Hello community, here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2014-11-24 11:09:30 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shorewall (Old) and /work/SRC/openSUSE:Factory/.shorewall.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall" Changes: -------- --- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2014-11-06 16:51:01.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes 2014-11-24 11:10:14.000000000 +0100 @@ -1,0 +2,27 @@ +Sun Nov 23 23:20:00 UTC 2014 - [email protected] + +- Update to version 4.6.5.2 For more details see changelog.txt and + releasenotes.txt + + * LOG_BACKEND=LOG failed at run-time for all but the most recent + kernels. + +- Changes in 4.6.5.1 + + * The generated script can now detect an gateway address assigned + by later versions of that program (Alan Barrett). + + * In 4.6.5, the bash-based configure script would issue the + following diagnostic if SERVICEDIR was not specified in the + shorewallrc file: + + ./configure: line 199: [SERVICEDIR]=: command not found + + This was compounded by the fact that all of the released + shorewallrc files still specified SYSTEMDDIR rather than + SERVICEDIR (Evangelos Foutras) + + * The shorewallrc.archlinux file now reflects a change in SBINDIR + that occurred in Arch Linux in mid 2013 (Evangelos Foutras). + +------------------------------------------------------------------- Old: ---- shorewall-4.6.4.3.tar.bz2 shorewall-core-4.6.4.3.tar.bz2 shorewall-docs-html-4.6.4.3.tar.bz2 shorewall-init-4.6.4.3.tar.bz2 shorewall-lite-4.6.4.3.tar.bz2 shorewall6-4.6.4.3.tar.bz2 shorewall6-lite-4.6.4.3.tar.bz2 New: ---- shorewall-4.6.5.2.tar.bz2 shorewall-core-4.6.5.2.tar.bz2 shorewall-docs-html-4.6.5.2.tar.bz2 shorewall-init-4.6.5.2.tar.bz2 shorewall-lite-4.6.5.2.tar.bz2 shorewall6-4.6.5.2.tar.bz2 shorewall6-lite-4.6.5.2.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.oP0bRP/_old 2014-11-24 11:10:16.000000000 +0100 +++ /var/tmp/diff_new_pack.oP0bRP/_new 2014-11-24 11:10:16.000000000 +0100 @@ -20,19 +20,19 @@ %define have_systemd 1 Name: shorewall -Version: 4.6.4.3 +Version: 4.6.5.2 Release: 0 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems License: GPL-2.0 Group: Productivity/Networking/Security Url: http://www.shorewall.net/ -Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.4/%{name}-%version.tar.bz2 -Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.4/%{name}-core-%version.tar.bz2 -Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.4/%{name}-lite-%version.tar.bz2 -Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.4/%{name}-init-%version.tar.bz2 -Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.4/%{name}6-lite-%version.tar.bz2 -Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.4/%{name}6-%version.tar.bz2 -Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.4/%{name}-docs-html-%version.tar.bz2 +Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.5/%{name}-%version.tar.bz2 +Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.5/%{name}-core-%version.tar.bz2 +Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.5/%{name}-lite-%version.tar.bz2 +Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.5/%{name}-init-%version.tar.bz2 +Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.5/%{name}6-lite-%version.tar.bz2 +Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.5/%{name}6-%version.tar.bz2 +Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.5/%{name}-docs-html-%version.tar.bz2 Source7: %{name}-4.4.22.rpmlintrc Source8: README.openSUSE # PATCH-FIX-UPSTREAM [email protected] Shorewall-lite init.suse.sh Required Stop @@ -360,6 +360,7 @@ # FIXME # somehow shorewall-init is not installed for opensuse 11.4 +# systemd changed to servicedir for i in $targets; do pushd ${i}-%{version} @@ -371,7 +372,7 @@ libexecdir=%{_libexecdir} \ sbindir=%_sbindir \ %if 0%{?have_systemd} - systemd=%_unitdir \ + servicedir=%_unitdir \ %endif # %%if 0%%{?suse_version} >= 1210 # systemd=%%_unitdir \ ++++++ shorewall-4.6.4.3.tar.bz2 -> shorewall-4.6.5.2.tar.bz2 ++++++ ++++ 3251 lines of diff (skipped) ++++++ shorewall-core-4.6.4.3.tar.bz2 -> shorewall-core-4.6.5.2.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.4.3/changelog.txt new/shorewall-core-4.6.5.2/changelog.txt --- old/shorewall-core-4.6.4.3/changelog.txt 2014-10-19 16:59:58.000000000 +0200 +++ new/shorewall-core-4.6.5.2/changelog.txt 2014-11-17 16:17:15.000000000 +0100 @@ -1,14 +1,66 @@ -Changes in 4.6.4.3 +Changes in 4.6.5.1 -1) Update release documents +1) Update release documents. -2) Add xt_LOG to the helpers files. +2) Fix IPv6 LOG_BACKEND=LOG -Changes in 4.6.4.2 +Changes in 4.6.5.1 -1) Update release documents +1) Update release documents. -2) Add ipt_LOG to the helpers files. +2) Apply Alan Barrett's dhclient patch + +3) Make emacs sh-mode work better with lib.core + +4) Fix setting of options[SERVICEDIR] in configure + +5) Rename SYSTEMDDIR to SERVICEDIR in shorewallrc.* + +6) Eliminate redundant "/" in the installers + +Changes in 4.6.5 Final + +1) Update release documents. + +2) Apply Thomas D's manpage fixes. + +3) Correct .service files. + +Changes in 4.6.5 RC 1 + +1) Update release documents. + +2) Correct a couple of defects in the -C code. + +3) Fix LOG_BACKEND on kernel 3.17. + +Changes in 4.6.5 Beta 3 + +1) Update release documents. + +2) Process params files with $SHOREWALL_SHELL. + +3) Implement the -C option. + +Changes in 4.6.5 Beta 2 + +1) Update release documents. + +2) Defect repair from the 4.6.4 branch. + +3) Allow both source and dest limits in the RATE LIMIT column. + +Changes in 4.6.5 Beta 1 + +1) Update release documents. + +2) Merge defect repair from 4.6.4. + +Changes in 4.6.5 Beta 1 + +1) Update release documents. + +2) New .service file strategy. Changes in 4.6.4.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.4.3/configure new/shorewall-core-4.6.5.2/configure --- old/shorewall-core-4.6.4.3/configure 2014-10-19 16:59:57.000000000 +0200 +++ new/shorewall-core-4.6.5.2/configure 2014-11-17 16:17:14.000000000 +0100 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.4.3 +VERSION=4.6.5.2 case "$BASH_VERSION" in [4-9].*) @@ -195,6 +195,10 @@ fi fi +if [ -z "${options[SERVICEDIR]}" ]; then + options[SERVICEDIR]="${options[SYSTEMD]}" +fi + for on in \ HOST \ PREFIX \ @@ -209,7 +213,7 @@ INITFILE \ AUXINITSOURCE \ AUXINITFILE \ - SYSTEMD \ + SERVICEDIR \ SERVICEFILE \ SYSCONFFILE \ SYSCONFDIR \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.4.3/configure.pl new/shorewall-core-4.6.5.2/configure.pl --- old/shorewall-core-4.6.4.3/configure.pl 2014-10-19 16:59:57.000000000 +0200 +++ new/shorewall-core-4.6.5.2/configure.pl 2014-11-17 16:17:14.000000000 +0100 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.4.3' + VERSION => '4.6.5.2' }; my %params; @@ -154,6 +154,8 @@ $options{VARDIR} = '${VARLIB}/${PRODUCT}'; } +$options{SERVICEDIR}=$options{SYSTEMD} unless $options{SERVICEDIR}; + for ( qw/ HOST PREFIX SHAREDIR @@ -167,8 +169,8 @@ INITFILE AUXINITSOURCE AUXINITFILE - SYSTEMD - SERVICEFILE + SERVICEDIR + SERVICEFILE SYSCONFFILE SYSCONFDIR SPARSE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.4.3/install.sh new/shorewall-core-4.6.5.2/install.sh --- old/shorewall-core-4.6.4.3/install.sh 2014-10-19 16:59:57.000000000 +0200 +++ new/shorewall-core-4.6.5.2/install.sh 2014-11-17 16:17:14.000000000 +0100 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=4.6.4.3 +VERSION=4.6.5.2 usage() # $1 = exit status { @@ -329,9 +329,13 @@ chmod 755 ${DESTDIR}${SYSCONFDIR} fi -if [ -n "${SYSTEMD}" ]; then - mkdir -p ${DESTDIR}${SYSTEMD} - chmod 755 ${DESTDIR}${SYSTEMD} +if [ -z "${SERVICEDIR}" ]; then + SERVICEDIR="$SYSTEMD" +fi + +if [ -n "${SERVICEDIR}" ]; then + mkdir -p ${DESTDIR}${SERVICEDIR} + chmod 755 ${DESTDIR}${SERVICEDIR} fi mkdir -p ${DESTDIR}${SBINDIR} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.4.3/known_problems.txt new/shorewall-core-4.6.5.2/known_problems.txt --- old/shorewall-core-4.6.4.3/known_problems.txt 2014-10-19 16:59:58.000000000 +0200 +++ new/shorewall-core-4.6.5.2/known_problems.txt 2014-11-17 16:17:15.000000000 +0100 @@ -1,74 +1,25 @@ 1) On systems running Upstart, shorewall-init cannot reliably secure the firewall before interfaces are brought up. -2) If you install 4.6.4 and then use the 'safe-restart' command to - restart your firewall, confusing output is produced: +2) The generated firewall cannot detect the gateway added by recent + versions of dhclient. - # shorewall safe-restart - Compiling... - Processing /etc/shorewall/params ... - Processing /etc/shorewall/shorewall.conf... - ... - Optimizing Ruleset... - Creating iptables-restore input... - Shorewall configuration compiled to /var/lib/shorewall/.restart - Currently-running Configuration Saved to /var/lib/shorewall/.safe - Usage: /var/lib/shorewall/firewall [ options ] <command> - - <command> is one of: - start - stop - clear - disable <interface> - down <interface> - enable <interface> - reset - refresh - restart - run <command> [ <parameter> ... ] - status - up <interface> - version - - Options are: - - -v and -q Standard Shorewall verbosity controls - -n Don't update routing configuration - -p Purge Conntrack Table - -t Timestamp progress Messages - -V <verbosity> Set verbosity explicitly - -R <file> Override RESTOREFILE setting - Restarting... - Restarting Shorewall.... - Initializing... - Processing /etc/shorewall/init ... - ... - Processing /etc/shorewall/start ... - Processing /etc/shorewall/started ... - done. - Do you want to accept the new firewall configuration? [y/n] - - The above 'usage' information, while confusing, does not represent a - problem and it is safe to answer 'y'. - - - Corrected in Shorewall 4.6.4.1. - -3) The 'Universal' sample configuration fails to start. - - Workaround: Remove the 'optional' option from the interfaces file - entry. - - Corrected in Shorewall 4.6.4.1. - -4) Setting LOGBACKEND=ipt_LOG may result in the following startup - failure at boot: - - Starting shorewall ... - /var/lib/shorewall/firewall: line 2080: echo: write error: No such file or directory - WARNING: Unable to set log backend to ipt_LOG + Corrected in 4.6.5.1. - Partially corrected in Shorewall 4.6.4.2. Fixed on Squeeze and - RHEL6 (and derivatives). Not fixed on Fedora, Ubuntu and OpenSuSE. +3) In 4.6.5, the bash-based configure script would issue the following + diagnostic if SERVICEDIR was not specified in the shorewallrc + file. + + ./configure: line 199: [SERVICEDIR]=: command not found + + This is compounded by the fact that all of the released + shorewallrc files still specify SYSTEMDDIR rather than SERVICEDIR + (Evangelos Foutras) + + Corrected in 4.6.5.1. + +4) LOG_BACKEND=LOG is broken in Shorewall6 on all but the most recent + kernel versions. + + Corrected in 4.6.5.2. - Corrected on other distros in 4.6.4.3. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.4.3/lib.cli new/shorewall-core-4.6.5.2/lib.cli --- old/shorewall-core-4.6.4.3/lib.cli 2014-10-19 16:44:01.000000000 +0200 +++ new/shorewall-core-4.6.5.2/lib.cli 2014-11-15 17:56:42.000000000 +0100 @@ -493,6 +493,8 @@ [ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2 + [ -n "$g_counters" ] && iptables_save="$iptables_save --counters" + if product_is_started ; then [ -d ${VARDIR} ] || mkdir -p ${VARDIR} @@ -1624,6 +1626,15 @@ g_noroutes=Yes option=${option#n} ;; + p*) + [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system" + g_purge=Yes + option=${option%p} + ;; + C*) + g_counters=Yes + option=${option#C} + ;; *) usage 1 ;; @@ -3108,11 +3119,45 @@ } save_command() { + local finished + finished=0 + + shift + + while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + -) + finished=1 + option= + ;; + C*) + g_counters=Yes + option=${option#C} + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + case $# in - 1) + 0) ;; - 2) - RESTOREFILE="$2" + 1) + RESTOREFILE="$1" validate_restorefile '<restore file>' ;; *) @@ -3407,7 +3452,11 @@ [ -n "$g_nolock" ] || mutex_on if [ -x ${VARDIR}/firewall ]; then - run_it ${VARDIR}/firewall $g_debugging start + if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! ${VARDIR}/firewall -nt ${VARDIR}/${RESTOREFILE} ]; then + run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore + else + run_it ${VARDIR}/firewall $g_debugging start + fi rc=$? else error_message "${VARDIR}/firewall is missing or is not executable" @@ -3443,6 +3492,14 @@ finished=1 option= ;; + f*) + g_fast=Yes + option=${option#f} + ;; + C*) + g_counters=Yes + option=${option#C} + ;; p*) [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system" g_purge=Yes @@ -3504,6 +3561,10 @@ g_purge=Yes option=${option%p} ;; + C*) + g_counters=Yes + option=${option#C} + ;; *) usage 1 ;; @@ -3577,10 +3638,10 @@ echo " logwatch [<refresh interval>]" echo " reject <address> ..." echo " reset [ <chain> ... ]" - echo " restart [ -n ] [ -p ] [ -f ] [ <directory> ]" - echo " restore [ -n ] [ <file name> ]" + echo " restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]" + echo " restore [ -n ] [ -p ] [ -C ] [ <file name> ]" echo " run <command> [ <parameter> ... ]" - echo " save [ <file name> ]" + echo " save [ -C ] [ <file name> ]" echo " [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]" echo " [ show | list | ls ] [ -f ] capabilities" echo " [ show | list | ls ] arptables" @@ -3605,7 +3666,7 @@ echo " [ show | list | ls ] tc [ device ]" echo " [ show | list | ls ] vardir" echo " [ show | list | ls ] zones" - echo " start [ -f ] [ -p ] [ <directory> ]" + echo " start [ -f ] [ -p ] [ -C ] [ <directory> ]" echo " stop" echo " status [ -i ]" echo " version [ -a ]" @@ -3657,6 +3718,7 @@ g_directives= g_inline= g_tcrules= + g_counters= VERBOSE= VERBOSITY=1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.4.3/lib.common new/shorewall-core-4.6.5.2/lib.common --- old/shorewall-core-4.6.4.3/lib.common 2014-10-19 16:44:01.000000000 +0200 +++ new/shorewall-core-4.6.5.2/lib.common 2014-11-15 17:56:42.000000000 +0100 @@ -157,6 +157,7 @@ [ -n "$g_timestamp" ] && options=${options}t [ -n "$g_purge" ] && options=${options}p [ -n "$g_recovering" ] && options=${options}r + [ -n "$g_counters" ] && options=${options}c options="${options}V $VERBOSITY" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.4.3/releasenotes.txt new/shorewall-core-4.6.5.2/releasenotes.txt --- old/shorewall-core-4.6.4.3/releasenotes.txt 2014-10-19 16:59:58.000000000 +0200 +++ new/shorewall-core-4.6.5.2/releasenotes.txt 2014-11-17 16:17:15.000000000 +0100 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 4 . 3 + S H O R E W A L L 4 . 6 . 5 . 2 ------------------------------------ - O c t o b e r 2 0 , 2 0 1 4 + N o v e m b e r 1 8 , 2 0 1 4 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE @@ -14,82 +14,45 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.4.3 +4.6.5.2 -1) The fix for LOGBACKEND in 4.6.4.2 worked on some older - distributions but not on newer ones. This release fixes the problem - in the remaining cases. +1) LOG_BACKEND=LOG failed at run-time for all but the most recent + kernels. -4.6.4.2 +4.6.5.1 -1) Setting LOGBACKEND=ipt_LOG could result in the following startup - failure at boot: +1) The generated script can now detect an gateway address assigned by + later versions of that program (Alan Barrett). - Starting shorewall ... - /var/lib/shorewall/firewall: line 2080: echo: write error: No such file or directory - WARNING: Unable to set log backend to ipt_LOG +2) In 4.6.5, the bash-based configure script would issue the following + diagnostic if SERVICEDIR was not specified in the shorewallrc + file: -4.6.4.1 - -1) Confusing 'usage' output was produced under the following - conditions: - - a) 4.6.4 installed - - b) The running firewall was compiled on an earlier release. - - c) A 'safe-start', 'save-restart', 'save' or 'try' command is - executed. - - This problem has been corrected. - -2) The 'optional' option has been removed from the IPv4 Universal - interfaces file, as that option caused startup failures. - -4.6.4 Final. + ./configure: line 199: [SERVICEDIR]=: command not found -1) This release includes defect repair through release 4.6.3.4. - -2) Two corrections have been made to the .service files: + This was compounded by the fact that all of the released + shorewallrc files still specified SYSTEMDDIR rather than SERVICEDIR + (Evangelos Foutras) - - The .service files now correctly specify - - WantedBy=basic.target +3) The shorewallrc.archlinux file now reflects a change in SBINDIR + that occurred in Arch Linux in mid 2013 (Evangelos Foutras). - - Conflicting services have been added. - -3) A warning message generated during stoppedrules processing - previously referred to the file as routestopped. - -4) Previously, the stoppedrules file did not work properly when - ADMINISABSENTMINDED=No. - - - A warning message was issued stating that the file would be - processed as if ADMINISABSENTMINDED=Yes, and it was. - - - Unfortunately, part of the surrounding rule-generating logic - proceded as if ADMINISABSENTMINDED=No, leading to an unusable - ruleset. - - This problem has been corrected by changing the way that - stoppedrules works with ADMINISABSENTMINDED=No. In the new - implementation: - - - All existing connections continue to work. - - Response packets and related connection requests to new accepted - connections are accepted (in other words, the resulting ruleset - is stateful). +4.6.5 - See shorewall[6].conf(5) for additional details. +1) This release includes defect repair through release 4.6.4.3. -5) The .spec files now set SBINDIR correctly. +2) On kernel 3.17, LOG_BACKEND=LOG previously failed with the + diagnostics: -6) The -lite installers now create INITDIR if it doesn't exist. + Setting up log backend + /var/lib/shorewall/.restart: line 2075: echo: write error: + No such file or directory + WARNING: Unable to set log backend to ipt_LOG -7) The installers no longer attempt to create a symbolic link to the - init script when no init script is installed. +3) A number of corrections have been made to the manpages (Thomas D). -8) A large number of defects in the uninstallers have been corrected. +4) Previously, if $OPTIONS was set in /etc/sysconfig/shorewall-init, + then servicd failed to start/stop Shorewall-init. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G @@ -102,39 +65,83 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Install support for Centos 7 and Foobar 7 has been added (Tuomo - Soini). - -2) A 'terminating' option has been added to shorewall[6].actions. - this option, when used with the 'builtin' option, indicates to the - compiler that the built-in action is terminating. This allows the - optimizer to omit rules after an unconditional jump to the - built-in. - -3) A LOG_BACKEND option has been added to allow specification of the - default logging backends. See shorewall.conf(5) and - shorewall6.conf(5) for details. - -4) The SAVE_IPSETS option may now specify a list of ipsets to be - saved. When such a list is specified, only those ipsets together - with the ipsets supporting dynamic zones are saved. - - Shorewall6 now supports the SAVE_IPSETS option. When - SAVE_IPSETS=Yes, only ipv6 ipsets are saved. For Shorewall, if - SAVE_IPSETS=ipv4, then only ipv4 ipsets are saved. Both features - require ipset version 5 or later. - - Note that shorewall.conf and shorewall6.conf may now both specify - SAVE_IPSETS. - -5) The SBINDIR setting for SuSE now defaults to /usr/sbin/. - -6) With the exception of Shorewall-core, the tarball installers and - uninstallers now support a -n option which inhibits any attempt to - change the startup configuration. The -n option can be - automatically invoked by setting the SANDBOX variable to a - non-empty value, either in the environment or in your shorewallrc - file. +1) The configure scripts and installers now support SERVICEDIR as an + alternative to SYSTEMD. For compatability, SERVICED is an alias + for SERVICEDIR. + +2) The installers now offer a choice of .service files, selected by + the SERVICEFILE option. The default remains $PRODUCT.service. Each + product supplying a .service file now supplies a .service.214. The + differences between the standard .service files and the service.214 + files are: + + a) They specify 'after=network-online.target' rather than + 'after=network.target'. + + b) The file shorewall-init.service.214 specifies + 'before=network-pre.target' rather than + 'before=network.target'. That file requires serviced 214 or + later, hence the names of the new files. + + Regardless of which file is selected, it is installed in + $SERVICEDIR/$PRODUCT.service. + +3) The RATE LIMIT column of the rules files now allows specification + of both a per-source and per-destination limit. See + shorewall[6]-rules(5) for details. + +4) Previously, /bin/sh was used unconditionally to process the helper + script 'getparams'. That shell script reads the params file and + passes back the (variable,value) pairs to the compiler. Beginning + with this release, $SHOREWALL_SHELL is used to process that script, + unless the compilation is for export, in which case /bin/sh is + still used. + + Note that the default value of $SHOREWALL_SHELL is /bin/sh, so + unless your configuration sets that variable, this enhancement will + have no effect. Similarly, on an administrative system, this + enhancement has no effect on the processing of the 'compile -e', + 'load', 'reload' and 'export' commands. + +5) A -C option has been added to several commands to allow the + ip[6]tables packet and byte counters to be preserved. + + - save command + + Causes the packet and byte counters to be saved along with the + chains and rules. + + - restore command + + Causes the packet and byte counters (if saved) to be restored + along with the chains and rules. + + - start command + + With Shorewall and Shorewall6, the -C option only has an effect + if the -f option is also specified. If a previously-saved + configuration is restored, then the packet and byte counters (if + saved) will be restored along with the chains and rules. + + - restart command + + If an existing compiled script is used (no recompilation + required) and if that script generated the current running + configuration, then the current netfilter configuration is + reloaded as is so as to preserve the current packet and byte + counters. + + If you wish to (approximately) preserve the counters over a + possibly unexpected reboot, then: + + - Create a cron job that periodically does 'shorewall save -C' + + - Specify the -C and -f option in the STARTOPTIONS variable in + either /etc/default/shorewall[6][-lite] or + /etc/sysconfig/shorewall[6][-lite], whichever is supported by your + distribution. Note that some distributions do not distribute these + files so you may have to create the one(s) you need (such as + /etc/sysconfig/shorewall). ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S @@ -429,6 +436,110 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 4 +---------------------------------------------------------------------------- + +4.6.4.1 + +1) Confusing 'usage' output was produced under the following + conditions: + + a) 4.6.4 installed + + b) The running firewall was compiled on an earlier release. + + c) A 'safe-start', 'save-restart', 'save' or 'try' command is + executed. + + This problem has been corrected. + +2) The 'optional' option has been removed from the IPv4 Universal + interfaces file, as that option caused startup failures. + +4.6.4 Final. + +1) This release includes defect repair through release 4.6.3.4. + +2) Two corrections have been made to the .service files: + + - The .service files now correctly specify + + WantedBy=basic.target + + - Conflicting services have been added. + +3) A warning message generated during stoppedrules processing + previously referred to the file as routestopped. + +4) Previously, the stoppedrules file did not work properly when + ADMINISABSENTMINDED=No. + + - A warning message was issued stating that the file would be + processed as if ADMINISABSENTMINDED=Yes, and it was. + + - Unfortunately, part of the surrounding rule-generating logic + proceded as if ADMINISABSENTMINDED=No, leading to an unusable + ruleset. + + This problem has been corrected by changing the way that + stoppedrules works with ADMINISABSENTMINDED=No. In the new + implementation: + + - All existing connections continue to work. + - Response packets and related connection requests to new accepted + connections are accepted (in other words, the resulting ruleset + is stateful). + + See shorewall[6].conf(5) for additional details. + +5) The .spec files now set SBINDIR correctly. + +6) The -lite installers now create INITDIR if it doesn't exist. + +7) The installers no longer attempt to create a symbolic link to the + init script when no init script is installed. + +8) A large number of defects in the uninstallers have been corrected. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 4 +---------------------------------------------------------------------------- + +1) Install support for Centos 7 and Foobar 7 has been added (Tuomo + Soini). + +2) A 'terminating' option has been added to shorewall[6].actions. + this option, when used with the 'builtin' option, indicates to the + compiler that the built-in action is terminating. This allows the + optimizer to omit rules after an unconditional jump to the + built-in. + +3) A LOG_BACKEND option has been added to allow specification of the + default logging backends. See shorewall.conf(5) and + shorewall6.conf(5) for details. + +4) The SAVE_IPSETS option may now specify a list of ipsets to be + saved. When such a list is specified, only those ipsets together + with the ipsets supporting dynamic zones are saved. + + Shorewall6 now supports the SAVE_IPSETS option. When + SAVE_IPSETS=Yes, only ipv6 ipsets are saved. For Shorewall, if + SAVE_IPSETS=ipv4, then only ipv4 ipsets are saved. Both features + require ipset version 5 or later. + + Note that shorewall.conf and shorewall6.conf may now both specify + SAVE_IPSETS. + +5) The SBINDIR setting for SuSE now defaults to /usr/sbin/. + +6) With the exception of Shorewall-core, the tarball installers and + uninstallers now support a -n option which inhibits any attempt to + change the startup configuration. The -n option can be + automatically invoked by setting the SANDBOX variable to a + non-empty value, either in the environment or in your shorewallrc + file. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 3 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.4.3/shorewall-core.spec new/shorewall-core-4.6.5.2/shorewall-core.spec --- old/shorewall-core-4.6.4.3/shorewall-core.spec 2014-10-19 16:59:58.000000000 +0200 +++ new/shorewall-core-4.6.5.2/shorewall-core.spec 2014-11-17 16:17:15.000000000 +0100 @@ -1,6 +1,6 @@ %define name shorewall-core -%define version 4.6.4 -%define release 3 +%define version 4.6.5 +%define release 2 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} @@ -63,12 +63,20 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt %changelog -* Sun Oct 19 2014 Tom Eastep [email protected] -- Updated to 4.6.4-3 -* Wed Oct 15 2014 Tom Eastep [email protected] -- Updated to 4.6.4-2 -* Fri Oct 10 2014 Tom Eastep [email protected] -- Updated to 4.6.4-1 +* Sat Nov 15 2014 Tom Eastep [email protected] +- Updated to 4.6.5-2 +* Fri Nov 14 2014 Tom Eastep [email protected] +- Updated to 4.6.5-1 +* Thu Nov 06 2014 Tom Eastep [email protected] +- Updated to 4.6.5-0base +* Sat Nov 01 2014 Tom Eastep [email protected] +- Updated to 4.6.5-0RC1 +* Thu Oct 30 2014 Tom Eastep [email protected] +- Updated to 4.6.5-0Beta3 +* Mon Oct 20 2014 Tom Eastep [email protected] +- Updated to 4.6.5-0Beta2 +* Wed Oct 08 2014 Tom Eastep [email protected] +- Updated to 4.6.5-0Beta1 * Mon Oct 06 2014 Tom Eastep [email protected] - Updated to 4.6.4-0base * Thu Oct 02 2014 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.4.3/shorewallrc.apple new/shorewall-core-4.6.5.2/shorewallrc.apple --- old/shorewall-core-4.6.4.3/shorewallrc.apple 2014-10-19 16:44:01.000000000 +0200 +++ new/shorewall-core-4.6.5.2/shorewallrc.apple 2014-11-15 17:56:42.000000000 +0100 @@ -14,7 +14,7 @@ INITFILE= #Unused on OS X INITSOURCE= #Unused on OS X ANNOTATED= #Unused on OS X -SYSTEMD= #Unused on OS X +SERVICEDIR= #Unused on OS X SERVICEFILE= #Unused on OS X SYSCONFDIR= #Unused on OS X SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.4.3/shorewallrc.archlinux new/shorewall-core-4.6.5.2/shorewallrc.archlinux --- old/shorewall-core-4.6.4.3/shorewallrc.archlinux 2014-10-19 16:44:01.000000000 +0200 +++ new/shorewall-core-4.6.5.2/shorewallrc.archlinux 2014-11-15 17:56:42.000000000 +0100 @@ -8,14 +8,14 @@ LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory CONFDIR=/etc #Directory where subsystem configurations are installed -SBINDIR=/usr/sbin #Directory where system administration programs are installed +SBINDIR=/usr/bin #Directory where system administration programs are installed MANDIR=${SHAREDIR}/man #Directory where manpages are installed. INITDIR= #Directory where SysV init scripts are installed. INITFILE= #Name of the product's installed SysV init script INITSOURCE= #Name of the distributed file to be installed as the SysV init script ANNOTATED= #If non-zero, annotated configuration files are installed SYSCONFDIR= #Directory where SysV init parameter files are installed -SYSTEMD=/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only) +SERVICEDIR=/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only) SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR VARLIB=/var/lib #Directory where product variable data is stored. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.4.3/shorewallrc.cygwin new/shorewall-core-4.6.5.2/shorewallrc.cygwin --- old/shorewall-core-4.6.4.3/shorewallrc.cygwin 2014-10-19 16:44:01.000000000 +0200 +++ new/shorewall-core-4.6.5.2/shorewallrc.cygwin 2014-11-15 17:56:42.000000000 +0100 @@ -14,7 +14,7 @@ INITFILE= #Unused on Cygwin INITSOURCE= #Unused on Cygwin ANNOTATED= #Unused on Cygwin -SYSTEMD= #Unused on Cygwin +SERVICEDIR= #Unused on Cygwin SERVICEFILE= #Unused on Cygwin SYSCONFDIR= #Unused on Cygwin SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.4.3/shorewallrc.debian new/shorewall-core-4.6.5.2/shorewallrc.debian --- old/shorewall-core-4.6.4.3/shorewallrc.debian 2014-10-19 16:44:01.000000000 +0200 +++ new/shorewall-core-4.6.5.2/shorewallrc.debian 2014-11-15 17:56:42.000000000 +0100 @@ -17,7 +17,7 @@ SYSCONFFILE=default.debian #Name of the distributed file to be installed in $SYSCONFDIR SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed -SYSTEMD= #Directory where .service files are installed (systems running systemd only) +SERVICEDIR= #Directory where .service files are installed (systems running systemd only) SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR VARLIB=/var/lib #Directory where product variable data is stored. VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.4.3/shorewallrc.default new/shorewall-core-4.6.5.2/shorewallrc.default --- old/shorewall-core-4.6.4.3/shorewallrc.default 2014-10-19 16:44:01.000000000 +0200 +++ new/shorewall-core-4.6.5.2/shorewallrc.default 2014-11-15 17:56:42.000000000 +0100 @@ -14,7 +14,7 @@ INITFILE=$PRODUCT #Name of the product's installed SysV init script INITSOURCE=init.sh #Name of the distributed file to be installed as the SysV init script ANNOTATED= #If non-zero, annotated configuration files are installed -SYSTEMD= #Directory where .service files are installed (systems running systemd only) +SERVICEDIR= #Directory where .service files are installed (systems running systemd only) SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SYSCONFFILE= #Name of the distributed file to be installed in $SYSCONFDIR SYSCONFDIR= #Directory where SysV init parameter files are installed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.4.3/shorewallrc.redhat new/shorewall-core-4.6.5.2/shorewallrc.redhat --- old/shorewall-core-4.6.4.3/shorewallrc.redhat 2014-10-19 16:44:01.000000000 +0200 +++ new/shorewall-core-4.6.5.2/shorewallrc.redhat 2014-11-15 17:56:42.000000000 +0100 @@ -14,7 +14,7 @@ INITFILE=$PRODUCT #Name of the product's installed SysV init script INITSOURCE=init.fedora.sh #Name of the distributed file to be installed as the SysV init script ANNOTATED= #If non-zero, annotated configuration files are installed -SYSTEMD=/lib/systemd/system #Directory where .service files are installed (systems running systemd only) +SERVICEDIR=/lib/systemd/system #Directory where .service files are installed (systems running systemd only) SYSCONFFILE=sysconfig #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter files are installed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.4.3/shorewallrc.slackware new/shorewall-core-4.6.5.2/shorewallrc.slackware --- old/shorewall-core-4.6.4.3/shorewallrc.slackware 2014-10-19 16:44:01.000000000 +0200 +++ new/shorewall-core-4.6.5.2/shorewallrc.slackware 2014-11-15 17:56:42.000000000 +0100 @@ -15,7 +15,7 @@ AUXINITFILE=rc.firewall #Name of the product's installed SysV init script INITSOURCE=init.slackware.$PRODUCT.sh #Name of the distributed file to be installed as a second SysV init script INITFILE=rc.$PRODUCT #Name of the product's installed second init script -SYSTEMD= #Name of the directory where .service files are installed (systems running systemd only) +SERVICEDIR= #Name of the directory where .service files are installed (systems running systemd only) SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SYSCONFFILE= #Name of the distributed file to be installed in $SYSCONFDIR SYSCONFDIR= #Name of the directory where SysV init parameter files are installed. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.4.3/shorewallrc.suse new/shorewall-core-4.6.5.2/shorewallrc.suse --- old/shorewall-core-4.6.4.3/shorewallrc.suse 2014-10-19 16:44:01.000000000 +0200 +++ new/shorewall-core-4.6.5.2/shorewallrc.suse 2014-11-15 17:56:42.000000000 +0100 @@ -14,7 +14,7 @@ INITFILE=$PRODUCT #Name of the product's SysV init script INITSOURCE=init.suse.sh #Name of the distributed file to be installed as the SysV init script ANNOTATED= #If non-zero, annotated configuration files are installed -SYSTEMD= #Directory where .service files are installed (systems running systemd only) +SERVICEDIR= #Directory where .service files are installed (systems running systemd only) SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SYSCONFFILE=sysconfig #Name of the distributed file to be installed in $SYSCONFDIR SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter files are installed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.4.3/uninstall.sh new/shorewall-core-4.6.5.2/uninstall.sh --- old/shorewall-core-4.6.4.3/uninstall.sh 2014-10-19 16:59:57.000000000 +0200 +++ new/shorewall-core-4.6.5.2/uninstall.sh 2014-11-17 16:17:14.000000000 +0100 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.4.3 +VERSION=4.6.5.2 usage() # $1 = exit status { ++++++ shorewall-docs-html-4.6.4.3.tar.bz2 -> shorewall-docs-html-4.6.5.2.tar.bz2 ++++++ ++++ 7715 lines of diff (skipped) ++++++ shorewall-init-4.6.4.3.tar.bz2 -> shorewall-init-4.6.5.2.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.4.3/changelog.txt new/shorewall-init-4.6.5.2/changelog.txt --- old/shorewall-init-4.6.4.3/changelog.txt 2014-10-19 17:16:42.000000000 +0200 +++ new/shorewall-init-4.6.5.2/changelog.txt 2014-11-17 16:17:15.000000000 +0100 @@ -1,14 +1,66 @@ -Changes in 4.6.4.3 +Changes in 4.6.5.1 -1) Update release documents +1) Update release documents. -2) Add xt_LOG to the helpers files. +2) Fix IPv6 LOG_BACKEND=LOG -Changes in 4.6.4.2 +Changes in 4.6.5.1 -1) Update release documents +1) Update release documents. -2) Add ipt_LOG to the helpers files. +2) Apply Alan Barrett's dhclient patch + +3) Make emacs sh-mode work better with lib.core + +4) Fix setting of options[SERVICEDIR] in configure + +5) Rename SYSTEMDDIR to SERVICEDIR in shorewallrc.* + +6) Eliminate redundant "/" in the installers + +Changes in 4.6.5 Final + +1) Update release documents. + +2) Apply Thomas D's manpage fixes. + +3) Correct .service files. + +Changes in 4.6.5 RC 1 + +1) Update release documents. + +2) Correct a couple of defects in the -C code. + +3) Fix LOG_BACKEND on kernel 3.17. + +Changes in 4.6.5 Beta 3 + +1) Update release documents. + +2) Process params files with $SHOREWALL_SHELL. + +3) Implement the -C option. + +Changes in 4.6.5 Beta 2 + +1) Update release documents. + +2) Defect repair from the 4.6.4 branch. + +3) Allow both source and dest limits in the RATE LIMIT column. + +Changes in 4.6.5 Beta 1 + +1) Update release documents. + +2) Merge defect repair from 4.6.4. + +Changes in 4.6.5 Beta 1 + +1) Update release documents. + +2) New .service file strategy. Changes in 4.6.4.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.4.3/configure new/shorewall-init-4.6.5.2/configure --- old/shorewall-init-4.6.4.3/configure 2014-10-19 17:16:42.000000000 +0200 +++ new/shorewall-init-4.6.5.2/configure 2014-11-17 16:17:15.000000000 +0100 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.4.3 +VERSION=4.6.5.2 case "$BASH_VERSION" in [4-9].*) @@ -195,6 +195,10 @@ fi fi +if [ -z "${options[SERVICEDIR]}" ]; then + options[SERVICEDIR]="${options[SYSTEMD]}" +fi + for on in \ HOST \ PREFIX \ @@ -209,7 +213,7 @@ INITFILE \ AUXINITSOURCE \ AUXINITFILE \ - SYSTEMD \ + SERVICEDIR \ SERVICEFILE \ SYSCONFFILE \ SYSCONFDIR \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.4.3/configure.pl new/shorewall-init-4.6.5.2/configure.pl --- old/shorewall-init-4.6.4.3/configure.pl 2014-10-19 17:16:42.000000000 +0200 +++ new/shorewall-init-4.6.5.2/configure.pl 2014-11-17 16:17:15.000000000 +0100 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.4.3' + VERSION => '4.6.5.2' }; my %params; @@ -154,6 +154,8 @@ $options{VARDIR} = '${VARLIB}/${PRODUCT}'; } +$options{SERVICEDIR}=$options{SYSTEMD} unless $options{SERVICEDIR}; + for ( qw/ HOST PREFIX SHAREDIR @@ -167,8 +169,8 @@ INITFILE AUXINITSOURCE AUXINITFILE - SYSTEMD - SERVICEFILE + SERVICEDIR + SERVICEFILE SYSCONFFILE SYSCONFDIR SPARSE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.4.3/install.sh new/shorewall-init-4.6.5.2/install.sh --- old/shorewall-init-4.6.4.3/install.sh 2014-10-19 17:16:42.000000000 +0200 +++ new/shorewall-init-4.6.5.2/install.sh 2014-11-17 16:17:15.000000000 +0100 @@ -27,7 +27,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.6.4.3 +VERSION=4.6.5.2 usage() # $1 = exit status { @@ -330,12 +330,16 @@ # # Install the .service file # -if [ -n "$SYSTEMD" ]; then - mkdir -p ${DESTDIR}${SYSTEMD} +if [ -z "${SERVICEDIR}" ]; then + SERVICEDIR="$SYSTEMD" +fi + +if [ -n "$SERVICEDIR" ]; then + mkdir -p ${DESTDIR}${SERVICEDIR} [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service - run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service - [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service - echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service" + run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service + [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service + echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service" if [ -n "$DESTDIR" -o $configure -eq 0 ]; then mkdir -p ${DESTDIR}${SBINDIR} chmod 755 ${DESTDIR}${SBINDIR} @@ -513,7 +517,7 @@ # not by the installer /bin/true else - if [ -n "$SYSTEMD" ]; then + if [ -n "$SERVICEDIR" ]; then if systemctl enable shorewall-init.service; then echo "Shorewall Init will start automatically at boot" fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.4.3/releasenotes.txt new/shorewall-init-4.6.5.2/releasenotes.txt --- old/shorewall-init-4.6.4.3/releasenotes.txt 2014-10-19 17:16:42.000000000 +0200 +++ new/shorewall-init-4.6.5.2/releasenotes.txt 2014-11-17 16:17:15.000000000 +0100 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 4 . 3 + S H O R E W A L L 4 . 6 . 5 . 2 ------------------------------------ - O c t o b e r 2 0 , 2 0 1 4 + N o v e m b e r 1 8 , 2 0 1 4 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE @@ -14,82 +14,45 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.4.3 +4.6.5.2 -1) The fix for LOGBACKEND in 4.6.4.2 worked on some older - distributions but not on newer ones. This release fixes the problem - in the remaining cases. +1) LOG_BACKEND=LOG failed at run-time for all but the most recent + kernels. -4.6.4.2 +4.6.5.1 -1) Setting LOGBACKEND=ipt_LOG could result in the following startup - failure at boot: +1) The generated script can now detect an gateway address assigned by + later versions of that program (Alan Barrett). - Starting shorewall ... - /var/lib/shorewall/firewall: line 2080: echo: write error: No such file or directory - WARNING: Unable to set log backend to ipt_LOG +2) In 4.6.5, the bash-based configure script would issue the following + diagnostic if SERVICEDIR was not specified in the shorewallrc + file: -4.6.4.1 - -1) Confusing 'usage' output was produced under the following - conditions: - - a) 4.6.4 installed - - b) The running firewall was compiled on an earlier release. - - c) A 'safe-start', 'save-restart', 'save' or 'try' command is - executed. - - This problem has been corrected. - -2) The 'optional' option has been removed from the IPv4 Universal - interfaces file, as that option caused startup failures. - -4.6.4 Final. + ./configure: line 199: [SERVICEDIR]=: command not found -1) This release includes defect repair through release 4.6.3.4. - -2) Two corrections have been made to the .service files: + This was compounded by the fact that all of the released + shorewallrc files still specified SYSTEMDDIR rather than SERVICEDIR + (Evangelos Foutras) - - The .service files now correctly specify - - WantedBy=basic.target +3) The shorewallrc.archlinux file now reflects a change in SBINDIR + that occurred in Arch Linux in mid 2013 (Evangelos Foutras). - - Conflicting services have been added. - -3) A warning message generated during stoppedrules processing - previously referred to the file as routestopped. - -4) Previously, the stoppedrules file did not work properly when - ADMINISABSENTMINDED=No. - - - A warning message was issued stating that the file would be - processed as if ADMINISABSENTMINDED=Yes, and it was. - - - Unfortunately, part of the surrounding rule-generating logic - proceded as if ADMINISABSENTMINDED=No, leading to an unusable - ruleset. - - This problem has been corrected by changing the way that - stoppedrules works with ADMINISABSENTMINDED=No. In the new - implementation: - - - All existing connections continue to work. - - Response packets and related connection requests to new accepted - connections are accepted (in other words, the resulting ruleset - is stateful). +4.6.5 - See shorewall[6].conf(5) for additional details. +1) This release includes defect repair through release 4.6.4.3. -5) The .spec files now set SBINDIR correctly. +2) On kernel 3.17, LOG_BACKEND=LOG previously failed with the + diagnostics: -6) The -lite installers now create INITDIR if it doesn't exist. + Setting up log backend + /var/lib/shorewall/.restart: line 2075: echo: write error: + No such file or directory + WARNING: Unable to set log backend to ipt_LOG -7) The installers no longer attempt to create a symbolic link to the - init script when no init script is installed. +3) A number of corrections have been made to the manpages (Thomas D). -8) A large number of defects in the uninstallers have been corrected. +4) Previously, if $OPTIONS was set in /etc/sysconfig/shorewall-init, + then servicd failed to start/stop Shorewall-init. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G @@ -102,39 +65,83 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Install support for Centos 7 and Foobar 7 has been added (Tuomo - Soini). - -2) A 'terminating' option has been added to shorewall[6].actions. - this option, when used with the 'builtin' option, indicates to the - compiler that the built-in action is terminating. This allows the - optimizer to omit rules after an unconditional jump to the - built-in. - -3) A LOG_BACKEND option has been added to allow specification of the - default logging backends. See shorewall.conf(5) and - shorewall6.conf(5) for details. - -4) The SAVE_IPSETS option may now specify a list of ipsets to be - saved. When such a list is specified, only those ipsets together - with the ipsets supporting dynamic zones are saved. - - Shorewall6 now supports the SAVE_IPSETS option. When - SAVE_IPSETS=Yes, only ipv6 ipsets are saved. For Shorewall, if - SAVE_IPSETS=ipv4, then only ipv4 ipsets are saved. Both features - require ipset version 5 or later. - - Note that shorewall.conf and shorewall6.conf may now both specify - SAVE_IPSETS. - -5) The SBINDIR setting for SuSE now defaults to /usr/sbin/. - -6) With the exception of Shorewall-core, the tarball installers and - uninstallers now support a -n option which inhibits any attempt to - change the startup configuration. The -n option can be - automatically invoked by setting the SANDBOX variable to a - non-empty value, either in the environment or in your shorewallrc - file. +1) The configure scripts and installers now support SERVICEDIR as an + alternative to SYSTEMD. For compatability, SERVICED is an alias + for SERVICEDIR. + +2) The installers now offer a choice of .service files, selected by + the SERVICEFILE option. The default remains $PRODUCT.service. Each + product supplying a .service file now supplies a .service.214. The + differences between the standard .service files and the service.214 + files are: + + a) They specify 'after=network-online.target' rather than + 'after=network.target'. + + b) The file shorewall-init.service.214 specifies + 'before=network-pre.target' rather than + 'before=network.target'. That file requires serviced 214 or + later, hence the names of the new files. + + Regardless of which file is selected, it is installed in + $SERVICEDIR/$PRODUCT.service. + +3) The RATE LIMIT column of the rules files now allows specification + of both a per-source and per-destination limit. See + shorewall[6]-rules(5) for details. + +4) Previously, /bin/sh was used unconditionally to process the helper + script 'getparams'. That shell script reads the params file and + passes back the (variable,value) pairs to the compiler. Beginning + with this release, $SHOREWALL_SHELL is used to process that script, + unless the compilation is for export, in which case /bin/sh is + still used. + + Note that the default value of $SHOREWALL_SHELL is /bin/sh, so + unless your configuration sets that variable, this enhancement will + have no effect. Similarly, on an administrative system, this + enhancement has no effect on the processing of the 'compile -e', + 'load', 'reload' and 'export' commands. + +5) A -C option has been added to several commands to allow the + ip[6]tables packet and byte counters to be preserved. + + - save command + + Causes the packet and byte counters to be saved along with the + chains and rules. + + - restore command + + Causes the packet and byte counters (if saved) to be restored + along with the chains and rules. + + - start command + + With Shorewall and Shorewall6, the -C option only has an effect + if the -f option is also specified. If a previously-saved + configuration is restored, then the packet and byte counters (if + saved) will be restored along with the chains and rules. + + - restart command + + If an existing compiled script is used (no recompilation + required) and if that script generated the current running + configuration, then the current netfilter configuration is + reloaded as is so as to preserve the current packet and byte + counters. + + If you wish to (approximately) preserve the counters over a + possibly unexpected reboot, then: + + - Create a cron job that periodically does 'shorewall save -C' + + - Specify the -C and -f option in the STARTOPTIONS variable in + either /etc/default/shorewall[6][-lite] or + /etc/sysconfig/shorewall[6][-lite], whichever is supported by your + distribution. Note that some distributions do not distribute these + files so you may have to create the one(s) you need (such as + /etc/sysconfig/shorewall). ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S @@ -429,6 +436,110 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 4 +---------------------------------------------------------------------------- + +4.6.4.1 + +1) Confusing 'usage' output was produced under the following + conditions: + + a) 4.6.4 installed + + b) The running firewall was compiled on an earlier release. + + c) A 'safe-start', 'save-restart', 'save' or 'try' command is + executed. + + This problem has been corrected. + +2) The 'optional' option has been removed from the IPv4 Universal + interfaces file, as that option caused startup failures. + +4.6.4 Final. + +1) This release includes defect repair through release 4.6.3.4. + +2) Two corrections have been made to the .service files: + + - The .service files now correctly specify + + WantedBy=basic.target + + - Conflicting services have been added. + +3) A warning message generated during stoppedrules processing + previously referred to the file as routestopped. + +4) Previously, the stoppedrules file did not work properly when + ADMINISABSENTMINDED=No. + + - A warning message was issued stating that the file would be + processed as if ADMINISABSENTMINDED=Yes, and it was. + + - Unfortunately, part of the surrounding rule-generating logic + proceded as if ADMINISABSENTMINDED=No, leading to an unusable + ruleset. + + This problem has been corrected by changing the way that + stoppedrules works with ADMINISABSENTMINDED=No. In the new + implementation: + + - All existing connections continue to work. + - Response packets and related connection requests to new accepted + connections are accepted (in other words, the resulting ruleset + is stateful). + + See shorewall[6].conf(5) for additional details. + +5) The .spec files now set SBINDIR correctly. + +6) The -lite installers now create INITDIR if it doesn't exist. + +7) The installers no longer attempt to create a symbolic link to the + init script when no init script is installed. + +8) A large number of defects in the uninstallers have been corrected. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 4 +---------------------------------------------------------------------------- + +1) Install support for Centos 7 and Foobar 7 has been added (Tuomo + Soini). + +2) A 'terminating' option has been added to shorewall[6].actions. + this option, when used with the 'builtin' option, indicates to the + compiler that the built-in action is terminating. This allows the + optimizer to omit rules after an unconditional jump to the + built-in. + +3) A LOG_BACKEND option has been added to allow specification of the + default logging backends. See shorewall.conf(5) and + shorewall6.conf(5) for details. + +4) The SAVE_IPSETS option may now specify a list of ipsets to be + saved. When such a list is specified, only those ipsets together + with the ipsets supporting dynamic zones are saved. + + Shorewall6 now supports the SAVE_IPSETS option. When + SAVE_IPSETS=Yes, only ipv6 ipsets are saved. For Shorewall, if + SAVE_IPSETS=ipv4, then only ipv4 ipsets are saved. Both features + require ipset version 5 or later. + + Note that shorewall.conf and shorewall6.conf may now both specify + SAVE_IPSETS. + +5) The SBINDIR setting for SuSE now defaults to /usr/sbin/. + +6) With the exception of Shorewall-core, the tarball installers and + uninstallers now support a -n option which inhibits any attempt to + change the startup configuration. The -n option can be + automatically invoked by setting the SANDBOX variable to a + non-empty value, either in the environment or in your shorewallrc + file. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 3 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.4.3/shorewall-init.service new/shorewall-init-4.6.5.2/shorewall-init.service --- old/shorewall-init-4.6.4.3/shorewall-init.service 2014-10-19 17:16:02.000000000 +0200 +++ new/shorewall-init-4.6.5.2/shorewall-init.service 2014-11-15 17:56:42.000000000 +0100 @@ -13,8 +13,8 @@ RemainAfterExit=yes EnvironmentFile=-/etc/sysconfig/shorewall-init StandardOutput=syslog -ExecStart=/sbin/shorewall-init $OPTIONS start -ExecStop=/sbin/shorewall-init $OPTIONS stop +ExecStart=/sbin/shorewall-init start +ExecStop=/sbin/shorewall-init stop [Install] WantedBy=basic.target diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.4.3/shorewall-init.service.214 new/shorewall-init-4.6.5.2/shorewall-init.service.214 --- old/shorewall-init-4.6.4.3/shorewall-init.service.214 1970-01-01 01:00:00.000000000 +0100 +++ new/shorewall-init-4.6.5.2/shorewall-init.service.214 2014-11-15 17:56:42.000000000 +0100 @@ -0,0 +1,21 @@ +# +# The Shoreline Firewall (Shorewall) Packet Filtering Firewall +# +# Copyright 2011 Jonathan Underwood <[email protected]> +# +[Unit] +Description=Shorewall IPv4 firewall (bootup security) +Before=network-pre.target +Wants=network-pre.target +Conflicts=iptables.service firewalld.service + +[Service] +Type=oneshot +RemainAfterExit=yes +EnvironmentFile=-/etc/sysconfig/shorewall-init +StandardOutput=syslog +ExecStart=/sbin/shorewall-init start +ExecStop=/sbin/shorewall-init stop + +[Install] +WantedBy=basic.target diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.4.3/shorewall-init.spec new/shorewall-init-4.6.5.2/shorewall-init.spec --- old/shorewall-init-4.6.4.3/shorewall-init.spec 2014-10-19 17:16:42.000000000 +0200 +++ new/shorewall-init-4.6.5.2/shorewall-init.spec 2014-11-17 16:17:15.000000000 +0100 @@ -1,6 +1,6 @@ %define name shorewall-init -%define version 4.6.4 -%define release 3 +%define version 4.6.5 +%define release 2 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} @@ -126,12 +126,20 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Sun Oct 19 2014 Tom Eastep [email protected] -- Updated to 4.6.4-3 -* Wed Oct 15 2014 Tom Eastep [email protected] -- Updated to 4.6.4-2 -* Fri Oct 10 2014 Tom Eastep [email protected] -- Updated to 4.6.4-1 +* Sat Nov 15 2014 Tom Eastep [email protected] +- Updated to 4.6.5-2 +* Fri Nov 14 2014 Tom Eastep [email protected] +- Updated to 4.6.5-1 +* Thu Nov 06 2014 Tom Eastep [email protected] +- Updated to 4.6.5-0base +* Sat Nov 01 2014 Tom Eastep [email protected] +- Updated to 4.6.5-0RC1 +* Thu Oct 30 2014 Tom Eastep [email protected] +- Updated to 4.6.5-0Beta3 +* Mon Oct 20 2014 Tom Eastep [email protected] +- Updated to 4.6.5-0Beta2 +* Wed Oct 08 2014 Tom Eastep [email protected] +- Updated to 4.6.5-0Beta1 * Mon Oct 06 2014 Tom Eastep [email protected] - Updated to 4.6.4-0base * Thu Oct 02 2014 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.4.3/shorewallrc.apple new/shorewall-init-4.6.5.2/shorewallrc.apple --- old/shorewall-init-4.6.4.3/shorewallrc.apple 2014-10-19 17:16:42.000000000 +0200 +++ new/shorewall-init-4.6.5.2/shorewallrc.apple 2014-11-17 16:17:15.000000000 +0100 @@ -14,7 +14,7 @@ INITFILE= #Unused on OS X INITSOURCE= #Unused on OS X ANNOTATED= #Unused on OS X -SYSTEMD= #Unused on OS X +SERVICEDIR= #Unused on OS X SERVICEFILE= #Unused on OS X SYSCONFDIR= #Unused on OS X SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.4.3/shorewallrc.archlinux new/shorewall-init-4.6.5.2/shorewallrc.archlinux --- old/shorewall-init-4.6.4.3/shorewallrc.archlinux 2014-10-19 17:16:42.000000000 +0200 +++ new/shorewall-init-4.6.5.2/shorewallrc.archlinux 2014-11-17 16:17:15.000000000 +0100 @@ -8,14 +8,14 @@ LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory CONFDIR=/etc #Directory where subsystem configurations are installed -SBINDIR=/usr/sbin #Directory where system administration programs are installed +SBINDIR=/usr/bin #Directory where system administration programs are installed MANDIR=${SHAREDIR}/man #Directory where manpages are installed. INITDIR= #Directory where SysV init scripts are installed. INITFILE= #Name of the product's installed SysV init script INITSOURCE= #Name of the distributed file to be installed as the SysV init script ANNOTATED= #If non-zero, annotated configuration files are installed SYSCONFDIR= #Directory where SysV init parameter files are installed -SYSTEMD=/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only) +SERVICEDIR=/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only) SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR VARLIB=/var/lib #Directory where product variable data is stored. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.4.3/shorewallrc.cygwin new/shorewall-init-4.6.5.2/shorewallrc.cygwin --- old/shorewall-init-4.6.4.3/shorewallrc.cygwin 2014-10-19 17:16:42.000000000 +0200 +++ new/shorewall-init-4.6.5.2/shorewallrc.cygwin 2014-11-17 16:17:15.000000000 +0100 @@ -14,7 +14,7 @@ INITFILE= #Unused on Cygwin INITSOURCE= #Unused on Cygwin ANNOTATED= #Unused on Cygwin -SYSTEMD= #Unused on Cygwin +SERVICEDIR= #Unused on Cygwin SERVICEFILE= #Unused on Cygwin SYSCONFDIR= #Unused on Cygwin SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.4.3/shorewallrc.debian new/shorewall-init-4.6.5.2/shorewallrc.debian --- old/shorewall-init-4.6.4.3/shorewallrc.debian 2014-10-19 17:16:42.000000000 +0200 +++ new/shorewall-init-4.6.5.2/shorewallrc.debian 2014-11-17 16:17:15.000000000 +0100 @@ -17,7 +17,7 @@ SYSCONFFILE=default.debian #Name of the distributed file to be installed in $SYSCONFDIR SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed -SYSTEMD= #Directory where .service files are installed (systems running systemd only) +SERVICEDIR= #Directory where .service files are installed (systems running systemd only) SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR VARLIB=/var/lib #Directory where product variable data is stored. VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.4.3/shorewallrc.default new/shorewall-init-4.6.5.2/shorewallrc.default --- old/shorewall-init-4.6.4.3/shorewallrc.default 2014-10-19 17:16:42.000000000 +0200 +++ new/shorewall-init-4.6.5.2/shorewallrc.default 2014-11-17 16:17:15.000000000 +0100 @@ -14,7 +14,7 @@ INITFILE=$PRODUCT #Name of the product's installed SysV init script INITSOURCE=init.sh #Name of the distributed file to be installed as the SysV init script ANNOTATED= #If non-zero, annotated configuration files are installed -SYSTEMD= #Directory where .service files are installed (systems running systemd only) +SERVICEDIR= #Directory where .service files are installed (systems running systemd only) SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SYSCONFFILE= #Name of the distributed file to be installed in $SYSCONFDIR SYSCONFDIR= #Directory where SysV init parameter files are installed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.4.3/shorewallrc.redhat new/shorewall-init-4.6.5.2/shorewallrc.redhat --- old/shorewall-init-4.6.4.3/shorewallrc.redhat 2014-10-19 17:16:42.000000000 +0200 +++ new/shorewall-init-4.6.5.2/shorewallrc.redhat 2014-11-17 16:17:15.000000000 +0100 @@ -14,7 +14,7 @@ INITFILE=$PRODUCT #Name of the product's installed SysV init script INITSOURCE=init.fedora.sh #Name of the distributed file to be installed as the SysV init script ANNOTATED= #If non-zero, annotated configuration files are installed -SYSTEMD=/lib/systemd/system #Directory where .service files are installed (systems running systemd only) +SERVICEDIR=/lib/systemd/system #Directory where .service files are installed (systems running systemd only) SYSCONFFILE=sysconfig #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter files are installed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.4.3/shorewallrc.slackware new/shorewall-init-4.6.5.2/shorewallrc.slackware --- old/shorewall-init-4.6.4.3/shorewallrc.slackware 2014-10-19 17:16:42.000000000 +0200 +++ new/shorewall-init-4.6.5.2/shorewallrc.slackware 2014-11-17 16:17:15.000000000 +0100 @@ -15,7 +15,7 @@ AUXINITFILE=rc.firewall #Name of the product's installed SysV init script INITSOURCE=init.slackware.$PRODUCT.sh #Name of the distributed file to be installed as a second SysV init script INITFILE=rc.$PRODUCT #Name of the product's installed second init script -SYSTEMD= #Name of the directory where .service files are installed (systems running systemd only) +SERVICEDIR= #Name of the directory where .service files are installed (systems running systemd only) SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SYSCONFFILE= #Name of the distributed file to be installed in $SYSCONFDIR SYSCONFDIR= #Name of the directory where SysV init parameter files are installed. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.4.3/shorewallrc.suse new/shorewall-init-4.6.5.2/shorewallrc.suse --- old/shorewall-init-4.6.4.3/shorewallrc.suse 2014-10-19 17:16:42.000000000 +0200 +++ new/shorewall-init-4.6.5.2/shorewallrc.suse 2014-11-17 16:17:15.000000000 +0100 @@ -14,7 +14,7 @@ INITFILE=$PRODUCT #Name of the product's SysV init script INITSOURCE=init.suse.sh #Name of the distributed file to be installed as the SysV init script ANNOTATED= #If non-zero, annotated configuration files are installed -SYSTEMD= #Directory where .service files are installed (systems running systemd only) +SERVICEDIR= #Directory where .service files are installed (systems running systemd only) SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SYSCONFFILE=sysconfig #Name of the distributed file to be installed in $SYSCONFDIR SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter files are installed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.4.3/uninstall.sh new/shorewall-init-4.6.5.2/uninstall.sh --- old/shorewall-init-4.6.4.3/uninstall.sh 2014-10-19 17:16:42.000000000 +0200 +++ new/shorewall-init-4.6.5.2/uninstall.sh 2014-11-17 16:17:15.000000000 +0100 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.4.3 +VERSION=4.6.5.2 usage() # $1 = exit status { ++++++ shorewall-lite-4.6.4.3.tar.bz2 -> shorewall-lite-4.6.5.2.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.4.3/changelog.txt new/shorewall-lite-4.6.5.2/changelog.txt --- old/shorewall-lite-4.6.4.3/changelog.txt 2014-10-19 16:59:58.000000000 +0200 +++ new/shorewall-lite-4.6.5.2/changelog.txt 2014-11-17 16:17:15.000000000 +0100 @@ -1,14 +1,66 @@ -Changes in 4.6.4.3 +Changes in 4.6.5.1 -1) Update release documents +1) Update release documents. -2) Add xt_LOG to the helpers files. +2) Fix IPv6 LOG_BACKEND=LOG -Changes in 4.6.4.2 +Changes in 4.6.5.1 -1) Update release documents +1) Update release documents. -2) Add ipt_LOG to the helpers files. +2) Apply Alan Barrett's dhclient patch + +3) Make emacs sh-mode work better with lib.core + +4) Fix setting of options[SERVICEDIR] in configure + +5) Rename SYSTEMDDIR to SERVICEDIR in shorewallrc.* + +6) Eliminate redundant "/" in the installers + +Changes in 4.6.5 Final + +1) Update release documents. + +2) Apply Thomas D's manpage fixes. + +3) Correct .service files. + +Changes in 4.6.5 RC 1 + +1) Update release documents. + +2) Correct a couple of defects in the -C code. + +3) Fix LOG_BACKEND on kernel 3.17. + +Changes in 4.6.5 Beta 3 + +1) Update release documents. + +2) Process params files with $SHOREWALL_SHELL. + +3) Implement the -C option. + +Changes in 4.6.5 Beta 2 + +1) Update release documents. + +2) Defect repair from the 4.6.4 branch. + +3) Allow both source and dest limits in the RATE LIMIT column. + +Changes in 4.6.5 Beta 1 + +1) Update release documents. + +2) Merge defect repair from 4.6.4. + +Changes in 4.6.5 Beta 1 + +1) Update release documents. + +2) New .service file strategy. Changes in 4.6.4.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.4.3/configure new/shorewall-lite-4.6.5.2/configure --- old/shorewall-lite-4.6.4.3/configure 2014-10-19 16:59:59.000000000 +0200 +++ new/shorewall-lite-4.6.5.2/configure 2014-11-17 16:17:15.000000000 +0100 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.4.3 +VERSION=4.6.5.2 case "$BASH_VERSION" in [4-9].*) @@ -195,6 +195,10 @@ fi fi +if [ -z "${options[SERVICEDIR]}" ]; then + options[SERVICEDIR]="${options[SYSTEMD]}" +fi + for on in \ HOST \ PREFIX \ @@ -209,7 +213,7 @@ INITFILE \ AUXINITSOURCE \ AUXINITFILE \ - SYSTEMD \ + SERVICEDIR \ SERVICEFILE \ SYSCONFFILE \ SYSCONFDIR \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.4.3/configure.pl new/shorewall-lite-4.6.5.2/configure.pl --- old/shorewall-lite-4.6.4.3/configure.pl 2014-10-19 16:59:59.000000000 +0200 +++ new/shorewall-lite-4.6.5.2/configure.pl 2014-11-17 16:17:15.000000000 +0100 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.4.3' + VERSION => '4.6.5.2' }; my %params; @@ -154,6 +154,8 @@ $options{VARDIR} = '${VARLIB}/${PRODUCT}'; } +$options{SERVICEDIR}=$options{SYSTEMD} unless $options{SERVICEDIR}; + for ( qw/ HOST PREFIX SHAREDIR @@ -167,8 +169,8 @@ INITFILE AUXINITSOURCE AUXINITFILE - SYSTEMD - SERVICEFILE + SERVICEDIR + SERVICEFILE SYSCONFFILE SYSCONFDIR SPARSE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.4.3/helpers new/shorewall-lite-4.6.5.2/helpers --- old/shorewall-lite-4.6.4.3/helpers 2014-10-19 16:59:58.000000000 +0200 +++ new/shorewall-lite-4.6.5.2/helpers 2014-11-17 16:17:15.000000000 +0100 @@ -58,11 +58,13 @@ loadmodule nf_nat_snmp_basic loadmodule nf_nat_tftp # -# While not actually helpers, these are handy to have. Not -# all of these will be found on any given system, since -# some are aliases on later kernels. +# While not actually helpers, these are included here so that +# LOG_BACKEND can work correctly. Not all of them will be +# loaded, since at least one of them will be an alias on any +# given system. # loadmodule ipt_LOG +loadmodule nf_log_ipv4 loadmodule xt_LOG loadmodule xt_NFLOG loadmodule ipt_ULOG diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.4.3/init.fedora.sh new/shorewall-lite-4.6.5.2/init.fedora.sh --- old/shorewall-lite-4.6.4.3/init.fedora.sh 2014-10-19 16:44:01.000000000 +0200 +++ new/shorewall-lite-4.6.5.2/init.fedora.sh 2014-11-15 17:56:42.000000000 +0100 @@ -39,7 +39,7 @@ start() { echo -n $"Starting Shorewall: " - $shorewall $OPTIONS start 2>&1 | $logger + $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger retval=${PIPESTATUS[0]} if [[ $retval == 0 ]]; then touch $lockfile @@ -69,7 +69,7 @@ # Note that we don't simply stop and start since shorewall has a built in # restart which stops the firewall if running and then starts it. echo -n $"Restarting Shorewall: " - $shorewall $OPTIONS restart 2>&1 | $logger + $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger retval=${PIPESTATUS[0]} if [[ $retval == 0 ]]; then touch $lockfile diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.4.3/install.sh new/shorewall-lite-4.6.5.2/install.sh --- old/shorewall-lite-4.6.4.3/install.sh 2014-10-19 16:59:58.000000000 +0200 +++ new/shorewall-lite-4.6.5.2/install.sh 2014-11-17 16:17:15.000000000 +0100 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=4.6.4.3 +VERSION=4.6.5.2 usage() # $1 = exit status { @@ -381,7 +381,7 @@ if [ -n "$INITFILE" ]; then if [ -f "${INITSOURCE}" ]; then - initfile="${DESTDIR}/${INITDIR}/${INITFILE}" + initfile="${DESTDIR}${INITDIR}/${INITFILE}" install_file ${INITSOURCE} "$initfile" 0544 [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile" @@ -392,12 +392,16 @@ # # Install the .service file # -if [ -n "$SYSTEMD" ]; then - mkdir -p ${DESTDIR}${SYSTEMD} +if [ -z "${SERVICEDIR}" ]; then + SERVICEDIR="$SYSTEMD" +fi + +if [ -n "$SERVICEDIR" ]; then + mkdir -p ${DESTDIR}${SERVICEDIR} [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service - run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service - [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service - echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service" + run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service + [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service + echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service" fi # # Install the config file @@ -539,7 +543,7 @@ fi if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then - if [ -n "$SYSTEMD" ]; then + if [ -n "$SERVICEDIR" ]; then if systemctl enable ${PRODUCT}.service; then echo "$Product will start automatically at boot" fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.4.3/manpages/shorewall-lite-vardir.5 new/shorewall-lite-4.6.5.2/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-4.6.4.3/manpages/shorewall-lite-vardir.5 2014-10-19 17:03:23.000000000 +0200 +++ new/shorewall-lite-4.6.5.2/manpages/shorewall-lite-vardir.5 2014-11-17 16:20:35.000000000 +0100 @@ -2,12 +2,12 @@ .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 10/19/2014 +.\" Date: 11/17/2014 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "10/19/2014" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\-VAR" "5" "11/17/2014" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.4.3/manpages/shorewall-lite.8 new/shorewall-lite-4.6.5.2/manpages/shorewall-lite.8 --- old/shorewall-lite-4.6.4.3/manpages/shorewall-lite.8 2014-10-19 17:03:24.000000000 +0200 +++ new/shorewall-lite-4.6.5.2/manpages/shorewall-lite.8 2014-11-17 16:20:36.000000000 +0100 @@ -2,12 +2,12 @@ .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 10/19/2014 +.\" Date: 11/17/2014 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "10/19/2014" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL\-LITE" "8" "11/17/2014" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -71,13 +71,13 @@ .HP \w'\fBshorewall\-lite\fR\ 'u \fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBreset\fR .HP \w'\fBshorewall\-lite\fR\ 'u -\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBrestart\fR [\fB\-n\fR] [\fB\-p\fR] [\fIdirectory\fR] +\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBrestart\fR [\fB\-n\fR] [\fB\-p\fR\ [\fB\-C\fR]] [\fIdirectory\fR] .HP \w'\fBshorewall\-lite\fR\ 'u -\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBrestore\fR [\fIfilename\fR] +\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBrestore\fR [\fB\-C\fR] [\fIfilename\fR] .HP \w'\fBshorewall\-lite\fR\ 'u \fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBrun\fR function [\fIparameter\ \&.\&.\&.\fR] .HP \w'\fBshorewall\-lite\fR\ 'u -\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBsave\fR [\fIfilename\fR] +\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBsave\fR\ [\fB\-C\fR] [\fIfilename\fR] .HP \w'\fBshorewall\-lite\fR\ 'u \fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] [\fBshow\ |\ list\ |\ ls\ \fR] [\fB\-b\fR] [\fB\-x\fR] [\fB\-l\fR] [\fB\-t\fR\ {\fBfilter\fR|\fBmangle\fR|\fBnat\fR|\fBraw|rawpost\fR}] [[\fBchain\fR]\ \fIchain\fR...] .HP \w'\fBshorewall\-lite\fR\ 'u @@ -95,7 +95,7 @@ .HP \w'\fBshorewall\-lite\fR\ 'u \fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] [\fBshow\ |\ list\ |\ ls\ \fR] [\fB\-m\fR] \fBlog\fR .HP \w'\fBshorewall\-lite\fR\ 'u -\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBstart\fR [\fB\-n\fR] [\fB\-p\fR] +\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBstart\fR [\fB\-n\fR] [\fB\-p\fR] [\fB\-f\fR] [\fB\-C\fR] .HP \w'\fBshorewall\-lite\fR\ 'u \fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBstop\fR .HP \w'\fBshorewall\-lite\fR\ 'u @@ -118,8 +118,9 @@ \fBoption\fR prevents the command from attempting to acquire the Shorewall\-lite lockfile\&. It is useful if you need to include \fBshorewall\fR -commands in -/etc/shorewall/started\&. +commands in the +started +\m[blue]\fBextension script\fR\m[]\&\s-2\u[1]\d\s+2\&. .PP The \fIoptions\fR @@ -127,13 +128,13 @@ \fBv\fR and \fBq\fR\&. If the options are omitted, the amount of output is determined by the setting of the VERBOSITY parameter in -\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. Each +\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. Each \fBv\fR adds one to the effective verbosity and each \fBq\fR subtracts one from the effective VERBOSITY\&. Alternately, \fBv\fR -may be followed immediately with one of \-1,0,1,2 to specify a specify VERBOSITY\&. There may be no white\-space between +may be followed immediately with one of \-1,0,1,2 to specify VERBOSITY\&. There may be no white\-space between \fBv\fR and the VERBOSITY\&. .PP @@ -153,7 +154,7 @@ The \fIinterface\fR argument names an interface defined in the -\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[2]\d\s+2(5) file\&. A +\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[3]\d\s+2(5) file\&. A \fIhost\-list\fR is comma\-separated list whose elements are host or network addresses\&. .if n \{\ @@ -215,7 +216,7 @@ The \fIinterface\fR argument names an interface defined in the -\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[2]\d\s+2(5) file\&. A +\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[3]\d\s+2(5) file\&. A \fIhost\-list\fR is comma\-separated list whose elements are a host or network address\&. .RE @@ -267,7 +268,7 @@ and /var/lib/shorewall\-lite/save\&. If no \fIfilename\fR is given then the file specified by RESTOREFILE in -\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5) is assumed\&. +\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5) is assumed\&. .RE .PP \fBhelp\fR @@ -307,14 +308,14 @@ .RS 4 Causes traffic from the listed \fIaddress\fRes to be logged then discarded\&. Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL setting in -\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2 +\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2 (5)\&. .RE .PP \fBlogwatch\fR .RS 4 Monitors the log file specified by the LOGFILE option in -\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5) and produces an audible alarm when new Shorewall\-lite messages are logged\&. The +\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5) and produces an audible alarm when new Shorewall\-lite messages are logged\&. The \fB\-m\fR option causes the MAC address of each packet source to be displayed if that information is available\&. The \fIrefresh\-interval\fR @@ -326,7 +327,7 @@ .RS 4 Causes traffic from the listed \fIaddress\fRes to be logged then rejected\&. Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL setting in -\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2 +\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2 (5)\&. .RE .PP @@ -363,6 +364,10 @@ option causes the connection tracking table to be flushed; the \fBconntrack\fR utility must be installed to use this option\&. +.sp +The +\fB\-C\fR +option was added in Shorewall 4\&.6\&.5\&. If the specified (or implicit) firewall script is the one that generated the current running configuration, then the running netfilter configuration will be reloaded as is so as to preserve the iptables packet and byte counters\&. .RE .PP \fBrestore\fR @@ -375,7 +380,30 @@ \fBshorewall\-lite save\fR; if no \fIfilename\fR is given then Shorewall\-lite will be restored from the file specified by the RESTOREFILE option in -\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. +\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. +.if n \{\ +.sp +.\} +.RS 4 +.it 1 an-trap +.nr an-no-space-flag 1 +.nr an-break-flag 1 +.br +.ps +1 +\fBCaution\fR +.ps -1 +.br +If your iptables ruleset depends on variables that are detected at run\-time, either in your params file or by Shorewall\-generated code, +\fBrestore\fR +will use the values that were current when the ruleset was saved, which may be different from the current values\&. +.sp .5v +.RE +The +\fB\-C\fR +option was added in Shorewall 4\&.6\&.5\&. If the +\fB\-C\fR +option was specified during +\fBshorewall save\fR, then the counters saved by that operation will be restored\&. .RE .PP \fBrun\fR @@ -401,7 +429,11 @@ \fBshorewall\-lite restore\fR\&. If \fIfilename\fR is not given then the state is saved in the file specified by the RESTOREFILE option in -\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. +\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. +.sp +The +\fB\-C\fR +option, added in Shorewall 4\&.6\&.5, causes the iptables packet and byte counters to be saved along with the chains and rules\&. .RE .PP \fBshow\fR @@ -488,14 +520,14 @@ .PP \fBipa\fR .RS 4 -Added in Shorewall 4\&.4\&.17\&. Displays the per\-IP accounting counters (\m[blue]\fBshorewall\-accounting\fR\m[]\&\s-2\u[3]\d\s+2 +Added in Shorewall 4\&.4\&.17\&. Displays the per\-IP accounting counters (\m[blue]\fBshorewall\-accounting\fR\m[]\&\s-2\u[4]\d\s+2 (5))\&. .RE .PP \fBlog\fR .RS 4 Displays the last 20 Shorewall\-lite messages from the log file specified by the LOGFILE option in -\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. The +\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. The \fB\-m\fR option causes the MAC address of each packet source to be displayed if that information is available\&. .RE @@ -552,14 +584,33 @@ option causes the connection tracking table to be flushed; the \fBconntrack\fR utility must be installed to use this option\&. +.sp +The +\fB\-m\fR +option prevents the firewall script from modifying the current routing configuration\&. +.sp +The +\fB\-f\fR +option was added in Shorewall 4\&.6\&.5\&. If the RESTOREFILE named in +\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5) exists, is executable and is not older than the current filewall script, then that saved configuration is restored\&. +.sp +The +\fB\-C\fR +option was added in Shorewall 4\&.6\&.5 and is only meaningful when the +\fB\-f\fR +option is also specified\&. If the previously\-saved configuration is restored, and if the +\fB\-C\fR +option was also specified in the +\fBsave\fR +command, then the packet and byte counters will be restored\&. .RE .PP \fBstop\fR .RS 4 Stops the firewall\&. All existing connections, except those listed in -\m[blue]\fBshorewall\-routestopped\fR\m[]\&\s-2\u[4]\d\s+2(5) or permitted by the ADMINISABSENTMINDED option in -\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5), are taken down\&. The only new traffic permitted through the firewall is from systems listed in -\m[blue]\fBshorewall\-routestopped\fR\m[]\&\s-2\u[4]\d\s+2(5) or by ADMINISABSENTMINDED\&. +\m[blue]\fBshorewall\-routestopped\fR\m[]\&\s-2\u[5]\d\s+2(5) or permitted by the ADMINISABSENTMINDED option in +\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5), are taken down\&. The only new traffic permitted through the firewall is from systems listed in +\m[blue]\fBshorewall\-routestopped\fR\m[]\&\s-2\u[5]\d\s+2(5) or by ADMINISABSENTMINDED\&. .sp If \fB\-f\fR @@ -608,21 +659,26 @@ shorewall\-accounting(5), shorewall\-actions(5), shorewall\-blacklist(5), shorewall\-hosts(5), shorewall_interfaces(5), shorewall\-ipsets(5), shorewall\-maclist(5), shorewall\-masq(5), shorewall\-nat(5), shorewall\-netmap(5), shorewall\-params(5), shorewall\-policy(5), shorewall\-providers(5), shorewall\-proxyarp(5), shorewall\-rtrules(5), shorewall\-routestopped(5), shorewall\-rules(5), shorewall\&.conf(5), shorewall\-secmarks(5), shorewall\-tcclasses(5), shorewall\-tcdevices(5), shorewall\-tcrules(5), shorewall\-tos(5), shorewall\-tunnels(5), shorewall\-zones(5) .SH "NOTES" .IP " 1." 4 +extension script +.RS 4 +\%http://www.shorewall.net../shorewall_extension_scripts.html +.RE +.IP " 2." 4 shorewall.conf .RS 4 \%http://www.shorewall.netshorewall.conf.html .RE -.IP " 2." 4 +.IP " 3." 4 shorewall-interfaces .RS 4 \%http://www.shorewall.netshorewall-interfaces.html .RE -.IP " 3." 4 +.IP " 4." 4 shorewall-accounting .RS 4 \%http://www.shorewall.netmanpages/shorewall-accounting.html .RE -.IP " 4." 4 +.IP " 5." 4 shorewall-routestopped .RS 4 \%http://www.shorewall.netshorewall-routestopped.html diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.4.3/manpages/shorewall-lite.conf.5 new/shorewall-lite-4.6.5.2/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-4.6.4.3/manpages/shorewall-lite.conf.5 2014-10-19 17:03:21.000000000 +0200 +++ new/shorewall-lite-4.6.5.2/manpages/shorewall-lite.conf.5 2014-11-17 16:20:33.000000000 +0100 @@ -2,12 +2,12 @@ .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 10/19/2014 +.\" Date: 11/17/2014 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "10/19/2014" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\&.CO" "5" "11/17/2014" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.4.3/manpages/shorewall-lite.xml new/shorewall-lite-4.6.5.2/manpages/shorewall-lite.xml --- old/shorewall-lite-4.6.4.3/manpages/shorewall-lite.xml 2014-10-19 17:03:25.000000000 +0200 +++ new/shorewall-lite-4.6.5.2/manpages/shorewall-lite.xml 2014-11-17 16:20:36.000000000 +0100 @@ -299,7 +299,7 @@ <arg><option>-n</option></arg> - <arg><option>-p</option></arg> + <arg><option>-p</option><arg><option>-C</option></arg></arg> <arg><replaceable>directory</replaceable></arg> </cmdsynopsis> @@ -314,6 +314,8 @@ <arg choice="plain"><option>restore</option></arg> + <arg><option>-C</option></arg> + <arg><replaceable>filename</replaceable></arg> </cmdsynopsis> @@ -340,7 +342,8 @@ <arg>-<replaceable>options</replaceable></arg> - <arg choice="plain"><option>save</option></arg> + <arg + choice="plain"><option>save</option><arg><option>-C</option></arg></arg> <arg choice="opt"><replaceable>filename</replaceable></arg> </cmdsynopsis> @@ -474,6 +477,10 @@ <arg><option>-n</option></arg> <arg><option>-p</option></arg> + + <arg><option>-f</option></arg> + + <arg><option>-C</option></arg> </cmdsynopsis> <cmdsynopsis> @@ -526,8 +533,9 @@ <para>The nolock <option>option</option> prevents the command from attempting to acquire the Shorewall-lite lockfile. It is useful if you - need to include <command>shorewall</command> commands in - <filename>/etc/shorewall/started</filename>.</para> + need to include <command>shorewall</command> commands in the + <filename>started</filename> <ulink + url="../shorewall_extension_scripts.html">extension script</ulink>.</para> <para>The <emphasis>options</emphasis> control the amount of output that the command produces. They consist of a sequence of the letters <emphasis @@ -538,8 +546,8 @@ role="bold">v</emphasis> adds one to the effective verbosity and each <emphasis role="bold">q</emphasis> subtracts one from the effective VERBOSITY. Alternately, <emphasis role="bold">v</emphasis> may be followed - immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may - be no white-space between <emphasis role="bold">v</emphasis> and the + immediately with one of -1,0,1,2 to specify VERBOSITY. There may be no + white-space between <emphasis role="bold">v</emphasis> and the VERBOSITY.</para> <para>The <emphasis>options</emphasis> may also include the letter @@ -819,6 +827,12 @@ <para>The <option>-p</option> option causes the connection tracking table to be flushed; the <command>conntrack</command> utility must be installed to use this option.</para> + + <para>The <option>-C</option> option was added in Shorewall 4.6.5. + If the specified (or implicit) firewall script is the one that + generated the current running configuration, then the running + netfilter configuration will be reloaded as is so as to preserve the + iptables packet and byte counters.</para> </listitem> </varlistentry> @@ -834,6 +848,19 @@ <emphasis>filename</emphasis> is given then Shorewall-lite will be restored from the file specified by the RESTOREFILE option in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para> + + <caution> + <para>If your iptables ruleset depends on variables that are + detected at run-time, either in your params file or by + Shorewall-generated code, <command>restore</command> will use the + values that were current when the ruleset was saved, which may be + different from the current values.</para> + </caution> + + <para>The <option>-C</option> option was added in Shorewall 4.6.5. + If the <option>-C</option> option was specified during <emphasis + role="bold">shorewall save</emphasis>, then the counters saved by + that operation will be restored.</para> </listitem> </varlistentry> @@ -865,6 +892,10 @@ <emphasis>filename</emphasis> is not given then the state is saved in the file specified by the RESTOREFILE option in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para> + + <para>The <option>-C</option> option, added in Shorewall 4.6.5, + causes the iptables packet and byte counters to be saved along with + the chains and rules.</para> </listitem> </varlistentry> @@ -1102,6 +1133,22 @@ <para>The <option>-p</option> option causes the connection tracking table to be flushed; the <command>conntrack</command> utility must be installed to use this option.</para> + + <para>The <option>-m</option> option prevents the firewall script + from modifying the current routing configuration.</para> + + <para>The <option>-f</option> option was added in Shorewall 4.6.5. + If the RESTOREFILE named in <ulink + url="shorewall.conf.html">shorewall.conf</ulink>(5) exists, is + executable and is not older than the current filewall script, then + that saved configuration is restored.</para> + + <para>The <option>-C</option> option was added in Shorewall 4.6.5 + and is only meaningful when the <option>-f</option> option is also + specified. If the previously-saved configuration is restored, and if + the <option>-C</option> option was also specified in the <emphasis + role="bold">save</emphasis> command, then the packet and byte + counters will be restored.</para> </listitem> </varlistentry> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.4.3/modules.essential new/shorewall-lite-4.6.5.2/modules.essential --- old/shorewall-lite-4.6.4.3/modules.essential 2014-10-19 16:59:58.000000000 +0200 +++ new/shorewall-lite-4.6.5.2/modules.essential 2014-11-17 16:17:15.000000000 +0100 @@ -28,4 +28,3 @@ loadmodule iptable_raw loadmodule xt_state loadmodule xt_tcpudp -loadmodule ipt_LOG diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.4.3/modules.extensions new/shorewall-lite-4.6.5.2/modules.extensions --- old/shorewall-lite-4.6.4.3/modules.extensions 2014-10-19 16:59:58.000000000 +0200 +++ new/shorewall-lite-4.6.5.2/modules.extensions 2014-11-17 16:17:15.000000000 +0100 @@ -32,7 +32,6 @@ loadmodule ipt_iprange loadmodule ipt_length loadmodule ipt_limit -loadmodule ipt_LOG loadmodule ipt_mac loadmodule ipt_mark loadmodule ipt_MARK @@ -58,4 +57,3 @@ loadmodule ipt_TOS loadmodule ipt_ttl loadmodule ipt_TTL -loadmodule ipt_ULOG diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.4.3/modules.xtables new/shorewall-lite-4.6.5.2/modules.xtables --- old/shorewall-lite-4.6.4.3/modules.xtables 2014-10-19 16:59:58.000000000 +0200 +++ new/shorewall-lite-4.6.5.2/modules.xtables 2014-11-17 16:17:15.000000000 +0100 @@ -31,7 +31,6 @@ loadmodule xt_mark loadmodule xt_MARK loadmodule xt_multiport -loadmodule xt_NFLOG loadmodule xt_NFQUEUE loadmodule xt_owner loadmodule xt_physdev diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.4.3/releasenotes.txt new/shorewall-lite-4.6.5.2/releasenotes.txt --- old/shorewall-lite-4.6.4.3/releasenotes.txt 2014-10-19 16:59:58.000000000 +0200 +++ new/shorewall-lite-4.6.5.2/releasenotes.txt 2014-11-17 16:17:15.000000000 +0100 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 4 . 3 + S H O R E W A L L 4 . 6 . 5 . 2 ------------------------------------ - O c t o b e r 2 0 , 2 0 1 4 + N o v e m b e r 1 8 , 2 0 1 4 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE @@ -14,82 +14,45 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.4.3 +4.6.5.2 -1) The fix for LOGBACKEND in 4.6.4.2 worked on some older - distributions but not on newer ones. This release fixes the problem - in the remaining cases. +1) LOG_BACKEND=LOG failed at run-time for all but the most recent + kernels. -4.6.4.2 +4.6.5.1 -1) Setting LOGBACKEND=ipt_LOG could result in the following startup - failure at boot: +1) The generated script can now detect an gateway address assigned by + later versions of that program (Alan Barrett). - Starting shorewall ... - /var/lib/shorewall/firewall: line 2080: echo: write error: No such file or directory - WARNING: Unable to set log backend to ipt_LOG +2) In 4.6.5, the bash-based configure script would issue the following + diagnostic if SERVICEDIR was not specified in the shorewallrc + file: -4.6.4.1 - -1) Confusing 'usage' output was produced under the following - conditions: - - a) 4.6.4 installed - - b) The running firewall was compiled on an earlier release. - - c) A 'safe-start', 'save-restart', 'save' or 'try' command is - executed. - - This problem has been corrected. - -2) The 'optional' option has been removed from the IPv4 Universal - interfaces file, as that option caused startup failures. - -4.6.4 Final. + ./configure: line 199: [SERVICEDIR]=: command not found -1) This release includes defect repair through release 4.6.3.4. - -2) Two corrections have been made to the .service files: + This was compounded by the fact that all of the released + shorewallrc files still specified SYSTEMDDIR rather than SERVICEDIR + (Evangelos Foutras) - - The .service files now correctly specify - - WantedBy=basic.target +3) The shorewallrc.archlinux file now reflects a change in SBINDIR + that occurred in Arch Linux in mid 2013 (Evangelos Foutras). - - Conflicting services have been added. - -3) A warning message generated during stoppedrules processing - previously referred to the file as routestopped. - -4) Previously, the stoppedrules file did not work properly when - ADMINISABSENTMINDED=No. - - - A warning message was issued stating that the file would be - processed as if ADMINISABSENTMINDED=Yes, and it was. - - - Unfortunately, part of the surrounding rule-generating logic - proceded as if ADMINISABSENTMINDED=No, leading to an unusable - ruleset. - - This problem has been corrected by changing the way that - stoppedrules works with ADMINISABSENTMINDED=No. In the new - implementation: - - - All existing connections continue to work. - - Response packets and related connection requests to new accepted - connections are accepted (in other words, the resulting ruleset - is stateful). +4.6.5 - See shorewall[6].conf(5) for additional details. +1) This release includes defect repair through release 4.6.4.3. -5) The .spec files now set SBINDIR correctly. +2) On kernel 3.17, LOG_BACKEND=LOG previously failed with the + diagnostics: -6) The -lite installers now create INITDIR if it doesn't exist. + Setting up log backend + /var/lib/shorewall/.restart: line 2075: echo: write error: + No such file or directory + WARNING: Unable to set log backend to ipt_LOG -7) The installers no longer attempt to create a symbolic link to the - init script when no init script is installed. +3) A number of corrections have been made to the manpages (Thomas D). -8) A large number of defects in the uninstallers have been corrected. +4) Previously, if $OPTIONS was set in /etc/sysconfig/shorewall-init, + then servicd failed to start/stop Shorewall-init. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G @@ -102,39 +65,83 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Install support for Centos 7 and Foobar 7 has been added (Tuomo - Soini). - -2) A 'terminating' option has been added to shorewall[6].actions. - this option, when used with the 'builtin' option, indicates to the - compiler that the built-in action is terminating. This allows the - optimizer to omit rules after an unconditional jump to the - built-in. - -3) A LOG_BACKEND option has been added to allow specification of the - default logging backends. See shorewall.conf(5) and - shorewall6.conf(5) for details. - -4) The SAVE_IPSETS option may now specify a list of ipsets to be - saved. When such a list is specified, only those ipsets together - with the ipsets supporting dynamic zones are saved. - - Shorewall6 now supports the SAVE_IPSETS option. When - SAVE_IPSETS=Yes, only ipv6 ipsets are saved. For Shorewall, if - SAVE_IPSETS=ipv4, then only ipv4 ipsets are saved. Both features - require ipset version 5 or later. - - Note that shorewall.conf and shorewall6.conf may now both specify - SAVE_IPSETS. - -5) The SBINDIR setting for SuSE now defaults to /usr/sbin/. - -6) With the exception of Shorewall-core, the tarball installers and - uninstallers now support a -n option which inhibits any attempt to - change the startup configuration. The -n option can be - automatically invoked by setting the SANDBOX variable to a - non-empty value, either in the environment or in your shorewallrc - file. +1) The configure scripts and installers now support SERVICEDIR as an + alternative to SYSTEMD. For compatability, SERVICED is an alias + for SERVICEDIR. + +2) The installers now offer a choice of .service files, selected by + the SERVICEFILE option. The default remains $PRODUCT.service. Each + product supplying a .service file now supplies a .service.214. The + differences between the standard .service files and the service.214 + files are: + + a) They specify 'after=network-online.target' rather than + 'after=network.target'. + + b) The file shorewall-init.service.214 specifies + 'before=network-pre.target' rather than + 'before=network.target'. That file requires serviced 214 or + later, hence the names of the new files. + + Regardless of which file is selected, it is installed in + $SERVICEDIR/$PRODUCT.service. + +3) The RATE LIMIT column of the rules files now allows specification + of both a per-source and per-destination limit. See + shorewall[6]-rules(5) for details. + +4) Previously, /bin/sh was used unconditionally to process the helper + script 'getparams'. That shell script reads the params file and + passes back the (variable,value) pairs to the compiler. Beginning + with this release, $SHOREWALL_SHELL is used to process that script, + unless the compilation is for export, in which case /bin/sh is + still used. + + Note that the default value of $SHOREWALL_SHELL is /bin/sh, so + unless your configuration sets that variable, this enhancement will + have no effect. Similarly, on an administrative system, this + enhancement has no effect on the processing of the 'compile -e', + 'load', 'reload' and 'export' commands. + +5) A -C option has been added to several commands to allow the + ip[6]tables packet and byte counters to be preserved. + + - save command + + Causes the packet and byte counters to be saved along with the + chains and rules. + + - restore command + + Causes the packet and byte counters (if saved) to be restored + along with the chains and rules. + + - start command + + With Shorewall and Shorewall6, the -C option only has an effect + if the -f option is also specified. If a previously-saved + configuration is restored, then the packet and byte counters (if + saved) will be restored along with the chains and rules. + + - restart command + + If an existing compiled script is used (no recompilation + required) and if that script generated the current running + configuration, then the current netfilter configuration is + reloaded as is so as to preserve the current packet and byte + counters. + + If you wish to (approximately) preserve the counters over a + possibly unexpected reboot, then: + + - Create a cron job that periodically does 'shorewall save -C' + + - Specify the -C and -f option in the STARTOPTIONS variable in + either /etc/default/shorewall[6][-lite] or + /etc/sysconfig/shorewall[6][-lite], whichever is supported by your + distribution. Note that some distributions do not distribute these + files so you may have to create the one(s) you need (such as + /etc/sysconfig/shorewall). ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S @@ -429,6 +436,110 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 4 +---------------------------------------------------------------------------- + +4.6.4.1 + +1) Confusing 'usage' output was produced under the following + conditions: + + a) 4.6.4 installed + + b) The running firewall was compiled on an earlier release. + + c) A 'safe-start', 'save-restart', 'save' or 'try' command is + executed. + + This problem has been corrected. + +2) The 'optional' option has been removed from the IPv4 Universal + interfaces file, as that option caused startup failures. + +4.6.4 Final. + +1) This release includes defect repair through release 4.6.3.4. + +2) Two corrections have been made to the .service files: + + - The .service files now correctly specify + + WantedBy=basic.target + + - Conflicting services have been added. + +3) A warning message generated during stoppedrules processing + previously referred to the file as routestopped. + +4) Previously, the stoppedrules file did not work properly when + ADMINISABSENTMINDED=No. + + - A warning message was issued stating that the file would be + processed as if ADMINISABSENTMINDED=Yes, and it was. + + - Unfortunately, part of the surrounding rule-generating logic + proceded as if ADMINISABSENTMINDED=No, leading to an unusable + ruleset. + + This problem has been corrected by changing the way that + stoppedrules works with ADMINISABSENTMINDED=No. In the new + implementation: + + - All existing connections continue to work. + - Response packets and related connection requests to new accepted + connections are accepted (in other words, the resulting ruleset + is stateful). + + See shorewall[6].conf(5) for additional details. + +5) The .spec files now set SBINDIR correctly. + +6) The -lite installers now create INITDIR if it doesn't exist. + +7) The installers no longer attempt to create a symbolic link to the + init script when no init script is installed. + +8) A large number of defects in the uninstallers have been corrected. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 4 +---------------------------------------------------------------------------- + +1) Install support for Centos 7 and Foobar 7 has been added (Tuomo + Soini). + +2) A 'terminating' option has been added to shorewall[6].actions. + this option, when used with the 'builtin' option, indicates to the + compiler that the built-in action is terminating. This allows the + optimizer to omit rules after an unconditional jump to the + built-in. + +3) A LOG_BACKEND option has been added to allow specification of the + default logging backends. See shorewall.conf(5) and + shorewall6.conf(5) for details. + +4) The SAVE_IPSETS option may now specify a list of ipsets to be + saved. When such a list is specified, only those ipsets together + with the ipsets supporting dynamic zones are saved. + + Shorewall6 now supports the SAVE_IPSETS option. When + SAVE_IPSETS=Yes, only ipv6 ipsets are saved. For Shorewall, if + SAVE_IPSETS=ipv4, then only ipv4 ipsets are saved. Both features + require ipset version 5 or later. + + Note that shorewall.conf and shorewall6.conf may now both specify + SAVE_IPSETS. + +5) The SBINDIR setting for SuSE now defaults to /usr/sbin/. + +6) With the exception of Shorewall-core, the tarball installers and + uninstallers now support a -n option which inhibits any attempt to + change the startup configuration. The -n option can be + automatically invoked by setting the SANDBOX variable to a + non-empty value, either in the environment or in your shorewallrc + file. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 3 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.4.3/shorewall-lite.service new/shorewall-lite-4.6.5.2/shorewall-lite.service --- old/shorewall-lite-4.6.4.3/shorewall-lite.service 2014-10-19 16:44:01.000000000 +0200 +++ new/shorewall-lite-4.6.5.2/shorewall-lite.service 2014-11-15 17:56:42.000000000 +0100 @@ -13,7 +13,7 @@ RemainAfterExit=yes EnvironmentFile=-/etc/sysconfig/shorewall-lite StandardOutput=syslog -ExecStart=/sbin/shorewall-lite $OPTIONS start +ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS ExecStop=/sbin/shorewall-lite $OPTIONS stop [Install] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.4.3/shorewall-lite.service.214 new/shorewall-lite-4.6.5.2/shorewall-lite.service.214 --- old/shorewall-lite-4.6.4.3/shorewall-lite.service.214 1970-01-01 01:00:00.000000000 +0100 +++ new/shorewall-lite-4.6.5.2/shorewall-lite.service.214 2014-11-15 17:56:42.000000000 +0100 @@ -0,0 +1,20 @@ +# +# The Shoreline Firewall (Shorewall) Packet Filtering Firewall +# +# Copyright 2011 Jonathan Underwood <[email protected]> +# +[Unit] +Description=Shorewall IPv4 firewall (lite) +After=network-online.target +Conflicts=iptables.service firewalld.service + +[Service] +Type=oneshot +RemainAfterExit=yes +EnvironmentFile=-/etc/sysconfig/shorewall-lite +StandardOutput=syslog +ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS +ExecStop=/sbin/shorewall-lite $OPTIONS stop + +[Install] +WantedBy=basic.target diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.4.3/shorewall-lite.spec new/shorewall-lite-4.6.5.2/shorewall-lite.spec --- old/shorewall-lite-4.6.4.3/shorewall-lite.spec 2014-10-19 16:59:58.000000000 +0200 +++ new/shorewall-lite-4.6.5.2/shorewall-lite.spec 2014-11-17 16:17:15.000000000 +0100 @@ -1,6 +1,6 @@ %define name shorewall-lite -%define version 4.6.4 -%define release 3 +%define version 4.6.5 +%define release 2 %define initdir /etc/init.d Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. @@ -106,12 +106,20 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Sun Oct 19 2014 Tom Eastep [email protected] -- Updated to 4.6.4-3 -* Wed Oct 15 2014 Tom Eastep [email protected] -- Updated to 4.6.4-2 -* Fri Oct 10 2014 Tom Eastep [email protected] -- Updated to 4.6.4-1 +* Sat Nov 15 2014 Tom Eastep [email protected] +- Updated to 4.6.5-2 +* Fri Nov 14 2014 Tom Eastep [email protected] +- Updated to 4.6.5-1 +* Thu Nov 06 2014 Tom Eastep [email protected] +- Updated to 4.6.5-0base +* Sat Nov 01 2014 Tom Eastep [email protected] +- Updated to 4.6.5-0RC1 +* Thu Oct 30 2014 Tom Eastep [email protected] +- Updated to 4.6.5-0Beta3 +* Mon Oct 20 2014 Tom Eastep [email protected] +- Updated to 4.6.5-0Beta2 +* Wed Oct 08 2014 Tom Eastep [email protected] +- Updated to 4.6.5-0Beta1 * Mon Oct 06 2014 Tom Eastep [email protected] - Updated to 4.6.4-0base * Thu Oct 02 2014 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.4.3/shorewallrc.apple new/shorewall-lite-4.6.5.2/shorewallrc.apple --- old/shorewall-lite-4.6.4.3/shorewallrc.apple 2014-10-19 16:59:59.000000000 +0200 +++ new/shorewall-lite-4.6.5.2/shorewallrc.apple 2014-11-17 16:17:15.000000000 +0100 @@ -14,7 +14,7 @@ INITFILE= #Unused on OS X INITSOURCE= #Unused on OS X ANNOTATED= #Unused on OS X -SYSTEMD= #Unused on OS X +SERVICEDIR= #Unused on OS X SERVICEFILE= #Unused on OS X SYSCONFDIR= #Unused on OS X SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.4.3/shorewallrc.archlinux new/shorewall-lite-4.6.5.2/shorewallrc.archlinux --- old/shorewall-lite-4.6.4.3/shorewallrc.archlinux 2014-10-19 16:59:59.000000000 +0200 +++ new/shorewall-lite-4.6.5.2/shorewallrc.archlinux 2014-11-17 16:17:15.000000000 +0100 @@ -8,14 +8,14 @@ LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory CONFDIR=/etc #Directory where subsystem configurations are installed -SBINDIR=/usr/sbin #Directory where system administration programs are installed +SBINDIR=/usr/bin #Directory where system administration programs are installed MANDIR=${SHAREDIR}/man #Directory where manpages are installed. INITDIR= #Directory where SysV init scripts are installed. INITFILE= #Name of the product's installed SysV init script INITSOURCE= #Name of the distributed file to be installed as the SysV init script ANNOTATED= #If non-zero, annotated configuration files are installed SYSCONFDIR= #Directory where SysV init parameter files are installed -SYSTEMD=/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only) +SERVICEDIR=/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only) SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR VARLIB=/var/lib #Directory where product variable data is stored. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.4.3/shorewallrc.cygwin new/shorewall-lite-4.6.5.2/shorewallrc.cygwin --- old/shorewall-lite-4.6.4.3/shorewallrc.cygwin 2014-10-19 16:59:59.000000000 +0200 +++ new/shorewall-lite-4.6.5.2/shorewallrc.cygwin 2014-11-17 16:17:15.000000000 +0100 @@ -14,7 +14,7 @@ INITFILE= #Unused on Cygwin INITSOURCE= #Unused on Cygwin ANNOTATED= #Unused on Cygwin -SYSTEMD= #Unused on Cygwin +SERVICEDIR= #Unused on Cygwin SERVICEFILE= #Unused on Cygwin SYSCONFDIR= #Unused on Cygwin SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.4.3/shorewallrc.debian new/shorewall-lite-4.6.5.2/shorewallrc.debian --- old/shorewall-lite-4.6.4.3/shorewallrc.debian 2014-10-19 16:59:59.000000000 +0200 +++ new/shorewall-lite-4.6.5.2/shorewallrc.debian 2014-11-17 16:17:15.000000000 +0100 @@ -17,7 +17,7 @@ SYSCONFFILE=default.debian #Name of the distributed file to be installed in $SYSCONFDIR SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed -SYSTEMD= #Directory where .service files are installed (systems running systemd only) +SERVICEDIR= #Directory where .service files are installed (systems running systemd only) SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR VARLIB=/var/lib #Directory where product variable data is stored. VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.4.3/shorewallrc.default new/shorewall-lite-4.6.5.2/shorewallrc.default --- old/shorewall-lite-4.6.4.3/shorewallrc.default 2014-10-19 16:59:59.000000000 +0200 +++ new/shorewall-lite-4.6.5.2/shorewallrc.default 2014-11-17 16:17:15.000000000 +0100 @@ -14,7 +14,7 @@ INITFILE=$PRODUCT #Name of the product's installed SysV init script INITSOURCE=init.sh #Name of the distributed file to be installed as the SysV init script ANNOTATED= #If non-zero, annotated configuration files are installed -SYSTEMD= #Directory where .service files are installed (systems running systemd only) +SERVICEDIR= #Directory where .service files are installed (systems running systemd only) SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SYSCONFFILE= #Name of the distributed file to be installed in $SYSCONFDIR SYSCONFDIR= #Directory where SysV init parameter files are installed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.4.3/shorewallrc.redhat new/shorewall-lite-4.6.5.2/shorewallrc.redhat --- old/shorewall-lite-4.6.4.3/shorewallrc.redhat 2014-10-19 16:59:59.000000000 +0200 +++ new/shorewall-lite-4.6.5.2/shorewallrc.redhat 2014-11-17 16:17:15.000000000 +0100 @@ -14,7 +14,7 @@ INITFILE=$PRODUCT #Name of the product's installed SysV init script INITSOURCE=init.fedora.sh #Name of the distributed file to be installed as the SysV init script ANNOTATED= #If non-zero, annotated configuration files are installed -SYSTEMD=/lib/systemd/system #Directory where .service files are installed (systems running systemd only) +SERVICEDIR=/lib/systemd/system #Directory where .service files are installed (systems running systemd only) SYSCONFFILE=sysconfig #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter files are installed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.4.3/shorewallrc.slackware new/shorewall-lite-4.6.5.2/shorewallrc.slackware --- old/shorewall-lite-4.6.4.3/shorewallrc.slackware 2014-10-19 16:59:59.000000000 +0200 +++ new/shorewall-lite-4.6.5.2/shorewallrc.slackware 2014-11-17 16:17:15.000000000 +0100 @@ -15,7 +15,7 @@ AUXINITFILE=rc.firewall #Name of the product's installed SysV init script INITSOURCE=init.slackware.$PRODUCT.sh #Name of the distributed file to be installed as a second SysV init script INITFILE=rc.$PRODUCT #Name of the product's installed second init script -SYSTEMD= #Name of the directory where .service files are installed (systems running systemd only) +SERVICEDIR= #Name of the directory where .service files are installed (systems running systemd only) SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SYSCONFFILE= #Name of the distributed file to be installed in $SYSCONFDIR SYSCONFDIR= #Name of the directory where SysV init parameter files are installed. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.4.3/shorewallrc.suse new/shorewall-lite-4.6.5.2/shorewallrc.suse --- old/shorewall-lite-4.6.4.3/shorewallrc.suse 2014-10-19 16:59:59.000000000 +0200 +++ new/shorewall-lite-4.6.5.2/shorewallrc.suse 2014-11-17 16:17:15.000000000 +0100 @@ -14,7 +14,7 @@ INITFILE=$PRODUCT #Name of the product's SysV init script INITSOURCE=init.suse.sh #Name of the distributed file to be installed as the SysV init script ANNOTATED= #If non-zero, annotated configuration files are installed -SYSTEMD= #Directory where .service files are installed (systems running systemd only) +SERVICEDIR= #Directory where .service files are installed (systems running systemd only) SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SYSCONFFILE=sysconfig #Name of the distributed file to be installed in $SYSCONFDIR SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter files are installed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.4.3/uninstall.sh new/shorewall-lite-4.6.5.2/uninstall.sh --- old/shorewall-lite-4.6.4.3/uninstall.sh 2014-10-19 16:59:58.000000000 +0200 +++ new/shorewall-lite-4.6.5.2/uninstall.sh 2014-11-17 16:17:15.000000000 +0100 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.4.3 +VERSION=4.6.5.2 PRODUCT=shorewall-lite usage() # $1 = exit status ++++++ shorewall-4.6.4.3.tar.bz2 -> shorewall6-4.6.5.2.tar.bz2 ++++++ ++++ 127074 lines of diff (skipped) ++++++ shorewall-lite-4.6.4.3.tar.bz2 -> shorewall6-lite-4.6.5.2.tar.bz2 ++++++ ++++ 8349 lines of diff (skipped) -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
