Hello community, here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2013-07-24 23:40:45 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shorewall (Old) and /work/SRC/openSUSE:Factory/.shorewall.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall" Changes: -------- --- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2013-07-02 07:46:03.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes 2013-07-24 23:40:48.000000000 +0200 @@ -1,0 +2,8 @@ +Wed Jul 24 15:00:21 UTC 2013 - [email protected] + +- Update to version 4.5.19 For more details see changelog.txt and + releasenotes.txt + * Previously, the '-q' option did not suppress all output from + certain commands such as 'check'. + +------------------------------------------------------------------- Old: ---- shorewall-4.5.18.tar.bz2 shorewall-core-4.5.18.tar.bz2 shorewall-docs-html-4.5.18.tar.bz2 shorewall-init-4.5.18.tar.bz2 shorewall-lite-4.5.18.tar.bz2 shorewall6-4.5.18.tar.bz2 shorewall6-lite-4.5.18.tar.bz2 New: ---- shorewall-4.5.19.tar.bz2 shorewall-core-4.5.19.tar.bz2 shorewall-docs-html-4.5.19.tar.bz2 shorewall-init-4.5.19.tar.bz2 shorewall-lite-4.5.19.tar.bz2 shorewall6-4.5.19.tar.bz2 shorewall6-lite-4.5.19.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.7ZTY4t/_old 2013-07-24 23:40:49.000000000 +0200 +++ /var/tmp/diff_new_pack.7ZTY4t/_new 2013-07-24 23:40:49.000000000 +0200 
@@ -20,19 +20,19 @@ %define have_systemd 1 Name: shorewall -Version: 4.5.18 +Version: 4.5.19 Release: 0 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems License: GPL-2.0 Group: Productivity/Networking/Security Url: http://www.shorewall.net/ -Source: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.18/%name-%version.tar.bz2 -Source1: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.18/%name-core-%version.tar.bz2 -Source2: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.18/%name-lite-%version.tar.bz2 -Source3: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.18/%name-init-%version.tar.bz2 -Source4: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.18/%{name}6-lite-%version.tar.bz2 -Source5: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.18/%{name}6-%version.tar.bz2 -Source6: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.18/%name-docs-html-%version.tar.bz2 +Source: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.19/%name-%version.tar.bz2 +Source1: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.19/%name-core-%version.tar.bz2 +Source2: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.19/%name-lite-%version.tar.bz2 +Source3: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.19/%name-init-%version.tar.bz2 +Source4: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.19/%{name}6-lite-%version.tar.bz2 +Source5: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.19/%{name}6-%version.tar.bz2 +Source6: http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.19/%name-docs-html-%version.tar.bz2 Source7: %name-4.4.22.rpmlintrc Source8: README.openSUSE # PATCH-FIX-UPSTREAM [email protected] Shorewall-lite init.suse.sh Required Stop ++++++ shorewall-4.5.18.tar.bz2 -> shorewall-4.5.19.tar.bz2 ++++++ ++++ 3614 lines of diff (skipped) ++++++ shorewall-core-4.5.18.tar.bz2 -> shorewall-core-4.5.19.tar.bz2 ++++++ diff -urN '--exclude=CVS' 
'--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.18/changelog.txt new/shorewall-core-4.5.19/changelog.txt --- old/shorewall-core-4.5.18/changelog.txt 2013-06-27 20:30:17.000000000 +0200 +++ new/shorewall-core-4.5.19/changelog.txt 2013-07-24 15:20:19.000000000 +0200 @@ -1,3 +1,43 @@ +Changes in 4.5.19 Final + +1) Update release documents. + +Changes in 4.5.19 RC 1 + +1) Update release documents. + +2) Add AutoBL action. + +3) Add warning to existing automatic blacklisting example. + +Changes in 4.5.19 Beta 3 + +1) Update release documents. + +2) Add 'show event' and 'show events' commands. + +3) Allow Events to be used in IPv6. + +Changes in 4.5.19 Beta 2 + +1) Update release documents. + +2) Allow logging rules with > 15 ports again. + +3) Implement triggers + +Changes in 4.5.19 Beta 1 + +1) Update release documents. + +2) Fix Shorewall-init service file. + +3) Allow -q to suppress 'Compiling...', etc. messages. + +4) Add warning in the Limit action. + +5) Re-implement logging rule generation. + Changes in 4.5.18 Final 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.18/configure new/shorewall-core-4.5.19/configure --- old/shorewall-core-4.5.18/configure 2013-06-27 20:30:17.000000000 +0200 +++ new/shorewall-core-4.5.19/configure 2013-07-24 15:20:19.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.5.18 +VERSION=4.5.19 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.18/configure.pl new/shorewall-core-4.5.19/configure.pl --- old/shorewall-core-4.5.18/configure.pl 2013-06-27 20:30:17.000000000 +0200 +++ new/shorewall-core-4.5.19/configure.pl 2013-07-24 15:20:19.000000000 +0200 
@@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.5.18' + VERSION => '4.5.19' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.18/install.sh new/shorewall-core-4.5.19/install.sh --- old/shorewall-core-4.5.18/install.sh 2013-06-27 20:30:17.000000000 +0200 +++ new/shorewall-core-4.5.19/install.sh 2013-07-24 15:20:19.000000000 +0200 @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.5.18 +VERSION=4.5.19 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.18/lib.cli new/shorewall-core-4.5.19/lib.cli --- old/shorewall-core-4.5.18/lib.cli 2013-06-24 22:07:38.000000000 +0200 +++ new/shorewall-core-4.5.19/lib.cli 2013-07-22 16:54:45.000000000 +0200 
@@ -728,6 +728,104 @@ echo fi } + +show_event() { + local address + local ttl_label + local ttl + local last_seen + local last + local oldest_pkt + local oldest + local intimes + local outtimes1 + local outtimes2 + local time + local count + + while read address ttl_label ttl last_seen last oldest_pkt oldest intimes; do + case $address in + *.*) + [ $g_family -eq 4 ] || continue + ;; + *:*) + [ $g_family -eq 6 ] || continue + ;; + *) + continue + ;; + esac + + outtimes1='' + outtimes2='' + count=0 + last=$((($currenttime - $last)/1000)) + for time in $intimes; do + time=${time%,} + time=$(($currenttime - $time)) + if [ $time -lt 10 ]; then + time="000$time" + elif [ $time -lt 100 ]; then + time="00$time" + elif [ $time -lt 1000 ]; then + time="0$time" + fi + + if [ $count -lt $oldest ]; then + outtimes2="$outtimes2 $time" + else + outtimes1="$outtimes1 $time" + fi + + count=$(($count + 1)) + done + + outtimes1="${outtimes1}${outtimes2}" + + [ -n "$outtimes1" ] && outtimes1=$(echo "$outtimes1 " | sed -r 's/([[:digit:]]{3}) /\.\1, /g') && outtimes1=${outtimes1%, } + + echo " $address : ${outtimes1}" + done < /proc/net/xt_recent/$1 +} + +show_events() { + local file + local base + local currenttime + + if [ -f /proc/net/xt_recent/%CURRENTTIME ]; then + echo -127.0.0.1 > /proc/net/xt_recent/%CURRENTTIME + echo +127.0.0.1 > /proc/net/xt_recent/%CURRENTTIME + currenttime=$(cat /proc/net/xt_recent/%CURRENTTIME | cut -d ' ' -f 5 -) + # echo Current time: $currenttime + # echo + else + currenttime=0 + fi + + if [ $# -gt 0 ]; then + for event in $@ ; do + if [ -f /proc/net/xt_recent/$event ]; then + echo $event: + show_event $event + echo + else + error_message "WARNING: Event $event not found" + fi + done + else + for file in /proc/net/xt_recent/*; do + base=$(basename $file) + + if [ $base != %CURRENTTIME ]; then + echo $base + show_event $base + echo + fi + done + fi +} + # # Show Command Executor # 
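Review bot: the `else` branch of `show_events` has no guard for an empty `/proc/net/xt_recent/` (recent match not loaded, or no events compiled in): the unmatched glob is passed through literally, `basename` yields `*`, and because `$base` is unquoted in `[ $base != %CURRENTTIME ]` that `*` is re-expanded against the current directory before `show_event` tries to read a file that does not exist. Since `show_events` is also called unconditionally from `dump` (hunk at 1360 below), add `[ -f "$file" ] || continue` at the top of the loop and quote `"$base"`. In `show_event`, when `%CURRENTTIME` is absent `currenttime` is 0, so every `$(($currenttime - $time))` is negative and the zero-padding branches emit strings like `000-12345` that the sed then mangles; print the raw stamps in that case instead of subtracting. Smaller points: `last` is computed with a `/1000` but never printed, and that divisor together with the three-digit decimal split in the sed assumes the recent-match timestamps tick in milliseconds, which deserves a comment; `for event in $@` uses an undeclared `event` (the other loop variables are `local`) and should read `"$@"`; and it would help to document that a `show` command now writes `-127.0.0.1`/`+127.0.0.1` into the `%CURRENTTIME` list as a side effect.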
@@ -1066,6 +1164,19 @@ error_message "Cannot locate the arptables executable" fi ;; + event) + [ $# -gt 1 ] || usage 1 + echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)" + echo + shift + show_events $@ + ;; + events) + [ $# -gt 1 ] && usage 1 + echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)" + echo + show_events + ;; *) case "$g_program" in *-lite) @@ -1360,6 +1471,9 @@ heading "NF Accounting" show_nfacct + heading "Events" + show_events + if qt mywhich setkey; then heading "PFKEY SPD" setkey -DP @@ -2597,7 +2711,7 @@ report_capability "TPROXY Target (TPROXY_TARGET)" $TPROXY_TARGET report_capability "FLOW Classifier (FLOW_FILTER)" $FLOW_FILTER report_capability "fwmark route mask (FWMARK_RT_MASK)" $FWMARK_RT_MASK - report_capability "Mark in any table (MARK_ANYWHERE)" $MARK_ANYWHERE + report_capability "Mark in the filter table (MARK_ANYWHERE)" $MARK_ANYWHERE report_capability "Header Match (HEADER_MATCH)" $HEADER_MATCH report_capability "ACCOUNT Target (ACCOUNT_TARGET)" $ACCOUNT_TARGET report_capability "AUDIT Target (AUDIT_TARGET)" $AUDIT_TARGET @@ -3306,6 +3420,8 @@ echo " show classifiers" echo " show config" echo " show connections" + echo " show event [ <event> ...]" + echo " show events" echo " show filters" echo " show ip" @@ -3369,6 +3485,7 @@ g_haveconfig= g_conditional= g_file= + g_doing="Compiling" VERBOSE= VERBOSITY=1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.18/releasenotes.txt new/shorewall-core-4.5.19/releasenotes.txt --- old/shorewall-core-4.5.18/releasenotes.txt 2013-06-27 20:30:17.000000000 +0200 +++ new/shorewall-core-4.5.19/releasenotes.txt 2013-07-24 15:20:19.000000000 +0200 
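Review bot: in the hunk at 2597 the capability description changes from "Mark in any table" to "Mark in the filter table" while the variable stays `MARK_ANYWHERE`, so the name and the label now disagree, and neither changelog.txt nor releasenotes.txt in this diff mentions the narrowed meaning. Either add a changelog entry explaining why the capability is now only about the filter table, or keep the old wording if the detection itself did not change.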
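Review bot: the help text added in the hunk at 3306, `show event [ <event> ...]`, presents the event list as optional, but the `event)` handler in the hunk at 1066 exits with `usage 1` unless at least one event is given (`[ $# -gt 1 ] || usage 1`), and the release notes in this same diff document it as `show event <event> ...`. Change the help line to `show event <event> [ <event> ...]` so it matches both; while there, `show_events $@` in the handler should be `show_events "$@"`.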
@@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 5 . 1 8 + S H O R E W A L L 4 . 5 . 1 9 ------------------------------------ - J u n e 2 8 , 2 0 1 3 + J u l y 2 4 , 2 0 1 3 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE @@ -15,30 +15,11 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) This release includes all defect repair from Shorewall 4.5.17.1. - -2) The following warning message could be emitted inappropriately when - running shorewall 4.5.17. - - The rule(s) generated by this entry are unreachable and have been - discarded - - These warnings, which were disabled in Shorewall 4.5.17.1, are now - only emitted where appropriate. The message has also been reworded - to: - - One or more unreachable rules in chain <name> have been discarded - - The message is issued a maximum of once per Netfilter chain. +1) The shorewall-init.service file previously specified an incorrect + path name for the shorewall-init utility -3) A problem that could cause the 'trace' compiler option to produce - false error messages or to produce an altered generated firewall - script has been corrected. - -4) If the 'Owner Name Match' capability was not available, the - following error message would previously appear during compilation: - - iptables: No chain/target/match by that name. +2) Previously, the '-q' option did not suppress all output from + certain commands such as 'check'. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -51,56 +32,49 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) 'NONE' policies are now instantiated between 'local' zone and zones - other than the firewall. Similarly, 'NONE' policies are - instantiated between 'loopback' zones and zones other than $FW - and other 'loopback' zones. +1) The 'Limit' action now produces a warning message stating that it + is deprecated in favor of per-IP limiting using the RATE LIMIT + column. - This provides a cleaner implementation than the one provided in - Shorewall 4.5.17, and one that should be easier to maintain going - forward. +2) Generation of logging rules has been largely re-written to directly + create rules in the compiler's internal representation. + Previously, such rules were created in iptables format then + translated into the internal form. -2) James Shubin has contributed a Kerberos macro. +3) A form of 'events' or 'triggers' is now available. Events are + implemented using the ip[6]tables 'recent' match so they are + actually lists of IP addresses with associated timestamps and + packet counts. They may be tested in a number of ways: -3) A new 'unmanaged' interface option has been added. This option may - be used to define interfaces that allow all traffic to/from the - firewall but that's all. They are not accessible from hosts on - other interfaces nor can traffic from an unmanaged interface be - forwarded to hosts on other interfaces. + - Any matching packets to/from an address ever? + - Any matching packets to/from an address in the last N seconds? + - M or more matching packets to/from an address? + - M or more matching packets to/from an address in the last N + seconds? - The following interface options are mutually-exclusive with - 'unmanaged': + See http://www.shorewall.net/Events.html for details and usage + examples. 
- - blacklist - - bridge - - destonly - - detectnets - - dhcp - - maclist - - nets - - norfc1918 - - nosmurfs - - optional - - routeback - - rpfilter - - sfilter - - tcpflags - - upnp - - upnpclient +4) As part of adding event support, the CLI programs now support + two new variants of the 'show' command. - Unmanaged interfaces may not be associated with a zone in either - the interfaces or hosts files. + show events - The 'lo' interface may not be unmanaged when there are vserver - zones defined. + Displays the contents of all events. -4) The value (0 or 1) for the 'routeback' interface option may now - be specified (e.g., 'routeback=0'). This allows overriding the - Shorewall default setting for bridge devices which is - 'routeback=1'. + show event <event> ... -5) The ?SHELL, ?PERL, ?BEGIN SHELL, ?END SHELL, ?BEGIN PERL and ?END - PERL directives are now case-insensitive. + Displays the contents of the listed events. + + Note that a given event can be used for both IPv4 and IPv6. So + /sbin/shorewall and /sbin/shorewall-lite will show entries that are + different from /sbin/shorewall6 and /sbin/shorewall6-lite. + +5) Using the event mechanism described above, Shorewall now supports a + form of automatic blacklisting when the number of connection + attempts in a given period of time is exceeded. + + See http://www.shorewall.net/Events.html for details. ---------------------------------------------------------------------------- V. M I G R A T I O N I S S U E S 
@@ -305,9 +279,110 @@ ---------------------------------------------------------------------------- V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 5 . 1 8 +---------------------------------------------------------------------------- + +1) This release includes all defect repair from Shorewall 4.5.17.1. + +2) The following warning message could be emitted inappropriately when + running shorewall 4.5.17. + + The rule(s) generated by this entry are unreachable and have been + discarded + + These warnings, which were disabled in Shorewall 4.5.17.1, are now + only emitted where appropriate. The message has also been reworded + to: + + One or more unreachable rules in chain <name> have been discarded + + The message is issued a maximum of once per Netfilter chain. + +3) A problem that could cause the 'trace' compiler option to produce + false error messages or to produce an altered generated firewall + script has been corrected. + +4) If the 'Owner Name Match' capability was not available, the + following error message would previously appear during compilation: + + iptables: No chain/target/match by that name. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 5 . 1 8 +---------------------------------------------------------------------------- + +1) 'NONE' policies are now instantiated between 'local' zone and zones + other than the firewall. Similarly, 'NONE' policies are + instantiated between 'loopback' zones and zones other than $FW + and other 'loopback' zones. + + This provides a cleaner implementation than the one provided in + Shorewall 4.5.17, and one that should be easier to maintain going + forward. + +2) James Shubin has contributed a Kerberos macro. + +3) A new 'unmanaged' interface option has been added. 
This option may + be used to define interfaces that allow all traffic to/from the + firewall but that's all. They are not accessible from hosts on + other interfaces nor can traffic from an unmanaged interface be + forwarded to hosts on other interfaces. + + The following interface options are mutually-exclusive with + 'unmanaged': + + - blacklist + - bridge + - destonly + - detectnets + - dhcp + - maclist + - nets + - norfc1918 + - nosmurfs + - optional + - routeback + - rpfilter + - sfilter + - tcpflags + - upnp + - upnpclient + + Unmanaged interfaces may not be associated with a zone in either + the interfaces or hosts files. + + The 'lo' interface may not be unmanaged when there are vserver + zones defined. + +4) The value (0 or 1) for the 'routeback' interface option may now + be specified (e.g., 'routeback=0'). This allows overriding the + Shorewall default setting for bridge devices which is + 'routeback=1'. + +5) The ?SHELL, ?PERL, ?BEGIN SHELL, ?END SHELL, ?BEGIN PERL and ?END + PERL directives are now case-insensitive. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 5 . 1 7 ---------------------------------------------------------------------------- +4.5.17.1 + +1) The following warning message may be emitted inappropriately when + running shorewall 4.5.17. The message is no longer issued. + + The rule(s) generated by this entry are unreachable and have been + discarded + +2) Rules intended to increment nfacct objects would previously be + optimized away when they immediately preceded an unconditional jump + to the same target. Such rules are now retained. + +3) A bug in the optimizer in 4.5.17 can cause 'set' and 'geoip' + matches to be dropped. That has been corrected. + +4.5.17 + 1) When INLINE was used in the tcrules file and no target ('-j' part) is included in the free-form part of the rule, an invalid iptables rule was generated. 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.18/shorewall-core.spec new/shorewall-core-4.5.19/shorewall-core.spec --- old/shorewall-core-4.5.18/shorewall-core.spec 2013-06-27 20:30:17.000000000 +0200 +++ new/shorewall-core-4.5.19/shorewall-core.spec 2013-07-24 15:20:19.000000000 +0200 @@ -1,5 +1,5 @@ %define name shorewall-core -%define version 4.5.18 +%define version 4.5.19 %define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. @@ -62,6 +62,16 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt %changelog +* Sun Jul 21 2013 Tom Eastep [email protected] +- Updated to 4.5.19-0base +* Mon Jul 15 2013 Tom Eastep [email protected] +- Updated to 4.5.19-0RC1 +* Thu Jul 11 2013 Tom Eastep [email protected] +- Updated to 4.5.19-0Beta3 +* Mon Jul 08 2013 Tom Eastep [email protected] +- Updated to 4.5.19-0Beta2 +* Mon Jul 01 2013 Tom Eastep [email protected] +- Updated to 4.5.19-0Beta1 * Thu Jun 27 2013 Tom Eastep [email protected] - Updated to 4.5.18-0base * Mon Jun 24 2013 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.5.18/uninstall.sh new/shorewall-core-4.5.19/uninstall.sh --- old/shorewall-core-4.5.18/uninstall.sh 2013-06-27 20:30:17.000000000 +0200 +++ new/shorewall-core-4.5.19/uninstall.sh 2013-07-24 15:20:19.000000000 +0200 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.5.18 +VERSION=4.5.19 usage() # $1 = exit status { ++++++ shorewall-docs-html-4.5.18.tar.bz2 -> shorewall-docs-html-4.5.19.tar.bz2 ++++++ ++++ 7889 lines of diff (skipped) ++++++ shorewall-init-4.5.18.tar.bz2 -> shorewall-init-4.5.19.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.18/changelog.txt new/shorewall-init-4.5.19/changelog.txt --- old/shorewall-init-4.5.18/changelog.txt 2013-06-27 20:30:18.000000000 +0200 +++ new/shorewall-init-4.5.19/changelog.txt 2013-07-24 15:20:20.000000000 +0200 @@ -1,3 +1,43 @@ +Changes in 4.5.19 Final + +1) Update release documents. + +Changes in 4.5.19 RC 1 + +1) Update release documents. + +2) Add AutoBL action. + +3) Add warning to existing automatic blacklisting example. + +Changes in 4.5.19 Beta 3 + +1) Update release documents. + +2) Add 'show event' and 'show events' commands. + +3) Allow Events to be used in IPv6. + +Changes in 4.5.19 Beta 2 + +1) Update release documents. + +2) Allow logging rules with > 15 ports again. + +3) Implement triggers + +Changes in 4.5.19 Beta 1 + +1) Update release documents. + +2) Fix Shorewall-init service file. + +3) Allow -q to suppress 'Compiling...', etc. messages. + +4) Add warning in the Limit action. + +5) Re-implement logging rule generation. + Changes in 4.5.18 Final 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.18/configure new/shorewall-init-4.5.19/configure --- old/shorewall-init-4.5.18/configure 2013-06-27 20:30:18.000000000 +0200 +++ new/shorewall-init-4.5.19/configure 2013-07-24 15:20:20.000000000 +0200 
@@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.5.18 +VERSION=4.5.19 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.18/configure.pl new/shorewall-init-4.5.19/configure.pl --- old/shorewall-init-4.5.18/configure.pl 2013-06-27 20:30:18.000000000 +0200 +++ new/shorewall-init-4.5.19/configure.pl 2013-07-24 15:20:20.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.5.18' + VERSION => '4.5.19' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.18/install.sh new/shorewall-init-4.5.19/install.sh --- old/shorewall-init-4.5.18/install.sh 2013-06-27 20:30:18.000000000 +0200 +++ new/shorewall-init-4.5.19/install.sh 2013-07-24 15:20:20.000000000 +0200 @@ -23,7 +23,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.5.18 +VERSION=4.5.19 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.18/releasenotes.txt new/shorewall-init-4.5.19/releasenotes.txt --- old/shorewall-init-4.5.18/releasenotes.txt 2013-06-27 20:30:18.000000000 +0200 +++ new/shorewall-init-4.5.19/releasenotes.txt 2013-07-24 15:20:20.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 5 . 1 8 + S H O R E W A L L 4 . 5 . 1 9 ------------------------------------ - J u n e 2 8 , 2 0 1 3 + J u l y 2 4 , 2 0 1 3 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -15,30 +15,11 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) This release includes all defect repair from Shorewall 4.5.17.1. - -2) The following warning message could be emitted inappropriately when - running shorewall 4.5.17. - - The rule(s) generated by this entry are unreachable and have been - discarded - - These warnings, which were disabled in Shorewall 4.5.17.1, are now - only emitted where appropriate. The message has also been reworded - to: - - One or more unreachable rules in chain <name> have been discarded - - The message is issued a maximum of once per Netfilter chain. +1) The shorewall-init.service file previously specified an incorrect + path name for the shorewall-init utility -3) A problem that could cause the 'trace' compiler option to produce - false error messages or to produce an altered generated firewall - script has been corrected. - -4) If the 'Owner Name Match' capability was not available, the - following error message would previously appear during compilation: - - iptables: No chain/target/match by that name. +2) Previously, the '-q' option did not suppress all output from + certain commands such as 'check'. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -51,56 +32,49 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) 'NONE' policies are now instantiated between 'local' zone and zones - other than the firewall. Similarly, 'NONE' policies are - instantiated between 'loopback' zones and zones other than $FW - and other 'loopback' zones. +1) The 'Limit' action now produces a warning message stating that it + is deprecated in favor of per-IP limiting using the RATE LIMIT + column. - This provides a cleaner implementation than the one provided in - Shorewall 4.5.17, and one that should be easier to maintain going - forward. +2) Generation of logging rules has been largely re-written to directly + create rules in the compiler's internal representation. + Previously, such rules were created in iptables format then + translated into the internal form. -2) James Shubin has contributed a Kerberos macro. +3) A form of 'events' or 'triggers' is now available. Events are + implemented using the ip[6]tables 'recent' match so they are + actually lists of IP addresses with associated timestamps and + packet counts. They may be tested in a number of ways: -3) A new 'unmanaged' interface option has been added. This option may - be used to define interfaces that allow all traffic to/from the - firewall but that's all. They are not accessible from hosts on - other interfaces nor can traffic from an unmanaged interface be - forwarded to hosts on other interfaces. + - Any matching packets to/from an address ever? + - Any matching packets to/from an address in the last N seconds? + - M or more matching packets to/from an address? + - M or more matching packets to/from an address in the last N + seconds? - The following interface options are mutually-exclusive with - 'unmanaged': + See http://www.shorewall.net/Events.html for details and usage + examples. 
- - blacklist - - bridge - - destonly - - detectnets - - dhcp - - maclist - - nets - - norfc1918 - - nosmurfs - - optional - - routeback - - rpfilter - - sfilter - - tcpflags - - upnp - - upnpclient +4) As part of adding event support, the CLI programs now support + two new variants of the 'show' command. - Unmanaged interfaces may not be associated with a zone in either - the interfaces or hosts files. + show events - The 'lo' interface may not be unmanaged when there are vserver - zones defined. + Displays the contents of all events. -4) The value (0 or 1) for the 'routeback' interface option may now - be specified (e.g., 'routeback=0'). This allows overriding the - Shorewall default setting for bridge devices which is - 'routeback=1'. + show event <event> ... -5) The ?SHELL, ?PERL, ?BEGIN SHELL, ?END SHELL, ?BEGIN PERL and ?END - PERL directives are now case-insensitive. + Displays the contents of the listed events. + + Note that a given event can be used for both IPv4 and IPv6. So + /sbin/shorewall and /sbin/shorewall-lite will show entries that are + different from /sbin/shorewall6 and /sbin/shorewall6-lite. + +5) Using the event mechanism described above, Shorewall now supports a + form of automatic blacklisting when the number of connection + attempts in a given period of time is exceeded. + + See http://www.shorewall.net/Events.html for details. ---------------------------------------------------------------------------- V. M I G R A T I O N I S S U E S 
@@ -305,9 +279,110 @@ ---------------------------------------------------------------------------- V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 5 . 1 8 +---------------------------------------------------------------------------- + +1) This release includes all defect repair from Shorewall 4.5.17.1. + +2) The following warning message could be emitted inappropriately when + running shorewall 4.5.17. + + The rule(s) generated by this entry are unreachable and have been + discarded + + These warnings, which were disabled in Shorewall 4.5.17.1, are now + only emitted where appropriate. The message has also been reworded + to: + + One or more unreachable rules in chain <name> have been discarded + + The message is issued a maximum of once per Netfilter chain. + +3) A problem that could cause the 'trace' compiler option to produce + false error messages or to produce an altered generated firewall + script has been corrected. + +4) If the 'Owner Name Match' capability was not available, the + following error message would previously appear during compilation: + + iptables: No chain/target/match by that name. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 5 . 1 8 +---------------------------------------------------------------------------- + +1) 'NONE' policies are now instantiated between 'local' zone and zones + other than the firewall. Similarly, 'NONE' policies are + instantiated between 'loopback' zones and zones other than $FW + and other 'loopback' zones. + + This provides a cleaner implementation than the one provided in + Shorewall 4.5.17, and one that should be easier to maintain going + forward. + +2) James Shubin has contributed a Kerberos macro. + +3) A new 'unmanaged' interface option has been added. 
This option may + be used to define interfaces that allow all traffic to/from the + firewall but that's all. They are not accessible from hosts on + other interfaces nor can traffic from an unmanaged interface be + forwarded to hosts on other interfaces. + + The following interface options are mutually-exclusive with + 'unmanaged': + + - blacklist + - bridge + - destonly + - detectnets + - dhcp + - maclist + - nets + - norfc1918 + - nosmurfs + - optional + - routeback + - rpfilter + - sfilter + - tcpflags + - upnp + - upnpclient + + Unmanaged interfaces may not be associated with a zone in either + the interfaces or hosts files. + + The 'lo' interface may not be unmanaged when there are vserver + zones defined. + +4) The value (0 or 1) for the 'routeback' interface option may now + be specified (e.g., 'routeback=0'). This allows overriding the + Shorewall default setting for bridge devices which is + 'routeback=1'. + +5) The ?SHELL, ?PERL, ?BEGIN SHELL, ?END SHELL, ?BEGIN PERL and ?END + PERL directives are now case-insensitive. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 5 . 1 7 ---------------------------------------------------------------------------- +4.5.17.1 + +1) The following warning message may be emitted inappropriately when + running shorewall 4.5.17. The message is no longer issued. + + The rule(s) generated by this entry are unreachable and have been + discarded + +2) Rules intended to increment nfacct objects would previously be + optimized away when they immediately preceded an unconditional jump + to the same target. Such rules are now retained. + +3) A bug in the optimizer in 4.5.17 can cause 'set' and 'geoip' + matches to be dropped. That has been corrected. + +4.5.17 + 1) When INLINE was used in the tcrules file and no target ('-j' part) is included in the free-form part of the rule, an invalid iptables rule was generated. 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.18/shorewall-init.spec new/shorewall-init-4.5.19/shorewall-init.spec --- old/shorewall-init-4.5.18/shorewall-init.spec 2013-06-27 20:30:18.000000000 +0200 +++ new/shorewall-init-4.5.19/shorewall-init.spec 2013-07-24 15:20:20.000000000 +0200 @@ -1,5 +1,5 @@ %define name shorewall-init -%define version 4.5.18 +%define version 4.5.19 %define release 0base Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). @@ -125,6 +125,16 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Sun Jul 21 2013 Tom Eastep [email protected] +- Updated to 4.5.19-0base +* Mon Jul 15 2013 Tom Eastep [email protected] +- Updated to 4.5.19-0RC1 +* Thu Jul 11 2013 Tom Eastep [email protected] +- Updated to 4.5.19-0Beta3 +* Mon Jul 08 2013 Tom Eastep [email protected] +- Updated to 4.5.19-0Beta2 +* Mon Jul 01 2013 Tom Eastep [email protected] +- Updated to 4.5.19-0Beta1 * Thu Jun 27 2013 Tom Eastep [email protected] - Updated to 4.5.18-0base * Mon Jun 24 2013 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.5.18/uninstall.sh new/shorewall-init-4.5.19/uninstall.sh --- old/shorewall-init-4.5.18/uninstall.sh 2013-06-27 20:30:18.000000000 +0200 +++ new/shorewall-init-4.5.19/uninstall.sh 2013-07-24 15:20:20.000000000 +0200 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.5.18 +VERSION=4.5.19 usage() # $1 = exit status { ++++++ shorewall-lite-4.5.18.tar.bz2 -> shorewall-lite-4.5.19.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.18/changelog.txt new/shorewall-lite-4.5.19/changelog.txt --- old/shorewall-lite-4.5.18/changelog.txt 2013-06-27 20:30:18.000000000 +0200 +++ new/shorewall-lite-4.5.19/changelog.txt 2013-07-24 15:20:20.000000000 +0200 @@ -1,3 +1,43 @@ +Changes in 4.5.19 Final + +1) Update release documents. + +Changes in 4.5.19 RC 1 + +1) Update release documents. + +2) Add AutoBL action. + +3) Add warning to existing automatic blacklisting example. + +Changes in 4.5.19 Beta 3 + +1) Update release documents. + +2) Add 'show event' and 'show events' commands. + +3) Allow Events to be used in IPv6. + +Changes in 4.5.19 Beta 2 + +1) Update release documents. + +2) Allow logging rules with > 15 ports again. + +3) Implement triggers + +Changes in 4.5.19 Beta 1 + +1) Update release documents. + +2) Fix Shorewall-init service file. + +3) Allow -q to suppress 'Compiling...', etc. messages. + +4) Add warning in the Limit action. + +5) Re-implement logging rule generation. + Changes in 4.5.18 Final 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.18/configure new/shorewall-lite-4.5.19/configure --- old/shorewall-lite-4.5.18/configure 2013-06-27 20:30:18.000000000 +0200 +++ new/shorewall-lite-4.5.19/configure 2013-07-24 15:20:20.000000000 +0200 
@@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.5.18 +VERSION=4.5.19 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.18/configure.pl new/shorewall-lite-4.5.19/configure.pl --- old/shorewall-lite-4.5.18/configure.pl 2013-06-27 20:30:18.000000000 +0200 +++ new/shorewall-lite-4.5.19/configure.pl 2013-07-24 15:20:20.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.5.18' + VERSION => '4.5.19' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.18/install.sh new/shorewall-lite-4.5.19/install.sh --- old/shorewall-lite-4.5.18/install.sh 2013-06-27 20:30:18.000000000 +0200 +++ new/shorewall-lite-4.5.19/install.sh 2013-07-24 15:20:20.000000000 +0200 @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.5.18 +VERSION=4.5.19 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.18/manpages/shorewall-lite-vardir.5 new/shorewall-lite-4.5.19/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-4.5.18/manpages/shorewall-lite-vardir.5 2013-06-27 20:36:11.000000000 +0200 +++ new/shorewall-lite-4.5.19/manpages/shorewall-lite-vardir.5 2013-07-24 15:23:30.000000000 +0200 
@@ -1,13 +1,13 @@ '\" t .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] -.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/> -.\" Date: 06/27/2013 +.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> +.\" Date: 07/24/2013 .\" Manual: [FIXME: manual] .\" Source: [FIXME: source] .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "06/27/2013" "[FIXME: source]" "[FIXME: manual]" +.TH "SHOREWALL\-LITE\-VAR" "5" "07/24/2013" "[FIXME: source]" "[FIXME: manual]" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.18/manpages/shorewall-lite.8 new/shorewall-lite-4.5.19/manpages/shorewall-lite.8 --- old/shorewall-lite-4.5.18/manpages/shorewall-lite.8 2013-06-27 20:36:13.000000000 +0200 +++ new/shorewall-lite-4.5.19/manpages/shorewall-lite.8 2013-07-24 15:23:31.000000000 +0200 @@ -1,13 +1,13 @@ '\" t .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] -.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/> -.\" Date: 06/27/2013 +.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> +.\" Date: 07/24/2013 .\" Manual: [FIXME: manual] .\" Source: [FIXME: source] .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "06/27/2013" "[FIXME: source]" "[FIXME: manual]" +.TH "SHOREWALL\-LITE" "8" "07/24/2013" "[FIXME: source]" "[FIXME: manual]" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- 
@@ -81,7 +81,9 @@ .HP \w'\fBshorewall\-lite\fR\ 'u \fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBshow\fR [\fB\-f\fR] \fBcapabilities\fR .HP \w'\fBshorewall\-lite\fR\ 'u -\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBshow\fR {\fBclassifiers|connections|config|filters|ip|ipa|zones|policies|marks\fR} +\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBshow\fR {\fBclassifiers|connections|config|events|filters|ip|ipa|zones|policies|marks\fR} +.HP \w'\fBshorewall\-lite\fR\ 'u +\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBshow\fR \fBevent\fR\ \fIevent\fR .HP \w'\fBshorewall\-lite\fR\ 'u \fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBshow\fR [\fB\-x\fR] {\fBmangle|nat|routing|raw|rawpost\fR} .HP \w'\fBshorewall\-lite\fR\ 'u @@ -442,6 +444,16 @@ Displays the IP connections currently being tracked by the firewall\&. .RE .PP +\fBevent\fR\fI event\fR +.RS 4 +Added in Shorewall 4\&.5\&.19\&. Displays the named event\&. +.RE +.PP +\fBevents\fR +.RS 4 +Added in Shorewall 4\&.5\&.19\&. Displays all events\&. +.RE +.PP \fBip\fR .RS 4 Displays the system\*(Aqs IPv4 configuration\&. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.18/manpages/shorewall-lite.conf.5 new/shorewall-lite-4.5.19/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-4.5.18/manpages/shorewall-lite.conf.5 2013-06-27 20:36:09.000000000 +0200 +++ new/shorewall-lite-4.5.19/manpages/shorewall-lite.conf.5 2013-07-24 15:23:28.000000000 +0200 
@@ -1,13 +1,13 @@ '\" t .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] -.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/> -.\" Date: 06/27/2013 +.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> +.\" Date: 07/24/2013 .\" Manual: [FIXME: manual] .\" Source: [FIXME: source] .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "06/27/2013" "[FIXME: source]" "[FIXME: manual]" +.TH "SHOREWALL\-LITE\&.CO" "5" "07/24/2013" "[FIXME: source]" "[FIXME: manual]" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.18/manpages/shorewall-lite.xml new/shorewall-lite-4.5.19/manpages/shorewall-lite.xml --- old/shorewall-lite-4.5.18/manpages/shorewall-lite.xml 2013-06-27 20:36:14.000000000 +0200 +++ new/shorewall-lite-4.5.19/manpages/shorewall-lite.xml 2013-07-24 15:23:31.000000000 +0200 @@ -374,7 +374,20 @@ <arg choice="plain"><option>show</option></arg> <arg - choice="req"><option>classifiers|connections|config|filters|ip|ipa|zones|policies|marks</option></arg> + choice="req"><option>classifiers|connections|config|events|filters|ip|ipa|zones|policies|marks</option></arg> + </cmdsynopsis> + + <cmdsynopsis> + <command>shorewall-lite</command> + + <arg choice="opt"><option>trace</option>|<option>debug</option></arg> + + <arg>-<replaceable>options</replaceable></arg> + + <arg choice="plain"><option>show</option></arg> + + <arg choice="plain"><option>event</option><arg + choice="plain"><replaceable>event</replaceable></arg></arg> </cmdsynopsis> <cmdsynopsis> 
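Review bot: The new "show event" synopsis in the shorewall-lite.xml hunk at @@ -374 takes exactly one <replaceable>event</replaceable>, but the release notes in this same patch document the command as "show event <event> ...", that is, a list of events. Either mark the argument repeatable in the DocBook source (for example <arg choice="plain" rep="repeat"><replaceable>event</replaceable></arg>) or drop the "..." from the release notes. shorewall-lite.8 is generated from this XML, so the manpage synopsis line "\fBshow\fR \fBevent\fR\ \fIevent\fR" added in the shorewall-lite.8 hunk will follow whichever you choose once the page is regenerated.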
@@ -888,6 +901,24 @@ </listitem> </varlistentry> + <varlistentry> + <term><emphasis role="bold">event</emphasis><replaceable> + event</replaceable></term> + + <listitem> + <para>Added in Shorewall 4.5.19. Displays the named + event.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis role="bold">events</emphasis></term> + + <listitem> + <para>Added in Shorewall 4.5.19. Displays all events.</para> + </listitem> + </varlistentry> + <varlistentry> <term><emphasis role="bold">ip</emphasis></term> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.18/releasenotes.txt new/shorewall-lite-4.5.19/releasenotes.txt --- old/shorewall-lite-4.5.18/releasenotes.txt 2013-06-27 20:30:18.000000000 +0200 +++ new/shorewall-lite-4.5.19/releasenotes.txt 2013-07-24 15:20:20.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 5 . 1 8 + S H O R E W A L L 4 . 5 . 1 9 ------------------------------------ - J u n e 2 8 , 2 0 1 3 + J u l y 2 4 , 2 0 1 3 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
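Review bot: The "event" and "events" varlistentry descriptions added in the shorewall-lite.xml hunk at @@ -888 say only "Displays the named event" and "Displays all events", which does not tell a reader what is displayed. The release notes in this patch define an event as an ip[6]tables 'recent' list of IP addresses with associated timestamps and packet counts, and warn that a given event name is shared by IPv4 and IPv6, so /sbin/shorewall and /sbin/shorewall-lite show different entries from /sbin/shorewall6 and /sbin/shorewall6-lite. Carry both facts into the manpage text, for example: "Displays the addresses, timestamps and packet counts recorded for the named event. Only IPv4 entries are shown; use shorewall6-lite for IPv6."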
@@ -15,30 +15,11 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) This release includes all defect repair from Shorewall 4.5.17.1. - -2) The following warning message could be emitted inappropriately when - running shorewall 4.5.17. - - The rule(s) generated by this entry are unreachable and have been - discarded - - These warnings, which were disabled in Shorewall 4.5.17.1, are now - only emitted where appropriate. The message has also been reworded - to: - - One or more unreachable rules in chain <name> have been discarded - - The message is issued a maximum of once per Netfilter chain. +1) The shorewall-init.service file previously specified an incorrect + path name for the shorewall-init utility -3) A problem that could cause the 'trace' compiler option to produce - false error messages or to produce an altered generated firewall - script has been corrected. - -4) If the 'Owner Name Match' capability was not available, the - following error message would previously appear during compilation: - - iptables: No chain/target/match by that name. +2) Previously, the '-q' option did not suppress all output from + certain commands such as 'check'. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
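Review bot: Item 1 in this hunk, "The shorewall-init.service file previously specified an incorrect path name for the shorewall-init utility", is missing its terminating period and, unlike item 2, says nothing about the effect (whether the unit failed to start under systemd) or which releases shipped the bad unit file. State the symptom and the first affected version so packagers can decide whether to backport the fix to earlier 4.5 packages. The four 4.5.18 items removed from this section reappear under section VI in a later hunk, so nothing is lost there.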
@@ -51,56 +32,49 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) 'NONE' policies are now instantiated between 'local' zone and zones - other than the firewall. Similarly, 'NONE' policies are - instantiated between 'loopback' zones and zones other than $FW - and other 'loopback' zones. +1) The 'Limit' action now produces a warning message stating that it + is deprecated in favor of per-IP limiting using the RATE LIMIT + column. - This provides a cleaner implementation than the one provided in - Shorewall 4.5.17, and one that should be easier to maintain going - forward. +2) Generation of logging rules has been largely re-written to directly + create rules in the compiler's internal representation. + Previously, such rules were created in iptables format then + translated into the internal form. -2) James Shubin has contributed a Kerberos macro. +3) A form of 'events' or 'triggers' is now available. Events are + implemented using the ip[6]tables 'recent' match so they are + actually lists of IP addresses with associated timestamps and + packet counts. They may be tested in a number of ways: -3) A new 'unmanaged' interface option has been added. This option may - be used to define interfaces that allow all traffic to/from the - firewall but that's all. They are not accessible from hosts on - other interfaces nor can traffic from an unmanaged interface be - forwarded to hosts on other interfaces. + - Any matching packets to/from an address ever? + - Any matching packets to/from an address in the last N seconds? + - M or more matching packets to/from an address? + - M or more matching packets to/from an address in the last N + seconds? - The following interface options are mutually-exclusive with - 'unmanaged': + See http://www.shorewall.net/Events.html for details and usage + examples. 
- - blacklist - - bridge - - destonly - - detectnets - - dhcp - - maclist - - nets - - norfc1918 - - nosmurfs - - optional - - routeback - - rpfilter - - sfilter - - tcpflags - - upnp - - upnpclient +4) As part of adding event support, the CLI programs now support + two new variants of the 'show' command. - Unmanaged interfaces may not be associated with a zone in either - the interfaces or hosts files. + show events - The 'lo' interface may not be unmanaged when there are vserver - zones defined. + Displays the contents of all events. -4) The value (0 or 1) for the 'routeback' interface option may now - be specified (e.g., 'routeback=0'). This allows overriding the - Shorewall default setting for bridge devices which is - 'routeback=1'. + show event <event> ... -5) The ?SHELL, ?PERL, ?BEGIN SHELL, ?END SHELL, ?BEGIN PERL and ?END - PERL directives are now case-insensitive. + Displays the contents of the listed events. + + Note that a given event can be used for both IPv4 and IPv6. So + /sbin/shorewall and /sbin/shorewall-lite will show entries that are + different from /sbin/shorewall6 and /sbin/shorewall6-lite. + +5) Using the event mechanism described above, Shorewall now supports a + form of automatic blacklisting when the number of connection + attempts in a given period of time is exceeded. + + See http://www.shorewall.net/Events.html for details. ---------------------------------------------------------------------------- V. M I G R A T I O N I S S U E S 
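Review bot: Item 5 in this hunk describes "a form of automatic blacklisting" but never names the mechanism, while changelog.txt in the same patch records "Add AutoBL action" (4.5.19 RC 1) and "Add warning to existing automatic blacklisting example". Name the AutoBL action here and say what the warning added to the existing example is about, so that the Events.html pointer is not the only way for an administrator already using the documented example to learn whether it should be migrated. Also, item 1 says the Limit action "produces a warning message stating that it is deprecated" but not whether Limit still functions; one sentence saying it remains functional (or naming the release in which it is removed) stops a compile-time warning being read as a behavioural change.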
@@ -305,9 +279,110 @@ ---------------------------------------------------------------------------- V I. N O T E S F R O M O T H E R 4 . 5 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 5 . 1 8 +---------------------------------------------------------------------------- + +1) This release includes all defect repair from Shorewall 4.5.17.1. + +2) The following warning message could be emitted inappropriately when + running shorewall 4.5.17. + + The rule(s) generated by this entry are unreachable and have been + discarded + + These warnings, which were disabled in Shorewall 4.5.17.1, are now + only emitted where appropriate. The message has also been reworded + to: + + One or more unreachable rules in chain <name> have been discarded + + The message is issued a maximum of once per Netfilter chain. + +3) A problem that could cause the 'trace' compiler option to produce + false error messages or to produce an altered generated firewall + script has been corrected. + +4) If the 'Owner Name Match' capability was not available, the + following error message would previously appear during compilation: + + iptables: No chain/target/match by that name. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 5 . 1 8 +---------------------------------------------------------------------------- + +1) 'NONE' policies are now instantiated between 'local' zone and zones + other than the firewall. Similarly, 'NONE' policies are + instantiated between 'loopback' zones and zones other than $FW + and other 'loopback' zones. + + This provides a cleaner implementation than the one provided in + Shorewall 4.5.17, and one that should be easier to maintain going + forward. + +2) James Shubin has contributed a Kerberos macro. + +3) A new 'unmanaged' interface option has been added. 
This option may + be used to define interfaces that allow all traffic to/from the + firewall but that's all. They are not accessible from hosts on + other interfaces nor can traffic from an unmanaged interface be + forwarded to hosts on other interfaces. + + The following interface options are mutually-exclusive with + 'unmanaged': + + - blacklist + - bridge + - destonly + - detectnets + - dhcp + - maclist + - nets + - norfc1918 + - nosmurfs + - optional + - routeback + - rpfilter + - sfilter + - tcpflags + - upnp + - upnpclient + + Unmanaged interfaces may not be associated with a zone in either + the interfaces or hosts files. + + The 'lo' interface may not be unmanaged when there are vserver + zones defined. + +4) The value (0 or 1) for the 'routeback' interface option may now + be specified (e.g., 'routeback=0'). This allows overriding the + Shorewall default setting for bridge devices which is + 'routeback=1'. + +5) The ?SHELL, ?PERL, ?BEGIN SHELL, ?END SHELL, ?BEGIN PERL and ?END + PERL directives are now case-insensitive. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 5 . 1 7 ---------------------------------------------------------------------------- +4.5.17.1 + +1) The following warning message may be emitted inappropriately when + running shorewall 4.5.17. The message is no longer issued. + + The rule(s) generated by this entry are unreachable and have been + discarded + +2) Rules intended to increment nfacct objects would previously be + optimized away when they immediately preceded an unconditional jump + to the same target. Such rules are now retained. + +3) A bug in the optimizer in 4.5.17 can cause 'set' and 'geoip' + matches to be dropped. That has been corrected. + +4.5.17 + 1) When INLINE was used in the tcrules file and no target ('-j' part) is included in the free-form part of the rule, an invalid iptables rule was generated. 
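Review bot: Item 4 under PROBLEMS CORRECTED IN 4.5.18 in this hunk describes only the symptom ("If the 'Owner Name Match' capability was not available, the following error message would previously appear during compilation: iptables: No chain/target/match by that name.") and, unlike items 2 and 3, never states the corrected behaviour; add a closing sentence saying what the compiler now does when the capability is absent. Separately, the 4.5.17.1 entry in the same hunk ends "The message is no longer issued" while item 2 of the 4.5.18 list says the reworded warning is again emitted where appropriate; a cross-reference from the 4.5.17.1 entry to the 4.5.18 item avoids a reader concluding the warning is gone for good. This file is also added verbatim in the shorewall-core tarball earlier in the patch, so both copies need the same wording.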
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.18/shorewall-lite.spec new/shorewall-lite-4.5.19/shorewall-lite.spec --- old/shorewall-lite-4.5.18/shorewall-lite.spec 2013-06-27 20:30:18.000000000 +0200 +++ new/shorewall-lite-4.5.19/shorewall-lite.spec 2013-07-24 15:20:20.000000000 +0200 @@ -1,5 +1,5 @@ %define name shorewall-lite -%define version 4.5.18 +%define version 4.5.19 %define release 0base %define initdir /etc/init.d @@ -105,6 +105,16 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Sun Jul 21 2013 Tom Eastep [email protected] +- Updated to 4.5.19-0base +* Mon Jul 15 2013 Tom Eastep [email protected] +- Updated to 4.5.19-0RC1 +* Thu Jul 11 2013 Tom Eastep [email protected] +- Updated to 4.5.19-0Beta3 +* Mon Jul 08 2013 Tom Eastep [email protected] +- Updated to 4.5.19-0Beta2 +* Mon Jul 01 2013 Tom Eastep [email protected] +- Updated to 4.5.19-0Beta1 * Thu Jun 27 2013 Tom Eastep [email protected] - Updated to 4.5.18-0base * Mon Jun 24 2013 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.5.18/uninstall.sh new/shorewall-lite-4.5.19/uninstall.sh --- old/shorewall-lite-4.5.18/uninstall.sh 2013-06-27 20:30:18.000000000 +0200 +++ new/shorewall-lite-4.5.19/uninstall.sh 2013-07-24 15:20:20.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.5.18 +VERSION=4.5.19 usage() # $1 = exit status { ++++++ shorewall-4.5.18.tar.bz2 -> shorewall6-4.5.19.tar.bz2 ++++++ ++++ 116393 lines of diff (skipped) ++++++ shorewall-lite-4.5.18.tar.bz2 -> shorewall6-lite-4.5.19.tar.bz2 ++++++ ++++ 7294 lines of diff (skipped) -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
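Review bot: The trailer lines "shorewall-4.5.18.tar.bz2 -> shorewall6-4.5.19.tar.bz2 ... 116393 lines of diff (skipped)" and "shorewall-lite-4.5.18.tar.bz2 -> shorewall6-lite-4.5.19.tar.bz2 ... 7294 lines of diff (skipped)" show the diff tool pairing the old IPv4 tarballs with the new IPv6 ones, so the shorewall6 and shorewall6-lite changes for 4.5.19 are not reviewable from this submission: the 116393-line figure is the IPv4-versus-IPv6 difference, not the 4.5.18-to-4.5.19 change. Since changelog.txt records "Allow Events to be used in IPv6" (4.5.19 Beta 3), the shorewall6 side is exactly where the new event and AutoBL code lands; please regenerate the comparison against the corresponding 4.5.18 shorewall6 and shorewall6-lite tarballs before this is accepted.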
