Hello community, here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2011-11-02 12:18:19 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shorewall (Old) and /work/SRC/openSUSE:Factory/.shorewall.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall", Maintainer is "" Changes: -------- --- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2011-10-16 12:59:16.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes 2011-11-02 12:18:21.000000000 +0100 
@@ -1,0 +2,47 @@ +Tue Nov 1 18:16:52 UTC 2011 - [email protected] + +- Update to 4.4.25.1 For more details see changelog.txt and + releasenotes.txt + + * A'refresh' command with no chains or tables specified will + now reload chains created by entries in the BLACKLIST section of + the rules file. + * The rules compiler previously failed to detect the 'Flow + Filter' capability. That capability is now correctly detected. + * The IN_BANDWIDTH handling changes in 4.4.25 was incompatible + with moribund distributions such as RHEL4. Restoring IN_BANDWIDTH + functionality on those releases required a new 'Basic Filter' + capability. + + +------------------------------------------------------------------- +Sun Oct 30 09:47:11 UTC 2011 - [email protected] + +- Update to 4.4.25 For more details see changelog.txt and + releasenotes.txt + + * A defect in the optimizer that allowed incompatible rules to be + combined has been corrected. + * Routes and rules added as a result of entries in + /etc/shorewall6/providers were previously not deleted by + 'stop' or 'restart'. Repeated 'restart' commands could + therefore lead to an incorrect routing configuration. + * Previously, capital letters were disallowed in IPv6 addresses. + They are now permitted. + * If the COPY column in /etc/shorewall6/providers was non-empty, + previously a run-time error could occur when copying a table. + The diagnostic produced by ip was: + + Either "to" is duplicate, or "cache" is garbage + + * When copying IPv6 routes, the generated script previously + attempted to copy 'cache' entries. Those entries are now omitted. + * Previously, the use of large provider numbers could cause some + Shorewall-generated routing rules to be ineffective. + * In some contexts, IPv6 addresses of the form ::i.j.k.l were + incorrectly classified as invalid by the configuration compile + * New blacklisting facility implemented. 
For this and other new + features please refer to the releasenotes.txt + + +------------------------------------------------------------------- Old: ---- shorewall-4.4.24.1.tar.bz2 shorewall-docs-html-4.4.24.1.tar.bz2 shorewall-init-4.4.24.1.tar.bz2 shorewall-lite-4.4.24.1.tar.bz2 shorewall6-4.4.24.1.tar.bz2 shorewall6-lite-4.4.24.1.tar.bz2 New: ---- shorewall-4.4.25.1.tar.bz2 shorewall-docs-html-4.4.25.1.tar.bz2 shorewall-init-4.4.25.1.tar.bz2 shorewall-lite-4.4.25.1.tar.bz2 shorewall6-4.4.25.1.tar.bz2 shorewall6-lite-4.4.25.1.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.Afk44c/_old 2011-11-02 12:18:24.000000000 +0100 +++ /var/tmp/diff_new_pack.Afk44c/_new 2011-11-02 12:18:24.000000000 +0100 @@ -18,7 +18,7 @@ Name: shorewall -Version: 4.4.24.1 +Version: 4.4.25.1 Release: 1 License: GPL-2.0 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems ++++++ shorewall-4.4.24.1.tar.bz2 -> shorewall-4.4.25.1.tar.bz2 ++++++ ++++ 4706 lines of diff (skipped) ++++++ shorewall-docs-html-4.4.24.1.tar.bz2 -> shorewall-docs-html-4.4.25.1.tar.bz2 ++++++ ++++ 6779 lines of diff (skipped) ++++++ shorewall-init-4.4.24.1.tar.bz2 -> shorewall-init-4.4.25.1.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.4.24.1/changelog.txt new/shorewall-init-4.4.25.1/changelog.txt --- old/shorewall-init-4.4.24.1/changelog.txt 2011-10-15 15:53:53.000000000 +0200 +++ new/shorewall-init-4.4.25.1/changelog.txt 2011-11-01 16:35:31.000000000 +0100 
@@ -1,19 +1,46 @@ -Changes in 4.4.24.1 +Changes in 4.4.25.1 -1) Restore complex TC functionality. +1) Reload 'blacklistsection' chains during 'refresh'. -Changes in 4.4.24 Final +Changes in 4.4.25 Final -1) Clone TTL support to provide HL support in Shorewall6. +1) Evaluate a variable at compile-time rather than run-time. -Changes in 4.4.24 RC 2 +Changes in 4.4.25 RC 1 -1) Fix 'fallback' without =<weight>. +1) Add MARK column to the route_rules file. -2) Add BALANCE_TABLE +2) Place all ip-address route rules at priority 20000. -3) Fix RC 1 bugs reported by Steven Springl +3) Ensure that a 'lookup default prio 32767' rule exists. +4) Correct validation of 4in6 addresses. + +Changes in 4.4.25 Beta 4 + +1) Fix optimizer bug. + +2) Fix 'undo' of Shorewall6 routing. + +3) Don't copy cache routes. + +4) Balance and Fallback routes in Shorewall6. + +5) enable/disable in Shorewall6. + +Changes in 4.4.25 Beta 3 + +1) Allow explicit rate estimation. + +Changes in 4.4.25 Beta 2 + +1) Add rate estimation to input bandwidth policing. + +Changes in 4.4.25 Beta 1 + +1) Add BLACKLIST section to the rules file. + +2) Add '6in4' as a synonym for '6to4'. Changes in 4.4.24 RC 1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.4.24.1/install.sh new/shorewall-init-4.4.25.1/install.sh --- old/shorewall-init-4.4.24.1/install.sh 2011-10-15 15:53:53.000000000 +0200 +++ new/shorewall-init-4.4.25.1/install.sh 2011-11-01 16:35:31.000000000 +0100 
@@ -23,7 +23,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.24.1 +VERSION=4.4.25.1 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.4.24.1/releasenotes.txt new/shorewall-init-4.4.25.1/releasenotes.txt --- old/shorewall-init-4.4.24.1/releasenotes.txt 2011-10-15 15:53:53.000000000 +0200 +++ new/shorewall-init-4.4.25.1/releasenotes.txt 2011-11-01 16:35:31.000000000 +0100 @@ -1,6 +1,6 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 4 . 2 4 . 1 + S H O R E W A L L 4 . 4 . 2 5 . 1 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,20 +14,82 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.4.24.1 +4.4.25.1 -1) When the logical and physical name of an interface were different, - including the logical name in the tcdevices file caused the - device's classes to be ignored. This defect was introduced in - Shorewall 4.4.23. +1) A 'refresh' command with no chains or tables specified will now + reload chains created by entries in the BLACKLIST section of the + rules file. + +2) The 'refresh' command did not automatically reload the rules from + the BLACKLIST section of the rules file. Now such rules are + reloaded by 'refresh'. + +3) The rules compiler previously failed to detect the 'Flow Filter' + capability. That capability is now correctly detected. + +4) The IN_BANDWIDTH handling changes in 4.4.25 was incompatible with + moribund distributions such as RHEL4. Restoring IN_BANDWIDTH + functionality on those releases required a new 'Basic Filter' + capability. + +4.4.25 + +1) A defect in the optimizer that allowed incompatible rules to be + combined has been corrected. + + Example: + + Rule1: -i eth1 -j chainx + Rule in chainx: -i eth2 -j ACCEPT + Incorrect result: -i eth2 -j ACCEPT + + With the change in this release, Rule1 will remain as it is. + +2) Routes and rules added as a result of entries in + /etc/shorewall6/providers were previously not deleted by + 'stop' or 'restart'. Repeated 'restart' commands could therefore + lead to an incorrect routing configuration. + +3) Previously, capital letters were disallowed in IPv6 addresses. They + are now permitted. + +4) If the COPY column in /etc/shorewall6/providers was non-empty, + previously a run-time error could occur when copying a table. The + diagnostic produced by ip was: + + Either "to" is duplicate, or "cache" is garbage + +5) When copying IPv6 routes, the generated script previously attempted + to copy 'cache' entries. 
Those entries are now omitted. + +6) Previously, the use of large provider numbers could cause some + Shorewall-generated routing rules to be ineffective. + + Example (provider numbers 110 and 120): + + 0: from all lookup local + 10109: from all fwmark 0x6e/0xff lookup 110 + 10119: from all fwmark 0x78/0xff lookup 120 + 11000: from 2001:470:1f04:262::1/64 lookup 110 + 11001: from 2001:470:c:316::1/64 lookup 120 + 32766: from all lookup main + 47904: from 2001:470:8388::1 lookup 110 <=========== + 50464: from 2001:470:f032::1 lookup 120 <=========== + + Now, all routing rules generated by provider interface IP (and IP6) + addresses are created at priority 20000. + + 0: from all lookup local + 10109: from all fwmark 0x6e/0xff lookup 110 + 10119: from all fwmark 0x78/0xff lookup 120 + 11000: from 2001:470:1f04:262::1/64 lookup 110 + 11001: from 2001:470:c:316::1/64 lookup 120 + 20000: from 2001:470:8388::1 lookup 110 <=========== + 20000: from 2001:470:f032::1 lookup 120 <=========== + 32766: from all lookup main -4.4.24 - -1) This release includes all problem corrections from releases - 4.4.23.1-4.4.23.3. - -2) The 'fallback' option without =<weight> previously produced invalid - 'ip' commands. +7) In some contexts, IPv6 addresses of the form ::i.j.k.l were + incorrectly classified as invalid by the configuration compiler. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -40,49 +102,128 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Stateless NAT is now available in Shorewall6. See - shorewall6-netmap(5) for details. Beta 2 added the ability to use - exclusion in the NET1 column. +1) The original static blacklisting implementation was + interface-oriented and only handled blacklisting by source + address. In Shorewall 4.4.12, the ability to blacklist by + destination address was added and blacklisting could be specified + as a ZONE option. This change, plus additional changes in + subsequent releases has lead to an implementation that is complex + and hard to extend. + + In this release, a new static blacklisting facility has been + implemented. This facility is separate from the legacy facility, so + existing configurations will continue to work without change. + + A BLACKLIST section has been added to the rules file. This section + is now the first section, having been added ahead of the ALL + section. The set of packets that are subject to blacklisting is + still governed by the setting of BLACKLISTNEWONLY in + shorewall.conf. The settings of BLACKLIST_LOGLEVEL and + BLACKLIST_DISPOSITION are not relevant to the new implementation. + Most of the actions available in other sections of the rules file + are available in the BLACKLIST section and logging is specified on + a rule-by-rule basis in the normal way. + + In addition to the other actions available, a WHITELIST action has + been added which exempts matching packets from being passed to the + remaining rules in the section. + + Each "zone2zone" chain (e.g., net2fw) that has blacklist rules has + a companion blacklisting chain. The name of the blacklisting chain + is formed by appending "~" to the zone2zone chain. For example, + 'net2fw' blacklist rules appear in the chain net2fw~. + + There is a likelihood that multiple blacklisting chains will have + exactly the same rules. 
This is especially true when 'all' is used + as the zone name in the SOURCE and/or DEST columns. When + optimization level 8 is used, these identical chains are combined + into a single chain with the name ~blacklistN, where N is a number + (possibly with multiple digits). + + The 'nosurfs' and 'tcpflags' interface options generate rules that + will be traversed prior to those in the BLACKLIST section. If you + want similar rules to be travered on packets that were not dropped + or rejected in the BLACKLIST chain, you can use the new + 'DropSmurfs' and/or 'TCPFlags' standard actions. + + The DropSmurfs action has a single parameter whose default value + is '-'. The action silently drops smurfs without auditing. If you + want to audit these drops, use DropSmurfs(audit). Logging can be + specified in the normal way (e.g., DropSmurfs:info). + + The TCPFlags action has two parameters whose default values are + DROP and -. The first action determines what is to be done with + matching packets and can have the values DROP, REJECT or ACCEPT. If + you want the action to be audited, pass 'audit' in the second + parameter. + + Example: TCPFlags(REJECT,audit) + + Again, logging is specified in the normal way. + + The 'maclist' interface option can also generate rules that are + traversed prior to those in the BLACKLIST section. If you want them + to come after the the blacklist rules, simply recode your maclist + rules in the NEW section of the rules file. The 'macipmap' ipset + type is ideally suited for this task. + + Example: assumes the ipset name is macipmap and that the + zone to be verified is named wlan + + /etc/shorewall/rules: + + SECTION NEW + DROP:info wlan:!+macipmap all + +2) '6in4' has been added as a synonum for '6to4' in the TYPE column of + the tunnels file. + +3) The handling of IN_BANDWIDTH in both /etc/shorewall/tcdevices and + /etc/shorewall/tcinterfaces has been changed. 
Previously: + + a) Simple rate/burst policing was applied using the value(s) + supplied. + + b) IPv4 and IPv6 were policed separately. + + Beginning with this release, you have the option of configuring a + rate estimated policing filter. This type of filter is discussed at + http://ace-host.stuart.id.au/russell/files/tc/doc/extimators.txt. + + You specify an estimeting filter by preceding the IN-BANDWIDTH with + a tilde ('~'). + + Example: ~40mbit + + This example limits incoming traffic to an *average* rate of 40mbit. + + There are two other other parameters that can be specified, in + addition to the average rate - <interval> and + <decay_interval>. There is an excellent description of these + parameters in the document referenced above. + + Example: ~40mbit:1sec:8sec + + In that example, the <interval> is 1 second and the + <decay_interval> is 8 seconds. If not given, the default values are + 250ms and 4 seconds. Both parameters must be supplied if either is + supplied. + + Also in this release, the policing of IPv4 and IPv6 has been + combined so a single filter is applied to all traffic on a + configured interface. + +4) Shorewall6 now supports the 'balance' and 'fallback' provider + options. These options are restricted to one interface per + configuration for each option. -2) /sbin/shorewall6 now supports the 'show rawpost' command. - -3) This release includes support for 'Condition Match' which is - included in xtables-addons. Condition match allows rules to be - predicated on the setting of a named switch in - /proc/net/nf_condition/. +5) The scripts generated by Shorewall6 now support the 'enable' and + 'disable' commands. - See - http://www.shorewall.net/configuration_file_basics.htm#Switches - for details. - -4) With the preceding change, the rules file now has 14 columns. That - makes it awkward to specify the last column as you have to insert - the correct number of '-' to get the right column. 
- - To make that easier, Shorewall now allows you to specify columns - using several (column-name,value) formats. See - http://www.shorewall.net/configuration_file_basics.htm#Pairs for +6) A 'MARK' column has been added to the route_rules file. See + shorewall-route_rules (5) and shorewall6-route_rules (5) for details. -5) The generated script will now use the iptables/ip6tables -S command - if available. - -6) The implementation of USE_DEFAULT_RT=Yes has been changed - significantly. These changes include: - - a) A new BALANCE routing table with number 250 has been added. - b) Routes to providers with the 'balance' option are added to the - BALANCE table rather than the default table. - c) This allows 'fallback' to work with USE_DEFAULT_RT. - d) For optional interfaces, the 'fallback' option without a value - now works the same as if 'fallback=1' had been specified. - - This change also corrected several problems with 'fallback' and - enable/disable. - -7) Support has been added for TTL manipulation (HL in Shorewall6). - See shorewall-tcrules(5) or shorewall6-tcrules(5) for details. - ---------------------------------------------------------------------------- I V. R E L E A S E 4 . 4 H I G H L I G H T S ---------------------------------------------------------------------------- 
@@ -318,7 +459,63 @@ ---------------------------------------------------------------------------- V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S I N P R I O R R E L E A S E S ------------------------------------------------------------------------------- +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 4 . 2 4 +---------------------------------------------------------------------------- + +1) Includes all problem corrections from versions 4.4.23.1 - 4.4.23.3. + +2) The 'fallback' option without =<weight> previously produced invalid + 'ip' commands. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 4 . 2 4 +---------------------------------------------------------------------------- + +1) Stateless NAT is now available in Shorewall6. See + shorewall6-netmap(5) for details. Beta 2 added the ability to use + exclusion in the NET1 column. + +2) /sbin/shorewall6 now supports the 'show rawpost' command. + +3) This release includes support for 'Condition Match' which is + included in xtables-addons. Condition match allows rules to be + predicated on the setting of a named switch in + /proc/net/nf_condition/. + + See + http://www.shorewall.net/configuration_file_basics.htm#Switches + for details. + +4) With the preceding change, the rules file now has 14 columns. That + makes it awkward to specify the last column as you have to insert + the correct number of '-' to get the right column. + + To make that easier, Shorewall now allows you to specify columns + using several (column-name,value) formats. See + http://www.shorewall.net/configuration_file_basics.htm#Pairs for + details. + +5) The generated script will now use the iptables/ip6tables -S command + if available. + +6) The implementation of USE_DEFAULT_RT=Yes has been changed + significantly. 
These changes include: + + a) A new BALANCE routing table with number 250 has been added. + b) Routes to providers with the 'balance' option are added to the + BALANCE table rather than the default table. + c) This allows 'fallback' to work with USE_DEFAULT_RT. + d) For optional interfaces, the 'fallback' option without a value + now works the same as if 'fallback=1' had been specified. + + This change also corrected several problems with 'fallback' and + enable/disable. + +7) Support has been added for TTL manipulation (HL in Shorewall6). + See shorewall-tcrules(5) or shorewall6-tcrules(5) for details. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 4 . 2 3 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.4.24.1/shorewall-init.spec new/shorewall-init-4.4.25.1/shorewall-init.spec --- old/shorewall-init-4.4.24.1/shorewall-init.spec 2011-10-15 15:53:53.000000000 +0200 +++ new/shorewall-init-4.4.25.1/shorewall-init.spec 2011-11-01 16:35:31.000000000 +0100 @@ -1,5 +1,5 @@ %define name shorewall-init -%define version 4.4.24 +%define version 4.4.25 %define release 1 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). 
@@ -119,12 +119,20 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Sun Oct 30 2011 Tom Eastep [email protected] +- Updated to 4.4.25-1 +* Thu Oct 27 2011 Tom Eastep [email protected] +- Updated to 4.4.25-0base +* Sun Oct 23 2011 Tom Eastep [email protected] +- Updated to 4.4.25-0RC1 +* Sat Oct 22 2011 Tom Eastep [email protected] +- Updated to 4.4.25-0Beta4 +* Tue Oct 18 2011 Tom Eastep [email protected] +- Updated to 4.4.25-0Beta3 * Tue Oct 11 2011 Tom Eastep [email protected] -- Updated to 4.4.24-1 -* Sun Oct 09 2011 Tom Eastep [email protected] -- Updated to 4.4.24-0base -* Sun Oct 09 2011 Tom Eastep [email protected] -- Updated to 4.4.24-0RC2 +- Updated to 4.4.25-0Beta2 +* Tue Oct 04 2011 Tom Eastep [email protected] +- Updated to 4.4.25-0Beta1 * Sat Oct 01 2011 Tom Eastep [email protected] - Updated to 4.4.24-0RC1 * Mon Sep 26 2011 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.4.24.1/uninstall.sh new/shorewall-init-4.4.25.1/uninstall.sh --- old/shorewall-init-4.4.24.1/uninstall.sh 2011-10-15 15:53:53.000000000 +0200 +++ new/shorewall-init-4.4.25.1/uninstall.sh 2011-11-01 16:35:31.000000000 +0100 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.24.1 +VERSION=4.4.25.1 usage() # $1 = exit status { ++++++ shorewall-lite-4.4.24.1.tar.bz2 -> shorewall-lite-4.4.25.1.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.24.1/changelog.txt new/shorewall-lite-4.4.25.1/changelog.txt --- old/shorewall-lite-4.4.24.1/changelog.txt 2011-10-15 15:53:53.000000000 +0200 +++ new/shorewall-lite-4.4.25.1/changelog.txt 2011-11-01 16:35:31.000000000 +0100 
@@ -1,19 +1,46 @@ -Changes in 4.4.24.1 +Changes in 4.4.25.1 -1) Restore complex TC functionality. +1) Reload 'blacklistsection' chains during 'refresh'. -Changes in 4.4.24 Final +Changes in 4.4.25 Final -1) Clone TTL support to provide HL support in Shorewall6. +1) Evaluate a variable at compile-time rather than run-time. -Changes in 4.4.24 RC 2 +Changes in 4.4.25 RC 1 -1) Fix 'fallback' without =<weight>. +1) Add MARK column to the route_rules file. -2) Add BALANCE_TABLE +2) Place all ip-address route rules at priority 20000. -3) Fix RC 1 bugs reported by Steven Springl +3) Ensure that a 'lookup default prio 32767' rule exists. +4) Correct validation of 4in6 addresses. + +Changes in 4.4.25 Beta 4 + +1) Fix optimizer bug. + +2) Fix 'undo' of Shorewall6 routing. + +3) Don't copy cache routes. + +4) Balance and Fallback routes in Shorewall6. + +5) enable/disable in Shorewall6. + +Changes in 4.4.25 Beta 3 + +1) Allow explicit rate estimation. + +Changes in 4.4.25 Beta 2 + +1) Add rate estimation to input bandwidth policing. + +Changes in 4.4.25 Beta 1 + +1) Add BLACKLIST section to the rules file. + +2) Add '6in4' as a synonym for '6to4'. Changes in 4.4.24 RC 1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.24.1/install.sh new/shorewall-lite-4.4.25.1/install.sh --- old/shorewall-lite-4.4.24.1/install.sh 2011-10-15 15:53:53.000000000 +0200 +++ new/shorewall-lite-4.4.25.1/install.sh 2011-11-01 16:35:31.000000000 +0100 @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.24.1 +VERSION=4.4.25.1 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.24.1/lib.base new/shorewall-lite-4.4.25.1/lib.base --- old/shorewall-lite-4.4.24.1/lib.base 2011-10-15 15:53:53.000000000 +0200 +++ new/shorewall-lite-4.4.25.1/lib.base 2011-11-01 16:35:31.000000000 +0100 
@@ -28,7 +28,7 @@ # SHOREWALL_LIBVERSION=40407 -SHOREWALL_CAPVERSION=40424 +SHOREWALL_CAPVERSION=40425 [ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.24.1/lib.cli new/shorewall-lite-4.4.25.1/lib.cli --- old/shorewall-lite-4.4.24.1/lib.cli 2011-10-15 15:53:53.000000000 +0200 +++ new/shorewall-lite-4.4.25.1/lib.cli 2011-11-01 16:35:31.000000000 +0100 @@ -1733,6 +1733,7 @@ AUDIT_TARGET= CONDITION_MATCH= IPTABLES_S= + BASIC_FILTER= chain=fooX$$ @@ -1891,6 +1892,7 @@ qt $IPTABLES -X $chain1 [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes + [ -n "$TC" ] && $TC filter add basic help 2>&1 | grep -q ^Usage && BASIC_FILTER=Yes [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes CAPVERSION=$SHOREWALL_CAPVERSION @@ -1981,6 +1983,7 @@ report_capability "ipset V5" $IPSET_V5 report_capability "Condition Match" $CONDITION_MATCH report_capability "iptables -S" $IPTABLES_S + report_capability "Basic Filter" $BASIC_FILTER fi [ -n "$PKTTYPE" ] || USEPKTTYPE= @@ -2053,6 +2056,7 @@ report_capability1 IPSET_V5 report_capability1 CONDITION_MATCH report_capability1 IPTABLES_S + report_capability1 BASIC_FILTER echo CAPVERSION=$SHOREWALL_CAPVERSION echo KERNELVERSION=$KERNELVERSION diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.24.1/manpages/shorewall-lite-vardir.5 new/shorewall-lite-4.4.25.1/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-4.4.24.1/manpages/shorewall-lite-vardir.5 2011-10-15 15:59:12.000000000 +0200 +++ new/shorewall-lite-4.4.25.1/manpages/shorewall-lite-vardir.5 2011-11-01 16:40:54.000000000 +0100 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/> -.\" Date: 10/15/2011 +.\" Date: 11/01/2011 .\" Manual: [FIXME: manual] .\" Source: [FIXME: source] .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "10/15/2011" "[FIXME: source]" "[FIXME: manual]" +.TH "SHOREWALL\-LITE\-VAR" "5" "11/01/2011" "[FIXME: source]" "[FIXME: manual]" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.24.1/manpages/shorewall-lite.8 new/shorewall-lite-4.4.25.1/manpages/shorewall-lite.8 --- old/shorewall-lite-4.4.24.1/manpages/shorewall-lite.8 2011-10-15 15:59:14.000000000 +0200 +++ new/shorewall-lite-4.4.25.1/manpages/shorewall-lite.8 2011-11-01 16:40:56.000000000 +0100 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/> -.\" Date: 10/15/2011 +.\" Date: 11/01/2011 .\" Manual: [FIXME: manual] .\" Source: [FIXME: source] .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "10/15/2011" "[FIXME: source]" "[FIXME: manual]" +.TH "SHOREWALL\-LITE" "8" "11/01/2011" "[FIXME: source]" "[FIXME: manual]" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.24.1/manpages/shorewall-lite.conf.5 new/shorewall-lite-4.4.25.1/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-4.4.24.1/manpages/shorewall-lite.conf.5 2011-10-15 15:59:10.000000000 +0200 +++ new/shorewall-lite-4.4.25.1/manpages/shorewall-lite.conf.5 2011-11-01 16:40:52.000000000 +0100 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/> -.\" Date: 10/15/2011 +.\" Date: 11/01/2011 .\" Manual: [FIXME: manual] .\" Source: [FIXME: source] .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "10/15/2011" "[FIXME: source]" "[FIXME: manual]" +.TH "SHOREWALL\-LITE\&.CO" "5" "11/01/2011" "[FIXME: source]" "[FIXME: manual]" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.24.1/modules.tc new/shorewall-lite-4.4.25.1/modules.tc --- old/shorewall-lite-4.4.24.1/modules.tc 2011-10-15 15:53:53.000000000 +0200 +++ new/shorewall-lite-4.4.25.1/modules.tc 2011-11-01 16:35:31.000000000 +0100 @@ -22,4 +22,5 @@ loadmodule cls_u32 loadmodule cls_fw loadmodule cls_flow +loadmodule cls_basic loadmodule act_police diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.24.1/releasenotes.txt new/shorewall-lite-4.4.25.1/releasenotes.txt --- old/shorewall-lite-4.4.24.1/releasenotes.txt 2011-10-15 15:53:53.000000000 +0200 +++ new/shorewall-lite-4.4.25.1/releasenotes.txt 2011-11-01 16:35:31.000000000 +0100 @@ -1,6 +1,6 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 4 . 2 4 . 1 + S H O R E W A L L 4 . 4 . 2 5 . 1 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,20 +14,82 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.4.24.1 +4.4.25.1 -1) When the logical and physical name of an interface were different, - including the logical name in the tcdevices file caused the - device's classes to be ignored. This defect was introduced in - Shorewall 4.4.23. +1) A 'refresh' command with no chains or tables specified will now + reload chains created by entries in the BLACKLIST section of the + rules file. + +2) The 'refresh' command did not automatically reload the rules from + the BLACKLIST section of the rules file. Now such rules are + reloaded by 'refresh'. + +3) The rules compiler previously failed to detect the 'Flow Filter' + capability. That capability is now correctly detected. + +4) The IN_BANDWIDTH handling changes in 4.4.25 was incompatible with + moribund distributions such as RHEL4. Restoring IN_BANDWIDTH + functionality on those releases required a new 'Basic Filter' + capability. + +4.4.25 + +1) A defect in the optimizer that allowed incompatible rules to be + combined has been corrected. + + Example: + + Rule1: -i eth1 -j chainx + Rule in chainx: -i eth2 -j ACCEPT + Incorrect result: -i eth2 -j ACCEPT + + With the change in this release, Rule1 will remain as it is. + +2) Routes and rules added as a result of entries in + /etc/shorewall6/providers were previously not deleted by + 'stop' or 'restart'. Repeated 'restart' commands could therefore + lead to an incorrect routing configuration. + +3) Previously, capital letters were disallowed in IPv6 addresses. They + are now permitted. + +4) If the COPY column in /etc/shorewall6/providers was non-empty, + previously a run-time error could occur when copying a table. The + diagnostic produced by ip was: + + Either "to" is duplicate, or "cache" is garbage + +5) When copying IPv6 routes, the generated script previously attempted + to copy 'cache' entries. 
Those entries are now omitted. + +6) Previously, the use of large provider numbers could cause some + Shorewall-generated routing rules to be ineffective. + + Example (provider numbers 110 and 120): + + 0: from all lookup local + 10109: from all fwmark 0x6e/0xff lookup 110 + 10119: from all fwmark 0x78/0xff lookup 120 + 11000: from 2001:470:1f04:262::1/64 lookup 110 + 11001: from 2001:470:c:316::1/64 lookup 120 + 32766: from all lookup main + 47904: from 2001:470:8388::1 lookup 110 <=========== + 50464: from 2001:470:f032::1 lookup 120 <=========== + + Now, all routing rules generated by provider interface IP (and IP6) + addresses are created at priority 20000. + + 0: from all lookup local + 10109: from all fwmark 0x6e/0xff lookup 110 + 10119: from all fwmark 0x78/0xff lookup 120 + 11000: from 2001:470:1f04:262::1/64 lookup 110 + 11001: from 2001:470:c:316::1/64 lookup 120 + 20000: from 2001:470:8388::1 lookup 110 <=========== + 20000: from 2001:470:f032::1 lookup 120 <=========== + 32766: from all lookup main -4.4.24 - -1) This release includes all problem corrections from releases - 4.4.23.1-4.4.23.3. - -2) The 'fallback' option without =<weight> previously produced invalid - 'ip' commands. +7) In some contexts, IPv6 addresses of the form ::i.j.k.l were + incorrectly classified as invalid by the configuration compiler. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -40,49 +102,128 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Stateless NAT is now available in Shorewall6. See - shorewall6-netmap(5) for details. Beta 2 added the ability to use - exclusion in the NET1 column. +1) The original static blacklisting implementation was + interface-oriented and only handled blacklisting by source + address. In Shorewall 4.4.12, the ability to blacklist by + destination address was added and blacklisting could be specified + as a ZONE option. This change, plus additional changes in + subsequent releases has lead to an implementation that is complex + and hard to extend. + + In this release, a new static blacklisting facility has been + implemented. This facility is separate from the legacy facility, so + existing configurations will continue to work without change. + + A BLACKLIST section has been added to the rules file. This section + is now the first section, having been added ahead of the ALL + section. The set of packets that are subject to blacklisting is + still governed by the setting of BLACKLISTNEWONLY in + shorewall.conf. The settings of BLACKLIST_LOGLEVEL and + BLACKLIST_DISPOSITION are not relevant to the new implementation. + Most of the actions available in other sections of the rules file + are available in the BLACKLIST section and logging is specified on + a rule-by-rule basis in the normal way. + + In addition to the other actions available, a WHITELIST action has + been added which exempts matching packets from being passed to the + remaining rules in the section. + + Each "zone2zone" chain (e.g., net2fw) that has blacklist rules has + a companion blacklisting chain. The name of the blacklisting chain + is formed by appending "~" to the zone2zone chain. For example, + 'net2fw' blacklist rules appear in the chain net2fw~. + + There is a likelihood that multiple blacklisting chains will have + exactly the same rules. 
This is especially true when 'all' is used + as the zone name in the SOURCE and/or DEST columns. When + optimization level 8 is used, these identical chains are combined + into a single chain with the name ~blacklistN, where N is a number + (possibly with multiple digits). + + The 'nosurfs' and 'tcpflags' interface options generate rules that + will be traversed prior to those in the BLACKLIST section. If you + want similar rules to be travered on packets that were not dropped + or rejected in the BLACKLIST chain, you can use the new + 'DropSmurfs' and/or 'TCPFlags' standard actions. + + The DropSmurfs action has a single parameter whose default value + is '-'. The action silently drops smurfs without auditing. If you + want to audit these drops, use DropSmurfs(audit). Logging can be + specified in the normal way (e.g., DropSmurfs:info). + + The TCPFlags action has two parameters whose default values are + DROP and -. The first action determines what is to be done with + matching packets and can have the values DROP, REJECT or ACCEPT. If + you want the action to be audited, pass 'audit' in the second + parameter. + + Example: TCPFlags(REJECT,audit) + + Again, logging is specified in the normal way. + + The 'maclist' interface option can also generate rules that are + traversed prior to those in the BLACKLIST section. If you want them + to come after the the blacklist rules, simply recode your maclist + rules in the NEW section of the rules file. The 'macipmap' ipset + type is ideally suited for this task. + + Example: assumes the ipset name is macipmap and that the + zone to be verified is named wlan + + /etc/shorewall/rules: + + SECTION NEW + DROP:info wlan:!+macipmap all + +2) '6in4' has been added as a synonum for '6to4' in the TYPE column of + the tunnels file. + +3) The handling of IN_BANDWIDTH in both /etc/shorewall/tcdevices and + /etc/shorewall/tcinterfaces has been changed. 
Previously: + + a) Simple rate/burst policing was applied using the value(s) + supplied. + + b) IPv4 and IPv6 were policed separately. + + Beginning with this release, you have the option of configuring a + rate estimated policing filter. This type of filter is discussed at + http://ace-host.stuart.id.au/russell/files/tc/doc/extimators.txt. + + You specify an estimeting filter by preceding the IN-BANDWIDTH with + a tilde ('~'). + + Example: ~40mbit + + This example limits incoming traffic to an *average* rate of 40mbit. + + There are two other other parameters that can be specified, in + addition to the average rate - <interval> and + <decay_interval>. There is an excellent description of these + parameters in the document referenced above. + + Example: ~40mbit:1sec:8sec + + In that example, the <interval> is 1 second and the + <decay_interval> is 8 seconds. If not given, the default values are + 250ms and 4 seconds. Both parameters must be supplied if either is + supplied. + + Also in this release, the policing of IPv4 and IPv6 has been + combined so a single filter is applied to all traffic on a + configured interface. + +4) Shorewall6 now supports the 'balance' and 'fallback' provider + options. These options are restricted to one interface per + configuration for each option. -2) /sbin/shorewall6 now supports the 'show rawpost' command. - -3) This release includes support for 'Condition Match' which is - included in xtables-addons. Condition match allows rules to be - predicated on the setting of a named switch in - /proc/net/nf_condition/. +5) The scripts generated by Shorewall6 now support the 'enable' and + 'disable' commands. - See - http://www.shorewall.net/configuration_file_basics.htm#Switches - for details. - -4) With the preceding change, the rules file now has 14 columns. That - makes it awkward to specify the last column as you have to insert - the correct number of '-' to get the right column. 
- - To make that easier, Shorewall now allows you to specify columns - using several (column-name,value) formats. See - http://www.shorewall.net/configuration_file_basics.htm#Pairs for +6) A 'MARK' column has been added to the route_rules file. See + shorewall-route_rules (5) and shorewall6-route_rules (5) for details. -5) The generated script will now use the iptables/ip6tables -S command - if available. - -6) The implementation of USE_DEFAULT_RT=Yes has been changed - significantly. These changes include: - - a) A new BALANCE routing table with number 250 has been added. - b) Routes to providers with the 'balance' option are added to the - BALANCE table rather than the default table. - c) This allows 'fallback' to work with USE_DEFAULT_RT. - d) For optional interfaces, the 'fallback' option without a value - now works the same as if 'fallback=1' had been specified. - - This change also corrected several problems with 'fallback' and - enable/disable. - -7) Support has been added for TTL manipulation (HL in Shorewall6). - See shorewall-tcrules(5) or shorewall6-tcrules(5) for details. - ---------------------------------------------------------------------------- I V. R E L E A S E 4 . 4 H I G H L I G H T S ---------------------------------------------------------------------------- 
@@ -318,7 +459,63 @@ ---------------------------------------------------------------------------- V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S I N P R I O R R E L E A S E S ------------------------------------------------------------------------------- +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 4 . 2 4 +---------------------------------------------------------------------------- + +1) Includes all problem corrections from versions 4.4.23.1 - 4.4.23.3. + +2) The 'fallback' option without =<weight> previously produced invalid + 'ip' commands. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 4 . 2 4 +---------------------------------------------------------------------------- + +1) Stateless NAT is now available in Shorewall6. See + shorewall6-netmap(5) for details. Beta 2 added the ability to use + exclusion in the NET1 column. + +2) /sbin/shorewall6 now supports the 'show rawpost' command. + +3) This release includes support for 'Condition Match' which is + included in xtables-addons. Condition match allows rules to be + predicated on the setting of a named switch in + /proc/net/nf_condition/. + + See + http://www.shorewall.net/configuration_file_basics.htm#Switches + for details. + +4) With the preceding change, the rules file now has 14 columns. That + makes it awkward to specify the last column as you have to insert + the correct number of '-' to get the right column. + + To make that easier, Shorewall now allows you to specify columns + using several (column-name,value) formats. See + http://www.shorewall.net/configuration_file_basics.htm#Pairs for + details. + +5) The generated script will now use the iptables/ip6tables -S command + if available. + +6) The implementation of USE_DEFAULT_RT=Yes has been changed + significantly. 
These changes include: + + a) A new BALANCE routing table with number 250 has been added. + b) Routes to providers with the 'balance' option are added to the + BALANCE table rather than the default table. + c) This allows 'fallback' to work with USE_DEFAULT_RT. + d) For optional interfaces, the 'fallback' option without a value + now works the same as if 'fallback=1' had been specified. + + This change also corrected several problems with 'fallback' and + enable/disable. + +7) Support has been added for TTL manipulation (HL in Shorewall6). + See shorewall-tcrules(5) or shorewall6-tcrules(5) for details. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 4 . 2 3 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.24.1/shorewall-lite.spec new/shorewall-lite-4.4.25.1/shorewall-lite.spec --- old/shorewall-lite-4.4.24.1/shorewall-lite.spec 2011-10-15 15:53:53.000000000 +0200 +++ new/shorewall-lite-4.4.25.1/shorewall-lite.spec 2011-11-01 16:35:31.000000000 +0100 @@ -1,5 +1,5 @@ %define name shorewall-lite -%define version 4.4.24 +%define version 4.4.25 %define release 1 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. 
@@ -103,12 +103,20 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Sun Oct 30 2011 Tom Eastep [email protected] +- Updated to 4.4.25-1 +* Thu Oct 27 2011 Tom Eastep [email protected] +- Updated to 4.4.25-0base +* Sun Oct 23 2011 Tom Eastep [email protected] +- Updated to 4.4.25-0RC1 +* Sat Oct 22 2011 Tom Eastep [email protected] +- Updated to 4.4.25-0Beta4 +* Tue Oct 18 2011 Tom Eastep [email protected] +- Updated to 4.4.25-0Beta3 * Tue Oct 11 2011 Tom Eastep [email protected] -- Updated to 4.4.24-1 -* Sun Oct 09 2011 Tom Eastep [email protected] -- Updated to 4.4.24-0base -* Sun Oct 09 2011 Tom Eastep [email protected] -- Updated to 4.4.24-0RC2 +- Updated to 4.4.25-0Beta2 +* Tue Oct 04 2011 Tom Eastep [email protected] +- Updated to 4.4.25-0Beta1 * Sat Oct 01 2011 Tom Eastep [email protected] - Updated to 4.4.24-0RC1 * Mon Sep 26 2011 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.24.1/uninstall.sh new/shorewall-lite-4.4.25.1/uninstall.sh --- old/shorewall-lite-4.4.24.1/uninstall.sh 2011-10-15 15:53:53.000000000 +0200 +++ new/shorewall-lite-4.4.25.1/uninstall.sh 2011-11-01 16:35:31.000000000 +0100 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.24.1 +VERSION=4.4.25.1 usage() # $1 = exit status { ++++++ shorewall-4.4.24.1.tar.bz2 -> shorewall6-4.4.25.1.tar.bz2 ++++++ ++++ 98282 lines of diff (skipped) ++++++ shorewall-lite-4.4.24.1.tar.bz2 -> shorewall6-lite-4.4.25.1.tar.bz2 ++++++ ++++ 9651 lines of diff (skipped) -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
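Review bot: in the releasenotes.txt hunk `@@ -14,20 +14,82 @@`, items 1) and 2) under 4.4.25.1 describe the same correction twice ('refresh' with no chains or tables now reloads the chains created from the BLACKLIST section of the rules file); collapse them into one item and renumber, otherwise readers will look for a second, distinct fix. In item 4) of the same block, "The IN_BANDWIDTH handling changes in 4.4.25 was incompatible" should read "were incompatible".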
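Review bot: in the releasenotes.txt hunk `@@ -40,49 +102,128 @@`, the paragraph on the new BLACKLIST section should state the operational consequence of "The settings of BLACKLIST_LOGLEVEL and BLACKLIST_DISPOSITION are not relevant to the new implementation": a rule placed in the BLACKLIST section logs nothing unless a log level is given on that rule, so administrators migrating from the legacy facility must add ":info" (or similar) per rule to keep their blacklist drops visible. Likewise, since WHITELIST "exempts matching packets from being passed to the remaining rules in the section", the text should say explicitly that a WHITELIST rule only protects against rules that follow it, so it must be placed ahead of the blacklist rules it is meant to override. The paragraph on TCPFlags says "The first action determines what is to be done"; that should be "The first parameter". Spelling in this hunk: "has lead to" (led), "travered" (traversed), "the the blacklist rules", "synonum" (synonym), "estimeting" (estimating), "two other other parameters", and "IN-BANDWIDTH" where the column is elsewhere written IN_BANDWIDTH; "'nosurfs'" does not match the 'nosmurfs' interface option the DropSmurfs paragraph refers to, and the URL ending in "extimators.txt" looks mistyped and should be checked before release.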
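Review bot: in the releasenotes.txt hunk `@@ -318,7 +459,63 @@`, the separator under "P R I O R R E L E A S E S" is replaced by a shorter dash rule than the one removed, so the section headers no longer line up with the rule above them; keep the separator width consistent with the rest of the file. The 4.4.24 entries moved here are otherwise the same text deleted from the earlier hunks, except that item 1) now reads "4.4.23.1 - 4.4.23.3" with spaces where the original had "4.4.23.1-4.4.23.3"; pick one form.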
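Review bot: in the shorewall-lite.spec hunk `@@ -1,5 +1,5 @@`, `%define version 4.4.25` with `%define release 1` yields an rpm version of 4.4.25-1 while the unpacked directory is shorewall-lite-4.4.25.1 and uninstall.sh checks VERSION=4.4.25.1; a one-line comment in the spec stating that upstream's fourth version component is carried as the rpm release would save the next maintainer from "fixing" one of them.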
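Review bot: in the shorewall-lite.spec `%changelog` hunk `@@ -103,12 +103,20 @@`, the changelog is rewritten rather than extended: the entries "Updated to 4.4.24-1", "Updated to 4.4.24-0base" and "Updated to 4.4.24-0RC2" are deleted, and the retained "* Tue Oct 11 2011" header now sits above "- Updated to 4.4.25-0Beta2" instead of its original "- Updated to 4.4.24-1" line. A changelog should only gain entries; restore the removed 4.4.24 lines beneath the new 4.4.25 ones so the dates and the texts match again.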
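Review bot: the uninstall.sh hunk `@@ -26,7 +26,7 @@` is only the VERSION bump to 4.4.25.1 and agrees with the spec. Note, however, that the tarball summary lines pair old shorewall-4.4.24.1.tar.bz2 with new shorewall6-4.4.25.1.tar.bz2 and shorewall-lite-4.4.24.1.tar.bz2 with shorewall6-lite-4.4.25.1.tar.bz2, so the 98282 and 9651 skipped diff lines compare different packages, not old and new versions of the same one; the shorewall and shorewall-lite 4.4.25.1 tarballs still need a like-for-like comparison before this checkin is accepted.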
