Hello community, here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2015-04-05 02:04:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shorewall (Old) and /work/SRC/openSUSE:Factory/.shorewall.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall" Changes: -------- --- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2015-03-18 13:05:33.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes 2015-04-05 02:04:29.000000000 +0200 @@ -1,0 +2,26 @@ +Sat Apr 4 08:29:52 UTC 2015 - [email protected] + +- Update to version 4.6.8 For more details see changelog.txt and + releasenotes.txt + + * This release includes defect repair from Shorewall 4.6.6.2 and + earlier releases. + + * Previously, when the -n option was specified and NetworkManager + was installed on the target system, the Shorewall-init installer + would still create + ${DESTDIR}etc/NetworkManager/dispatcher.d/01-shorewall, regardless + of the setting of $CONFDIR. That has been corrected such that + the directory + ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall + is created instead. + + * Previously, handling of the IPTABLES and IP6TABLES actions in + the conntrack file was broken. nfw provided a fix on IRC. + + * The Shorewall-core and Shorewall6 installers would previously + report incorrectly that the product release was not installed. + Matt Darfeuille provided fixes. + + +------------------------------------------------------------------- Old: ---- shorewall-4.6.7.tar.bz2 shorewall-core-4.6.7.tar.bz2 shorewall-docs-html-4.6.7.tar.bz2 shorewall-init-4.6.7.tar.bz2 shorewall-lite-4.6.7.tar.bz2 shorewall6-4.6.7.tar.bz2 shorewall6-lite-4.6.7.tar.bz2 New: ---- shorewall-4.6.8.tar.bz2 shorewall-core-4.6.8.tar.bz2 shorewall-docs-html-4.6.8.tar.bz2 shorewall-init-4.6.8.tar.bz2 shorewall-lite-4.6.8.tar.bz2 shorewall6-4.6.8.tar.bz2 shorewall6-lite-4.6.8.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.7ZZDYZ/_old 2015-04-05 02:04:31.000000000 +0200 +++ /var/tmp/diff_new_pack.7ZZDYZ/_new 2015-04-05 02:04:31.000000000 +0200 
@@ -20,19 +20,19 @@ %define have_systemd 1 Name: shorewall -Version: 4.6.7 +Version: 4.6.8 Release: 0 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems License: GPL-2.0 Group: Productivity/Networking/Security Url: http://www.shorewall.net/ -Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.7/%{name}-%version.tar.bz2 -Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.7/%{name}-core-%version.tar.bz2 -Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.7/%{name}-lite-%version.tar.bz2 -Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.7/%{name}-init-%version.tar.bz2 -Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.7/%{name}6-lite-%version.tar.bz2 -Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.7/%{name}6-%version.tar.bz2 -Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.7/%{name}-docs-html-%version.tar.bz2 +Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/%{name}-%version.tar.bz2 +Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/%{name}-core-%version.tar.bz2 +Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/%{name}-lite-%version.tar.bz2 +Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/%{name}-init-%version.tar.bz2 +Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/%{name}6-lite-%version.tar.bz2 +Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/%{name}6-%version.tar.bz2 +Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/%{name}-docs-html-%version.tar.bz2 Source7: %{name}-4.4.22.rpmlintrc Source8: README.openSUSE # PATCH-FIX-UPSTREAM [email protected] Shorewall-lite init.suse.sh Required Stop ++++++ shorewall-4.6.7.tar.bz2 -> shorewall-4.6.8.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/Perl/Shorewall/Chains.pm 
new/shorewall-4.6.8/Perl/Shorewall/Chains.pm --- old/shorewall-4.6.7/Perl/Shorewall/Chains.pm 2015-03-11 19:41:43.000000000 +0100 +++ new/shorewall-4.6.8/Perl/Shorewall/Chains.pm 2015-04-02 22:27:47.000000000 +0200 @@ -7953,7 +7953,7 @@ fi if chain_exists dynamic; then - $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic + $tool -S dynamic | tail -n +2 | fgrep -v -- '-j ACCEPT' > \${VARDIR}/.dynamic else rm -f \${VARDIR}/.dynamic fi @@ -8048,7 +8048,7 @@ if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) { emit( ' local file' , '', - ' file=$1' + ' file=${1:-${VARDIR}/save.ipsets}' ); if ( @ipsets ) { @@ -8074,7 +8074,9 @@ emit( '', " for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" , " \$IPSET save \$set >> \$file" , - " done" ); + " done" , + '', + ); } else { emit ( '' , ' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' , @@ -8091,7 +8093,9 @@ ' fi' ); } - emit("}\n" ); + emit( " return 0", + '', + "}\n" ); } elsif ( @ipsets || $globals{SAVED_IPSETS} ) { emit( '' , ' rm -f ${VARDIR}/ipsets.tmp' , @@ -8113,10 +8117,13 @@ emit( '' , " grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" , '' , + ' return 0', + '' , "}\n" ); } } elsif ( $config{SAVE_IPSETS} ) { emit( ' error_message "WARNING: No ipsets were saved"', + ' return 1', "}\n" ); } else { emit( ' true', diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/Perl/Shorewall/Config.pm new/shorewall-4.6.8/Perl/Shorewall/Config.pm --- old/shorewall-4.6.7/Perl/Shorewall/Config.pm 2015-03-11 19:41:43.000000000 +0100 +++ new/shorewall-4.6.8/Perl/Shorewall/Config.pm 2015-04-02 22:27:47.000000000 +0200 
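Review bot: The added `fgrep -v -- '-j ACCEPT'` stage drops every ACCEPT rule from the saved copy of the dynamic chain, and nothing in the emitted script says that this is deliberate. If these are the temporary openings made by the new `open` command, as the 4.6.8 changelog suggests, a comment such as `# ACCEPT rules in 'dynamic' are not preserved across stop/restore` next to the pipeline would record the intent. The filter is a plain substring match over the whole rule text, so any rule that merely contains `-j ACCEPT` elsewhere (for instance in a comment match) would be discarded as well. `fgrep` is also reported as obsolescent by current GNU grep, and `grep -F -v -- '-j ACCEPT'` is the equivalent spelling. The same stage is added to both `stop|clear|restore` branches in Misc.pm (`@@ -2418` and `@@ -2433`), and the emitted shell text around it starts and ends outside the hunk.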
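Review bot: The `return 0` emitted at the end of `save_ipsets` in `@@ -8091` is unconditional, so the generated function reports success even when an `$IPSET save` call or the write to `$file` failed; `@@ -8113` ends the same way, and only the "No ipsets were saved" branch returns 1. prog.footer now copies that result into `status` for `savesets`, so a partially written set file could be reported as a clean save and only be noticed when the sets are next restored. In the loop shown in `@@ -8074` the failure can be propagated with `"        \$IPSET save \$set >> \$file || return 1"`. The Perl sub that emits this function begins and ends outside these hunks, so error handling elsewhere in it is not visible here.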
@@ -713,7 +713,7 @@ TC_SCRIPT => '', EXPORT => 0, KLUDGEFREE => '', - VERSION => "4.6.7", + VERSION => "4.6.8", CAPVERSION => 40606 , ); # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/Perl/Shorewall/Misc.pm new/shorewall-4.6.8/Perl/Shorewall/Misc.pm --- old/shorewall-4.6.7/Perl/Shorewall/Misc.pm 2015-03-11 19:41:43.000000000 +0100 +++ new/shorewall-4.6.8/Perl/Shorewall/Misc.pm 2015-04-02 22:27:47.000000000 +0200 @@ -48,7 +48,7 @@ generate_matrix ); our @EXPORT_OK = qw( initialize ); -our $VERSION = '4.6_6'; +our $VERSION = '4.6_8'; our $family; @@ -2418,7 +2418,7 @@ case $COMMAND in stop|clear|restore) if chain_exists dynamic; then - ${IPTABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic + ${IPTABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic fi ;; *) @@ -2433,7 +2433,7 @@ case $COMMAND in stop|clear|restore) if chain_exists dynamic; then - ${IP6TABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic + ${IP6TABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic fi ;; *) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/Perl/Shorewall/Providers.pm new/shorewall-4.6.8/Perl/Shorewall/Providers.pm --- old/shorewall-4.6.7/Perl/Shorewall/Providers.pm 2015-03-11 19:41:43.000000000 +0100 +++ new/shorewall-4.6.8/Perl/Shorewall/Providers.pm 2015-04-02 22:27:47.000000000 +0200 @@ -1086,10 +1086,8 @@ } } -sub add_an_rtrule( ) { - my ( $source, $dest, $provider, $priority, $originalmark ) = - split_line( 'rtrules file', - { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 } ); +sub add_an_rtrule1( $$$$$ ) { + my ( $source, $dest, $provider, $priority, $originalmark ) = @_; our $current_if; 
@@ -1178,6 +1176,17 @@ progress_message " Routing rule \"$currentline\" $done"; } +sub add_an_rtrule( ) { + my ( $sources, $dests, $provider, $priority, $originalmark ) = + split_line( 'rtrules file', + { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 } ); + for my $source ( split_list( $sources, "source" ) ) { + for my $dest (split_list( $dests , "dest" ) ) { + add_an_rtrule1( $source, $dest, $provider, $priority, $originalmark ); + } + } +} + sub add_a_route( ) { my ( $provider, $dest, $gateway, $device ) = split_line( 'routes file', diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/Perl/Shorewall/Raw.pm new/shorewall-4.6.8/Perl/Shorewall/Raw.pm --- old/shorewall-4.6.7/Perl/Shorewall/Raw.pm 2015-03-11 19:41:43.000000000 +0100 +++ new/shorewall-4.6.8/Perl/Shorewall/Raw.pm 2015-04-02 22:27:47.000000000 +0200 @@ -36,7 +36,7 @@ our @ISA = qw(Exporter); our @EXPORT = qw( setup_conntrack ); our @EXPORT_OK = qw( handle_helper_rule ); -our $VERSION = '4.6_0'; +our $VERSION = '4.6_8'; our %valid_ctevent = ( new => 1, related => 1, @@ -113,7 +113,7 @@ $action = $1; $disposition = $1; } - } elsif ( $action =~ /^IP(6)?TABLES\((.+)\)(:(.*))$/ ) { + } elsif ( $action =~ /^IP(6)?TABLES\((.+)\)(:(.*))?$/ ) { if ( $family == F_IPV4 ) { fatal_error 'Invalid conntrack ACTION (IP6TABLES)' if $1; } else { 
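Review bot: The new `add_an_rtrule` carries no comment saying that it expands SOURCE and DEST into a cross product, so a record with N sources and M destinations silently becomes N×M routing rules that all share the single PRIORITY value. A header such as `# Process a record in the rtrules file, generating one rule for each (source, dest) pair` would make that visible to the next maintainer. The `progress_message` shown as context at the top of the hunk prints `$currentline`, so with lists the same full record is reported once per pair instead of naming the pair being added. Most of `add_an_rtrule1` lies outside the hunks, so how the '-' placeholder and the "may not omit both" check behave for individual list elements cannot be confirmed from this page.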
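Review bot: The captures of the `IP(6)?TABLES` match are still read by number several statements after the match, which is how the off-by-one corrected in `@@ -125` arose: with the level wrapped in `(:(.*))?`, `$3` is the colon-prefixed group and `$4` is the level. Copying them into lexicals as the first statement of the branch, e.g. `my ( $v6, $spec, $lvl ) = ( $1, $2, $4 );`, or using named captures `(?<spec>.+)` and `(?<level>.*)`, would stop later pattern edits from shifting the numbers again. It would also protect the values if a statement in between performs a successful match; the lines between the two hunks are not shown, so that cannot be ruled out here.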
@@ -125,8 +125,8 @@ fatal_error "Unknown target ($tgt)" unless $target_type; fatal_error "The $tgt TARGET is not allowed in the raw table" unless $target_type & RAW_TABLE; $disposition = $tgt; - $action = 2; - validate_level( $level = $3 ) if supplied $3; + $action = $2; + validate_level( $level = $4 ) if supplied $4; } else { ( $disposition, my ( $option, $args ), $level ) = split ':', $action, 4; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/Perl/prog.footer new/shorewall-4.6.8/Perl/prog.footer --- old/shorewall-4.6.7/Perl/prog.footer 2015-02-18 21:04:01.000000000 +0100 +++ new/shorewall-4.6.8/Perl/prog.footer 2015-04-02 22:26:51.000000000 +0200 @@ -407,6 +407,7 @@ savesets) if [ $# -eq 2 ]; then save_ipsets $2 + status=$? else usage 2 fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/changelog.txt new/shorewall-4.6.8/changelog.txt --- old/shorewall-4.6.7/changelog.txt 2015-03-11 19:41:43.000000000 +0100 +++ new/shorewall-4.6.8/changelog.txt 2015-04-02 22:27:47.000000000 +0200 
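Review bot: `save_ipsets $2` in the `savesets` arm passes the file name unquoted, so a path containing whitespace or glob characters is split or expanded before the function receives it; `save_ipsets "$2"` avoids that. The generated function has the same weakness where it appends with `>> $file`, as seen in the Chains.pm hunks, so quoting only the call site is not sufficient on its own. `status=$?` has to remain the statement immediately after the call, since any command placed between them would overwrite the result. The `case` statement this arm belongs to starts and ends outside the hunk.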
@@ -1,3 +1,39 @@ +Changes in 4.6.8 Final + +1) Update release documents. + +2) Apply Matt Darfeuille's uninstall fixes + +Changes in 4.6.8 RC 1 + +1) Update release documents. + +2) Correct the Shorewall-init installer. + +3) Apply nfw's fix for IP[6]TABLES in the conntrack file. + +Changes in 4.6.8 Beta 3 + +1) Update release documents. + +2) Implement ICMP handling in 'open' and 'close' + +3) Implement 'savesets' command. + +4) Allow comma-separated lists in the rtrules file. + +Changes in 4.6.8 Beta 2 + +1) Update release documents. + +2) Improve the 'close' and 'show opens' commands. + +Changes in 4.6.8 Beta 1 + +1) Update release documents. + +2) Implement the 'open' and 'close' commands + Changes in 4.6.7 Final 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/configfiles/rtrules.annotated new/shorewall-4.6.8/configfiles/rtrules.annotated --- old/shorewall-4.6.7/configfiles/rtrules.annotated 2015-03-11 19:43:05.000000000 +0100 +++ new/shorewall-4.6.8/configfiles/rtrules.annotated 2015-04-02 22:29:06.000000000 +0200 @@ -22,6 +22,9 @@ # to indicate that the source is the primary IP address of the named # interface. # +# Beginning with Shorewall 4.6.8, you may specify a comma-separated list of +# addresses in this column. +# # DEST (Optional) - {-|address} # # An ip address (network or host) that matches the destination IP address in 
@@ -30,6 +33,9 @@ # If you choose to omit either SOURCE or DEST, place "-" in that column. Note # that you may not omit both SOURCE and DEST. # +# Beginning with Shorewall 4.6.8, you may specify a comma-separated list of +# addresses in this column. +# # PROVIDER - {provider-name|provider-number|main} # # The provider to route the traffic through. May be expressed either as the diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/configure new/shorewall-4.6.8/configure --- old/shorewall-4.6.7/configure 2015-03-11 19:41:43.000000000 +0100 +++ new/shorewall-4.6.8/configure 2015-04-02 22:27:47.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.7 +VERSION=4.6.8 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/configure.pl new/shorewall-4.6.8/configure.pl --- old/shorewall-4.6.7/configure.pl 2015-03-11 19:41:43.000000000 +0100 +++ new/shorewall-4.6.8/configure.pl 2015-04-02 22:27:47.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.7' + VERSION => '4.6.8' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/install.sh new/shorewall-4.6.8/install.sh --- old/shorewall-4.6.7/install.sh 2015-03-11 19:41:43.000000000 +0100 +++ new/shorewall-4.6.8/install.sh 2015-04-02 22:27:47.000000000 +0200 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=4.6.7 +VERSION=4.6.8 # # Change to the directory containing this script diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/lib.cli-std new/shorewall-4.6.8/lib.cli-std --- old/shorewall-4.6.7/lib.cli-std 2015-02-18 21:04:01.000000000 +0100 +++ new/shorewall-4.6.8/lib.cli-std 2015-04-02 22:26:51.000000000 +0200 
@@ -1645,6 +1645,7 @@ echo " allow <address> ..." echo " [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]" echo " clear" + echo " close <source> <dest> [ <protocol> [ <port> ] ]" echo " [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]" echo " delete <interface>[:<host-list>] ... <zone>" echo " disable <interface>" @@ -1679,6 +1680,7 @@ echo " noiptrace <ip6tables match expression>" fi + echo " open <source> <dest> [ <protocol> [ <port> ] ]" echo " refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]" echo " reject <address> ..." echo " reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>" @@ -1689,6 +1691,7 @@ echo " safe-restart [ -t <timeout> ] [ <directory> ]" echo " safe-start [ -t <timeout> ] [ <directory> ]" echo " save [ -C ] [ <file name> ]" + echo " savesets" echo " [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]" echo " [ show | list | ls ] actions" echo " [ show | list | ls ] [ -x ] {bl|blacklists}" @@ -1710,6 +1713,7 @@ echo " [ show | list | ls ] marks" echo " [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost|routing" echo " [ show | list | ls ] nfacct" + echo " [ show | list | ls ] opens" echo " [ show | list | ls ] policies" echo " [ show | list | ls ] routing" echo " [ show | list | ls ] tc [ device ]" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-accounting.5 new/shorewall-4.6.8/manpages/shorewall-accounting.5 --- old/shorewall-4.6.7/manpages/shorewall-accounting.5 2015-03-11 19:41:48.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-accounting.5 2015-04-02 22:27:50.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-accounting .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-ACCOUNTIN" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-ACCOUNTIN" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-actions.5 new/shorewall-4.6.8/manpages/shorewall-actions.5 --- old/shorewall-4.6.7/manpages/shorewall-actions.5 2015-03-11 19:41:49.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-actions.5 2015-04-02 22:27:51.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-actions .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-ACTIONS" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-ACTIONS" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-arprules.5 new/shorewall-4.6.8/manpages/shorewall-arprules.5 --- old/shorewall-4.6.7/manpages/shorewall-arprules.5 2015-03-11 19:41:50.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-arprules.5 2015-04-02 22:27:52.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-arprules .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-ARPRULES" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-ARPRULES" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-blacklist.5 new/shorewall-4.6.8/manpages/shorewall-blacklist.5 --- old/shorewall-4.6.7/manpages/shorewall-blacklist.5 2015-03-11 19:41:52.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-blacklist.5 2015-04-02 22:27:54.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-blacklist .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-BLACKLIST" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-BLACKLIST" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-blrules.5 new/shorewall-4.6.8/manpages/shorewall-blrules.5 --- old/shorewall-4.6.7/manpages/shorewall-blrules.5 2015-03-11 19:41:53.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-blrules.5 2015-04-02 22:27:55.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-blrules .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-BLRULES" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-BLRULES" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-conntrack.5 new/shorewall-4.6.8/manpages/shorewall-conntrack.5 --- old/shorewall-4.6.7/manpages/shorewall-conntrack.5 2015-03-11 19:42:00.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-conntrack.5 2015-04-02 22:28:02.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall6-conntrack .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL6\-CONNTRAC" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL6\-CONNTRAC" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-ecn.5 new/shorewall-4.6.8/manpages/shorewall-ecn.5 --- old/shorewall-4.6.7/manpages/shorewall-ecn.5 2015-03-11 19:42:01.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-ecn.5 2015-04-02 22:28:03.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-ecn .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-ECN" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-ECN" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-exclusion.5 new/shorewall-4.6.8/manpages/shorewall-exclusion.5 --- old/shorewall-4.6.7/manpages/shorewall-exclusion.5 2015-03-11 19:42:02.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-exclusion.5 2015-04-02 22:28:04.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-exclusion .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-EXCLUSION" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-EXCLUSION" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-hosts.5 new/shorewall-4.6.8/manpages/shorewall-hosts.5 --- old/shorewall-4.6.7/manpages/shorewall-hosts.5 2015-03-11 19:42:04.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-hosts.5 2015-04-02 22:28:06.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-hosts .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-HOSTS" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-HOSTS" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-init.8 new/shorewall-4.6.8/manpages/shorewall-init.8 --- old/shorewall-4.6.7/manpages/shorewall-init.8 2015-03-11 19:42:05.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-init.8 2015-04-02 22:28:07.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-init .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL\-INIT" "8" "03/11/2015" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL\-INIT" "8" "04/02/2015" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-interfaces.5 new/shorewall-4.6.8/manpages/shorewall-interfaces.5 --- old/shorewall-4.6.7/manpages/shorewall-interfaces.5 2015-03-11 19:42:07.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-interfaces.5 2015-04-02 22:28:09.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-interfaces .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-INTERFACE" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-INTERFACE" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-ipsets.5 new/shorewall-4.6.8/manpages/shorewall-ipsets.5 --- old/shorewall-4.6.7/manpages/shorewall-ipsets.5 2015-03-11 19:42:08.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-ipsets.5 2015-04-02 22:28:10.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-ipsets .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-IPSETS" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-IPSETS" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-maclist.5 new/shorewall-4.6.8/manpages/shorewall-maclist.5 --- old/shorewall-4.6.7/manpages/shorewall-maclist.5 2015-03-11 19:42:10.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-maclist.5 2015-04-02 22:28:11.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-maclist .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-MACLIST" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-MACLIST" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-mangle.5 new/shorewall-4.6.8/manpages/shorewall-mangle.5 --- old/shorewall-4.6.7/manpages/shorewall-mangle.5 2015-03-11 19:42:11.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-mangle.5 2015-04-02 22:28:13.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-mangle .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-MANGLE" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-MANGLE" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-masq.5 new/shorewall-4.6.8/manpages/shorewall-masq.5 --- old/shorewall-4.6.7/manpages/shorewall-masq.5 2015-03-11 19:42:13.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-masq.5 2015-04-02 22:28:15.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-masq .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-MASQ" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-MASQ" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-modules.5 new/shorewall-4.6.8/manpages/shorewall-modules.5 --- old/shorewall-4.6.7/manpages/shorewall-modules.5 2015-03-11 19:42:14.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-modules.5 2015-04-02 22:28:16.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-modules .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-MODULES" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-MODULES" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-nat.5 new/shorewall-4.6.8/manpages/shorewall-nat.5 --- old/shorewall-4.6.7/manpages/shorewall-nat.5 2015-03-11 19:42:16.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-nat.5 2015-04-02 22:28:17.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-nat .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-NAT" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-NAT" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-nesting.5 new/shorewall-4.6.8/manpages/shorewall-nesting.5 --- old/shorewall-4.6.7/manpages/shorewall-nesting.5 2015-03-11 19:42:17.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-nesting.5 2015-04-02 22:28:19.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-nesting .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-NESTING" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-NESTING" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-netmap.5 new/shorewall-4.6.8/manpages/shorewall-netmap.5 --- old/shorewall-4.6.7/manpages/shorewall-netmap.5 2015-03-11 19:42:19.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-netmap.5 2015-04-02 22:28:20.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-netmap .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-NETMAP" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-NETMAP" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-params.5 new/shorewall-4.6.8/manpages/shorewall-params.5 --- old/shorewall-4.6.7/manpages/shorewall-params.5 2015-03-11 19:42:20.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-params.5 2015-04-02 22:28:21.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-params .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-PARAMS" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-PARAMS" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-policy.5 new/shorewall-4.6.8/manpages/shorewall-policy.5 --- old/shorewall-4.6.7/manpages/shorewall-policy.5 2015-03-11 19:42:21.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-policy.5 2015-04-02 22:28:23.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-policy .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-POLICY" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-POLICY" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-providers.5 new/shorewall-4.6.8/manpages/shorewall-providers.5 --- old/shorewall-4.6.7/manpages/shorewall-providers.5 2015-03-11 19:42:23.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-providers.5 2015-04-02 22:28:24.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-providers .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-PROVIDERS" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-PROVIDERS" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-proxyarp.5 new/shorewall-4.6.8/manpages/shorewall-proxyarp.5 --- old/shorewall-4.6.7/manpages/shorewall-proxyarp.5 2015-03-11 19:42:24.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-proxyarp.5 2015-04-02 22:28:26.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-proxyarp .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-PROXYARP" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-PROXYARP" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-routes.5 new/shorewall-4.6.8/manpages/shorewall-routes.5 --- old/shorewall-4.6.7/manpages/shorewall-routes.5 2015-03-11 19:42:27.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-routes.5 2015-04-02 22:28:28.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-routes .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-ROUTES" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-ROUTES" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-routestopped.5 new/shorewall-4.6.8/manpages/shorewall-routestopped.5 --- old/shorewall-4.6.7/manpages/shorewall-routestopped.5 2015-03-11 19:42:26.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-routestopped.5 2015-04-02 22:28:27.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-routestopped .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-ROUTESTOP" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-ROUTESTOP" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-rtrules.5 new/shorewall-4.6.8/manpages/shorewall-rtrules.5 --- old/shorewall-4.6.7/manpages/shorewall-rtrules.5 2015-03-11 19:42:28.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-rtrules.5 2015-04-02 22:28:30.000000000 +0200 @@ -2,12 +2,12 @@ .\" Title: shorewall-rtrules .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-RTRULES" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-RTRULES" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- 
@@ -51,6 +51,8 @@ .sp Beginning with Shorewall 4\&.5\&.0, you may specify &\fIinterface\fR in this column to indicate that the source is the primary IP address of the named interface\&. +.sp +Beginning with Shorewall 4\&.6\&.8, you may specify a comma\-separated list of addresses in this column\&. .RE .PP \fBDEST\fR (Optional) \- {\fB\-\fR|\fIaddress\fR} @@ -64,6 +66,8 @@ \fBSOURCE\fR and \fBDEST\fR\&. +.sp +Beginning with Shorewall 4\&.6\&.8, you may specify a comma\-separated list of addresses in this column\&. .RE .PP \fBPROVIDER\fR \- {\fIprovider\-name\fR|\fIprovider\-number\fR|\fBmain\fR} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-rules.5 new/shorewall-4.6.8/manpages/shorewall-rules.5 --- old/shorewall-4.6.7/manpages/shorewall-rules.5 2015-03-11 19:42:31.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-rules.5 2015-04-02 22:28:33.000000000 +0200 @@ -2,12 +2,12 @@ .\" Title: shorewall-rules .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-RULES" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-RULES" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-secmarks.5 new/shorewall-4.6.8/manpages/shorewall-secmarks.5 --- old/shorewall-4.6.7/manpages/shorewall-secmarks.5 2015-03-11 19:42:33.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-secmarks.5 2015-04-02 22:28:34.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-secmarks .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-SECMARKS" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-SECMARKS" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-stoppedrules.5 new/shorewall-4.6.8/manpages/shorewall-stoppedrules.5 --- old/shorewall-4.6.7/manpages/shorewall-stoppedrules.5 2015-03-11 19:42:34.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-stoppedrules.5 2015-04-02 22:28:35.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-stoppedrules .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-STOPPEDRU" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-STOPPEDRU" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-tcclasses.5 new/shorewall-4.6.8/manpages/shorewall-tcclasses.5 --- old/shorewall-4.6.7/manpages/shorewall-tcclasses.5 2015-03-11 19:42:35.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-tcclasses.5 2015-04-02 22:28:37.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-tcclasses .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-TCCLASSES" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-TCCLASSES" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-tcdevices.5 new/shorewall-4.6.8/manpages/shorewall-tcdevices.5 --- old/shorewall-4.6.7/manpages/shorewall-tcdevices.5 2015-03-11 19:42:37.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-tcdevices.5 2015-04-02 22:28:38.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-tcdevices .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-TCDEVICES" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-TCDEVICES" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-tcfilters.5 new/shorewall-4.6.8/manpages/shorewall-tcfilters.5 --- old/shorewall-4.6.7/manpages/shorewall-tcfilters.5 2015-03-11 19:42:38.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-tcfilters.5 2015-04-02 22:28:40.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-tcfilters .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-TCFILTERS" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-TCFILTERS" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-tcinterfaces.5 new/shorewall-4.6.8/manpages/shorewall-tcinterfaces.5 --- old/shorewall-4.6.7/manpages/shorewall-tcinterfaces.5 2015-03-11 19:42:40.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-tcinterfaces.5 2015-04-02 22:28:41.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-tcinterfaces .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-TCINTERFA" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-TCINTERFA" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-tcpri.5 new/shorewall-4.6.8/manpages/shorewall-tcpri.5 --- old/shorewall-4.6.7/manpages/shorewall-tcpri.5 2015-03-11 19:42:41.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-tcpri.5 2015-04-02 22:28:42.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-tcpri .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-TCPRI" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-TCPRI" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-tcrules.5 new/shorewall-4.6.8/manpages/shorewall-tcrules.5 --- old/shorewall-4.6.7/manpages/shorewall-tcrules.5 2015-03-11 19:42:43.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-tcrules.5 2015-04-02 22:28:44.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-mangle .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-MANGLE" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-MANGLE" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-tos.5 new/shorewall-4.6.8/manpages/shorewall-tos.5 --- old/shorewall-4.6.7/manpages/shorewall-tos.5 2015-03-11 19:42:44.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-tos.5 2015-04-02 22:28:46.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-tos .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-TOS" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-TOS" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-tunnels.5 new/shorewall-4.6.8/manpages/shorewall-tunnels.5 --- old/shorewall-4.6.7/manpages/shorewall-tunnels.5 2015-03-11 19:42:46.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-tunnels.5 2015-04-02 22:28:47.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-tunnels .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-TUNNELS" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-TUNNELS" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-vardir.5 new/shorewall-4.6.8/manpages/shorewall-vardir.5 --- old/shorewall-4.6.7/manpages/shorewall-vardir.5 2015-03-11 19:42:47.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-vardir.5 2015-04-02 22:28:48.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-VARDIR" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-VARDIR" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall-zones.5 new/shorewall-4.6.8/manpages/shorewall-zones.5 --- old/shorewall-4.6.7/manpages/shorewall-zones.5 2015-03-11 19:42:52.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall-zones.5 2015-04-02 22:28:53.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-zones .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-ZONES" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-ZONES" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall.8 new/shorewall-4.6.8/manpages/shorewall.8 --- old/shorewall-4.6.7/manpages/shorewall.8 2015-03-11 19:42:50.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall.8 2015-04-02 22:28:52.000000000 +0200 @@ -2,12 +2,12 @@ .\" Title: shorewall .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL" "8" "03/11/2015" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL" "8" "04/02/2015" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- 
@@ -39,6 +39,8 @@ .HP \w'\fBshorewall\fR\ 'u \fBshorewall\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBclear\fR\ [\fB\-f\fR] .HP \w'\fBshorewall\fR\ 'u +\fBshorewall\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBclose\fR\ {\ \fIopen\-number\fR\ |\ \fIsource\fR\fIdest\fR\ [\fIprotocol\fR\ [\ \fIport\fR\ ]]}\fI\ \fR +.HP \w'\fBshorewall\fR\ 'u \fBshorewall\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] [\fBcompile\ |\ co\ \fR] [\fB\-e\fR] [\fB\-c\fR] [\fB\-d\fR] [\fB\-p\fR] [\fB\-T\fR] [\fB\-i\fR] [\fIdirectory\fR] [\fIpathname\fR] .HP \w'\fBshorewall\fR\ 'u \fBshorewall\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBdelete\ {\fR \fIinterface\fR[:\fIhost\-list\fR]... \fIzone\fR\fB\ |\fR\fI\ zone\ host\-list\fR\fB\ }\fR @@ -75,6 +77,8 @@ .HP \w'\fBshorewall\fR\ 'u \fBshorewall\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBnoiptrace\fR \fIiptables\ match\ expression\fR .HP \w'\fBshorewall\fR\ 'u +\fBshorewall\fR [\-\fIoptions\fR] \fBopen\fR\fI\ source\fR\fI\ dest\fR\ [\ \fIprotocol\fR\ [\ \fIport\fR\ ]\ ] +.HP \w'\fBshorewall\fR\ 'u \fBshorewall\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBrefresh\fR\ [\fB\-n\fR]\ [\fB\-d\fR]\ [\fB\-T\fR]\ [\fB\-i\fR]\ [\-\fBD\fR\ \fIdirectory\fR\ ]\ [\fIchain\fR...] .HP \w'\fBshorewall\fR\ 'u \fBshorewall\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBreject\fR \fIaddress\fR 
@@ -95,6 +99,8 @@ .HP \w'\fBshorewall\fR\ 'u \fBshorewall\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBsave\fR\ [\fB\-C\fR] [\fIfilename\fR] .HP \w'\fBshorewall\fR\ 'u +\fBshorewall\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBsavesets\fR +.HP \w'\fBshorewall\fR\ 'u \fBshorewall\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] {\fBshow\ |\ list\ |\ ls\ \fR} [\fB\-x\fR] \fB{bl|blacklists}\fR .HP \w'\fBshorewall\fR\ 'u \fBshorewall\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] {\fBshow\ |\ list\ |\ ls\ \fR} [\fB\-b\fR] [\fB\-x\fR] [\fB\-l\fR] [\fB\-t\fR\ {\fBfilter\fR|\fBmangle\fR|\fBnat\fR|\fBraw|rawpost\fR}] [[\fBchain\fR]\ \fIchain\fR...] @@ -258,7 +264,7 @@ .sp The \fB\-i\fR -option was added in Shorewall 4\&.6\&.0 and causes a warning message to be issued if the line current line contains alternative input specifications following a semicolon (";")\&. Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in +option was added in Shorewall 4\&.6\&.0 and causes a warning message to be issued if the current line contains alternative input specifications following a semicolon (";")\&. Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. .RE .PP @@ -276,6 +282,22 @@ command if that script exists\&. .RE .PP +\fBclose\fR { \fIopen\-number\fR | \fIsource\fR \fIdest\fR [ \fIprotocol\fR [ \fIport\fR ] ] } +.RS 4 +Added in Shorewall 4\&.5\&.8\&. This command closes a temporary open created by the +\fBopen\fR +command\&. In the first form, an +\fIopen\-number\fR +specifies the open to be closed\&. Open numbers are displayed in the +\fBnum\fR +column of the output of the +\fBshorewall show opens \fRcommand\&. +.sp +When the second form of the command is used, the parameters must match those given in the earlier +\fBopen\fR +command\&. +.RE +.PP \fBcompile\fR .RS 4 Compiles the current configuration into the executable file 
@@ -328,7 +350,7 @@ .sp The \fB\-i\fR -option was added in Shorewall 4\&.6\&.0 and causes a warning message to be issued if the line current line contains alternative input specifications following a semicolon (";")\&. Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in +option was added in Shorewall 4\&.6\&.0 and causes a warning message to be issued if the current line contains alternative input specifications following a semicolon (";")\&. Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. .RE .PP @@ -535,7 +557,7 @@ .sp The \fB\-i\fR -option was added in Shorewall 4\&.6\&.0 and causes a warning message to be issued if the line current line contains alternative input specifications following a semicolon (";")\&. Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in +option was added in Shorewall 4\&.6\&.0 and causes a warning message to be issued if the current line contains alternative input specifications following a semicolon (";")\&. Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. .RE .PP 
@@ -579,6 +601,56 @@ command being canceled\&. .RE .PP +\fBopen\fR \fIsource\fR \fIdest\fR [ \fIprotocol\fR [ \fIport\fR ] ] +.RS 4 +Added in Shorewall 4\&.6\&.8\&. This command requires that the firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in +\m[blue]\fBshorewall\&.conf (5)\fR\m[]\&\s-2\u[2]\d\s+2\&. The effect of the command is to temporarily open the firewall for connections matching the parameters\&. +.sp +The +\fIsource\fR +and +\fIdest\fR +parameters may each be specified as +\fBall\fR +if you don\*(Aqt wish to restrict the connection source or destination respectively\&. Otherwise, each must contain a host or network address or a valid DNS name\&. +.sp +The +\fIprotocol\fR +may be specified either as a number or as a name listed in /etc/protocols\&. The +\fIport\fR +may be specified numerically or as a name listed in /etc/services\&. +.sp +To reverse the effect of a successful +\fBopen\fR +command, use the +\fBclose\fR +command with the same parameters or simply restart the firewall\&. +.sp +Example: To open the firewall for SSH connections to address 192\&.168\&.1\&.1, the command would be: +.sp +.if n \{\ +.RS 4 +.\} +.nf + shorewall open all 192\&.168\&.1\&.1 tcp 22 +.fi +.if n \{\ +.RE +.\} +.sp +To reverse that command, use: +.sp +.if n \{\ +.RS 4 +.\} +.nf + shorewall close all 192\&.168\&.1\&.1 tcp 22 +.fi +.if n \{\ +.RE +.\} +.RE +.PP \fBrefresh\fR .RS 4 All steps performed by 
@@ -611,7 +683,7 @@ .sp The \fB\-i\fR -option was added in Shorewall 4\&.6\&.0 and causes a warning message to be issued if the line current line contains alternative input specifications following a semicolon (";")\&. Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in +option was added in Shorewall 4\&.6\&.0 and causes a warning message to be issued if the current line contains alternative input specifications following a semicolon (";")\&. Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. .sp The @@ -695,7 +767,7 @@ .sp The \fB\-i\fR -option was added in Shorewall 4\&.6\&.0 and causes a warning message to be issued if the line current line contains alternative input specifications following a semicolon (";")\&. Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in +option was added in Shorewall 4\&.6\&.0 and causes a warning message to be issued if the current line contains alternative input specifications following a semicolon (";")\&. Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. .RE .PP @@ -747,7 +819,7 @@ .sp The \fB\-i\fR -option was added in Shorewall 4\&.6\&.0 and causes a warning message to be issued if the line current line contains alternative input specifications following a semicolon (";")\&. Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in +option was added in Shorewall 4\&.6\&.0 and causes a warning message to be issued if the current line contains alternative input specifications following a semicolon (";")\&. Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. .sp The 
@@ -879,6 +951,17 @@ option, added in Shorewall 4\&.6\&.5, causes the iptables packet and byte counters to be saved along with the chains and rules\&. .RE .PP +\fBsavesets\fR +.RS 4 +Added in shorewall 4\&.6\&.8\&. Performs the same action as the +\fBstop\fR +command with respect to saving ipsets (see the SAVE_IPSETS option in +\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2 +(5))\&. This command may be used to proactively save your ipset contents in the event that a system failure occurs prior to issuing a +\fBstop\fR +command\&. +.RE +.PP \fBshow\fR .RS 4 The show command can have a number of different arguments: @@ -1005,6 +1088,12 @@ option is passed directly through to iptables and causes actual packet and byte counts to be displayed\&. Without this option, those counts are abbreviated\&. .RE .PP +\fBopens\fR +.RS 4 +Added in Shorewall 4\&.5\&.8\&. Displays the iptables rules in the \*(Aqdynamic\*(Aq chain created through use of the +\fBopen \fRcommand\&.\&. +.RE +.PP \fBpolicies\fR .RS 4 Added in Shorewall 4\&.4\&.4\&. Displays the applicable policy between each pair of zones\&. Note that implicit intrazone ACCEPT policies are not displayed for zones associated with a single network where that network doesn\*(Aqt specify 
@@ -1076,7 +1165,7 @@ \fB\-T\fR option was added in Shorewall 4\&.5\&.3 and causes a Perl stack trace to be included with each compiler\-generated error and warning message\&. .sp -The \-i option was added in Shorewall 4\&.6\&.0 and causes a warning message to be issued if the line current line contains alternative input specifications following a semicolon (";")\&. Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in +The \-i option was added in Shorewall 4\&.6\&.0 and causes a warning message to be issued if the current line contains alternative input specifications following a semicolon (";")\&. Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in \m[blue]\fBshorewall\&.conf(5)\fR\m[]\&\s-2\u[2]\d\s+2\&. .sp The 
@@ -1184,7 +1273,7 @@ \fB\-D\fR option was added in Shorewall 4\&.5\&.11\&. When this option is specified, the compiler will walk through the directories in the CONFIG_PATH replacing FORMAT and COMMENT entries to compiler directives (e\&.g\&., ?FORMAT and ?COMMENT\&. When a file is updated, the original is saved in a \&.bak file in the same directory\&. .sp -The \-i option was added in Shorewall 4\&.6\&.0 and causes a warning message to be issued if the line current line contains alternative input specifications following a semicolon (";")\&. Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in +The \-i option was added in Shorewall 4\&.6\&.0 and causes a warning message to be issued if the current line contains alternative input specifications following a semicolon (";")\&. Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. .sp The diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/manpages/shorewall.conf.5 new/shorewall-4.6.8/manpages/shorewall.conf.5 --- old/shorewall-4.6.7/manpages/shorewall.conf.5 2015-03-11 19:41:58.000000000 +0100 +++ new/shorewall-4.6.8/manpages/shorewall.conf.5 2015-04-02 22:28:00.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\&.CONF" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\&.CONF" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/releasenotes.txt new/shorewall-4.6.8/releasenotes.txt --- old/shorewall-4.6.7/releasenotes.txt 2015-03-11 19:41:43.000000000 +0100 +++ new/shorewall-4.6.8/releasenotes.txt 2015-04-02 22:27:47.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 7 + S H O R E W A L L 4 . 6 . 8 ------------------------------------ - M a r c h 0 8 , 2 0 1 5 + A p r i l 0 4 , 2 0 1 5 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -17,6 +17,22 @@ 1) This release includes defect repair from Shorewall 4.6.6.2 and earlier releases. +2) Previously, when the -n option was specified and NetworkManager was + installed on the target system, the Shorewall-init installer would + still create + ${DESTDIR}etc/NetworkManager/dispatcher.d/01-shorewall, regardless + of the setting of $CONFDIR. That has been corrected such that the + directory + ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall is + created instead. + +3) Previously, handling of the IPTABLES and IP6TABLES actions in the + conntrack file was broken. nfw provided a fix on IRC. + +4) The Shorewall-core and Shorewall6 installers would previously + report incorrectly that the product release was not installed. Matt + Darfeuille provided fixes. + ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G ---------------------------------------------------------------------------- 
@@ -28,15 +44,63 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The 'tunnels' file now supports 'tinc' tunnels. +1) The CLI programs (shorewall, shorewall6, etc) now support 'open' + and 'close' commands. The 'open' command temporarily opens the + firewall for a specified type of connection; the syntax is: -2) Previously, the SAME action in the mangle file had a fixed timeout - of 300 seconds (5 minutes). That action now allows specification of - a different timeout. + open <source> <destination> [ <protocol> [ <port> ] ] -3) It is now possible to add or delete addresses from an ipset with - entries in the mangle file. The ADD and DEL actions have the same - behavior in the mangle file as they do in the rules file. + The <source> and <destination> may be any of the following: + + - a host IP address + - a network IP address + - a valid DNS name (usual warnings apply) + - the word 'all', indicating that the <source> or <destination> is + not restricted + + The protocol may be specified by number or by a name. Same with + <port>. + + Example: Open SSH connections to 1.2.3.4 in Shorewall: + + shorewall open all 1.2.3.4 tcp ssh + + The 'close' command reverses the effect of an earlier 'open' + command and has two forms: + + close <open-number> + close <source> <destination> [ <protocol [ <port ] ] + + + In the first form, the <open-number> is the number displayed in the + 'num' column of the 'shorewall list opens' command (see below). + + In the second form, the parameters must match those of the earlier + 'open' command to be reversed. All temporary connections opens may + be deleted by simply restarting the firewall. + + Both commands require that the firewall be in the started state and + that DYNAMIC_BLACKLIST=Yes in the active configuration. + + The iptables rules created via 'open' commands can be displayed + using the 'show opens' command. 
+ + Example (after the above open command was executed): + + Shorewall 4.6.8 Temporarily opened connections at gateway - Fri Mar 6 09:47:06 PST 2015 + Chain dynamic (14 references) + num pkts bytes target prot opt in out source destination + 1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 1.2.3.4 multiport dports 22 + root@gateway:~# + +2) A 'safesets' command is now available to proactively save changes + to ipset contents. Using this command can guard against accidental + loss of ipset changes in the event of a system failure before a + 'stop' command has been completed. The exact action taken by the + command depends on the setting of SAVE_IPSETS in shorewall[6].conf. + +3) The SOURCE and DEST columns in the rtrules file may now contains + comma-separated lists of addresses. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -331,6 +395,26 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 7 +---------------------------------------------------------------------------- + +None. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 7 +---------------------------------------------------------------------------- + +1) The 'tunnels' file now supports 'tinc' tunnels. + +2) Previously, the SAME action in the mangle file had a fixed timeout + of 300 seconds (5 minutes). That action now allows specification of + a different timeout. + +3) It is now possible to add or delete addresses from an ipset with + entries in the mangle file. The ADD and DEL actions have the same + behavior in the mangle file as they do in the rules file. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 6 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/shorewall.spec new/shorewall-4.6.8/shorewall.spec --- old/shorewall-4.6.7/shorewall.spec 2015-03-11 19:41:43.000000000 +0100 +++ new/shorewall-4.6.8/shorewall.spec 2015-04-02 22:27:47.000000000 +0200 @@ -1,5 +1,5 @@ %define name shorewall -%define version 4.6.7 +%define version 4.6.8 %define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. 
@@ -132,6 +132,16 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples %changelog +* Sun Mar 29 2015 Tom Eastep [email protected] +- Updated to 4.6.8-0base +* Tue Mar 24 2015 Tom Eastep [email protected] +- Updated to 4.6.8-0RC1 +* Tue Mar 17 2015 Tom Eastep [email protected] +- Updated to 4.6.8-0Beta3 +* Sat Mar 14 2015 Tom Eastep [email protected] +- Updated to 4.6.8-0Beta2 +* Fri Mar 06 2015 Tom Eastep [email protected] +- Updated to 4.6.8-0Beta1 * Thu Mar 05 2015 Tom Eastep [email protected] - Updated to 4.6.7-0base * Tue Mar 03 2015 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-4.6.7/uninstall.sh new/shorewall-4.6.8/uninstall.sh --- old/shorewall-4.6.7/uninstall.sh 2015-03-11 19:41:43.000000000 +0100 +++ new/shorewall-4.6.8/uninstall.sh 2015-04-02 22:27:47.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.7 +VERSION=4.6.8 PRODUCT=shorewall usage() # $1 = exit status @@ -40,6 +40,12 @@ exit $1 } +fatal_error() +{ + echo " ERROR: $@" >&2 + exit 1 +} + qt() { "$@" >/dev/null 2>&1 @@ -197,7 +203,7 @@ rm -rf ${VARDIR}/shorewall rm -rf ${PERLLIBDIR}/Shorewall/* -rm -rf ${LIBEXECDIR}/shorewall +[ ${LIBEXECDIR} = ${SHAREDIR} ] || rm -rf ${LIBEXECDIR}/shorewall rm -rf ${SHAREDIR}/shorewall/configfiles/ rm -rf ${SHAREDIR}/shorewall/Samples/ rm -rf ${SHAREDIR}/shorewall/Shorewall/ ++++++ shorewall-core-4.6.7.tar.bz2 -> shorewall-core-4.6.8.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.7/changelog.txt new/shorewall-core-4.6.8/changelog.txt --- old/shorewall-core-4.6.7/changelog.txt 2015-03-11 19:41:43.000000000 +0100 +++ new/shorewall-core-4.6.8/changelog.txt 2015-04-02 22:27:47.000000000 +0200 
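Review bot: The new guard in the last uninstall.sh hunk, `[ ${LIBEXECDIR} = ${SHAREDIR} ] || rm -rf ${LIBEXECDIR}/shorewall`, expands both variables unquoted, so an empty or whitespace-containing value makes the `[` test fail with an error status and the `rm -rf` on the right of `||` still runs, in the empty case against `/shorewall`. In a script that removes directory trees and is normally run as root, the comparison and the path should be quoted: `[ "${LIBEXECDIR}" = "${SHAREDIR}" ] || rm -rf "${LIBEXECDIR}/shorewall"`. The neighbouring `rm -rf` context lines use the same unquoted style, and where these variables are assigned is outside the hunk.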
@@ -1,3 +1,39 @@ +Changes in 4.6.8 Final + +1) Update release documents. + +2) Apply Matt Darfeuille's uninstall fixes + +Changes in 4.6.8 RC 1 + +1) Update release documents. + +2) Correct the Shorewall-init installer. + +3) Apply nfw's fix for IP[6]TABLES in the conntrack file. + +Changes in 4.6.8 Beta 3 + +1) Update release documents. + +2) Implement ICMP handling in 'open' and 'close' + +3) Implement 'savesets' command. + +4) Allow comma-separated lists in the rtrules file. + +Changes in 4.6.8 Beta 2 + +1) Update release documents. + +2) Improve the 'close' and 'show opens' commands. + +Changes in 4.6.8 Beta 1 + +1) Update release documents. + +2) Implement the 'open' and 'close' commands + Changes in 4.6.7 Final 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.7/configure new/shorewall-core-4.6.8/configure --- old/shorewall-core-4.6.7/configure 2015-03-11 19:41:43.000000000 +0100 +++ new/shorewall-core-4.6.8/configure 2015-04-02 22:27:47.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.7 +VERSION=4.6.8 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.7/configure.pl new/shorewall-core-4.6.8/configure.pl --- old/shorewall-core-4.6.7/configure.pl 2015-03-11 19:41:43.000000000 +0100 +++ new/shorewall-core-4.6.8/configure.pl 2015-04-02 22:27:47.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.7' + VERSION => '4.6.8' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.7/install.sh new/shorewall-core-4.6.8/install.sh --- old/shorewall-core-4.6.7/install.sh 2015-03-11 19:41:43.000000000 +0100 +++ new/shorewall-core-4.6.8/install.sh 2015-04-02 22:27:47.000000000 +0200 
@@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=4.6.7 +VERSION=4.6.8 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.7/lib.cli new/shorewall-core-4.6.8/lib.cli --- old/shorewall-core-4.6.7/lib.cli 2015-02-18 21:04:01.000000000 +0100 +++ new/shorewall-core-4.6.8/lib.cli 2015-04-02 22:26:51.000000000 +0200 @@ -375,7 +375,18 @@ supported=$(run_it ${VARDIR}/firewall help | fgrep savesets ) - [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets + [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets +} + +# +# Proactive save of the current ipset contents +# +savesets1() { + local supported + + supported=$(run_it ${VARDIR}/firewall help | fgrep savesets ) + + [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save" } # @@ -387,7 +398,7 @@ status=0 if [ -f ${VARDIR}/firewall ]; then - if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then + if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then cp -f ${VARDIR}/firewall $g_restorepath mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables chmod +x $g_restorepath @@ -1224,6 +1235,16 @@ echo show_bl; ;; + opens) + [ $# -gt 1 ] && usage 1 + echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)" + + if chain_exists dynamic; then + g_ipt_options="$g_ipt_options --line-numbers" + $g_tool -t filter -L dynamic $g_ipt_options | head -n2 + $g_tool -t filter -L dynamic $g_ipt_options | fgrep ACCEPT | $output_filter + fi + ;; *) case "$g_program" in *-lite) 
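Review bot: `savesets1` reports nothing when `savesets` is missing from the firewall script's help output: the `[ -n "$supported" ] && ...` chain simply stops, so the command ends without saving and without a message, and only its exit status shows the difference. For a command whose purpose is to protect ipset contents against loss, an explicit failure is safer, for example `[ -n "$supported" ] || fatal_error "The compiled firewall script does not support 'savesets'"` ahead of the `run_it` call. The re-indented `[ -n "$supported" ]` line at the top of this hunk belongs to a function that starts outside the hunk.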
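Review bot: The filter added to the save pipeline, `grep -v -- '-A dynamic.* -j ACCEPT'`, is unanchored and its `dynamic.*` also matches any chain whose name merely begins with "dynamic", so ACCEPT rules in such a chain, or a rule whose text happens to contain that string, would be silently dropped from the saved ruleset. Anchoring it to the exact chain keeps the intent of excluding temporary opens: `grep -Ev -- '^-A dynamic( .*)? -j ACCEPT'`. The `if` now also takes its status from `grep` rather than from `$iptables_save`, so a failing save is not detected here; whether `iptablesbug` already hid that status cannot be told from the hunk.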
@@ -2076,6 +2097,166 @@
 fi
 }
+open_close_command() {
+ local command
+ local desc
+ local proto
+ local icmptype
+
+ open_close_setup() {
+ [ -n "$g_nolock" ] || mutex_on
+
+ if ! product_is_started ; then
+ [ -n "$g_nolock" ] || mutex_off
+ fatal_error "The $COMMAND command requires the firewall to be running"
+ fi
+
+ if ! chain_exists dynamic; then
+ [ -n "$g_nolock" ] || mutex_off
+ fatal_error "The $COMMAND command requires DYNAMIC_BLACKLIST=Yes in the running configuration"
+ fi
+ }
+
+ [ $# -le 4 ] || fatal_error "Too many parameters"
+
+ if [ $COMMAND = open ]; then
+ [ $# -ge 2 ] || fatal_error "Too few parameters"
+ else
+ [ $# -ge 1 ] || fatal_error "Too few parameters"
+ fi
+
+ if [ $# -eq 1 ]; then
+ #
+ # close <rule number>
+ #
+ case $1 in
+ [1-9]|[1-9][0-9]|[1-9][0-9][0-9]*)
+ ;;
+ *)
+ fatal_error "$1 is not a valid temporary open number"
+ ;;
+ esac
+
+ open_close_setup #Conditionally acquires mutex
+
+ if $g_tool -L dynamic --line-numbers | grep -q "^$1 .* ACCEPT "; then
+ if $g_tool -D dynamic $1; then
+ [ -n "$g_nolock" ] || mutex_off
+ echo "Temporary open #$1 closed"
+ return 0
+ fi
+ [ -n "$g_nolock" ] || mutex_off
+ return 2
+ else
+ [ -n "$g_nolock" ] || mutex_off
+ fatal_error "$1 is not a valid temporary open number"
+ fi
+ else
+ if [ $1 = all ]; then
+ command=dynamic
+ else
+ command="dynamic -s $1"
+ fi
+
+ if [ $2 != all ]; then
+ command="$command -d $2"
+ fi
+
+ desc="from $1 to $2"
+
+ if [ $# -ge 3 ]; then
+ proto=$3
+
+ [ $proto = icmp -a $g_family -eq 6 ] && proto=58
+
+ command="$command -p $proto"
+
+ case $3 in
+ [0-9]*)
+ desc="$desc protocol $3"
+ ;;
+ *)
+ desc="$desc $3"
+ ;;
+ esac
+
+ if [ $g_family -eq 4 ]; then
+ if [ $proto = 6 -o $proto = icmp ]; then
+ proto=icmp
+ icmptype='--icmp-type'
+ fi
+ else
+ if [ $proto = 58 -o $proto = ipv6-icmp ]; then
+ proto=icmp
+ icmptype='--icmpv6-type'
+ fi
+ fi
+ fi
+
+ if [ $# -eq 4 ]; then
+ if [ $proto = icmp ]; then
+ case $4 in
+ *,*)
+ fatal_error "Only a single ICMP
type may be specified" + ;; + [0-9]*) + desc="$desc type $4" + ;; + *) + desc="$desc $4" + ;; + esac + + command="$command $icmptype $4" + else + case $4 in + *,*) + command="$command -m multiport --dports $4" + ;; + *) + command="$command --dport $4" + ;; + esac + + case $4 in + [0-9]*,) + desc="$desc ports $4" + ;; + [0-9]*) + desc="$desc port $4" + ;; + *) + desc="$desc $4" + ;; + esac + fi + fi + + command="$command -j ACCEPT" + + open_close_setup #Conditionally acquires mutex + + if [ $COMMAND = open ]; then + if $g_tool -I $command ; then + [ -n "$g_nolock" ] || mutex_off + echo "Firewall dynamically opened for connections $desc" + return 0 + fi + [ -n "$g_nolock" ] || mutex_off + return 2 + fi + + if $g_tool -D $command 2> /dev/null; then + [ -n "$g_nolock" ] || mutex_off + echo "Firewall dynamically closed for connections $desc (may still be permitted by rules/policies)" + return 0 + fi + + [ -n "$g_nolock" ] || mutex_off + fatal_error "Connections $desc are not currently opened" + fi +} + # # 'hits' commmand executor # @@ -3628,6 +3809,7 @@ echo " add <interface>[:<host-list>] ... <zone>" echo " allow <address> ..." echo " clear" + echo " close <source> <dest> [ <protocol> [ <port> ] ]" echo " delete <interface>[:<host-list>] ... <zone>" echo " disable <interface>" echo " drop <address> ..." @@ -3645,12 +3827,14 @@ echo " logdrop <address> ..." echo " logreject <address> ..." echo " logwatch [<refresh interval>]" + echo " open <source> <dest> [ <protocol> [ <port> ] ]" echo " reject <address> ..." echo " reset [ <chain> ... ]" echo " restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]" echo " restore [ -n ] [ -p ] [ -C ] [ <file name> ]" echo " run <command> [ <parameter> ... ]" echo " save [ -C ] [ <file name> ]" + echo " savesets" echo " [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]" echo " [ show | list | ls ] [ -f ] capabilities" echo " [ show | list | ls ] arptables" 
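Review bot: In the IPv4 branch of `open_close_command`, `if [ $proto = 6 -o $proto = icmp ]` treats protocol number 6 as ICMP, but 6 is TCP and ICMP is 1, so a numeric `6` with a port is built with `--icmp-type` instead of `--dport` and a numeric `1` never gets the ICMP handling; the test should read `if [ $proto = 1 -o $proto = icmp ]`. Separately, the rule-number check for `close <number>` uses the glob `[1-9][0-9][0-9]*`, where `*` matches any trailing characters, so a value such as `100x` is accepted and then reaches `grep -q "^$1 ..."` as a regular expression and the unquoted `$g_tool -D dynamic $1`. Rejecting anything that is not a plain positive integer first, with an arm like `''|*[!0-9]*|0*) fatal_error "$1 is not a valid temporary open number" ;;`, closes that gap. The port description arm `[0-9]*,)` only matches a value ending in a comma and was presumably meant to be `[0-9]*,*)`.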
@@ -3670,6 +3854,7 @@ echo " [ show | list | ls ] [ -m ] log [<regex>]" echo " [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost" echo " [ show | list | ls ] nfacct" + echo " [ show | list | ls ] opens" echo " [ show | list | ls ] policies" echo " [ show | list | ls ] routing" echo " [ show | list | ls ] tc [ device ]" @@ -3979,6 +4164,11 @@ [ $# -eq 1 ] && usage 1 reject_command $@ ;; + open|close) + get_config + shift + open_close_command $@ + ;; allow) get_config allow_command $@ @@ -4042,6 +4232,12 @@ shift noiptrace_command $@ ;; + savesets) + [ $# -eq 1 ] || usage 1 + get_config + [ -n "$g_debugging" ] && set -x + savesets1 + ;; *) if [ -z "$g_lite" ]; then compiler_command $@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.7/releasenotes.txt new/shorewall-core-4.6.8/releasenotes.txt --- old/shorewall-core-4.6.7/releasenotes.txt 2015-03-11 19:41:43.000000000 +0100 +++ new/shorewall-core-4.6.8/releasenotes.txt 2015-04-02 22:27:47.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 7 + S H O R E W A L L 4 . 6 . 8 ------------------------------------ - M a r c h 0 8 , 2 0 1 5 + A p r i l 0 4 , 2 0 1 5 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -17,6 +17,22 @@ 1) This release includes defect repair from Shorewall 4.6.6.2 and earlier releases. +2) Previously, when the -n option was specified and NetworkManager was + installed on the target system, the Shorewall-init installer would + still create + ${DESTDIR}etc/NetworkManager/dispatcher.d/01-shorewall, regardless + of the setting of $CONFDIR. That has been corrected such that the + directory + ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall is + created instead. + +3) Previously, handling of the IPTABLES and IP6TABLES actions in the + conntrack file was broken. nfw provided a fix on IRC. + +4) The Shorewall-core and Shorewall6 installers would previously + report incorrectly that the product release was not installed. Matt + Darfeuille provided fixes. + ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G ---------------------------------------------------------------------------- 
@@ -28,15 +44,63 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The 'tunnels' file now supports 'tinc' tunnels. +1) The CLI programs (shorewall, shorewall6, etc) now support 'open' + and 'close' commands. The 'open' command temporarily opens the + firewall for a specified type of connection; the syntax is: -2) Previously, the SAME action in the mangle file had a fixed timeout - of 300 seconds (5 minutes). That action now allows specification of - a different timeout. + open <source> <destination> [ <protocol> [ <port> ] ] -3) It is now possible to add or delete addresses from an ipset with - entries in the mangle file. The ADD and DEL actions have the same - behavior in the mangle file as they do in the rules file. + The <source> and <destination> may be any of the following: + + - a host IP address + - a network IP address + - a valid DNS name (usual warnings apply) + - the word 'all', indicating that the <source> or <destination> is + not restricted + + The protocol may be specified by number or by a name. Same with + <port>. + + Example: Open SSH connections to 1.2.3.4 in Shorewall: + + shorewall open all 1.2.3.4 tcp ssh + + The 'close' command reverses the effect of an earlier 'open' + command and has two forms: + + close <open-number> + close <source> <destination> [ <protocol [ <port ] ] + + + In the first form, the <open-number> is the number displayed in the + 'num' column of the 'shorewall list opens' command (see below). + + In the second form, the parameters must match those of the earlier + 'open' command to be reversed. All temporary connections opens may + be deleted by simply restarting the firewall. + + Both commands require that the firewall be in the started state and + that DYNAMIC_BLACKLIST=Yes in the active configuration. + + The iptables rules created via 'open' commands can be displayed + using the 'show opens' command. 
+ + Example (after the above open command was executed): + + Shorewall 4.6.8 Temporarily opened connections at gateway - Fri Mar 6 09:47:06 PST 2015 + Chain dynamic (14 references) + num pkts bytes target prot opt in out source destination + 1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 1.2.3.4 multiport dports 22 + root@gateway:~# + +2) A 'safesets' command is now available to proactively save changes + to ipset contents. Using this command can guard against accidental + loss of ipset changes in the event of a system failure before a + 'stop' command has been completed. The exact action taken by the + command depends on the setting of SAVE_IPSETS in shorewall[6].conf. + +3) The SOURCE and DEST columns in the rtrules file may now contains + comma-separated lists of addresses. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -331,6 +395,26 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 7 +---------------------------------------------------------------------------- + +None. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 7 +---------------------------------------------------------------------------- + +1) The 'tunnels' file now supports 'tinc' tunnels. + +2) Previously, the SAME action in the mangle file had a fixed timeout + of 300 seconds (5 minutes). That action now allows specification of + a different timeout. + +3) It is now possible to add or delete addresses from an ipset with + entries in the mangle file. The ADD and DEL actions have the same + behavior in the mangle file as they do in the rules file. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 6 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.7/shorewall-core.spec new/shorewall-core-4.6.8/shorewall-core.spec --- old/shorewall-core-4.6.7/shorewall-core.spec 2015-03-11 19:41:43.000000000 +0100 +++ new/shorewall-core-4.6.8/shorewall-core.spec 2015-04-02 22:27:47.000000000 +0200 @@ -1,5 +1,5 @@ %define name shorewall-core -%define version 4.6.7 +%define version 4.6.8 %define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. 
@@ -63,6 +63,16 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt %changelog +* Sun Mar 29 2015 Tom Eastep [email protected] +- Updated to 4.6.8-0base +* Tue Mar 24 2015 Tom Eastep [email protected] +- Updated to 4.6.8-0RC1 +* Tue Mar 17 2015 Tom Eastep [email protected] +- Updated to 4.6.8-0Beta3 +* Sat Mar 14 2015 Tom Eastep [email protected] +- Updated to 4.6.8-0Beta2 +* Fri Mar 06 2015 Tom Eastep [email protected] +- Updated to 4.6.8-0Beta1 * Thu Mar 05 2015 Tom Eastep [email protected] - Updated to 4.6.7-0base * Tue Mar 03 2015 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.7/uninstall.sh new/shorewall-core-4.6.8/uninstall.sh --- old/shorewall-core-4.6.7/uninstall.sh 2015-03-11 19:41:43.000000000 +0100 +++ new/shorewall-core-4.6.8/uninstall.sh 2015-04-02 22:27:47.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.7 +VERSION=4.6.8 usage() # $1 = exit status { @@ -35,6 +35,12 @@ exit $1 } +fatal_error() +{ + echo " ERROR: $@" >&2 + exit 1 +} + qt() { "$@" >/dev/null 2>&1 ++++++ shorewall-docs-html-4.6.7.tar.bz2 -> shorewall-docs-html-4.6.8.tar.bz2 ++++++ ++++ 7386 lines of diff (skipped) ++++++ shorewall-init-4.6.7.tar.bz2 -> shorewall-init-4.6.8.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.7/changelog.txt new/shorewall-init-4.6.8/changelog.txt --- old/shorewall-init-4.6.7/changelog.txt 2015-03-11 19:41:44.000000000 +0100 +++ new/shorewall-init-4.6.8/changelog.txt 2015-04-02 22:27:48.000000000 +0200 
@@ -1,3 +1,39 @@ +Changes in 4.6.8 Final + +1) Update release documents. + +2) Apply Matt Darfeuille's uninstall fixes + +Changes in 4.6.8 RC 1 + +1) Update release documents. + +2) Correct the Shorewall-init installer. + +3) Apply nfw's fix for IP[6]TABLES in the conntrack file. + +Changes in 4.6.8 Beta 3 + +1) Update release documents. + +2) Implement ICMP handling in 'open' and 'close' + +3) Implement 'savesets' command. + +4) Allow comma-separated lists in the rtrules file. + +Changes in 4.6.8 Beta 2 + +1) Update release documents. + +2) Improve the 'close' and 'show opens' commands. + +Changes in 4.6.8 Beta 1 + +1) Update release documents. + +2) Implement the 'open' and 'close' commands + Changes in 4.6.7 Final 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.7/configure new/shorewall-init-4.6.8/configure --- old/shorewall-init-4.6.7/configure 2015-03-11 19:41:43.000000000 +0100 +++ new/shorewall-init-4.6.8/configure 2015-04-02 22:27:48.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.7 +VERSION=4.6.8 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.7/configure.pl new/shorewall-init-4.6.8/configure.pl --- old/shorewall-init-4.6.7/configure.pl 2015-03-11 19:41:44.000000000 +0100 +++ new/shorewall-init-4.6.8/configure.pl 2015-04-02 22:27:48.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.7' + VERSION => '4.6.8' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.7/install.sh new/shorewall-init-4.6.8/install.sh --- old/shorewall-init-4.6.7/install.sh 2015-03-11 19:41:43.000000000 +0100 +++ new/shorewall-init-4.6.8/install.sh 2015-04-02 22:27:48.000000000 +0200 
@@ -27,7 +27,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.6.7 +VERSION=4.6.8 usage() # $1 = exit status { @@ -188,6 +188,8 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin +[ $configure -eq 1 ] && ETC=/etc || ETC="${CONFDIR}" + if [ -z "$BUILD" ]; then case $(uname) in cygwin*) @@ -379,9 +381,9 @@ if [ $HOST = debian ]; then if [ -n "${DESTDIR}" ]; then - mkdir -p ${DESTDIR}/etc/network/if-up.d/ - mkdir -p ${DESTDIR}/etc/network/if-down.d/ - mkdir -p ${DESTDIR}/etc/network/if-post-down.d/ + mkdir -p ${DESTDIR}${ETC}/network/if-up.d/ + mkdir -p ${DESTDIR}${ETC}/network/if-down.d/ + mkdir -p ${DESTDIR}${ETC}/network/if-post-down.d/ elif [ $configure -eq 0 ]; then mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/ mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/ @@ -390,15 +392,11 @@ if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then if [ -n "${DESTDIR}" ]; then - mkdir ${DESTDIR}/etc/default + mkdir ${DESTDIR}${ETC}/default fi - if [ $configure -eq 1 ]; then - install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644 - else - mkdir -p ${DESTDIR}${CONFDIR}/default - install_file sysconfig ${DESTDIR}${CONFDIR}/default/shorewall-init 0644 - fi + [ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default + install_file sysconfig ${DESTDIR}${ETC}/default/shorewall-init 0644 fi IFUPDOWN=ifupdown.debian.sh @@ -408,13 +406,13 @@ if [ -z "$RPM" ]; then if [ $HOST = suse ]; then - mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d - mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d + mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-up.d + mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-down.d elif [ $HOST = gentoo ]; then # Gentoo does not support if-{up,down}.d /bin/true else - mkdir -p ${DESTDIR}/etc/NetworkManager/dispatcher.d + mkdir -p ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d fi fi fi 
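Review bot: The directory created in the last install.sh hunk here, `mkdir -p ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d`, no longer lines up with the unchanged guard `if [ -d ${DESTDIR}/etc/NetworkManager ]` in the following hunk (@@ -440,12 +438,8 @@), which still tests the hard-coded /etc path before installing into `${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall`. When ETC is taken from CONFDIR and differs from /etc, the guard and the install target refer to different trees, so the dispatcher script may be skipped, or written under a directory the guard never checked; this is inferred from the two hunks, since the code between them is not shown. If the guard is meant to find the directory prepared earlier, one spelling throughout avoids the mismatch: `mkdir -p ${DESTDIR}${ETC}/NetworkManager/dispatcher.d` (without the extra slash) and `if [ -d ${DESTDIR}${ETC}/NetworkManager ]; then`. The path expansions in these hunks are also unquoted, so a DESTDIR or CONFDIR containing whitespace would be split into several arguments.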
@@ -440,12 +438,8 @@ install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544 if [ -d ${DESTDIR}/etc/NetworkManager ]; then - if [ $configure -eq 1 ]; then - install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544 - else - mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/ - install_file ifupdown ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall 0544 - fi + [ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/ + install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544 fi case $HOST in diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.7/releasenotes.txt new/shorewall-init-4.6.8/releasenotes.txt --- old/shorewall-init-4.6.7/releasenotes.txt 2015-03-11 19:41:44.000000000 +0100 +++ new/shorewall-init-4.6.8/releasenotes.txt 2015-04-02 22:27:48.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 7 + S H O R E W A L L 4 . 6 . 8 ------------------------------------ - M a r c h 0 8 , 2 0 1 5 + A p r i l 0 4 , 2 0 1 5 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
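Review bot: The guard `[ -d ${DESTDIR}/etc/NetworkManager ]` still probes the hard-coded `/etc` tree, while the dispatcher script is now installed under `${DESTDIR}${ETC}`; with `configure` equal to 0, the directory tested and the directory written can be different trees. If the test is only meant to detect NetworkManager on the system, a comment such as `# Probe the system /etc for NetworkManager; the hook itself is installed under ${ETC}` would record that. Otherwise the guard should use `${ETC}` as well. When `configure` is 1 the `mkdir -p` is skipped, so `install_file` depends on `dispatcher.d` already existing; an unconditional `mkdir -p "${DESTDIR}${ETC}/NetworkManager/dispatcher.d/"` covers both cases. NetworkManager runs dispatcher scripts as root, so the location of `01-shorewall` is worth pinning down precisely.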
@@ -17,6 +17,22 @@ 1) This release includes defect repair from Shorewall 4.6.6.2 and earlier releases. +2) Previously, when the -n option was specified and NetworkManager was + installed on the target system, the Shorewall-init installer would + still create + ${DESTDIR}etc/NetworkManager/dispatcher.d/01-shorewall, regardless + of the setting of $CONFDIR. That has been corrected such that the + directory + ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall is + created instead. + +3) Previously, handling of the IPTABLES and IP6TABLES actions in the + conntrack file was broken. nfw provided a fix on IRC. + +4) The Shorewall-core and Shorewall6 installers would previously + report incorrectly that the product release was not installed. Matt + Darfeuille provided fixes. + ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G ---------------------------------------------------------------------------- 
@@ -28,15 +44,63 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The 'tunnels' file now supports 'tinc' tunnels. +1) The CLI programs (shorewall, shorewall6, etc) now support 'open' + and 'close' commands. The 'open' command temporarily opens the + firewall for a specified type of connection; the syntax is: -2) Previously, the SAME action in the mangle file had a fixed timeout - of 300 seconds (5 minutes). That action now allows specification of - a different timeout. + open <source> <destination> [ <protocol> [ <port> ] ] -3) It is now possible to add or delete addresses from an ipset with - entries in the mangle file. The ADD and DEL actions have the same - behavior in the mangle file as they do in the rules file. + The <source> and <destination> may be any of the following: + + - a host IP address + - a network IP address + - a valid DNS name (usual warnings apply) + - the word 'all', indicating that the <source> or <destination> is + not restricted + + The protocol may be specified by number or by a name. Same with + <port>. + + Example: Open SSH connections to 1.2.3.4 in Shorewall: + + shorewall open all 1.2.3.4 tcp ssh + + The 'close' command reverses the effect of an earlier 'open' + command and has two forms: + + close <open-number> + close <source> <destination> [ <protocol [ <port ] ] + + + In the first form, the <open-number> is the number displayed in the + 'num' column of the 'shorewall list opens' command (see below). + + In the second form, the parameters must match those of the earlier + 'open' command to be reversed. All temporary connections opens may + be deleted by simply restarting the firewall. + + Both commands require that the firewall be in the started state and + that DYNAMIC_BLACKLIST=Yes in the active configuration. + + The iptables rules created via 'open' commands can be displayed + using the 'show opens' command. 
+ + Example (after the above open command was executed): + + Shorewall 4.6.8 Temporarily opened connections at gateway - Fri Mar 6 09:47:06 PST 2015 + Chain dynamic (14 references) + num pkts bytes target prot opt in out source destination + 1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 1.2.3.4 multiport dports 22 + root@gateway:~# + +2) A 'safesets' command is now available to proactively save changes + to ipset contents. Using this command can guard against accidental + loss of ipset changes in the event of a system failure before a + 'stop' command has been completed. The exact action taken by the + command depends on the setting of SAVE_IPSETS in shorewall[6].conf. + +3) The SOURCE and DEST columns in the rtrules file may now contains + comma-separated lists of addresses. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -331,6 +395,26 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 7 +---------------------------------------------------------------------------- + +None. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 7 +---------------------------------------------------------------------------- + +1) The 'tunnels' file now supports 'tinc' tunnels. + +2) Previously, the SAME action in the mangle file had a fixed timeout + of 300 seconds (5 minutes). That action now allows specification of + a different timeout. + +3) It is now possible to add or delete addresses from an ipset with + entries in the mangle file. The ADD and DEL actions have the same + behavior in the mangle file as they do in the rules file. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 6 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.7/shorewall-init.spec new/shorewall-init-4.6.8/shorewall-init.spec --- old/shorewall-init-4.6.7/shorewall-init.spec 2015-03-11 19:41:43.000000000 +0100 +++ new/shorewall-init-4.6.8/shorewall-init.spec 2015-04-02 22:27:48.000000000 +0200 @@ -1,5 +1,5 @@ %define name shorewall-init -%define version 4.6.7 +%define version 4.6.8 %define release 0base Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). 
@@ -126,6 +126,16 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Sun Mar 29 2015 Tom Eastep [email protected] +- Updated to 4.6.8-0base +* Tue Mar 24 2015 Tom Eastep [email protected] +- Updated to 4.6.8-0RC1 +* Tue Mar 17 2015 Tom Eastep [email protected] +- Updated to 4.6.8-0Beta3 +* Sat Mar 14 2015 Tom Eastep [email protected] +- Updated to 4.6.8-0Beta2 +* Fri Mar 06 2015 Tom Eastep [email protected] +- Updated to 4.6.8-0Beta1 * Thu Mar 05 2015 Tom Eastep [email protected] - Updated to 4.6.7-0base * Tue Mar 03 2015 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.7/uninstall.sh new/shorewall-init-4.6.8/uninstall.sh --- old/shorewall-init-4.6.7/uninstall.sh 2015-03-11 19:41:43.000000000 +0100 +++ new/shorewall-init-4.6.8/uninstall.sh 2015-04-02 22:27:48.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.7 +VERSION=4.6.8 usage() # $1 = exit status { @@ -35,6 +35,12 @@ exit $1 } +fatal_error() +{ + echo " ERROR: $@" >&2 + exit 1 +} + qt() { "$@" >/dev/null 2>&1 ++++++ shorewall-lite-4.6.7.tar.bz2 -> shorewall-lite-4.6.8.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.7/changelog.txt new/shorewall-lite-4.6.8/changelog.txt --- old/shorewall-lite-4.6.7/changelog.txt 2015-03-11 19:41:44.000000000 +0100 +++ new/shorewall-lite-4.6.8/changelog.txt 2015-04-02 22:27:48.000000000 +0200 
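Review bot: The new `fatal_error()` in uninstall.sh expands `$@` inside a longer quoted string, `echo " ERROR: $@" >&2`, which hands `echo` several separate words when more than one argument is passed. `$*` is the form for joining the arguments into one message: `echo " ERROR: $*" >&2`. The same function is added to shorewall-lite's uninstall.sh later in this diff and would take the same change. A one-line comment above it, `# Print an error message on stderr and exit with status 1`, would match the `usage() # $1 = exit status` annotation on the neighbouring function. The callers of `fatal_error` are outside the hunk.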
@@ -1,3 +1,39 @@ +Changes in 4.6.8 Final + +1) Update release documents. + +2) Apply Matt Darfeuille's uninstall fixes + +Changes in 4.6.8 RC 1 + +1) Update release documents. + +2) Correct the Shorewall-init installer. + +3) Apply nfw's fix for IP[6]TABLES in the conntrack file. + +Changes in 4.6.8 Beta 3 + +1) Update release documents. + +2) Implement ICMP handling in 'open' and 'close' + +3) Implement 'savesets' command. + +4) Allow comma-separated lists in the rtrules file. + +Changes in 4.6.8 Beta 2 + +1) Update release documents. + +2) Improve the 'close' and 'show opens' commands. + +Changes in 4.6.8 Beta 1 + +1) Update release documents. + +2) Implement the 'open' and 'close' commands + Changes in 4.6.7 Final 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.7/configure new/shorewall-lite-4.6.8/configure --- old/shorewall-lite-4.6.7/configure 2015-03-11 19:41:44.000000000 +0100 +++ new/shorewall-lite-4.6.8/configure 2015-04-02 22:27:48.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.7 +VERSION=4.6.8 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.7/configure.pl new/shorewall-lite-4.6.8/configure.pl --- old/shorewall-lite-4.6.7/configure.pl 2015-03-11 19:41:44.000000000 +0100 +++ new/shorewall-lite-4.6.8/configure.pl 2015-04-02 22:27:48.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.7' + VERSION => '4.6.8' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.7/install.sh new/shorewall-lite-4.6.8/install.sh --- old/shorewall-lite-4.6.7/install.sh 2015-03-11 19:41:44.000000000 +0100 +++ new/shorewall-lite-4.6.8/install.sh 2015-04-02 22:27:48.000000000 +0200 
@@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=4.6.7 +VERSION=4.6.8 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.7/manpages/shorewall-lite-vardir.5 new/shorewall-lite-4.6.8/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-4.6.7/manpages/shorewall-lite-vardir.5 2015-03-11 19:45:09.000000000 +0100 +++ new/shorewall-lite-4.6.8/manpages/shorewall-lite-vardir.5 2015-04-02 22:31:08.000000000 +0200 @@ -2,12 +2,12 @@ .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\-VAR" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.7/manpages/shorewall-lite.8 new/shorewall-lite-4.6.8/manpages/shorewall-lite.8 --- old/shorewall-lite-4.6.7/manpages/shorewall-lite.8 2015-03-11 19:45:10.000000000 +0100 +++ new/shorewall-lite-4.6.8/manpages/shorewall-lite.8 2015-04-02 22:31:10.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "03/11/2015" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL\-LITE" "8" "04/02/2015" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -37,6 +37,8 @@ .HP \w'\fBshorewall\-lite\fR\ 'u \fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBclear\fR\ [\fB\-f\fR] .HP \w'\fBshorewall\-lite\fR\ 'u +\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBclose\fR\ {\ \fIopen\-number\fR\ |\ \fIsource\fR\fIdest\fR\ [\fIprotocol\fR\ [\ \fIport\fR\ ]]}\fI\ \fR +.HP \w'\fBshorewall\-lite\fR\ 'u \fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBdelete\fR \fIinterface\fR[:\fIhost\-list\fR]... \fIzone\fR .HP \w'\fBshorewall\-lite\fR\ 'u \fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBdisable\fR {\ \fIinterface\fR\ |\ \fIprovider\fR\ } @@ -67,6 +69,8 @@ .HP \w'\fBshorewall\-lite\fR\ 'u \fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBnoiptrace\fR \fIiptables\ match\ expression\fR .HP \w'\fBshorewall\-lite\fR\ 'u +\fBshorewall\-lite\fR \fBopen\fR\fI\ source\fR\fI\ dest\fR\ [\ \fIprotocol\fR\ [\ \fIport\fR\ ]\ ] +.HP \w'\fBshorewall\-lite\fR\ 'u \fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBreject\fR \fIaddress\fR .HP \w'\fBshorewall\-lite\fR\ 'u \fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBreset\fR 
@@ -79,6 +83,8 @@ .HP \w'\fBshorewall\-lite\fR\ 'u \fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBsave\fR\ [\fB\-C\fR] [\fIfilename\fR] .HP \w'\fBshorewall\-lite\fR\ 'u +\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBsavesets\fR +.HP \w'\fBshorewall\-lite\fR\ 'u \fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] {\fBshow\ |\ list\ |\ ls\ \fR} [\fB\-b\fR] [\fB\-x\fR] [\fB\-l\fR] [\fB\-t\fR\ {\fBfilter\fR|\fBmangle\fR|\fBnat\fR|\fBraw|rawpost\fR}] [[\fBchain\fR]\ \fIchain\fR...] .HP \w'\fBshorewall\-lite\fR\ 'u \fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] {\fBshow\ |\ list\ |\ ls\ \fR} [\fB\-x\fR] \fB{bl|blacklists}\fR @@ -209,6 +215,22 @@ command if that script exists\&. .RE .PP +\fBclose\fR { \fIopen\-number\fR | \fIsource\fR \fIdest\fR [ \fIprotocol\fR [ \fIport\fR ] ] } +.RS 4 +Added in Shorewall 4\&.5\&.8\&. This command closes a temporary open created by the +\fBopen\fR +command\&. In the first form, an +\fIopen\-number\fR +specifies the open to be closed\&. Open numbers are displayed in the +\fBnum\fR +column of the output of the +\fBshorewall\-lite show opens \fRcommand\&. +.sp +When the second form of the command is used, the parameters must match those given in the earlier +\fBopen\fR +command\&. +.RE +.PP \fBdelete\fR .RS 4 The delete command reverses the effect of an earlier 
@@ -350,6 +372,56 @@ command being canceled\&. .RE .PP +\fBopen\fR \fIsource\fR \fIdest\fR [ \fIprotocol\fR [ \fIport\fR ] ] +.RS 4 +Added in Shorewall 4\&.6\&.8\&. This command requires that the firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in +\m[blue]\fBshorewall\&.conf (5)\fR\m[]\&\s-2\u[4]\d\s+2\&. The effect of the command is to temporarily open the firewall for connections matching the parameters\&. +.sp +The +\fIsource\fR +and +\fIdest\fR +parameters may each be specified as +\fBall\fR +if you don\*(Aqt wish to restrict the connection source or destination respectively\&. Otherwise, each must contain a host or network address or a valid DNS name\&. +.sp +The +\fIprotocol\fR +may be specified either as a number or as a name listed in /etc/protocols\&. The +\fIport\fR +may be specified numerically or as a name listed in /etc/services\&. +.sp +To reverse the effect of a successful +\fBopen\fR +command, use the +\fBclose\fR +command with the same parameters or simply restart the firewall\&. +.sp +Example: To open the firewall for SSH connections to address 192\&.168\&.1\&.1, the command would be: +.sp +.if n \{\ +.RS 4 +.\} +.nf + shorewall\-lite open all 192\&.168\&.1\&.1 tcp 22 +.fi +.if n \{\ +.RE +.\} +.sp +To reverse that command, use: +.sp +.if n \{\ +.RS 4 +.\} +.nf + shorewall\-lite close all 192\&.168\&.1\&.1 tcp 22 +.fi +.if n \{\ +.RE +.\} +.RE +.PP \fBreset\fR .RS 4 All the packet and byte counters in the firewall are reset\&. 
@@ -442,6 +514,17 @@ option, added in Shorewall 4\&.6\&.5, causes the iptables packet and byte counters to be saved along with the chains and rules\&. .RE .PP +\fBsavesets\fR +.RS 4 +Added in shorewall 4\&.6\&.8\&. Performs the same action as the +\fBstop\fR +command with respect to saving ipsets (see the SAVE_IPSETS option in +\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[4]\d\s+2 +(5))\&. This command may be used to proactively save your ipset contents in the event that a system failure occurs prior to issuing a +\fBstop\fR +command\&. +.RE +.PP \fBshow\fR .RS 4 The show command can have a number of different arguments: @@ -526,7 +609,7 @@ .PP \fBipa\fR .RS 4 -Added in Shorewall 4\&.4\&.17\&. Displays the per\-IP accounting counters (\m[blue]\fBshorewall\-accounting\fR\m[]\&\s-2\u[4]\d\s+2 +Added in Shorewall 4\&.4\&.17\&. Displays the per\-IP accounting counters (\m[blue]\fBshorewall\-accounting\fR\m[]\&\s-2\u[5]\d\s+2 (5))\&. .RE .PP @@ -551,6 +634,12 @@ option is passed directly through to iptables and causes actual packet and byte counts to be displayed\&. Without this option, those counts are abbreviated\&. .RE .PP +\fBopens\fR +.RS 4 +Added in Shorewall 4\&.5\&.8\&. Displays the iptables rules in the \*(Aqdynamic\*(Aq chain created through use of the +\fBopen \fRcommand\&.\&. +.RE +.PP \fBpolicies\fR .RS 4 Added in Shorewall 4\&.4\&.4\&. Displays the applicable policy between each pair of zones\&. Note that implicit intrazone ACCEPT policies are not displayed for zones associated with a single network where that network doesn\*(Aqt specify 
@@ -614,9 +703,9 @@ \fBstop\fR .RS 4 Stops the firewall\&. All existing connections, except those listed in -\m[blue]\fBshorewall\-routestopped\fR\m[]\&\s-2\u[5]\d\s+2(5) or permitted by the ADMINISABSENTMINDED option in +\m[blue]\fBshorewall\-routestopped\fR\m[]\&\s-2\u[6]\d\s+2(5) or permitted by the ADMINISABSENTMINDED option in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5), are taken down\&. The only new traffic permitted through the firewall is from systems listed in -\m[blue]\fBshorewall\-routestopped\fR\m[]\&\s-2\u[5]\d\s+2(5) or by ADMINISABSENTMINDED\&. +\m[blue]\fBshorewall\-routestopped\fR\m[]\&\s-2\u[6]\d\s+2(5) or by ADMINISABSENTMINDED\&. .sp If \fB\-f\fR @@ -680,11 +769,16 @@ \%http://www.shorewall.netshorewall-interfaces.html .RE .IP " 4." 4 +shorewall.conf (5) +.RS 4 +\%http://www.shorewall.net/manpages/shorewall.conf.html +.RE +.IP " 5." 4 shorewall-accounting .RS 4 \%http://www.shorewall.netmanpages/shorewall-accounting.html .RE -.IP " 5." 4 +.IP " 6." 4 shorewall-routestopped .RS 4 \%http://www.shorewall.netshorewall-routestopped.html diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.7/manpages/shorewall-lite.conf.5 new/shorewall-lite-4.6.8/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-4.6.7/manpages/shorewall-lite.conf.5 2015-03-11 19:45:07.000000000 +0100 +++ new/shorewall-lite-4.6.8/manpages/shorewall-lite.conf.5 2015-04-02 22:31:07.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 03/11/2015 +.\" Date: 04/02/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "03/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\&.CO" "5" "04/02/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.7/manpages/shorewall-lite.xml new/shorewall-lite-4.6.8/manpages/shorewall-lite.xml --- old/shorewall-lite-4.6.7/manpages/shorewall-lite.xml 2015-03-11 19:45:11.000000000 +0100 +++ new/shorewall-lite-4.6.8/manpages/shorewall-lite.xml 2015-04-02 22:31:10.000000000 +0200 @@ -65,6 +65,21 @@ <arg choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> + <arg>-<replaceable>options</replaceable></arg> + + <arg choice="plain"><option>close</option><arg choice="req"> + <replaceable>open-number</replaceable> | + <replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg> + <replaceable>port</replaceable> </arg></arg></arg><replaceable> + </replaceable></arg> + </cmdsynopsis> + + <cmdsynopsis> + <command>shorewall-lite</command> + + <arg + choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> + <arg rep="norepeat">-<replaceable>options</replaceable></arg> <arg choice="plain"><option>delete</option></arg> 
@@ -268,6 +283,15 @@ <cmdsynopsis> <command>shorewall-lite</command> + <arg choice="plain"><option>open</option><replaceable> + source</replaceable><replaceable> dest</replaceable><arg> + <replaceable>protocol</replaceable><arg> <replaceable>port</replaceable> + </arg> </arg></arg> + </cmdsynopsis> + + <cmdsynopsis> + <command>shorewall-lite</command> + <arg choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> @@ -353,6 +377,17 @@ <cmdsynopsis> <command>shorewall-lite</command> + <arg + choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> + + <arg>-<replaceable>options</replaceable></arg> + + <arg choice="plain"><option>savesets</option></arg> + </cmdsynopsis> + + <cmdsynopsis> + <command>shorewall-lite</command> + <arg choice="opt"><option>trace</option>|<option>debug</option></arg> <arg>-<replaceable>options</replaceable></arg> @@ -632,6 +667,27 @@ </varlistentry> <varlistentry> + <term><emphasis role="bold">close</emphasis> { + <replaceable>open-number</replaceable> | + <replaceable>source</replaceable> <replaceable>dest</replaceable> [ + <replaceable>protocol</replaceable> [ <replaceable>port</replaceable> + ] ] }</term> + + <listitem> + <para>Added in Shorewall 4.5.8. This command closes a temporary open + created by the <command>open</command> command. In the first form, + an <replaceable>open-number</replaceable> specifies the open to be + closed. Open numbers are displayed in the <emphasis + role="bold">num</emphasis> column of the output of the + <command>shorewall-lite show opens </command>command.</para> + + <para>When the second form of the command is used, the parameters + must match those given in the earlier <command>open</command> + command.</para> + </listitem> + </varlistentry> + + <varlistentry> <term><emphasis role="bold">delete</emphasis></term> <listitem> 
@@ -824,6 +880,45 @@ </varlistentry> <varlistentry> + <term><emphasis role="bold">open</emphasis> + <replaceable>source</replaceable> <replaceable>dest</replaceable> [ + <replaceable>protocol</replaceable> [ <replaceable>port</replaceable> + ] ]</term> + + <listitem> + <para>Added in Shorewall 4.6.8. This command requires that the + firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in + <ulink url="/manpages/shorewall.conf.html">shorewall.conf + (5)</ulink>. The effect of the command is to temporarily open the + firewall for connections matching the parameters.</para> + + <para>The <replaceable>source</replaceable> and + <replaceable>dest</replaceable> parameters may each be specified as + <emphasis role="bold">all</emphasis> if you don't wish to restrict + the connection source or destination respectively. Otherwise, each + must contain a host or network address or a valid DNS name.</para> + + <para>The <replaceable>protocol</replaceable> may be specified + either as a number or as a name listed in /etc/protocols. The + <replaceable>port</replaceable> may be specified numerically or as a + name listed in /etc/services.</para> + + <para>To reverse the effect of a successful <command>open</command> + command, use the <command>close</command> command with the same + parameters or simply restart the firewall.</para> + + <para>Example: To open the firewall for SSH connections to address + 192.168.1.1, the command would be:</para> + + <programlisting> shorewall-lite open all 192.168.1.1 tcp 22</programlisting> + + <para>To reverse that command, use:</para> + + <screen> shorewall-lite close all 192.168.1.1 tcp 22</screen> + </listitem> + </varlistentry> + + <varlistentry> <term><emphasis role="bold">reset</emphasis></term> <listitem> 
@@ -919,6 +1014,20 @@ </varlistentry> <varlistentry> + <term><emphasis role="bold">savesets</emphasis></term> + + <listitem> + <para>Added in shorewall 4.6.8. Performs the same action as the + <command>stop</command> command with respect to saving ipsets (see + the SAVE_IPSETS option in <ulink + url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)). + This command may be used to proactively save your ipset contents in + the event that a system failure occurs prior to issuing a + <command>stop</command> command.</para> + </listitem> + </varlistentry> + + <varlistentry> <term><emphasis role="bold">show</emphasis></term> <listitem> @@ -1086,6 +1195,16 @@ </listitem> </varlistentry> + <varlistentry> + <term><emphasis role="bold">opens</emphasis></term> + + <listitem> + <para>Added in Shorewall 4.5.8. Displays the iptables rules in + the 'dynamic' chain created through use of the <command>open + </command>command..</para> + </listitem> + </varlistentry> + <varlistentry> <term><emphasis role="bold">policies</emphasis></term> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.7/releasenotes.txt new/shorewall-lite-4.6.8/releasenotes.txt --- old/shorewall-lite-4.6.7/releasenotes.txt 2015-03-11 19:41:44.000000000 +0100 +++ new/shorewall-lite-4.6.8/releasenotes.txt 2015-04-02 22:27:48.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 7 + S H O R E W A L L 4 . 6 . 8 ------------------------------------ - M a r c h 0 8 , 2 0 1 5 + A p r i l 0 4 , 2 0 1 5 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -17,6 +17,22 @@ 1) This release includes defect repair from Shorewall 4.6.6.2 and earlier releases. +2) Previously, when the -n option was specified and NetworkManager was + installed on the target system, the Shorewall-init installer would + still create + ${DESTDIR}etc/NetworkManager/dispatcher.d/01-shorewall, regardless + of the setting of $CONFDIR. That has been corrected such that the + directory + ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall is + created instead. + +3) Previously, handling of the IPTABLES and IP6TABLES actions in the + conntrack file was broken. nfw provided a fix on IRC. + +4) The Shorewall-core and Shorewall6 installers would previously + report incorrectly that the product release was not installed. Matt + Darfeuille provided fixes. + ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G ---------------------------------------------------------------------------- 
@@ -28,15 +44,63 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The 'tunnels' file now supports 'tinc' tunnels. +1) The CLI programs (shorewall, shorewall6, etc) now support 'open' + and 'close' commands. The 'open' command temporarily opens the + firewall for a specified type of connection; the syntax is: -2) Previously, the SAME action in the mangle file had a fixed timeout - of 300 seconds (5 minutes). That action now allows specification of - a different timeout. + open <source> <destination> [ <protocol> [ <port> ] ] -3) It is now possible to add or delete addresses from an ipset with - entries in the mangle file. The ADD and DEL actions have the same - behavior in the mangle file as they do in the rules file. + The <source> and <destination> may be any of the following: + + - a host IP address + - a network IP address + - a valid DNS name (usual warnings apply) + - the word 'all', indicating that the <source> or <destination> is + not restricted + + The protocol may be specified by number or by a name. Same with + <port>. + + Example: Open SSH connections to 1.2.3.4 in Shorewall: + + shorewall open all 1.2.3.4 tcp ssh + + The 'close' command reverses the effect of an earlier 'open' + command and has two forms: + + close <open-number> + close <source> <destination> [ <protocol [ <port ] ] + + + In the first form, the <open-number> is the number displayed in the + 'num' column of the 'shorewall list opens' command (see below). + + In the second form, the parameters must match those of the earlier + 'open' command to be reversed. All temporary connections opens may + be deleted by simply restarting the firewall. + + Both commands require that the firewall be in the started state and + that DYNAMIC_BLACKLIST=Yes in the active configuration. + + The iptables rules created via 'open' commands can be displayed + using the 'show opens' command. 
+ + Example (after the above open command was executed): + + Shorewall 4.6.8 Temporarily opened connections at gateway - Fri Mar 6 09:47:06 PST 2015 + Chain dynamic (14 references) + num pkts bytes target prot opt in out source destination + 1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 1.2.3.4 multiport dports 22 + root@gateway:~# + +2) A 'safesets' command is now available to proactively save changes + to ipset contents. Using this command can guard against accidental + loss of ipset changes in the event of a system failure before a + 'stop' command has been completed. The exact action taken by the + command depends on the setting of SAVE_IPSETS in shorewall[6].conf. + +3) The SOURCE and DEST columns in the rtrules file may now contains + comma-separated lists of addresses. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -331,6 +395,26 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 7 +---------------------------------------------------------------------------- + +None. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 7 +---------------------------------------------------------------------------- + +1) The 'tunnels' file now supports 'tinc' tunnels. + +2) Previously, the SAME action in the mangle file had a fixed timeout + of 300 seconds (5 minutes). That action now allows specification of + a different timeout. + +3) It is now possible to add or delete addresses from an ipset with + entries in the mangle file. The ADD and DEL actions have the same + behavior in the mangle file as they do in the rules file. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 6 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.7/shorewall-lite.spec new/shorewall-lite-4.6.8/shorewall-lite.spec --- old/shorewall-lite-4.6.7/shorewall-lite.spec 2015-03-11 19:41:44.000000000 +0100 +++ new/shorewall-lite-4.6.8/shorewall-lite.spec 2015-04-02 22:27:48.000000000 +0200 @@ -1,5 +1,5 @@ %define name shorewall-lite -%define version 4.6.7 +%define version 4.6.8 %define release 0base %define initdir /etc/init.d 
@@ -106,6 +106,16 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Sun Mar 29 2015 Tom Eastep [email protected] +- Updated to 4.6.8-0base +* Tue Mar 24 2015 Tom Eastep [email protected] +- Updated to 4.6.8-0RC1 +* Tue Mar 17 2015 Tom Eastep [email protected] +- Updated to 4.6.8-0Beta3 +* Sat Mar 14 2015 Tom Eastep [email protected] +- Updated to 4.6.8-0Beta2 +* Fri Mar 06 2015 Tom Eastep [email protected] +- Updated to 4.6.8-0Beta1 * Thu Mar 05 2015 Tom Eastep [email protected] - Updated to 4.6.7-0base * Tue Mar 03 2015 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.7/uninstall.sh new/shorewall-lite-4.6.8/uninstall.sh --- old/shorewall-lite-4.6.7/uninstall.sh 2015-03-11 19:41:44.000000000 +0100 +++ new/shorewall-lite-4.6.8/uninstall.sh 2015-04-02 22:27:48.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.7 +VERSION=4.6.8 PRODUCT=shorewall-lite usage() # $1 = exit status @@ -40,6 +40,12 @@ exit $1 } +fatal_error() +{ + echo " ERROR: $@" >&2 + exit 1 +} + qt() { "$@" >/dev/null 2>&1 ++++++ shorewall-4.6.7.tar.bz2 -> shorewall6-4.6.8.tar.bz2 ++++++ ++++ 128028 lines of diff (skipped) ++++++ shorewall-lite-4.6.7.tar.bz2 -> shorewall6-lite-4.6.8.tar.bz2 ++++++ ++++ 8362 lines of diff (skipped)
