Hello community,

here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2014-11-06 16:50:17

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shorewall (Old)
 and      /work/SRC/openSUSE:Factory/.shorewall.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall" Changes: -------- --- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2014-09-22 18:50:50.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes 2014-11-06 16:51:01.000000000 +0100 @@ -1,0 +2,10 @@ +Wed Nov 5 07:45:56 UTC 2014 - [email protected] + +- Update to versioin 4.6.4.3 For more details see changelog.txt and + releasenotes.txt + + * The fix for LOG_BACKEND in 4.6.4.2 worked on some older + distributions but not on newer ones. This release fixes the + problem in the remaining cases. + +------------------------------------------------------------------- Old: ---- shorewall-4.6.3.4.tar.bz2 shorewall-core-4.6.3.4.tar.bz2 shorewall-docs-html-4.6.3.4.tar.bz2 shorewall-init-4.6.3.4.tar.bz2 shorewall-lite-4.6.3.4.tar.bz2 shorewall6-4.6.3.4.tar.bz2 shorewall6-lite-4.6.3.4.tar.bz2 New: ---- shorewall-4.6.4.3.tar.bz2 shorewall-core-4.6.4.3.tar.bz2 shorewall-docs-html-4.6.4.3.tar.bz2 shorewall-init-4.6.4.3.tar.bz2 shorewall-lite-4.6.4.3.tar.bz2 shorewall6-4.6.4.3.tar.bz2 shorewall6-lite-4.6.4.3.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.9jfBuN/_old 2014-11-06 16:51:04.000000000 +0100 +++ /var/tmp/diff_new_pack.9jfBuN/_new 2014-11-06 16:51:04.000000000 +0100 
@@ -20,19 +20,19 @@ %define have_systemd 1 Name: shorewall -Version: 4.6.3.4 +Version: 4.6.4.3 Release: 0 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems License: GPL-2.0 Group: Productivity/Networking/Security Url: http://www.shorewall.net/ -Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.3/%{name}-%version.tar.bz2 -Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.3/%{name}-core-%version.tar.bz2 -Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.3/%{name}-lite-%version.tar.bz2 -Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.3/%{name}-init-%version.tar.bz2 -Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.3/%{name}6-lite-%version.tar.bz2 -Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.3/%{name}6-%version.tar.bz2 -Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.3/%{name}-docs-html-%version.tar.bz2 +Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.4/%{name}-%version.tar.bz2 +Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.4/%{name}-core-%version.tar.bz2 +Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.4/%{name}-lite-%version.tar.bz2 +Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.4/%{name}-init-%version.tar.bz2 +Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.4/%{name}6-lite-%version.tar.bz2 +Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.4/%{name}6-%version.tar.bz2 +Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.4/%{name}-docs-html-%version.tar.bz2 Source7: %{name}-4.4.22.rpmlintrc Source8: README.openSUSE # PATCH-FIX-UPSTREAM [email protected] Shorewall-lite init.suse.sh Required Stop ++++++ shorewall-4.6.3.4.tar.bz2 -> shorewall-4.6.4.3.tar.bz2 ++++++ ++++ 3229 lines of diff (skipped) ++++++ shorewall-core-4.6.3.4.tar.bz2 -> shorewall-core-4.6.4.3.tar.bz2 ++++++ diff -urN '--exclude=CVS' 
'--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.3.4/changelog.txt new/shorewall-core-4.6.4.3/changelog.txt --- old/shorewall-core-4.6.3.4/changelog.txt 2014-09-16 17:18:06.000000000 +0200 +++ new/shorewall-core-4.6.4.3/changelog.txt 2014-10-19 16:59:58.000000000 +0200 @@ -1,3 +1,72 @@ +Changes in 4.6.4.3 + +1) Update release documents + +2) Add xt_LOG to the helpers files. + +Changes in 4.6.4.2 + +1) Update release documents + +2) Add ipt_LOG to the helpers files. + +Changes in 4.6.4.1 + +1) Update release documents + +2) Eliminate confusing output during 'save', 'safe-*' and 'try' + commands. + +3) Remove 'optional' from the Universal interfaces file. + +Changes in 4.6.4 Final + +1) Update release documents + +Changes in 4.6.4 RC 1 + +1) Update release documents + +2) Added FAQ 104 (kernel log messages during compile). + +3) Create INITD in the -lite installer. + +4) Don't link init script if there is none. + +5) Add -n option to the installers and uninstallers. + +6) Support SANDBOX in the installers and uninstallers. + +7) Correct many defects in the uninstallers. + +Changes in 4.6.4 Beta 3 + +1) Update release documents + +2) Allow SAVE_IPSETS to specify a list of ipset names. + +3) Document .spec and actions.std fixes. + +3) Packaging changes. + +Changes in 4.6.4-Beta 2 + +1) Update release documents + +2) Correct minor issue in a warning message. + +3) Implement LOG_BACKEND. + +4) Correct stoppedrules/ADMINISABSENTMINDED=No + +Changes in 4.6.4-Beta 1 + +1) Update release documents + +2) Install support for Centos 7 and Foobar 7 + +3) Tweaks to .service files. + Changes in 4.6.3.4 1) Update release documents diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.3.4/configure new/shorewall-core-4.6.4.3/configure --- old/shorewall-core-4.6.3.4/configure 2014-09-16 17:18:05.000000000 +0200 +++ new/shorewall-core-4.6.4.3/configure 2014-10-19 16:59:57.000000000 +0200 
@@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.3.4 +VERSION=4.6.4.3 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.3.4/configure.pl new/shorewall-core-4.6.4.3/configure.pl --- old/shorewall-core-4.6.3.4/configure.pl 2014-09-16 17:18:05.000000000 +0200 +++ new/shorewall-core-4.6.4.3/configure.pl 2014-10-19 16:59:57.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.3.4' + VERSION => '4.6.4.3' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.3.4/install.sh new/shorewall-core-4.6.4.3/install.sh --- old/shorewall-core-4.6.3.4/install.sh 2014-09-16 17:18:05.000000000 +0200 +++ new/shorewall-core-4.6.4.3/install.sh 2014-10-19 16:59:57.000000000 +0200 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=4.6.3.4 +VERSION=4.6.4.3 usage() # $1 = exit status { @@ -198,7 +198,7 @@ eval $(cat /etc/os-release | grep ^ID) case $ID in - fedora|rhel) + fedora|rhel|centos|foobar) BUILD=redhat ;; debian) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.3.4/known_problems.txt new/shorewall-core-4.6.4.3/known_problems.txt --- old/shorewall-core-4.6.3.4/known_problems.txt 2014-09-16 17:18:06.000000000 +0200 +++ new/shorewall-core-4.6.4.3/known_problems.txt 2014-10-19 16:59:58.000000000 +0200 
@@ -1,69 +1,74 @@ 1) On systems running Upstart, shorewall-init cannot reliably secure the firewall before interfaces are brought up. -2) The DNSAmp action released in 4.6.3 matches more packets than it - should. - - Workaround: Change the single rule in - /usr/share/shorewall/action.DNSAmp to: - - IPTABLES(@1) - - udp 53 ; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000" - - Corrected in 4.6.3.1. - -3) A typo results in the following misleading error message: - - ERROR: The xxx TARGET is now allowed in the filter table - - The message should read: - - ERROR: The xxx TARGET is not allowed in the filter table - - Corrected in 4.6.3.1. - -4) The shorewall[6]-actions manpages contain incorrect examples - of the usage of table names with builtin actions. - - Incorrect: - - FOOBAR,filter,mangle - - Correct: - - FOOBAR builtin,filter,mangle - - The online versions of the manpages have been corrected. - - Corrected in 4.6.3.2. - -5) Including a PREROUTING SECTION in the accounting file - unconditionally results in a fatal error: - - ERROR: The PREROUTING SECTION is not allowed when - ACCOUNTING_TABLE=filter - - Corrected in 4.6.3.3. - -6) The Universal configuration fails to start with the error: - - ERROR: No network interface available: Firewall state not changed - - Workaround: Remove the 'optional' option from the 'net' entry in - /etc/shorewall/interfaces. - - Corrected in 4.6.3.4. - -7) When required interfaces are present, Shorewall-init will fail to - start. This defect was introduced in Shorewall 4.6.3. - - Corrected in 4.6.3.4. - -8) The defect repair from 4.6.2.5 was inadvertently omitted from - 4.6.3. - - Corrected in 4.6.3.4. - - +2) If you install 4.6.4 and then use the 'safe-restart' command to + restart your firewall, confusing output is produced: + # shorewall safe-restart + Compiling... + Processing /etc/shorewall/params ... + Processing /etc/shorewall/shorewall.conf... + ... + Optimizing Ruleset... 
+ Creating iptables-restore input... + Shorewall configuration compiled to /var/lib/shorewall/.restart + Currently-running Configuration Saved to /var/lib/shorewall/.safe + Usage: /var/lib/shorewall/firewall [ options ] <command> + + <command> is one of: + start + stop + clear + disable <interface> + down <interface> + enable <interface> + reset + refresh + restart + run <command> [ <parameter> ... ] + status + up <interface> + version + + Options are: + + -v and -q Standard Shorewall verbosity controls + -n Don't update routing configuration + -p Purge Conntrack Table + -t Timestamp progress Messages + -V <verbosity> Set verbosity explicitly + -R <file> Override RESTOREFILE setting + Restarting... + Restarting Shorewall.... + Initializing... + Processing /etc/shorewall/init ... + ... + Processing /etc/shorewall/start ... + Processing /etc/shorewall/started ... + done. + Do you want to accept the new firewall configuration? [y/n] + + The above 'usage' information, while confusing, does not represent a + problem and it is safe to answer 'y'. + + + Corrected in Shorewall 4.6.4.1. + +3) The 'Universal' sample configuration fails to start. + + Workaround: Remove the 'optional' option from the interfaces file + entry. + + Corrected in Shorewall 4.6.4.1. + +4) Setting LOGBACKEND=ipt_LOG may result in the following startup + failure at boot: + + Starting shorewall ... + /var/lib/shorewall/firewall: line 2080: echo: write error: No such file or directory + WARNING: Unable to set log backend to ipt_LOG + Partially corrected in Shorewall 4.6.4.2. Fixed on Squeeze and + RHEL6 (and derivatives). Not fixed on Fedora, Ubuntu and OpenSuSE. + Corrected on other distros in 4.6.4.3. 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.3.4/lib.cli new/shorewall-core-4.6.4.3/lib.cli --- old/shorewall-core-4.6.3.4/lib.cli 2014-09-16 17:09:20.000000000 +0200 +++ new/shorewall-core-4.6.4.3/lib.cli 2014-10-19 16:44:01.000000000 +0200 @@ -368,6 +368,17 @@ } # +# Try to run the 'savesets' command +# +savesets() { + local supported + + supported=$(run_it ${VARDIR}/firewall help | fgrep savesets ) + + [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets +} + +# # Save currently running configuration # do_save() { 
@@ -428,45 +439,47 @@ ;; esac - case ${SAVE_IPSETS:=No} in - [Yy]es) - case ${IPSET:=ipset} in - */*) - if [ ! -x "$IPSET" ]; then - error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved" - IPSET= - fi - ;; - *) - IPSET="$(mywhich $IPSET)" - [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved" - ;; - esac + if ! savesets; then + case ${SAVE_IPSETS:=No} in + [Yy]es) + case ${IPSET:=ipset} in + */*) + if [ ! -x "$IPSET" ]; then + error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved" + IPSET= + fi + ;; + *) + IPSET="$(mywhich $IPSET)" + [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved" + ;; + esac - if [ -n "$IPSET" ]; then - if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then - # - # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny - # - hack='| grep -v /31' - else - hack= - fi + if [ -n "$IPSET" ]; then + if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then + # + # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny + # + hack='| grep -v /31' + else + hack= + fi - if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then - # - # Don't save an 'empty' file - # - grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets + if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then + # + # Don't save an 'empty' file + # + grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets + fi fi - fi - ;; - [Nn]o) - ;; - *) - error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS" - ;; - esac + ;; + [Nn]o) + ;; + *) + error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS" + ;; + esac + fi return $status } diff -urN '--exclude=CVS' 
'--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.3.4/releasenotes.txt new/shorewall-core-4.6.4.3/releasenotes.txt --- old/shorewall-core-4.6.3.4/releasenotes.txt 2014-09-16 17:18:06.000000000 +0200 +++ new/shorewall-core-4.6.4.3/releasenotes.txt 2014-10-19 16:59:58.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 3 . 4 + S H O R E W A L L 4 . 6 . 4 . 3 ------------------------------------ - S e p t e m b e r 1 6 , 2 0 1 4 + O c t o b e r 2 0 , 2 0 1 4 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,81 +14,82 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.3.4 +4.6.4.3 -1) The 'Universal' configurations previously failed to start with the - diagnostic +1) The fix for LOGBACKEND in 4.6.4.2 worked on some older + distributions but not on newer ones. This release fixes the problem + in the remaining cases. - ERROR: No network interface available: Firewall state not changed +4.6.4.2 -2) A defect introduced in 4.6.3 prevented Shorewall-init from starting - when required interfaces were present. +1) Setting LOGBACKEND=ipt_LOG could result in the following startup + failure at boot: -3) The defect repair from 4.6.2.5 (see below) was inadvertently - omitted from 4.6.3. It has now been merged into this release. + Starting shorewall ... + /var/lib/shorewall/firewall: line 2080: echo: write error: No such file or directory + WARNING: Unable to set log backend to ipt_LOG -4.6.3.3 +4.6.4.1 -1) Including a PREROUTING SECTION in the accounting file - unconditionally resulted in a fatal error: +1) Confusing 'usage' output was produced under the following + conditions: - ERROR: The PREROUTING SECTION is not allowed when - ACCOUNTING_TABLE=filter + a) 4.6.4 installed -2) Previously, the compiler could generate many superfluous rules to - enforce the 'tcpflags', 'nosmurfs' and 'maclist' interface options. + b) The running firewall was compiled on an earlier release. -4.6.3.2 + c) A 'safe-start', 'save-restart', 'save' or 'try' command is + executed. -1) The shorewall[6]-actions manpages previously contained incorrect - examples of the usage of table names with builtin actions. + This problem has been corrected. - Incorrect: +2) The 'optional' option has been removed from the IPv4 Universal + interfaces file, as that option caused startup failures. - FOOBAR,filter,mangle +4.6.4 Final. - Correct: +1) This release includes defect repair through release 4.6.3.4. 
- FOOBAR builtin,filter,mangle +2) Two corrections have been made to the .service files: -2) Previously, if /etc/iproute2/rt_tables was not writeable, then - KEEP_RT_TABLES=No behaved like KEEP_RT_TABLES=Yes. Now, a warning - message is issued if that file is not writeable and KEEP_RT_TABLES - is set to No. + - The .service files now correctly specify - WARNING: /etc/iproute2/rt_tables is missing or is not writeable + WantedBy=basic.target -3) In earlier 4.6.3 versions, the help text from shorewall-lite and - shorewall6-lite included two versions of the 'run' command. + - Conflicting services have been added. - run <command> [ <parameter> ... ] - .. - run <function> [ <parameter> ... ] +3) A warning message generated during stoppedrules processing + previously referred to the file as routestopped. - The second one has now been deleted. +4) Previously, the stoppedrules file did not work properly when + ADMINISABSENTMINDED=No. -4.6.3.1 - -1) The DNSAmp action released in 4.6.3 matched more packets than it - should have. That has now been corrected. + - A warning message was issued stating that the file would be + processed as if ADMINISABSENTMINDED=Yes, and it was. -2) The handling of REJECT in IP[6]TABLES rules has been clarified in - the shorewall-rules(5) and shorewall6-rules(5) manpages. + - Unfortunately, part of the surrounding rule-generating logic + proceded as if ADMINISABSENTMINDED=No, leading to an unusable + ruleset. -3) The following misleading error message has now been corrected: + This problem has been corrected by changing the way that + stoppedrules works with ADMINISABSENTMINDED=No. In the new + implementation: - ERROR: The xxx TARGET is now allowed in the filter table + - All existing connections continue to work. + - Response packets and related connection requests to new accepted + connections are accepted (in other words, the resulting ruleset + is stateful). - The message now reads: + See shorewall[6].conf(5) for additional details. 
- ERROR: The xxx TARGET is not allowed in the filter table +5) The .spec files now set SBINDIR correctly. -4.6.3 +6) The -lite installers now create INITDIR if it doesn't exist. -1) This release contains defect repair up through release 4.6.2.5. +7) The installers no longer attempt to create a symbolic link to the + init script when no init script is installed. -2) The SAVE_IPSETS option in the Debian version of Shorewall-init now - works correctly. Thomas D. +8) A large number of defects in the uninstallers have been corrected. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -101,25 +102,39 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.3.2 - -1) Eric Teeter has contributed a Citrix Goto Meeting macro. - -4.6.3 - -1) A new 'run' command has been implemented. This command allows you - to run an arbitrary command in the context of the generated - script. - - shorewall[6][-lite] run <command> [ <parameter> ... ] +1) Install support for Centos 7 and Foobar 7 has been added (Tuomo + Soini). - Normally, <command> will be a function declared in lib.private. - -2) A DNSAmp action has been added. This action matches recursive UDP - DNS queries. The default disposition is DROP which can be - overridden by the single action parameter (e.g, 'DNSAmp(REJECT)' - will reject these queries). Recursive DNS queries are the basis for - 'DNS Amplification' attacks; hence the action name. +2) A 'terminating' option has been added to shorewall[6].actions. + this option, when used with the 'builtin' option, indicates to the + compiler that the built-in action is terminating. This allows the + optimizer to omit rules after an unconditional jump to the + built-in. + +3) A LOG_BACKEND option has been added to allow specification of the + default logging backends. See shorewall.conf(5) and + shorewall6.conf(5) for details. + +4) The SAVE_IPSETS option may now specify a list of ipsets to be + saved. When such a list is specified, only those ipsets together + with the ipsets supporting dynamic zones are saved. + + Shorewall6 now supports the SAVE_IPSETS option. When + SAVE_IPSETS=Yes, only ipv6 ipsets are saved. For Shorewall, if + SAVE_IPSETS=ipv4, then only ipv4 ipsets are saved. Both features + require ipset version 5 or later. + + Note that shorewall.conf and shorewall6.conf may now both specify + SAVE_IPSETS. + +5) The SBINDIR setting for SuSE now defaults to /usr/sbin/. 
+ +6) With the exception of Shorewall-core, the tarball installers and + uninstallers now support a -n option which inhibits any attempt to + change the startup configuration. The -n option can be + automatically invoked by setting the SANDBOX variable to a + non-empty value, either in the environment or in your shorewallrc + file. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -390,9 +405,64 @@ CONDITION HELPER +17) Prior to Shorewall 4.6.4, the stoppedrules file did not work + properly when ADMINISABSENTMINDED=No. + + - A warning message was issued stating that the file would be + processed as if ADMINISABSENTMINDED=Yes, and it was. + + - Unfortunately, part of the surrounding rule-generating logic + proceded as if ADMINISABSENTMINDED=No, leading to an unusable + ruleset. + + In Shorewall 4.6.4, this problem was corrected by changing the way + that stoppedrules works with ADMINISABSENTMINDED=No. In the new + implementation: + + - All existing connections continue to work. + - Response packets and related connection requests to new accepted + connections are accepted (in other words, the resulting ruleset + is stateful). + + See shorewall[6].conf(5) for additional details. + ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 3 +---------------------------------------------------------------------------- + +4.6.3.1 + +1) The DNSAmp action released in 4.6.3 matched more packets than it + should have. That has now been corrected. + +4.6.3 + +1) This release contains defect repair up through release 4.6.2.5. + +2) The SAVE_IPSETS option in the Debian version of Shorewall-init now + works correctly. Thomas D. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 3 +---------------------------------------------------------------------------- + +1) A new 'run' command has been implemented. This command allows you + to run an arbitrary command in the context of the generated + script. + + shorewall[6][-lite] run <command> [ <parameter> ... ] + + Normally, <command> will be a function declared in lib.private. + +2) A DNSAmp action has been added. 
This action matches recursive UDP + DNS queries. The default disposition is DROP which can be + overridden by the single action parameter (e.g, 'DNSAmp(REJECT)' + will reject these queries). Recursive DNS queries are the basis for + 'DNS Amplification' attacks; hence the action name. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 2 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.3.4/shorewall-core.spec new/shorewall-core-4.6.4.3/shorewall-core.spec --- old/shorewall-core-4.6.3.4/shorewall-core.spec 2014-09-16 17:18:06.000000000 +0200 +++ new/shorewall-core-4.6.4.3/shorewall-core.spec 2014-10-19 16:59:58.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-core -%define version 4.6.3 -%define release 4 +%define version 4.6.4 +%define release 3 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} @@ -33,7 +33,8 @@ --prefix=%{_prefix} \ --tmpdir=%{_tmpdir} \ --perllibdir=%{perl_vendorlib} \ - --libexecdir=%{_libexecdir} + --libexecdir=%{_libexecdir} \ + --sbindir=%{_sbindir} DESTDIR=%{buildroot} ./install.sh 
@@ -62,12 +63,22 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt %changelog -* Sun Sep 14 2014 Tom Eastep [email protected] -- Updated to 4.6.3-4 -* Wed Sep 10 2014 Tom Eastep [email protected] -- Updated to 4.6.3-3 -* Sat Aug 30 2014 Tom Eastep [email protected] -- Updated to 4.6.3-2 +* Sun Oct 19 2014 Tom Eastep [email protected] +- Updated to 4.6.4-3 +* Wed Oct 15 2014 Tom Eastep [email protected] +- Updated to 4.6.4-2 +* Fri Oct 10 2014 Tom Eastep [email protected] +- Updated to 4.6.4-1 +* Mon Oct 06 2014 Tom Eastep [email protected] +- Updated to 4.6.4-0base +* Thu Oct 02 2014 Tom Eastep [email protected] +- Updated to 4.6.4-0RC1 +* Sun Sep 28 2014 Tom Eastep [email protected] +- Updated to 4.6.4-0Beta3 +* Wed Sep 24 2014 Tom Eastep [email protected] +- Updated to 4.6.4-0Beta2 +* Sun Aug 24 2014 Tom Eastep [email protected] +- Updated to 4.6.4-0Beta1 * Thu Aug 21 2014 Tom Eastep [email protected] - Updated to 4.6.3-1 * Thu Aug 14 2014 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.3.4/shorewallrc.suse new/shorewall-core-4.6.4.3/shorewallrc.suse --- old/shorewall-core-4.6.3.4/shorewallrc.suse 2014-09-16 17:09:20.000000000 +0200 +++ new/shorewall-core-4.6.4.3/shorewallrc.suse 2014-10-19 16:44:01.000000000 +0200 
@@ -8,7 +8,7 @@ SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. LIBEXECDIR=${PREFIX}/lib #Directory for executable scripts. PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2 #Directory to install Shorewall Perl module directory -SBINDIR=/sbin #Directory where system administration programs are installed +SBINDIR=/usr/sbin #Directory where system administration programs are installed MANDIR=${SHAREDIR}/man/ #Directory where manpages are installed. INITDIR=/etc/init.d #Directory where SysV init scripts are installed. INITFILE=$PRODUCT #Name of the product's SysV init script diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.3.4/uninstall.sh new/shorewall-core-4.6.4.3/uninstall.sh --- old/shorewall-core-4.6.3.4/uninstall.sh 2014-09-16 17:18:05.000000000 +0200 +++ new/shorewall-core-4.6.4.3/uninstall.sh 2014-10-19 16:59:57.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.3.4 +VERSION=4.6.4.3 usage() # $1 = exit status { ++++++ shorewall-docs-html-4.6.3.4.tar.bz2 -> shorewall-docs-html-4.6.4.3.tar.bz2 ++++++ ++++ 7147 lines of diff (skipped) ++++++ shorewall-init-4.6.3.4.tar.bz2 -> shorewall-init-4.6.4.3.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.3.4/changelog.txt new/shorewall-init-4.6.4.3/changelog.txt --- old/shorewall-init-4.6.3.4/changelog.txt 2014-09-16 17:18:06.000000000 +0200 +++ new/shorewall-init-4.6.4.3/changelog.txt 2014-10-19 17:16:42.000000000 +0200 
@@ -1,3 +1,72 @@ +Changes in 4.6.4.3 + +1) Update release documents + +2) Add xt_LOG to the helpers files. + +Changes in 4.6.4.2 + +1) Update release documents + +2) Add ipt_LOG to the helpers files. + +Changes in 4.6.4.1 + +1) Update release documents + +2) Eliminate confusing output during 'save', 'safe-*' and 'try' + commands. + +3) Remove 'optional' from the Universal interfaces file. + +Changes in 4.6.4 Final + +1) Update release documents + +Changes in 4.6.4 RC 1 + +1) Update release documents + +2) Added FAQ 104 (kernel log messages during compile). + +3) Create INITD in the -lite installer. + +4) Don't link init script if there is none. + +5) Add -n option to the installers and uninstallers. + +6) Support SANDBOX in the installers and uninstallers. + +7) Correct many defects in the uninstallers. + +Changes in 4.6.4 Beta 3 + +1) Update release documents + +2) Allow SAVE_IPSETS to specify a list of ipset names. + +3) Document .spec and actions.std fixes. + +3) Packaging changes. + +Changes in 4.6.4-Beta 2 + +1) Update release documents + +2) Correct minor issue in a warning message. + +3) Implement LOG_BACKEND. + +4) Correct stoppedrules/ADMINISABSENTMINDED=No + +Changes in 4.6.4-Beta 1 + +1) Update release documents + +2) Install support for Centos 7 and Foobar 7 + +3) Tweaks to .service files. + Changes in 4.6.3.4 1) Update release documents diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.3.4/configure new/shorewall-init-4.6.4.3/configure --- old/shorewall-init-4.6.3.4/configure 2014-09-16 17:18:06.000000000 +0200 +++ new/shorewall-init-4.6.4.3/configure 2014-10-19 17:16:42.000000000 +0200 
@@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.3.4 +VERSION=4.6.4.3 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.3.4/configure.pl new/shorewall-init-4.6.4.3/configure.pl --- old/shorewall-init-4.6.3.4/configure.pl 2014-09-16 17:18:06.000000000 +0200 +++ new/shorewall-init-4.6.4.3/configure.pl 2014-10-19 17:16:42.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.3.4' + VERSION => '4.6.4.3' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.3.4/install.sh new/shorewall-init-4.6.4.3/install.sh --- old/shorewall-init-4.6.3.4/install.sh 2014-09-16 17:18:06.000000000 +0200 +++ new/shorewall-init-4.6.4.3/install.sh 2014-10-19 17:16:42.000000000 +0200 @@ -27,7 +27,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.6.3.4 +VERSION=4.6.4.3 usage() # $1 = exit status { @@ -35,6 +35,7 @@ echo "usage: $ME [ <configuration-file> ]" echo " $ME -v" echo " $ME -h" + echo " $ME -n" exit $1 } @@ -105,9 +106,12 @@ T='-T' finished=0 +configure=1 while [ $finished -eq 0 ] ; do - case "$1" in + option="$1" + + case "$option" in -*) option=${option#-} @@ -120,6 +124,10 @@ echo "Shorewall-init Firewall Installer Version $VERSION" exit 0 ;; + n*) + configure=0 + option=${option#n} + ;; *) usage 1 ;; @@ -176,6 +184,8 @@ require $var done +[ -n "$SANDBOX" ] && configure=0 + PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin if [ -z "$BUILD" ]; then @@ -191,7 +201,7 @@ eval $(cat /etc/os-release | grep ^ID=) case $ID in - fedora|rhel) + fedora|rhel|centos|foobar) BUILD=redhat ;; debian|ubuntu) 
@@ -306,6 +316,7 @@ # Install the Firewall Script # if [ -n "$INITFILE" ]; then + mkdir -p ${DESTDIR}${INITDIR} install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544 [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE @@ -325,7 +336,7 @@ run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service" - if [ -n "$DESTDIR" ]; then + if [ -n "$DESTDIR" -o $configure -eq 0 ]; then mkdir -p ${DESTDIR}${SBINDIR} chmod 755 ${DESTDIR}${SBINDIR} fi @@ -366,14 +377,24 @@ if [ -n "${DESTDIR}" ]; then mkdir -p ${DESTDIR}/etc/network/if-up.d/ mkdir -p ${DESTDIR}/etc/network/if-down.d/ + mkdir -p ${DESTDIR}/etc/network/if-post-down.d/ + elif [ $configure -eq 0 ]; then + mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/ + mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/ + mkdir -p ${DESTDIR}${CONFDIR}/network/if-post-down.d/ fi - if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then + if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then if [ -n "${DESTDIR}" ]; then mkdir ${DESTDIR}/etc/default fi - install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644 + if [ $configure -eq 1 ]; then + install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644 + else + mkdir -p ${DESTDIR}${CONFDIR}/default + install_file sysconfig ${DESTDIR}${CONFDIR}/default/shorewall-init 0644 + fi fi IFUPDOWN=ifupdown.debian.sh @@ -384,7 +405,7 @@ if [ -z "$RPM" ]; then if [ $HOST = suse ]; then mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d - mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d + mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d elif [ $HOST = gentoo ]; then # Gentoo does not support if-{up,down}.d /bin/true 
@@ -415,17 +436,33 @@ install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544 if [ -d ${DESTDIR}/etc/NetworkManager ]; then - install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544 + if [ $configure -eq 1 ]; then + install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544 + else + mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/ + install_file ifupdown ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall 0544 + fi fi case $HOST in debian) - install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544 - install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544 - install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544 + if [ $configure -eq 1 ]; then + install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544 + install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544 + install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544 + else + install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-up.d/shorewall 0544 + install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-down.d/shorewall 0544 + install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-post-down.d/shorewall 0544 + fi ;; suse) if [ -z "$RPM" ]; then + if [ $configure -eq 0 ]; then + mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-up.d/ + mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d/ + fi + install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544 install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-down.d/shorewall 0544 fi @@ -453,7 +490,7 @@ esac if [ -z "$DESTDIR" ]; then - if [ -n "$first_install" ]; then + if [ $configure -eq 1 -a -n "$first_install" ]; then if [ $HOST = debian ]; then if mywhich insserv; then if insserv ${INITDIR}/shorewall-init; then 
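Review bot: the NetworkManager and debian branches in this hunk duplicate every install_file call, once with `/etc` and once with `${CONFDIR}`, keyed on `$configure`. Compute the prefix once (`/etc` when configure=1, `${CONFDIR}` otherwise) and keep a single set of install lines; that also removes the drift already visible here, where the `-d ${DESTDIR}/etc/NetworkManager` test inspects /etc but the configure=0 branch installs under `${CONFDIR}/NetworkManager/dispatcher.d/`, a tree the test never looked at.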
@@ -505,7 +542,7 @@ fi fi else - if [ -n "$first_install" ]; then + if [ $configure -eq 1 -a -n "$first_install" ]; then if [ $HOST = debian ]; then if [ -n "${DESTDIR}" ]; then mkdir -p ${DESTDIR}/etc/rcS.d diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.3.4/releasenotes.txt new/shorewall-init-4.6.4.3/releasenotes.txt --- old/shorewall-init-4.6.3.4/releasenotes.txt 2014-09-16 17:18:06.000000000 +0200 +++ new/shorewall-init-4.6.4.3/releasenotes.txt 2014-10-19 17:16:42.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 3 . 4 + S H O R E W A L L 4 . 6 . 4 . 3 ------------------------------------ - S e p t e m b e r 1 6 , 2 0 1 4 + O c t o b e r 2 0 , 2 0 1 4 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,81 +14,82 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.3.4 +4.6.4.3 -1) The 'Universal' configurations previously failed to start with the - diagnostic +1) The fix for LOGBACKEND in 4.6.4.2 worked on some older + distributions but not on newer ones. This release fixes the problem + in the remaining cases. - ERROR: No network interface available: Firewall state not changed +4.6.4.2 -2) A defect introduced in 4.6.3 prevented Shorewall-init from starting - when required interfaces were present. +1) Setting LOGBACKEND=ipt_LOG could result in the following startup + failure at boot: -3) The defect repair from 4.6.2.5 (see below) was inadvertently - omitted from 4.6.3. It has now been merged into this release. + Starting shorewall ... + /var/lib/shorewall/firewall: line 2080: echo: write error: No such file or directory + WARNING: Unable to set log backend to ipt_LOG -4.6.3.3 +4.6.4.1 -1) Including a PREROUTING SECTION in the accounting file - unconditionally resulted in a fatal error: +1) Confusing 'usage' output was produced under the following + conditions: - ERROR: The PREROUTING SECTION is not allowed when - ACCOUNTING_TABLE=filter + a) 4.6.4 installed -2) Previously, the compiler could generate many superfluous rules to - enforce the 'tcpflags', 'nosmurfs' and 'maclist' interface options. + b) The running firewall was compiled on an earlier release. -4.6.3.2 + c) A 'safe-start', 'save-restart', 'save' or 'try' command is + executed. -1) The shorewall[6]-actions manpages previously contained incorrect - examples of the usage of table names with builtin actions. + This problem has been corrected. - Incorrect: +2) The 'optional' option has been removed from the IPv4 Universal + interfaces file, as that option caused startup failures. - FOOBAR,filter,mangle +4.6.4 Final. - Correct: +1) This release includes defect repair through release 4.6.3.4. 
- FOOBAR builtin,filter,mangle +2) Two corrections have been made to the .service files: -2) Previously, if /etc/iproute2/rt_tables was not writeable, then - KEEP_RT_TABLES=No behaved like KEEP_RT_TABLES=Yes. Now, a warning - message is issued if that file is not writeable and KEEP_RT_TABLES - is set to No. + - The .service files now correctly specify - WARNING: /etc/iproute2/rt_tables is missing or is not writeable + WantedBy=basic.target -3) In earlier 4.6.3 versions, the help text from shorewall-lite and - shorewall6-lite included two versions of the 'run' command. + - Conflicting services have been added. - run <command> [ <parameter> ... ] - .. - run <function> [ <parameter> ... ] +3) A warning message generated during stoppedrules processing + previously referred to the file as routestopped. - The second one has now been deleted. +4) Previously, the stoppedrules file did not work properly when + ADMINISABSENTMINDED=No. -4.6.3.1 - -1) The DNSAmp action released in 4.6.3 matched more packets than it - should have. That has now been corrected. + - A warning message was issued stating that the file would be + processed as if ADMINISABSENTMINDED=Yes, and it was. -2) The handling of REJECT in IP[6]TABLES rules has been clarified in - the shorewall-rules(5) and shorewall6-rules(5) manpages. + - Unfortunately, part of the surrounding rule-generating logic + proceded as if ADMINISABSENTMINDED=No, leading to an unusable + ruleset. -3) The following misleading error message has now been corrected: + This problem has been corrected by changing the way that + stoppedrules works with ADMINISABSENTMINDED=No. In the new + implementation: - ERROR: The xxx TARGET is now allowed in the filter table + - All existing connections continue to work. + - Response packets and related connection requests to new accepted + connections are accepted (in other words, the resulting ruleset + is stateful). - The message now reads: + See shorewall[6].conf(5) for additional details. 
- ERROR: The xxx TARGET is not allowed in the filter table +5) The .spec files now set SBINDIR correctly. -4.6.3 +6) The -lite installers now create INITDIR if it doesn't exist. -1) This release contains defect repair up through release 4.6.2.5. +7) The installers no longer attempt to create a symbolic link to the + init script when no init script is installed. -2) The SAVE_IPSETS option in the Debian version of Shorewall-init now - works correctly. Thomas D. +8) A large number of defects in the uninstallers have been corrected. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
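Review bot: in the PROBLEMS CORRECTED hunk of shorewall-init releasenotes.txt, items 4.6.4.3 1) and 4.6.4.2 1) call the option LOGBACKEND, while the NEW FEATURES section below and the changelog in this patch spell it LOG_BACKEND; use the real option name so a user who hits the boot failure can grep for it. Item 4.6.4 2) says only "Conflicting services have been added": name them (`Conflicts=iptables.service firewalld.service`, per the .service hunk further down), since enabling shorewall-init will now stop firewalld on hosts that run it. Item 4.6.4 4) has "proceded" for "proceeded", and the "4.6.4 Final." heading carries a trailing period the other version headings lack.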
@@ -101,25 +102,39 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.3.2 - -1) Eric Teeter has contributed a Citrix Goto Meeting macro. - -4.6.3 - -1) A new 'run' command has been implemented. This command allows you - to run an arbitrary command in the context of the generated - script. - - shorewall[6][-lite] run <command> [ <parameter> ... ] +1) Install support for Centos 7 and Foobar 7 has been added (Tuomo + Soini). - Normally, <command> will be a function declared in lib.private. - -2) A DNSAmp action has been added. This action matches recursive UDP - DNS queries. The default disposition is DROP which can be - overridden by the single action parameter (e.g, 'DNSAmp(REJECT)' - will reject these queries). Recursive DNS queries are the basis for - 'DNS Amplification' attacks; hence the action name. +2) A 'terminating' option has been added to shorewall[6].actions. + this option, when used with the 'builtin' option, indicates to the + compiler that the built-in action is terminating. This allows the + optimizer to omit rules after an unconditional jump to the + built-in. + +3) A LOG_BACKEND option has been added to allow specification of the + default logging backends. See shorewall.conf(5) and + shorewall6.conf(5) for details. + +4) The SAVE_IPSETS option may now specify a list of ipsets to be + saved. When such a list is specified, only those ipsets together + with the ipsets supporting dynamic zones are saved. + + Shorewall6 now supports the SAVE_IPSETS option. When + SAVE_IPSETS=Yes, only ipv6 ipsets are saved. For Shorewall, if + SAVE_IPSETS=ipv4, then only ipv4 ipsets are saved. Both features + require ipset version 5 or later. + + Note that shorewall.conf and shorewall6.conf may now both specify + SAVE_IPSETS. + +5) The SBINDIR setting for SuSE now defaults to /usr/sbin/. 
+ +6) With the exception of Shorewall-core, the tarball installers and + uninstallers now support a -n option which inhibits any attempt to + change the startup configuration. The -n option can be + automatically invoked by setting the SANDBOX variable to a + non-empty value, either in the environment or in your shorewallrc + file. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
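Review bot: item 3 of the NEW FEATURES hunk documents LOG_BACKEND without the condition that the selected backend module must already be loaded. The 4.6.4.2 and 4.6.4.3 fixes in this same patch consist of adding ipt_LOG and xt_LOG to the helpers files (see the shorewall-lite changelog and helpers hunks below), and the "echo: write error: No such file or directory" quoted in the 4.6.4.2 entry is what a user sees when the module is absent; say which modules are attempted for each backend value. Also "Centos" should be "CentOS", and in item 2 "this option" after the period needs a capital.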
@@ -390,9 +405,64 @@ CONDITION HELPER +17) Prior to Shorewall 4.6.4, the stoppedrules file did not work + properly when ADMINISABSENTMINDED=No. + + - A warning message was issued stating that the file would be + processed as if ADMINISABSENTMINDED=Yes, and it was. + + - Unfortunately, part of the surrounding rule-generating logic + proceded as if ADMINISABSENTMINDED=No, leading to an unusable + ruleset. + + In Shorewall 4.6.4, this problem was corrected by changing the way + that stoppedrules works with ADMINISABSENTMINDED=No. In the new + implementation: + + - All existing connections continue to work. + - Response packets and related connection requests to new accepted + connections are accepted (in other words, the resulting ruleset + is stateful). + + See shorewall[6].conf(5) for additional details. + ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 3 +---------------------------------------------------------------------------- + +4.6.3.1 + +1) The DNSAmp action released in 4.6.3 matched more packets than it + should have. That has now been corrected. + +4.6.3 + +1) This release contains defect repair up through release 4.6.2.5. + +2) The SAVE_IPSETS option in the Debian version of Shorewall-init now + works correctly. Thomas D. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 3 +---------------------------------------------------------------------------- + +1) A new 'run' command has been implemented. This command allows you + to run an arbitrary command in the context of the generated + script. + + shorewall[6][-lite] run <command> [ <parameter> ... ] + + Normally, <command> will be a function declared in lib.private. + +2) A DNSAmp action has been added. 
This action matches recursive UDP + DNS queries. The default disposition is DROP which can be + overridden by the single action parameter (e.g, 'DNSAmp(REJECT)' + will reject these queries). Recursive DNS queries are the basis for + 'DNS Amplification' attacks; hence the action name. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 2 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.3.4/shorewall-init.service new/shorewall-init-4.6.4.3/shorewall-init.service --- old/shorewall-init-4.6.3.4/shorewall-init.service 2014-09-16 17:09:20.000000000 +0200 +++ new/shorewall-init-4.6.4.3/shorewall-init.service 2014-10-19 17:16:02.000000000 +0200 @@ -1,12 +1,12 @@ # -# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4 +# The Shoreline Firewall (Shorewall) Packet Filtering Firewall # -# Copyright 2011 Jonathan Underwood ([email protected]) +# Copyright 2011 Jonathan Underwood <[email protected]> # [Unit] -Description=Shorewall IPv4 firewall -After=syslog.target +Description=Shorewall IPv4 firewall (bootup security) Before=network.target +Conflicts=iptables.service firewalld.service [Service] Type=oneshot @@ -17,4 +17,4 @@ ExecStop=/sbin/shorewall-init $OPTIONS stop [Install] -WantedBy=multi-user.target +WantedBy=basic.target diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.3.4/shorewall-init.spec new/shorewall-init-4.6.4.3/shorewall-init.spec --- old/shorewall-init-4.6.3.4/shorewall-init.spec 2014-09-16 17:18:06.000000000 +0200 +++ new/shorewall-init-4.6.4.3/shorewall-init.spec 2014-10-19 17:16:42.000000000 +0200 
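Review bot: item 17 in the MIGRATION ISSUES hunk repeats the 4.6.4 PROBLEMS CORRECTED item 4 word for word, "proceded" included. Keep the text once (the migration section is the one that survives across releases) and have the other entry reference it, so the two copies cannot drift apart.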
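Review bot: in the shorewall-init.service hunk, `Conflicts=iptables.service firewalld.service` is symmetric: a later start of firewalld.service stops this unit, and if the unit has RemainAfterExit=yes (the [Service] lines are outside this hunk) that runs `ExecStop=/sbin/shorewall-init $OPTIONS stop`, i.e. firewalld starting, not an administrator, decides when the boot-time firewall is torn down. That belongs in the release notes, which currently say only "Conflicting services have been added". Separately, for a unit described as "bootup security", `Before=network.target` by itself gives no ordering against NetworkManager, which is itself ordered before network.target; `Before=network-pre.target` plus `Wants=network-pre.target` is the hook systemd documents for firewalls, where the installed systemd provides that target.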
@@ -1,6 +1,6 @@ %define name shorewall-init -%define version 4.6.3 -%define release 4 +%define version 4.6.4 +%define release 3 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} @@ -37,7 +37,8 @@ --prefix=%{_prefix} \ --tmpdir=%{_tmpdir} \ --perllibdir=%{perl_vendorlib} \ - --libexecdir=%{_libexecdir} + --libexecdir=%{_libexecdir} \ + --sbindir=%{_sbindir} DESTDIR=%{buildroot} ./install.sh @@ -47,10 +48,10 @@ %post if [ $1 -eq 1 ]; then - if [ -x /sbin/insserv ]; then - /sbin/insserv %{_initddir}/shorewall-init - elif [ -x /sbin/chkconfig ]; then - /sbin/chkconfig --add shorewall-init; + if [ -x %{_sbindir}/insserv ]; then + %{_sbindir}/insserv %{_initddir}/shorewall-init + elif [ -x %{_sbindir}/chkconfig ]; then + %{_sbindir}/chkconfig --add shorewall-init; fi fi 
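Review bot: `[ -x %{_sbindir}/insserv ]` and `[ -x %{_sbindir}/chkconfig ]` in the %post hunk assume the init tools live under %{_sbindir}. On a non-usrmerged host %{_sbindir} expands to /usr/sbin while insserv and chkconfig are in /sbin, exactly where the replaced lines looked for them, so both tests fail and the service is silently never registered. Test with `command -v insserv` (or keep the /sbin paths for these two tools); %{_sbindir} is the right choice only for files this package installs itself.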
@@ -64,16 +65,16 @@ done fi else - if [ -f /sbin/ifup-local -o -f /sbin/ifdown-local ]; then - if ! grep -q Shorewall /sbin/ifup-local || ! grep -q Shorewall /sbin/ifdown-local; then - echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; ifup/ifdown events will not be handled" >&2 + if [ -f %{_sbindir}/ifup-local -o -f %{_sbindir}/ifdown-local ]; then + if ! grep -q Shorewall %{_sbindir}/ifup-local || ! grep -q Shorewall %{_sbindir}/ifdown-local; then + echo "WARNING: %{_sbindir}/ifup-local and/or %{_sbindir}/ifdown-local already exist; ifup/ifdown events will not be handled" >&2 else - cp -pf %{_libexecdir}/shorewall-init/ifupdown /sbin/ifup-local - cp -pf %{_libexecdir}/shorewall-init/ifupdown /sbin/ifdown-local + cp -pf %{_libexecdir}/shorewall-init/ifupdown %{_sbindir}/ifup-local + cp -pf %{_libexecdir}/shorewall-init/ifupdown %{_sbindir}/ifdown-local fi else - cp -pf %{_libexecdir}/shorewall-init/ifupdown /sbin/ifup-local - cp -pf %{_libexecdir}/shorewall-init/ifupdown /sbin/ifdown-local + cp -pf %{_libexecdir}/shorewall-init/ifupdown %{_sbindir}/ifup-local + cp -pf %{_libexecdir}/shorewall-init/ifupdown %{_sbindir}/ifdown-local fi if [ -d /etc/ppp ]; then 
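Review bot: the %post hunk moves ifup-local/ifdown-local from /sbin to %{_sbindir}, but those two names are not this package's to choose: the Red Hat network-scripts (ifup-post and ifdown-post) execute /sbin/ifup-local and /sbin/ifdown-local by that literal path. With %{_sbindir}=/usr/sbin on a host where /sbin is a real directory the hooks land where nothing calls them and interface events stop reaching Shorewall-init, and the WARNING now names a path the network scripts never consult. Keep /sbin here, or make the substitution conditional on /sbin being a symlink to /usr/sbin; the %preun hunk that removes the files needs the same treatment.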
@@ -95,14 +96,14 @@ %preun if [ $1 -eq 0 ]; then - if [ -x /sbin/insserv ]; then - /sbin/insserv -r %{_initddir}/shorewall-init - elif [ -x /sbin/chkconfig ]; then - /sbin/chkconfig --del shorewall-init + if [ -x %{_sbindir}/insserv ]; then + %{_sbindir}/insserv -r %{_initddir}/shorewall-init + elif [ -x %{_sbindir}/chkconfig ]; then + %{_sbindir}/chkconfig --del shorewall-init fi - [ -f /sbin/ifup-local ] && grep -q Shorewall /sbin/ifup-local && rm -f /sbin/ifup-local - [ -f /sbin/ifdown-local ] && grep -q Shorewall /sbin/ifdown-local && rm -f /sbin/ifdown-local + [ -f %{_sbindir}/ifup-local ] && grep -q Shorewall %{_sbindir}/ifup-local && rm -f %{_sbindir}/ifup-local + [ -f %{_sbindir}/ifdown-local ] && grep -q Shorewall %{_sbindir}/ifdown-local && rm -f %{_sbindir}/ifdown-local [ -f /etc/ppp/ip-up.local ] && grep -q Shorewall-based /etc/ppp/ip-up.local && rm -f /etc/ppp/ip-up.local [ -f /etc/ppp/ip-down.local ] && grep -q Shorewall-based /etc/ppp/ip-down.local && rm -f /etc/ppp/ip-down.local 
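Review bot: the %preun hunk keeps the `[ -f ... ] && grep -q ... && rm -f ...` chains. Each returns non-zero whenever the file is absent or not ours, and if one of them is the last command of the scriptlet (its closing lines are outside this hunk) rpm treats %preun as failed and refuses to erase the package. Write them as `if` statements or append `|| :`. The path concern raised on the %post hunk applies here too: removal has to look where the files were actually installed.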
@@ -125,12 +126,22 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Sun Sep 14 2014 Tom Eastep [email protected] -- Updated to 4.6.3-4 -* Wed Sep 10 2014 Tom Eastep [email protected] -- Updated to 4.6.3-3 -* Sat Aug 30 2014 Tom Eastep [email protected] -- Updated to 4.6.3-2 +* Sun Oct 19 2014 Tom Eastep [email protected] +- Updated to 4.6.4-3 +* Wed Oct 15 2014 Tom Eastep [email protected] +- Updated to 4.6.4-2 +* Fri Oct 10 2014 Tom Eastep [email protected] +- Updated to 4.6.4-1 +* Mon Oct 06 2014 Tom Eastep [email protected] +- Updated to 4.6.4-0base +* Thu Oct 02 2014 Tom Eastep [email protected] +- Updated to 4.6.4-0RC1 +* Sun Sep 28 2014 Tom Eastep [email protected] +- Updated to 4.6.4-0Beta3 +* Wed Sep 24 2014 Tom Eastep [email protected] +- Updated to 4.6.4-0Beta2 +* Sun Aug 24 2014 Tom Eastep [email protected] +- Updated to 4.6.4-0Beta1 * Thu Aug 21 2014 Tom Eastep [email protected] - Updated to 4.6.3-1 * Thu Aug 14 2014 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.3.4/shorewallrc.suse new/shorewall-init-4.6.4.3/shorewallrc.suse --- old/shorewall-init-4.6.3.4/shorewallrc.suse 2014-09-16 17:18:06.000000000 +0200 +++ new/shorewall-init-4.6.4.3/shorewallrc.suse 2014-10-19 17:16:42.000000000 +0200 
@@ -8,7 +8,7 @@ SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. LIBEXECDIR=${PREFIX}/lib #Directory for executable scripts. PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2 #Directory to install Shorewall Perl module directory -SBINDIR=/sbin #Directory where system administration programs are installed +SBINDIR=/usr/sbin #Directory where system administration programs are installed MANDIR=${SHAREDIR}/man/ #Directory where manpages are installed. INITDIR=/etc/init.d #Directory where SysV init scripts are installed. INITFILE=$PRODUCT #Name of the product's SysV init script diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.3.4/uninstall.sh new/shorewall-init-4.6.4.3/uninstall.sh --- old/shorewall-init-4.6.3.4/uninstall.sh 2014-09-16 17:18:06.000000000 +0200 +++ new/shorewall-init-4.6.4.3/uninstall.sh 2014-10-19 17:16:42.000000000 +0200 @@ -1,4 +1,4 @@ -\#!/bin/sh +#!/bin/sh # # Script to back uninstall Shoreline Firewall # @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.3.4 +VERSION=4.6.4.3 usage() # $1 = exit status { @@ -69,6 +69,42 @@ fi } +finished=0 +configure=1 + +while [ $finished -eq 0 ]; do + option=$1 + + case "$option" in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + h) + usage 0 + ;; + v) + echo "$Product Firewall Installer Version $VERSION" + exit 0 + ;; + n*) + configure=0 + option=${option#n} + ;; + *) + usage 1 + ;; + esac + done + + shift + ;; + *) + finished=1 + ;; + esac +done # # Read the RC file # 
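Review bot: in the option loop added to shorewall-init uninstall.sh, `-v` prints "$Product Firewall Installer Version $VERSION"; this is the uninstaller (the loop was copied from install.sh), so say Uninstaller, and check that `$Product` is assigned somewhere in this file, since nothing in the visible lines sets it and the shorewall-init installer uses the literal "Shorewall-init" instead. The shebang fix (`-\#!/bin/sh` to `#!/bin/sh`) is right; with the leading backslash the file had no valid interpreter line at all.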
@@ -114,22 +150,29 @@ echo "Uninstalling Shorewall Init $VERSION" +[ -n "$SANDBOX" ] && configure=0 + INITSCRIPT=${CONFDIR}/init.d/shorewall-init if [ -f "$INITSCRIPT" ]; then - if mywhich updaterc.d ; then - updaterc.d shorewall-init remove - elif mywhich insserv ; then - insserv -r $INITSCRIPT - elif mywhich chkconfig ; then - chkconfig --del $(basename $INITSCRIPT) - elif mywhich systemctl ; then - systemctl disable shorewall-init + if [ $configure -eq 1 ]; then + if mywhich updaterc.d ; then + updaterc.d shorewall-init remove + elif mywhich insserv ; then + insserv -r $INITSCRIPT + elif mywhich chkconfig ; then + chkconfig --del $(basename $INITSCRIPT) + fi fi remove_file $INITSCRIPT fi +if [ -n "$SYSTEMD" ]; then + [ $configure -eq 1 ] && systemctl disable shorewall-init.service + rm -f $SYSTEMD/shorewall-init.service +fi + [ "$(readlink -m -q ${SBINDIR}/ifup-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local @@ -159,8 +202,9 @@ done fi +rm -f ${SBINDIR}/shorewall-init rm -rf ${SHAREDIR}/shorewall-init -rm -rf ${LIBEXEC}/shorewall-init +rm -rf ${LIBEXECDIR}/shorewall-init echo "Shorewall Init Uninstalled" ++++++ shorewall-lite-4.6.3.4.tar.bz2 -> shorewall-lite-4.6.4.3.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.3.4/changelog.txt new/shorewall-lite-4.6.4.3/changelog.txt --- old/shorewall-lite-4.6.3.4/changelog.txt 2014-09-16 17:18:06.000000000 +0200 +++ new/shorewall-lite-4.6.4.3/changelog.txt 2014-10-19 16:59:58.000000000 +0200 
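Review bot: `rm -rf ${LIBEXEC}/shorewall-init` to `rm -rf ${LIBEXECDIR}/shorewall-init` fixes the variable name, but the removed line documents the failure mode this script still has no guard against: with the variable unset it expanded to `rm -rf /shorewall-init` and ran without complaint. Any of SBINDIR, SHAREDIR, LIBEXECDIR or SYSTEMD being empty here turns the rm lines into deletions directly under /; add `set -u` or an explicit non-empty check before them and quote the expansions. One behavioural change to confirm is intended: the removed `elif mywhich systemctl` branch used to disable the unit on a systemd host that has only the init script, and the new `[ -n "$SYSTEMD" ]` block does nothing when SYSTEMD is empty in the rc file.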
@@ -1,3 +1,72 @@ +Changes in 4.6.4.3 + +1) Update release documents + +2) Add xt_LOG to the helpers files. + +Changes in 4.6.4.2 + +1) Update release documents + +2) Add ipt_LOG to the helpers files. + +Changes in 4.6.4.1 + +1) Update release documents + +2) Eliminate confusing output during 'save', 'safe-*' and 'try' + commands. + +3) Remove 'optional' from the Universal interfaces file. + +Changes in 4.6.4 Final + +1) Update release documents + +Changes in 4.6.4 RC 1 + +1) Update release documents + +2) Added FAQ 104 (kernel log messages during compile). + +3) Create INITD in the -lite installer. + +4) Don't link init script if there is none. + +5) Add -n option to the installers and uninstallers. + +6) Support SANDBOX in the installers and uninstallers. + +7) Correct many defects in the uninstallers. + +Changes in 4.6.4 Beta 3 + +1) Update release documents + +2) Allow SAVE_IPSETS to specify a list of ipset names. + +3) Document .spec and actions.std fixes. + +3) Packaging changes. + +Changes in 4.6.4-Beta 2 + +1) Update release documents + +2) Correct minor issue in a warning message. + +3) Implement LOG_BACKEND. + +4) Correct stoppedrules/ADMINISABSENTMINDED=No + +Changes in 4.6.4-Beta 1 + +1) Update release documents + +2) Install support for Centos 7 and Foobar 7 + +3) Tweaks to .service files. + Changes in 4.6.3.4 1) Update release documents diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.3.4/configure new/shorewall-lite-4.6.4.3/configure --- old/shorewall-lite-4.6.3.4/configure 2014-09-16 17:18:06.000000000 +0200 +++ new/shorewall-lite-4.6.4.3/configure 2014-10-19 16:59:59.000000000 +0200 
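Review bot: in the shorewall-lite changelog hunk, "Changes in 4.6.4 Beta 3" has two items numbered 3), and "Centos" (Beta 1, item 2) should be "CentOS". The 4.6.4.2 and 4.6.4.3 entries ("Add ipt_LOG / xt_LOG to the helpers files") are the actual LOG_BACKEND fix; saying so would let a reader connect them to the release-notes items that describe the boot failure.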
@@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.3.4 +VERSION=4.6.4.3 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.3.4/configure.pl new/shorewall-lite-4.6.4.3/configure.pl --- old/shorewall-lite-4.6.3.4/configure.pl 2014-09-16 17:18:06.000000000 +0200 +++ new/shorewall-lite-4.6.4.3/configure.pl 2014-10-19 16:59:59.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.3.4' + VERSION => '4.6.4.3' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.3.4/helpers new/shorewall-lite-4.6.4.3/helpers --- old/shorewall-lite-4.6.3.4/helpers 2014-09-16 17:18:06.000000000 +0200 +++ new/shorewall-lite-4.6.4.3/helpers 2014-10-19 16:59:58.000000000 +0200 @@ -57,3 +57,13 @@ loadmodule nf_nat_sip loadmodule nf_nat_snmp_basic loadmodule nf_nat_tftp +# +# While not actually helpers, these are handy to have. Not +# all of these will be found on any given system, since +# some are aliases on later kernels. +# +loadmodule ipt_LOG +loadmodule xt_LOG +loadmodule xt_NFLOG +loadmodule ipt_ULOG +loadmodule nfnetlink_log diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.3.4/install.sh new/shorewall-lite-4.6.4.3/install.sh --- old/shorewall-lite-4.6.3.4/install.sh 2014-09-16 17:18:06.000000000 +0200 +++ new/shorewall-lite-4.6.4.3/install.sh 2014-10-19 16:59:58.000000000 +0200 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=4.6.3.4 +VERSION=4.6.4.3 usage() # $1 = exit status { @@ -30,6 +30,7 @@ echo "usage: $ME [ <configuration-file> ]" echo " $ME -v" echo " $ME -h" + echo " $ME -n" exit $1 } @@ -113,9 +114,13 @@ # Parse the run line # finished=0 +configure=1 while [ $finished -eq 0 ] ; do - case "$1" in + + option=$1 + + case "$option" in -*) option=${option#-} 
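Review bot: the helpers hunk adds ipt_LOG, xt_LOG, xt_NFLOG, ipt_ULOG and nfnetlink_log under a comment that calls them "handy to have". They are load-bearing: the 4.6.4.2 and 4.6.4.3 release-notes entries in this patch describe LOG_BACKEND=ipt_LOG failing with "echo: write error: No such file or directory" until the module is present, and this hunk is the fix. Say so in the comment so nobody trims the list later. The comment also relies on the loader tolerating a module that is not found; ULOG is the deprecated predecessor of NFLOG and is absent on newer kernels, so confirm that behaviour before shipping `loadmodule ipt_ULOG` unconditionally.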
@@ -128,6 +133,10 @@ echo "$Product Firewall Installer Version $VERSION" exit 0 ;; + n*) + configure=0 + option=${option#n} + ;; *) usage 1 ;; @@ -186,6 +195,8 @@ PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR} +[ -n "$SANDBOX" ] && configure=0 + # # Determine where to install the firewall script # @@ -206,7 +217,7 @@ eval $(cat /etc/os-release | grep ^ID) case $ID in - fedora|rhel) + fedora|rhel|centos|foobar) BUILD=redhat ;; debian) @@ -346,6 +357,7 @@ delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544 +[ -n "${INITFILE}" ] && install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR} echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT" @@ -358,7 +370,7 @@ mkdir -p ${DESTDIR}${VARDIR} chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT -chmod 755 ${DESTDIR}/usr/share/$PRODUCT +chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT if [ -n "$DESTDIR" ]; then mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d @@ -466,18 +478,18 @@ if [ -d manpages ]; then cd manpages - [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${SHAREDIR}/man/man5/ ${DESTDIR}${SHAREDIR}/man/man8/ + [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/ for f in *.5; do gzip -c $f > $f.gz - run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man5/$f.gz - echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man5/$f.gz" + run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz + echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz" done for f in *.8; do gzip -c $f > $f.gz - run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man8/$f.gz - echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man8/$f.gz" + run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz + echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz" done cd .. 
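Review bot: the context line `PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}` in the shorewall-lite install.sh hunk was written for SBINDIR=/sbin. This same patch changes shorewallrc.suse to SBINDIR=/usr/sbin, and with that value the line yields /usr/usr/sbin and /usr/local/usr/sbin while dropping /sbin entirely, so `mywhich insserv` / `chkconfig` and anything else that lives only in /sbin on a non-usrmerged SUSE host is not found. Use fixed entries as the shorewall-init installer above does (`PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin`) and prepend ${SBINDIR}.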
@@ -499,7 +511,7 @@ # Remove and create the symbolic link to the init script # -if [ -z "$DESTDIR" ]; then +if [ -z "${DESTDIR}" -a -n "${INITFILE}" ]; then rm -f ${SHAREDIR}/$PRODUCT/init ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init fi @@ -526,7 +538,7 @@ eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SBINDIR}/$PRODUCT fi -if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then +if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then if [ -n "$SYSTEMD" ]; then if systemctl enable ${PRODUCT}.service; then echo "$Product will start automatically at boot" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.3.4/manpages/shorewall-lite-vardir.5 new/shorewall-lite-4.6.4.3/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-4.6.3.4/manpages/shorewall-lite-vardir.5 2014-09-16 17:21:26.000000000 +0200 +++ new/shorewall-lite-4.6.4.3/manpages/shorewall-lite-vardir.5 2014-10-19 17:03:23.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 09/16/2014 +.\" Date: 10/19/2014 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "09/16/2014" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\-VAR" "5" "10/19/2014" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.3.4/manpages/shorewall-lite.8 new/shorewall-lite-4.6.4.3/manpages/shorewall-lite.8 --- old/shorewall-lite-4.6.3.4/manpages/shorewall-lite.8 2014-09-16 17:21:27.000000000 +0200 +++ new/shorewall-lite-4.6.4.3/manpages/shorewall-lite.8 2014-10-19 17:03:24.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 09/16/2014 +.\" Date: 10/19/2014 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "09/16/2014" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL\-LITE" "8" "10/19/2014" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.3.4/manpages/shorewall-lite.conf.5 new/shorewall-lite-4.6.4.3/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-4.6.3.4/manpages/shorewall-lite.conf.5 2014-09-16 17:21:24.000000000 +0200 +++ new/shorewall-lite-4.6.4.3/manpages/shorewall-lite.conf.5 2014-10-19 17:03:21.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 09/16/2014 +.\" Date: 10/19/2014 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "09/16/2014" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\&.CO" "5" "10/19/2014" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.3.4/releasenotes.txt new/shorewall-lite-4.6.4.3/releasenotes.txt --- old/shorewall-lite-4.6.3.4/releasenotes.txt 2014-09-16 17:18:06.000000000 +0200 +++ new/shorewall-lite-4.6.4.3/releasenotes.txt 2014-10-19 16:59:58.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 3 . 4 + S H O R E W A L L 4 . 6 . 4 . 3 ------------------------------------ - S e p t e m b e r 1 6 , 2 0 1 4 + O c t o b e r 2 0 , 2 0 1 4 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,81 +14,82 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.3.4 +4.6.4.3 -1) The 'Universal' configurations previously failed to start with the - diagnostic +1) The fix for LOGBACKEND in 4.6.4.2 worked on some older + distributions but not on newer ones. This release fixes the problem + in the remaining cases. - ERROR: No network interface available: Firewall state not changed +4.6.4.2 -2) A defect introduced in 4.6.3 prevented Shorewall-init from starting - when required interfaces were present. +1) Setting LOGBACKEND=ipt_LOG could result in the following startup + failure at boot: -3) The defect repair from 4.6.2.5 (see below) was inadvertently - omitted from 4.6.3. It has now been merged into this release. + Starting shorewall ... + /var/lib/shorewall/firewall: line 2080: echo: write error: No such file or directory + WARNING: Unable to set log backend to ipt_LOG -4.6.3.3 +4.6.4.1 -1) Including a PREROUTING SECTION in the accounting file - unconditionally resulted in a fatal error: +1) Confusing 'usage' output was produced under the following + conditions: - ERROR: The PREROUTING SECTION is not allowed when - ACCOUNTING_TABLE=filter + a) 4.6.4 installed -2) Previously, the compiler could generate many superfluous rules to - enforce the 'tcpflags', 'nosmurfs' and 'maclist' interface options. + b) The running firewall was compiled on an earlier release. -4.6.3.2 + c) A 'safe-start', 'save-restart', 'save' or 'try' command is + executed. -1) The shorewall[6]-actions manpages previously contained incorrect - examples of the usage of table names with builtin actions. + This problem has been corrected. - Incorrect: +2) The 'optional' option has been removed from the IPv4 Universal + interfaces file, as that option caused startup failures. - FOOBAR,filter,mangle +4.6.4 Final. - Correct: +1) This release includes defect repair through release 4.6.3.4. 
- FOOBAR builtin,filter,mangle +2) Two corrections have been made to the .service files: -2) Previously, if /etc/iproute2/rt_tables was not writeable, then - KEEP_RT_TABLES=No behaved like KEEP_RT_TABLES=Yes. Now, a warning - message is issued if that file is not writeable and KEEP_RT_TABLES - is set to No. + - The .service files now correctly specify - WARNING: /etc/iproute2/rt_tables is missing or is not writeable + WantedBy=basic.target -3) In earlier 4.6.3 versions, the help text from shorewall-lite and - shorewall6-lite included two versions of the 'run' command. + - Conflicting services have been added. - run <command> [ <parameter> ... ] - .. - run <function> [ <parameter> ... ] +3) A warning message generated during stoppedrules processing + previously referred to the file as routestopped. - The second one has now been deleted. +4) Previously, the stoppedrules file did not work properly when + ADMINISABSENTMINDED=No. -4.6.3.1 - -1) The DNSAmp action released in 4.6.3 matched more packets than it - should have. That has now been corrected. + - A warning message was issued stating that the file would be + processed as if ADMINISABSENTMINDED=Yes, and it was. -2) The handling of REJECT in IP[6]TABLES rules has been clarified in - the shorewall-rules(5) and shorewall6-rules(5) manpages. + - Unfortunately, part of the surrounding rule-generating logic + proceded as if ADMINISABSENTMINDED=No, leading to an unusable + ruleset. -3) The following misleading error message has now been corrected: + This problem has been corrected by changing the way that + stoppedrules works with ADMINISABSENTMINDED=No. In the new + implementation: - ERROR: The xxx TARGET is now allowed in the filter table + - All existing connections continue to work. + - Response packets and related connection requests to new accepted + connections are accepted (in other words, the resulting ruleset + is stateful). - The message now reads: + See shorewall[6].conf(5) for additional details. 
- ERROR: The xxx TARGET is not allowed in the filter table +5) The .spec files now set SBINDIR correctly. -4.6.3 +6) The -lite installers now create INITDIR if it doesn't exist. -1) This release contains defect repair up through release 4.6.2.5. +7) The installers no longer attempt to create a symbolic link to the + init script when no init script is installed. -2) The SAVE_IPSETS option in the Debian version of Shorewall-init now - works correctly. Thomas D. +8) A large number of defects in the uninstallers have been corrected. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -101,25 +102,39 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.3.2 - -1) Eric Teeter has contributed a Citrix Goto Meeting macro. - -4.6.3 - -1) A new 'run' command has been implemented. This command allows you - to run an arbitrary command in the context of the generated - script. - - shorewall[6][-lite] run <command> [ <parameter> ... ] +1) Install support for Centos 7 and Foobar 7 has been added (Tuomo + Soini). - Normally, <command> will be a function declared in lib.private. - -2) A DNSAmp action has been added. This action matches recursive UDP - DNS queries. The default disposition is DROP which can be - overridden by the single action parameter (e.g, 'DNSAmp(REJECT)' - will reject these queries). Recursive DNS queries are the basis for - 'DNS Amplification' attacks; hence the action name. +2) A 'terminating' option has been added to shorewall[6].actions. + this option, when used with the 'builtin' option, indicates to the + compiler that the built-in action is terminating. This allows the + optimizer to omit rules after an unconditional jump to the + built-in. + +3) A LOG_BACKEND option has been added to allow specification of the + default logging backends. See shorewall.conf(5) and + shorewall6.conf(5) for details. + +4) The SAVE_IPSETS option may now specify a list of ipsets to be + saved. When such a list is specified, only those ipsets together + with the ipsets supporting dynamic zones are saved. + + Shorewall6 now supports the SAVE_IPSETS option. When + SAVE_IPSETS=Yes, only ipv6 ipsets are saved. For Shorewall, if + SAVE_IPSETS=ipv4, then only ipv4 ipsets are saved. Both features + require ipset version 5 or later. + + Note that shorewall.conf and shorewall6.conf may now both specify + SAVE_IPSETS. + +5) The SBINDIR setting for SuSE now defaults to /usr/sbin/. 
+ +6) With the exception of Shorewall-core, the tarball installers and + uninstallers now support a -n option which inhibits any attempt to + change the startup configuration. The -n option can be + automatically invoked by setting the SANDBOX variable to a + non-empty value, either in the environment or in your shorewallrc + file. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -390,9 +405,64 @@ CONDITION HELPER +17) Prior to Shorewall 4.6.4, the stoppedrules file did not work + properly when ADMINISABSENTMINDED=No. + + - A warning message was issued stating that the file would be + processed as if ADMINISABSENTMINDED=Yes, and it was. + + - Unfortunately, part of the surrounding rule-generating logic + proceded as if ADMINISABSENTMINDED=No, leading to an unusable + ruleset. + + In Shorewall 4.6.4, this problem was corrected by changing the way + that stoppedrules works with ADMINISABSENTMINDED=No. In the new + implementation: + + - All existing connections continue to work. + - Response packets and related connection requests to new accepted + connections are accepted (in other words, the resulting ruleset + is stateful). + + See shorewall[6].conf(5) for additional details. + ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 3 +---------------------------------------------------------------------------- + +4.6.3.1 + +1) The DNSAmp action released in 4.6.3 matched more packets than it + should have. That has now been corrected. + +4.6.3 + +1) This release contains defect repair up through release 4.6.2.5. + +2) The SAVE_IPSETS option in the Debian version of Shorewall-init now + works correctly. Thomas D. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 3 +---------------------------------------------------------------------------- + +1) A new 'run' command has been implemented. This command allows you + to run an arbitrary command in the context of the generated + script. + + shorewall[6][-lite] run <command> [ <parameter> ... ] + + Normally, <command> will be a function declared in lib.private. + +2) A DNSAmp action has been added. 
This action matches recursive UDP + DNS queries. The default disposition is DROP which can be + overridden by the single action parameter (e.g, 'DNSAmp(REJECT)' + will reject these queries). Recursive DNS queries are the basis for + 'DNS Amplification' attacks; hence the action name. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 2 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.3.4/shorewall-lite.service new/shorewall-lite-4.6.4.3/shorewall-lite.service --- old/shorewall-lite-4.6.3.4/shorewall-lite.service 2014-09-16 17:09:20.000000000 +0200 +++ new/shorewall-lite-4.6.4.3/shorewall-lite.service 2014-10-19 16:44:01.000000000 +0200 @@ -1,12 +1,12 @@ # -# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4 +# The Shoreline Firewall (Shorewall) Packet Filtering Firewall # -# Copyright 2011 Jonathan Underwood ([email protected]) +# Copyright 2011 Jonathan Underwood <[email protected]> # [Unit] Description=Shorewall IPv4 firewall (lite) -After=syslog.target After=network.target +Conflicts=iptables.service firewalld.service [Service] Type=oneshot @@ -17,4 +17,4 @@ ExecStop=/sbin/shorewall-lite $OPTIONS stop [Install] -WantedBy=multi-user.target +WantedBy=basic.target diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.3.4/shorewall-lite.spec new/shorewall-lite-4.6.4.3/shorewall-lite.spec --- old/shorewall-lite-4.6.3.4/shorewall-lite.spec 2014-09-16 17:18:06.000000000 +0200 +++ new/shorewall-lite-4.6.4.3/shorewall-lite.spec 2014-10-19 16:59:58.000000000 +0200 
@@ -1,6 +1,6 @@ %define name shorewall-lite -%define version 4.6.3 -%define release 4 +%define version 4.6.4 +%define release 3 %define initdir /etc/init.d Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. @@ -38,7 +38,8 @@ --prefix=%{_prefix} \ --tmpdir=%{_tmpdir} \ --perllibdir=%{perl_vendorlib} \ - --libexecdir=%{_libexecdir} + --libexecdir=%{_libexecdir} \ + --sbindir=%{_sbindir} DESTDIR=%{buildroot} ./install.sh @@ -54,10 +55,10 @@ %post if [ $1 -eq 1 ]; then - if [ -x /sbin/insserv ]; then - /sbin/insserv %{_initddir}/shorewall-lite - elif [ -x /sbin/chkconfig ]; then - /sbin/chkconfig --add shorewall-lite; + if [ -x %{_sbindir}/insserv ]; then + %{_sbindir}/insserv %{_initddir}/shorewall-lite + elif [ -x %{_sbindir}/chkconfig ]; then + %{_sbindir}/chkconfig --add shorewall-lite; fi elif [ -f /etc/shorewall-lite/shorewall.conf.rpmsave ]; then mv -f /etc/shorewall-lite/shorewall-lite.conf /etc/shorewall-lite/shorewall-lite.conf.rpmnew @@ -69,10 +70,10 @@ %preun if [ $1 -eq 0 ]; then - if [ -x /sbin/insserv ]; then - /sbin/insserv -r %{_initddir}/shorewall-lite - elif [ -x /sbin/chkconfig ]; then - /sbin/chkconfig --del shorewall-lite + if [ -x %{_sbindir}/insserv ]; then + %{_sbindir}/insserv -r %{_initddir}/shorewall-lite + elif [ -x %{_sbindir}/chkconfig ]; then + %{_sbindir}/chkconfig --del shorewall-lite fi fi @@ -87,7 +88,7 @@ %attr(0644,root,root) /etc/logrotate.d/shorewall-lite -%attr(0755,root,root) /sbin/shorewall-lite +%attr(0755,root,root) %{_sbindir}/shorewall-lite %attr(0644,root,root) /usr/share/shorewall-lite/version %attr(0644,root,root) /usr/share/shorewall-lite/configpath 
@@ -105,12 +106,22 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Sun Sep 14 2014 Tom Eastep [email protected] -- Updated to 4.6.3-4 -* Wed Sep 10 2014 Tom Eastep [email protected] -- Updated to 4.6.3-3 -* Sat Aug 30 2014 Tom Eastep [email protected] -- Updated to 4.6.3-2 +* Sun Oct 19 2014 Tom Eastep [email protected] +- Updated to 4.6.4-3 +* Wed Oct 15 2014 Tom Eastep [email protected] +- Updated to 4.6.4-2 +* Fri Oct 10 2014 Tom Eastep [email protected] +- Updated to 4.6.4-1 +* Mon Oct 06 2014 Tom Eastep [email protected] +- Updated to 4.6.4-0base +* Thu Oct 02 2014 Tom Eastep [email protected] +- Updated to 4.6.4-0RC1 +* Sun Sep 28 2014 Tom Eastep [email protected] +- Updated to 4.6.4-0Beta3 +* Wed Sep 24 2014 Tom Eastep [email protected] +- Updated to 4.6.4-0Beta2 +* Sun Aug 24 2014 Tom Eastep [email protected] +- Updated to 4.6.4-0Beta1 * Thu Aug 21 2014 Tom Eastep [email protected] - Updated to 4.6.3-1 * Thu Aug 14 2014 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.3.4/shorewallrc.suse new/shorewall-lite-4.6.4.3/shorewallrc.suse --- old/shorewall-lite-4.6.3.4/shorewallrc.suse 2014-09-16 17:18:06.000000000 +0200 +++ new/shorewall-lite-4.6.4.3/shorewallrc.suse 2014-10-19 16:59:59.000000000 +0200 
@@ -8,7 +8,7 @@ SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. LIBEXECDIR=${PREFIX}/lib #Directory for executable scripts. PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2 #Directory to install Shorewall Perl module directory -SBINDIR=/sbin #Directory where system administration programs are installed +SBINDIR=/usr/sbin #Directory where system administration programs are installed MANDIR=${SHAREDIR}/man/ #Directory where manpages are installed. INITDIR=/etc/init.d #Directory where SysV init scripts are installed. INITFILE=$PRODUCT #Name of the product's SysV init script diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.3.4/uninstall.sh new/shorewall-lite-4.6.4.3/uninstall.sh --- old/shorewall-lite-4.6.3.4/uninstall.sh 2014-09-16 17:18:06.000000000 +0200 +++ new/shorewall-lite-4.6.4.3/uninstall.sh 2014-10-19 16:59:58.000000000 +0200 @@ -26,12 +26,17 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.3.4 +VERSION=4.6.4.3 +PRODUCT=shorewall-lite usage() # $1 = exit status { ME=$(basename $0) - echo "usage: $ME [ <shorewallrc file> ]" + echo "usage: $ME [ <option> ] [ <shorewallrc file> ]" + echo "where <option> is one of" + echo " -h" + echo " -v" + echo " -n" exit $1 } @@ -69,6 +74,42 @@ fi } +finished=0 +configure=1 + +while [ $finished -eq 0 ]; do + option=$1 + + case "$option" in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + h) + usage 0 + ;; + v) + echo "$Product Firewall Installer Version $VERSION" + exit 0 + ;; + n*) + configure=0 + option=${option#n} + ;; + *) + usage 1 + ;; + esac + done + + shift + ;; + *) + finished=1 + ;; + esac +done # # Read the RC file # 
@@ -112,8 +153,12 @@ echo "Uninstalling Shorewall Lite $VERSION" -if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then - shorewall-lite clear +[ -n "$SANDBOX" ] && configure=0 + +if [ $configure -eq 1 ]; then + if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then + shorewall-lite clear + fi fi if [ -L ${SHAREDIR}/shorewall-lite/init ]; then @@ -123,28 +168,34 @@ fi if [ -f "$FIREWALL" ]; then - if mywhich updaterc.d ; then - updaterc.d shorewall-lite remove - elif mywhich insserv ; then - insserv -r $FIREWALL - elif [ mywhich chkconfig ; then - chkconfig --del $(basename $FIREWALL) - elif mywhich systemctl ; then - systemctl disable shorewall-lite + if [ $configure -eq 1 ]; then + if mywhich updaterc.d ; then + updaterc.d shorewall-lite remove + elif mywhich insserv ; then + insserv -r $FIREWALL + elif mywhich chkconfig ; then + chkconfig --del $(basename $FIREWALL) + fi fi remove_file $FIREWALL fi +if [ -n "$SYSTEMD" ]; then + [ $configure -eq 1 ] && systemctl disable ${PRODUCT} + rm -f $SYSTEMD/shorewall-lite.service +fi + rm -f ${SBINDIR}/shorewall-lite -rm -rf ${SBINDIR}/shorewall-lite +rm -rf ${CONFDIR}/shorewall-lite rm -rf ${VARDIR}/shorewall-lite rm -rf ${SHAREDIR}/shorewall-lite -rm -rf ${LIBEXEC}/shorewall-lite +rm -rf ${LIBEXECDIR}/shorewall-lite rm -f ${CONFDIR}/logrotate.d/shorewall-lite -[ -n "$SYSTEMD" ] && rm -f ${SYSTEMD}/shorewall-lite.service -echo "Shorewall Lite Uninstalled" +rm -f ${MANDIR}/man5/shorewall-lite* +rm -f ${MANDIR}/man8/shorewall-lite* +echo "Shorewall Lite Uninstalled" ++++++ shorewall-4.6.3.4.tar.bz2 -> shorewall6-4.6.4.3.tar.bz2 ++++++ ++++ 126168 lines of diff (skipped) ++++++ shorewall-lite-4.6.3.4.tar.bz2 -> shorewall6-lite-4.6.4.3.tar.bz2 ++++++ ++++ 8030 lines of diff (skipped) -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
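Review bot: the option name is spelled two ways inside the releasenotes.txt hunk `@@ -14,81 +14,82 @@`: the 4.6.4.3 and 4.6.4.2 entries write `LOGBACKEND` and `LOGBACKEND=ipt_LOG`, while the new-features entry and the package changelog call it `LOG_BACKEND`; pick the spelling that shorewall.conf(5) documents, since an administrator searching the notes for the option they set will otherwise miss the fix. In the same hunk, `proceded` in the ADMINISABSENTMINDED item should be `proceeded`.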
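Review bot: `Foobar 7` in item 1 of the releasenotes.txt hunk `@@ -101,25 +102,39 @@` reads like a placeholder left in the text; confirm the intended distribution name. In item 2, the `terminating` option lets the optimizer drop every rule after an unconditional jump to the built-in, so declaring a built-in terminating when it is not (a logging or marking target, for example) silently removes rules from the generated ruleset rather than producing a visible error; the entry should state that caveat. Also, `this option` at the start of the second sentence should be capitalized.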
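Review bot: item 17 in the releasenotes.txt hunk `@@ -390,9 +405,64 @@` repeats the typo `proceded` (should be `proceeded`); the paragraph is duplicated verbatim from the problems-corrected section, so fix both occurrences together.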
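Review bot: in the shorewall-lite.service hunk `@@ -1,12 +1,12 @@`, please confirm that `RemainAfterExit=yes` is present in the [Service] lines not shown, since the unit is `Type=oneshot`; without it the service is considered inactive as soon as ExecStart returns, `systemctl stop` never runs ExecStop, and the new `Conflicts=iptables.service firewalld.service` line only takes effect at start, so a later `systemctl start firewalld` would not stop Shorewall but would overwrite its ruleset. The Conflicts= line itself is the right call (two rule managers on one host clobber each other), and dropping `After=syslog.target` is correct on current systemd.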
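Review bot: the unchanged context line `ExecStop=/sbin/shorewall-lite $OPTIONS stop` in the shorewall-lite.service hunk `@@ -17,4 +17,4 @@` hardcodes /sbin, while this same patch sets `SBINDIR=/usr/sbin` in shorewallrc.suse and the spec now installs the binary as `%{_sbindir}/shorewall-lite`; on a SuSE install the unit will fail to stop the firewall unless the path is substituted at install time or a compatibility symlink exists. `WantedBy=basic.target` pulls the firewall in earlier in boot than multi-user.target did, which is appropriate for a firewall, and the `After=network.target` ordering still applies.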
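Review bot: in the shorewall-lite.spec hunk `@@ -54,10 +55,10 @@`, the unchanged `elif` branch tests for `/etc/shorewall-lite/shorewall.conf.rpmsave` but then moves `shorewall-lite.conf` to `.rpmnew`; the test should presumably be for `shorewall-lite.conf.rpmsave`, otherwise the rename never fires on upgrade. The switch from `/sbin/insserv` to `%{_sbindir}/insserv` (and likewise for chkconfig) fails silently if the tool lives elsewhere on the target: both `-x` tests are false and the init script is simply never registered. Resolving the tool with `command -v insserv` would keep the guard without depending on the directory, which is what uninstall.sh already does with `mywhich`.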
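Review bot: in the `v)` branch of the new option loop in the uninstall.sh hunk `@@ -69,6 +74,42 @@`, `$Product` is not assigned anywhere in the visible lines (the earlier hunk defines `PRODUCT=shorewall-lite`), so `-v` prints an empty product name; the message also says `Installer` in the uninstaller. Suggest `echo "Shorewall Lite Uninstaller Version $VERSION"`. The usage text lists `-n` with no explanation; one line saying that it leaves the startup configuration untouched, which is what the release notes describe, would help.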
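Review bot: the `rm -rf ${CONFDIR}/shorewall-lite`, `${VARDIR}`, `${SHAREDIR}` and `${LIBEXECDIR}` removals in the uninstall.sh hunk `@@ -123,28 +168,34 @@` run unguarded; if the rc file leaves one of those variables unset, the script removes a `/shorewall-lite` path under the root, and an empty MANDIR turns `rm -f ${MANDIR}/man5/shorewall-lite*` into a glob under `/man5`. A `set -u` near the top, or an `[ -n "$CONFDIR" ] || exit 1` style check after the rc file is read, would fail closed. Removing the configuration directory also discards the administrator's rules with no backup; consider leaving `${CONFDIR}/shorewall-lite` in place or moving it aside. The corrections in this hunk are otherwise sound: the old `elif [ mywhich chkconfig ; then` had an unbalanced `[` and would fail at runtime with a missing `]`, `rm -rf ${SBINDIR}/shorewall-lite` now correctly targets `${CONFDIR}`, and `${LIBEXEC}` now matches the `LIBEXECDIR` name the rc file defines. When `configure=0` and the unit file is removed, the enablement symlink is left dangling; a `systemctl daemon-reload` after `rm -f $SYSTEMD/shorewall-lite.service` would tidy that up.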
