/changelog.txt 2011-10-09 23:52:34.000000000 +0200 @@ -1,8 +1,46 @@ -Changes in 4.4.23.3 +Changes in 4.4.24 Final -1) Fix providers without 'balance' or 'fallback'. +1) Clone TTL support to provide HL support in Shorewall6. -2) Fix TC_ENABLED=Shared +Changes in 4.4.24 RC 2 + +1) Fix 'fallback' without =<weight>. + +2) Add BALANCE_TABLE + +3) Fix RC 1 bugs reported by Steven Springl + + +Changes in 4.4.24 RC 1 + +1) Eliminate the 'mincolumn' and 'maxcolumns' arguments to the + split_line functions. + +2) Add IPTABLES_S capability. + +3) Support additional forms of column/value pair specification. + +Changes in 4.4.24 Beta 4 + +1) Rename condition->switch. + +2) Implement an alternate way to specify column contents. + +Changes in 4.4.24 Beta 3 + +1) Check validity of the NET2 column in IPv6 netmap. + +2) Implement support for condition match. + +Changes in 4.4.24 Beta 2 + +1) Support exclusion in the netmap file. + +Changes in 4.4.24 Beta 1 + +1) Externalize IPv6 Stateless NAT + +2) Fix providers without 'balance' or 'fallback'. Changes in 4.4.23.2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.23.3/install.sh new/shorewall-lite-4.4.24/install.sh --- old/shorewall-lite-4.4.23.3/install.sh 2011-09-16 15:58:08.000000000 +0200 +++ new/shorewall-lite-4.4.24/install.sh 2011-10-09 23:52:34.000000000 +0200 
@@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.23.3 +VERSION=4.4.24 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.23.3/lib.base new/shorewall-lite-4.4.24/lib.base --- old/shorewall-lite-4.4.23.3/lib.base 2011-09-16 15:58:08.000000000 +0200 +++ new/shorewall-lite-4.4.24/lib.base 2011-10-09 23:52:34.000000000 +0200 @@ -28,7 +28,7 @@ # SHOREWALL_LIBVERSION=40407 -SHOREWALL_CAPVERSION=40423 +SHOREWALL_CAPVERSION=40424 [ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ] @@ -121,8 +121,10 @@ fi if qt mywhich lockfile; then - lockfile -r${MUTEX_TIMEOUT} -s1 ${lockf} + lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} + chmod u+w ${lockf} echo $$ > ${lockf} + chmod u-w ${lockf} else while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do sleep 1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.23.3/lib.cli new/shorewall-lite-4.4.24/lib.cli --- old/shorewall-lite-4.4.23.3/lib.cli 2011-09-16 15:58:08.000000000 +0200 +++ new/shorewall-lite-4.4.24/lib.cli 2011-10-09 23:52:34.000000000 +0200 @@ -1731,6 +1731,8 @@ HEADER_MATCH= ACCOUNT_TARGET= AUDIT_TARGET= + CONDITION_MATCH= + IPTABLES_S= chain=fooX$$ @@ -1881,6 +1883,8 @@ qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes qt $IPTABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes + qt $IPTABLES -A $chain -m condition --condition foo && CONDITION_MATCH=Yes + qt $IPTABLES -S INPUT && IPTABLES_S=Yes qt $IPTABLES -F $chain qt $IPTABLES -X $chain qt $IPTABLES -F $chain1 
@@ -1975,6 +1979,8 @@ report_capability "ACCOUNT Target" $ACCOUNT_TARGET report_capability "AUDIT Target" $AUDIT_TARGET report_capability "ipset V5" $IPSET_V5 + report_capability "Condition Match" $CONDITION_MATCH + report_capability "iptables -S" $IPTABLES_S fi [ -n "$PKTTYPE" ] || USEPKTTYPE= @@ -2045,6 +2051,8 @@ report_capability1 ACCOUNT_TARGET report_capability1 AUDIT_TARGET report_capability1 IPSET_V5 + report_capability1 CONDITION_MATCH + report_capability1 IPTABLES_S echo CAPVERSION=$SHOREWALL_CAPVERSION echo KERNELVERSION=$KERNELVERSION diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.23.3/manpages/shorewall-lite-vardir.5 new/shorewall-lite-4.4.24/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-4.4.23.3/manpages/shorewall-lite-vardir.5 2011-09-16 16:03:21.000000000 +0200 +++ new/shorewall-lite-4.4.24/manpages/shorewall-lite-vardir.5 2011-10-09 23:57:49.000000000 +0200 @@ -2,12 +2,12 @@ .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/> -.\" Date: 09/16/2011 +.\" Date: 10/09/2011 .\" Manual: [FIXME: manual] .\" Source: [FIXME: source] .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "09/16/2011" "[FIXME: source]" "[FIXME: manual]" +.TH "SHOREWALL\-LITE\-VAR" "5" "10/09/2011" "[FIXME: source]" "[FIXME: manual]" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.23.3/manpages/shorewall-lite.8 new/shorewall-lite-4.4.24/manpages/shorewall-lite.8 --- old/shorewall-lite-4.4.23.3/manpages/shorewall-lite.8 2011-09-16 16:03:23.000000000 +0200 +++ new/shorewall-lite-4.4.24/manpages/shorewall-lite.8 2011-10-09 23:57:51.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/> -.\" Date: 09/16/2011 +.\" Date: 10/09/2011 .\" Manual: [FIXME: manual] .\" Source: [FIXME: source] .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "09/16/2011" "[FIXME: source]" "[FIXME: manual]" +.TH "SHOREWALL\-LITE" "8" "10/09/2011" "[FIXME: source]" "[FIXME: manual]" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.23.3/manpages/shorewall-lite.conf.5 new/shorewall-lite-4.4.24/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-4.4.23.3/manpages/shorewall-lite.conf.5 2011-09-16 16:03:19.000000000 +0200 +++ new/shorewall-lite-4.4.24/manpages/shorewall-lite.conf.5 2011-10-09 23:57:47.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/> -.\" Date: 09/16/2011 +.\" Date: 10/09/2011 .\" Manual: [FIXME: manual] .\" Source: [FIXME: source] .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "09/16/2011" "[FIXME: source]" "[FIXME: manual]" +.TH "SHOREWALL\-LITE\&.CO" "5" "10/09/2011" "[FIXME: source]" "[FIXME: manual]" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.23.3/releasenotes.txt new/shorewall-lite-4.4.24/releasenotes.txt --- old/shorewall-lite-4.4.23.3/releasenotes.txt 2011-09-16 15:58:08.000000000 +0200 +++ new/shorewall-lite-4.4.24/releasenotes.txt 2011-10-09 23:52:34.000000000 +0200 @@ -1,6 +1,6 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 4 . 2 3 . 3 + S H O R E W A L L 4 . 4 . 2 4 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,63 +14,13 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.4.23.3 +1) This release includes all problem corrections from releases + 4.4.23.1-4.4.23.3. -1) When providers were present that specify neither 'balance' nor - 'fallback', then the following message was issued during - compilation and 'enable' of the interface would fail. +2) The 'fallback' option without =<weight> previously produced invalid + 'ip' commands. - Use of uninitialized value $weight in concatenation (.) or string - at /usr/share/shorewall/Shorewall/Providers.pm line 644. - - -2) TC_ENABLED=Shared was broken in Shorewall 4.4.23, 4.4.23.1 and - 4.4.23.2. It produced a shell script with syntax errors. - -4.4.23.2 - -1) Previously, environmental variables present at compile-time with - values containing double quotes could result in a run-time syntax - error in the generated shell script. Double quotes are now escaped - properly in the generated script. - -2) A defect in Shorewall 4.4.23 prevented DONT_LOAD from working on - systems with /sys support. - -4.4.23.1 - -1) After the last balanced or fallback interface had been disabled, - enable of any interface would fail. - -2) ROUTE_FILTER=On now suppresses hairpin filtering - (sfilter). Previously, sfilter was applied to all interfaces that - did not specify the 'routefilter' or 'routeback' option in - /etc/shorewall/interfaces. - -4.4.23 - -1) This release includes all problem corrections included in Shorewall - 4.4.22.1 - 4.4.22.3. - -2) Previously, the contents of the NET1 and NET2 columns in - /etc/shorewall/netmap were not validated by the rules compiler. As - a result, invalid entries in those columns could cause the compiled - script to fail while running iptables-restore. - -3) The 'hits' command could issue an 'invalid number' diagnostic when - run under busybox ash. That diagnostic has been eliminated. 
- -4) If a zone had multiple interfaces and neither 'routefilter' nor - 'routeback' was specified on the interfaces, then traffic between - the interfaces could fail with a log message such as this one: - - Sep 4 22:20:41 pilot kernel: [427181.381412] - Shorewall:sfilter1:DROP:IN=eth3 OUT=eth4 - MAC=fe:ff:ff:ff:ff:ff:00:16:3e:7f:a0:b9:08:00 SRC=192.168.2.2 - DST=192.168.2.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP - TYPE=8 CODE=0 ID=10893 SEQ=2 - --------------------------------------------------------------------------- +---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G ---------------------------------------------------------------------------- 
@@ -81,92 +31,48 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The leading '#!/bin/sh' line has been deleted from non-executable - shell modules. - -2) When 'shorewall update' or 'shorewall6 update' results in no change - to the .conf file, a message is issued, the .bak file is removed - and the command terminates without error. - - Note: This change was also included in Shorewall 4.4.22.3. +1) Stateless NAT is now available in Shorewall6. See + shorewall6-netmap(5) for details. Beta 2 added the ability to use + exclusion in the NET1 column. + +2) /sbin/shorewall6 now supports the 'show rawpost' command. + +3) This release includes support for 'Condition Match' which is + included in xtables-addons. Condition match allows rules to be + predicated on the setting of a named switch in + /proc/net/nf_condition/. + + See + http://www.shorewall.net/configuration_file_basics.htm#Switches + for details. + +4) With the preceding change, the rules file now has 14 columns. That + makes it awkward to specify the last column as you have to insert + the correct number of '-' to get the right column. + + To make that easier, Shorewall now allows you to specify columns + using several (column-name,value) formats. See + http://www.shorewall.net/configuration_file_basics.htm#Pairs for + details. + +5) The generated script will now use the iptables/ip6tables -S command + if available. + +6) The implementation of USE_DEFAULT_RT=Yes has been changed + significantly. These changes include: + + a) A new BALANCE routing table with number 250 has been added. + b) Routes to providers with the 'balance' option are added to the + BALANCE table rather than the default table. + c) This allows 'fallback' to work with USE_DEFAULT_RT. + d) For optional interfaces, the 'fallback' option without a value + now works the same as if 'fallback=1' had been specified. 
-3) Support has been added for 'stateless NAT'. Stateless NAT is very - simmilar to NATMAP but differs from it in a couple of ways: + This change also corrected several problems with 'fallback' and + enable/disable. - a. It does not rely on connection tracking, but is rather - implemented in the Netfilter raw table. - - b. Both the source and destination address can be rewritten in all - three raw table chains: PREROUTING, OUTPUT and POSTROUTING. - - When used together with stateful NAT, it allows a single router to - handle a duplicate network address situation. - - Suppose that a VPN using interface tun0 is used to connect to - another organization, and that both intranets have network - 192.168.1.0/24. - - To allow the two organizations to communicate, they decide to use - 172.20.1.0/24 to address the other's 192.168.1.0/24. - - The following four entries are required in /etc/shorewall/netmap: - - #TYPE NET1 INTERFACE NET2 - SNAT 192.168.1.0/24 tun0 172.20.1.0/24 - DNAT 172.20.1.0/24 tun0 192.168.1.0/24 - DNAT:T 172.20.1.0/24 tun0 192.168.1.0.24 - SNAT:P 192.168.1.0/24 tun0 172.20.1.0/24 - - Stateless NAT entries differ from NETMAP entries in the TYPE - column. For stateless entries, both the type of address - translation (DNAT or SNAT) and the chain (O for OUTPUT, P for - PREROUTING and T for POSTROUTING) are given. - - In 4.4.23.2, the feature was extended to add PROTO, DEST PORT(S) - and SOURCE PORT(S) columns. - -4) A new section (ALL) has been added to /etc/shorewall/rules and to - /etc/shorwall6/rules. When present, the NEW section must be the - first section in the file and contains rules that are applied to - packets regardless of their connection tracking state. - -5) The generated script now detects and removes stale lock files. - -6) Jonathan Underwood has contributed Fedora/Redhat init script and - .service files. The .service files are used with systemd which - manages the startup sequence in Fedora 16. 
- - When installing using the install scripts: - - a) If /lib/systemd/system exists, the .service files are installed - there and are activated using /sbin/systemctl. When installing - into a directory, setting the SYSTEMD environmental variable to - a non-empty value will also trigger this behavior. - - b) If /etc/redhat-release exists, the Fedora/Redhat init script - will be installed in /etc/init.d. When installing into a - directory, setting the FEDORA environmental variable to a - non-empty value will also trigger this behavior. - -7) Previously, when a provider interface went 'soft down' (UP and - configured but not usable) or came back up from being 'soft down', - the firewall had to be reloaded ('/var/lib/shorewall/firewall - restart') to disable or enable the interface. - - Beginning with this release, the compiled IPv4 script supports two - new commands: - - - disable <interface> - - enable <interface> - - The 'disable' command removes all policy routing added as a result - of the interface's entry in /etc/shorewall/providers and and any - traffic shaping configuration on the interface. The 'enable' - command restores policy routing and traffic shaping and refreshes the - interfaces's entries in /proc. - -8) Shorewall now uses /sys/module/ to determine which modules are - loaded, thus speeding up start/restart. +7) Support has been added for TTL manipulation (HL in Shorewall6). + See shorewall-tcrules(5) or shorewall6-tcrules(5) for details. ---------------------------------------------------------------------------- I V. R E L E A S E 4 . 4 H I G H L I G H T S 
@@ -398,13 +304,58 @@ /etc/shorewall/params (/etc/shorewall6/params) at compile time are now available in the compiled firewall script. +18) The 'iprange' and 'ipaddr' commands require the 'bc' utility. + ---------------------------------------------------------------------------- V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S I N P R I O R R E L E A S E S ------------------------------------------------------------------------------ - P R O B L E M S C O R R E C T E D I N 4 . 4 . 2 2 + P R O B L E M S C O R R E C T E D I N 4 . 4 . 2 3 ---------------------------------------------------------------------------- +4.4.23.2 + +1) Previously, environmental variables present at compile-time with + values containing double quotes could result in a run-time syntax + error in the generated shell script. Double quotes are now escaped + properly in the generated script. + +2) A defect in Shorewall 4.4.23 prevented DONT_LOAD from working on + systems with /sys support. + +4.4.23.1 + +1) After the last balanced or fallback interface had been disabled, + enable of any interface would fail. + +2) ROUTE_FILTER=On now suppresses hairpin filtering + (sfilter). Previously, sfilter was applied to all interfaces that + did not specify the 'routefilter' or 'routeback' option in + /etc/shorewall/interfaces. + +4.4.23 + +1) This release includes all problem corrections included in Shorewall + 4.4.22.1 - 4.4.22.3. + +2) Previously, the contents of the NET1 and NET2 columns in + /etc/shorewall/netmap were not validated by the rules compiler. As + a result, invalid entries in those columns could cause the compiled + script to fail while running iptables-restore. + +3) The 'hits' command could issue an 'invalid number' diagnostic when + run under busybox ash. That diagnostic has been eliminated. 
+ +4) If a zone had multiple interfaces and neither 'routefilter' nor + 'routeback' was specified on the interfaces, then traffic between + the interfaces could fail with a log message such as this one: + + Sep 4 22:20:41 pilot kernel: [427181.381412] + Shorewall:sfilter1:DROP:IN=eth3 OUT=eth4 + MAC=fe:ff:ff:ff:ff:ff:00:16:3e:7f:a0:b9:08:00 SRC=192.168.2.2 + DST=192.168.2.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP + TYPE=8 CODE=0 ID=10893 SEQ=2 + 4.4.11.3 1) On older distributions where 'shorewall show capabilities' 
@@ -442,6 +393,101 @@ #PROVIDER NUMBER MARK INTERFACE ... ISP1 1 1 ppp0 ... +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 4 . 2 3 +---------------------------------------------------------------------------- + +1) The leading '#!/bin/sh' line has been deleted from non-executable + shell modules. + +2) When 'shorewall update' or 'shorewall6 update' results in no change + to the .conf file, a message is issued, the .bak file is removed + and the command terminates without error. + + Note: This change was also included in Shorewall 4.4.22.3. + +3) Support has been added for 'stateless NAT'. Stateless NAT is very + simmilar to NATMAP but differs from it in a couple of ways: + + a. It does not rely on connection tracking, but is rather + implemented in the Netfilter raw table. + + b. Both the source and destination address can be rewritten in all + three raw table chains: PREROUTING, OUTPUT and POSTROUTING. + + When used together with stateful NAT, it allows a single router to + handle a duplicate network address situation. + + Suppose that a VPN using interface tun0 is used to connect to + another organization, and that both intranets have network + 192.168.1.0/24. + + To allow the two organizations to communicate, they decide to use + 172.20.1.0/24 to address the other's 192.168.1.0/24. + + The following four entries are required in /etc/shorewall/netmap: + + #TYPE NET1 INTERFACE NET2 + SNAT 192.168.1.0/24 tun0 172.20.1.0/24 + DNAT 172.20.1.0/24 tun0 192.168.1.0/24 + DNAT:T 172.20.1.0/24 tun0 192.168.1.0.24 + SNAT:P 192.168.1.0/24 tun0 172.20.1.0/24 + + Stateless NAT entries differ from NETMAP entries in the TYPE + column. For stateless entries, both the type of address + translation (DNAT or SNAT) and the chain (O for OUTPUT, P for + PREROUTING and T for POSTROUTING) are given. + + In 4.4.23.2, the feature was extended to add PROTO, DEST PORT(S) + and SOURCE PORT(S) columns. 
+ +4) A new section (ALL) has been added to /etc/shorewall/rules and to + /etc/shorwall6/rules. When present, the NEW section must be the + first section in the file and contains rules that are applied to + packets regardless of their connection tracking state. + +5) The generated script now detects and removes stale lock files. + +6) Jonathan Underwood has contributed Fedora/Redhat init script and + .service files. The .service files are used with systemd which + manages the startup sequence in Fedora 16. + + When installing using the install scripts: + + a) If /lib/systemd/system exists, the .service files are installed + there and are activated using /sbin/systemctl. When installing + into a directory, setting the SYSTEMD environmental variable to + a non-empty value will also trigger this behavior. + + b) If /etc/redhat-release exists, the Fedora/Redhat init script + will be installed in /etc/init.d. When installing into a + directory, setting the FEDORA environmental variable to a + non-empty value will also trigger this behavior. + +7) Previously, when a provider interface went 'soft down' (UP and + configured but not usable) or came back up from being 'soft down', + the firewall had to be reloaded ('/var/lib/shorewall/firewall + restart') to disable or enable the interface. + + Beginning with this release, the compiled IPv4 script supports two + new commands: + + - disable <interface> + - enable <interface> + + The 'disable' command removes all policy routing added as a result + of the interface's entry in /etc/shorewall/providers and and any + traffic shaping configuration on the interface. The 'enable' + command restores policy routing and traffic shaping and refreshes the + interfaces's entries in /proc. + +8) Shorewall now uses /sys/module/ to determine which modules are + loaded, thus speeding up start/restart. + +------------------------------------------------------------------------------ + P R O B L E M S C O R R E C T E D I N 4 . 4 . 
2 2 +---------------------------------------------------------------------------- + 4.4.22.2 1) On older distributions where 'shorewall show capabilities' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.23.3/shorewall-lite.spec new/shorewall-lite-4.4.24/shorewall-lite.spec --- old/shorewall-lite-4.4.23.3/shorewall-lite.spec 2011-09-16 15:58:08.000000000 +0200 +++ new/shorewall-lite-4.4.24/shorewall-lite.spec 2011-10-09 23:52:34.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-lite -%define version 4.4.23 -%define release 3 +%define version 4.4.24 +%define release 0base Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. Name: %{name} @@ -103,6 +103,20 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Sun Oct 09 2011 Tom Eastep [email protected] +- Updated to 4.4.24-0base +* Sun Oct 09 2011 Tom Eastep [email protected] +- Updated to 4.4.24-0RC2 +* Sat Oct 01 2011 Tom Eastep [email protected] +- Updated to 4.4.24-0RC1 +* Mon Sep 26 2011 Tom Eastep [email protected] +- Updated to 4.4.24-0Beta4 +* Wed Sep 21 2011 Tom Eastep [email protected] +- Updated to 4.4.24-0Beta3 +* Sun Sep 18 2011 Tom Eastep [email protected] +- Updated to 4.4.24-0Beta2 +* Thu Sep 15 2011 Tom Eastep [email protected] +- Updated to 4.4.24-0Beta1 * Tue Sep 13 2011 Tom Eastep [email protected] - Updated to 4.4.23-3 * Fri Sep 09 2011 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.23.3/uninstall.sh new/shorewall-lite-4.4.24/uninstall.sh --- old/shorewall-lite-4.4.23.3/uninstall.sh 2011-09-16 15:58:08.000000000 +0200 +++ new/shorewall-lite-4.4.24/uninstall.sh 2011-10-09 23:52:34.000000000 +0200 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.23.3 +VERSION=4.4.24 usage() # $1 = exit status { ++++++ shorewall-4.4.23.3.tar.bz2 -> shorewall6-4.4.24.tar.bz2 ++++++ ++++ 97243 lines of diff (skipped) ++++++ shorewall-lite-4.4.23.3.tar.bz2 -> shorewall6-lite-4.4.24.tar.bz2 ++++++ ++++ 9661 lines of diff (skipped)
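Review bot: item 6a in the releasenotes hunk @@ -81,92 +31,48 @@ introduces a BALANCE routing table hard-wired to number 250 but says nothing about the reservation itself: an installation whose /etc/iproute2/rt_tables or providers file already uses table 250 would collide with it, and the note should say whether that is detected at compile time or must be avoided by renumbering. One sentence along the lines of 'Table 250 is now reserved for BALANCE; existing providers or rt_tables entries using that number must be renumbered' would close the gap. Also in this hunk, item 1's 'Beta 2 added the ability to use exclusion in the NET1 column' is pre-release history; in the final release note it reads better as 'Exclusion may be used in the NET1 column.'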
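Review bot: item 18 in the releasenotes hunk @@ -398,13 +304,58 @@ records that the 'iprange' and 'ipaddr' commands now require the 'bc' utility, but none of the packaging hunks in this submission add a matching dependency (the shorewall-lite.spec hunk @@ -1,6 +1,6 @@ only bumps %version and %release), so on a system without bc those two commands fail at run time; a 'Requires: bc' (or at least a Recommends) belongs next to the version bump. In the same hunk, the 4.4.23.1 entry 'ROUTE_FILTER=On now suppresses hairpin filtering (sfilter)' is a behaviour change with a security effect and deserves one more sentence saying what check covers hairpinned traffic between interfaces of the same zone once sfilter is no longer applied (presumably the kernel reverse-path filter that ROUTE_FILTER enables), so that administrators who set ROUTE_FILTER=On for unrelated reasons know what they are now relying on.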
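Review bot: the netmap example in the moved 'NEW FEATURES IN 4.4.23' block (hunk @@ -442,6 +393,101 @@, item 3) carries a malformed address in its third entry, 'DNAT:T 172.20.1.0/24 tun0 192.168.1.0.24'; the NET2 value should be '192.168.1.0/24' like the other three lines, and since this same file now states that NET1 and NET2 are validated by the rules compiler (4.4.23 problems corrected, item 2), a reader who copies the line as printed gets a compile error instead of the described translation. Smaller fixes worth taking in the same block while the text is being moved: 'simmilar' should be 'similar'; '/etc/shorwall6/rules' should be '/etc/shorewall6/rules'; item 4 introduces the new section as ALL and then calls it NEW in the next sentence, which should presumably read 'the ALL section must be the first section in the file'; item 7 has a doubled 'and' in 'and and any traffic shaping' and 'interfaces's entries' should be 'interface's entries'.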
