Hello community, here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2015-05-10 10:46:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shorewall (Old) and /work/SRC/openSUSE:Factory/.shorewall.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall" Changes: -------- --- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2015-04-15 16:24:55.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes 2015-05-10 10:46:55.000000000 +0200 @@ -1,0 +2,25 @@ +Thu May 7 16:39:16 UTC 2015 - [email protected] + +- Update to version 4.6.9 For more details see changelog.txt and + releasenotes.txt + + * This release contains defect repair from Shorewall 4.6.8.1 and + earlier releases. + + * The means for preventing loading of helper modules has been + clarified in the documentation. + + * The SetEvent and ResetEvent actions previously set/reset the + event even if the packet did not match the other specified + columns. This has been corrected. + + * Previously, the 'show capabilities' command was ignoring the + HELPERS setting. This resulted in unwanted modules being + autoloaded and, when the -f option was given, an incorrect + capabilities file was generated. + + * Previously, when 'wait' was specified for an interface, the + generated script erroneously checked for required interfaces on + all commands rather than just start, restart and restore. + +------------------------------------------------------------------- Old: ---- shorewall-4.6.8.1.tar.bz2 shorewall-core-4.6.8.1.tar.bz2 shorewall-docs-html-4.6.8.1.tar.bz2 shorewall-init-4.6.8.1.tar.bz2 shorewall-lite-4.6.8.1.tar.bz2 shorewall6-4.6.8.1.tar.bz2 shorewall6-lite-4.6.8.1.tar.bz2 New: ---- shorewall-4.6.9.tar.bz2 shorewall-core-4.6.9.tar.bz2 shorewall-docs-html-4.6.9.tar.bz2 shorewall-init-4.6.9.tar.bz2 shorewall-lite-4.6.9.tar.bz2 shorewall6-4.6.9.tar.bz2 shorewall6-lite-4.6.9.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.chsjFV/_old 2015-05-10 10:46:56.000000000 +0200 +++ /var/tmp/diff_new_pack.chsjFV/_new 2015-05-10 10:46:56.000000000 +0200 @@ -20,19 +20,19 @@ %define have_systemd 1 Name: shorewall -Version: 4.6.8.1 +Version: 4.6.9 Release: 0 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems License: GPL-2.0 Group: Productivity/Networking/Security Url: http://www.shorewall.net/ -Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/%{name}-%version.tar.bz2 -Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/%{name}-core-%version.tar.bz2 -Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/%{name}-lite-%version.tar.bz2 -Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/%{name}-init-%version.tar.bz2 -Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/%{name}6-lite-%version.tar.bz2 -Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/%{name}6-%version.tar.bz2 -Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/%{name}-docs-html-%version.tar.bz2 +Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}-%version.tar.bz2 +Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}-core-%version.tar.bz2 +Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}-lite-%version.tar.bz2 +Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}-init-%version.tar.bz2 +Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}6-lite-%version.tar.bz2 +Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}6-%version.tar.bz2 +Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}-docs-html-%version.tar.bz2 Source7: %{name}-4.4.22.rpmlintrc Source8: README.openSUSE # PATCH-FIX-UPSTREAM [email protected] Shorewall-lite init.suse.sh Required Stop ++++++ shorewall-4.6.8.1.tar.bz2 -> shorewall-4.6.9.tar.bz2 ++++++ ++++ 2622 lines of diff (skipped) ++++++ shorewall-core-4.6.8.1.tar.bz2 -> shorewall-core-4.6.9.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.8.1/changelog.txt new/shorewall-core-4.6.9/changelog.txt --- old/shorewall-core-4.6.8.1/changelog.txt 2015-04-11 16:50:07.000000000 +0200 +++ new/shorewall-core-4.6.9/changelog.txt 2015-05-06 18:14:15.000000000 +0200 @@ -1,9 +1,55 @@ -Changes in 4.6.8.1 +Changes in 4.6.9 Final 1) Update release documents. -2) Add 'wants=network-online.target' to service files so that the - firewall will start when there are required interfaces. +Changes in 4.6.9 RC 2 + +1) Update release documents. + +2) Fix generated code. + + - Eliminate syntax error + - Correct handling of required interfaces when 'wait' is specified. + +Changes in 4.6.9 RC 1 + +1) Update release documents. + +2) More detect_configuration() optimization. + +3) Add 'reenable' command. + +4) Fix helper capabilities detection. + +Changes in 4.6.9 Beta 3 + +1) Update release documents. + +2) Clarify how to avoid loading helper modules. + +3) Merge Tuomo Soini's QUIC macro. + +4) Merge Tuomo Soini's deprecation of the JabberSecure macro. + +5) Correct rule generated by SetEvent and ResetEvent. + +6) Optimize detect_configuration() for enable/disable. + +Changes in 4.6.9 Beta 2 + +1) Update release documents. + +2) Add brief mention of 'list' and 'ls' to the CLI manpages. + +3) Add complete syntax in the CLI manpages. + +4) Add Tuomo Soini's fixes for .service files. + +Changes in 4.6.9 Beta 1 + +1) Update release documents. + +2) Implement TCPMSS_TARGET capability. Changes in 4.6.8 Final diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.8.1/configure new/shorewall-core-4.6.9/configure --- old/shorewall-core-4.6.8.1/configure 2015-04-11 16:50:07.000000000 +0200 +++ new/shorewall-core-4.6.9/configure 2015-05-06 18:14:15.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.8.1 +VERSION=4.6.9 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.8.1/configure.pl new/shorewall-core-4.6.9/configure.pl --- old/shorewall-core-4.6.8.1/configure.pl 2015-04-11 16:50:07.000000000 +0200 +++ new/shorewall-core-4.6.9/configure.pl 2015-05-06 18:14:15.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.8.1' + VERSION => '4.6.9' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.8.1/install.sh new/shorewall-core-4.6.9/install.sh --- old/shorewall-core-4.6.8.1/install.sh 2015-04-11 16:50:07.000000000 +0200 +++ new/shorewall-core-4.6.9/install.sh 2015-05-06 18:14:15.000000000 +0200 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=4.6.8.1 +VERSION=4.6.9 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.8.1/known_problems.txt new/shorewall-core-4.6.9/known_problems.txt --- old/shorewall-core-4.6.8.1/known_problems.txt 2015-04-11 16:50:07.000000000 +0200 +++ new/shorewall-core-4.6.9/known_problems.txt 2015-05-06 18:14:15.000000000 +0200 @@ -1,7 +1,11 @@ 1) On systems running Upstart, shorewall-init cannot reliably secure the firewall before interfaces are brought up. -2) When servicd is installed and there were one or more required - interfaces, the firewall may fail to start at boot. +2) The SetEvent and ResetEvent actions currently set/reset the named + event even if the packet does not match the other specified + columns. - Corrected in Shorewall 4.6.8.1. +3) The 'show capabilities' command ignores the HELPERS setting. This + results in unwanted modules being autoloaded and, when the -f + option is given, an incorrect capabilities file is generated. + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.8.1/lib.cli new/shorewall-core-4.6.9/lib.cli --- old/shorewall-core-4.6.8.1/lib.cli 2015-04-11 16:49:05.000000000 +0200 +++ new/shorewall-core-4.6.9/lib.cli 2015-05-05 20:28:13.000000000 +0200 @@ -2475,6 +2475,7 @@ local chain local chain1 local arptables + local helper if [ -z "$g_tool" ]; then [ $g_family -eq 4 ] && tool=iptables || tool=ip6tables @@ -2776,21 +2777,44 @@ if qt $g_tool -t raw -A $chain -j CT --notrack; then CT_TARGET=Yes; - qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda && AMANDA_HELPER=Yes - qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp && FTP_HELPER=Yes - qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp-0 && FTP0_HELPER=Yes - qt $g_tool -t raw -A $chain -p udp --dport 1719 -j CT --helper RAS && H323_HELPER=Yes - qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc && IRC_HELPER=Yes - qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc-0 && IRC0_HELPER=Yes - qt $g_tool -t raw -A $chain -p udp --dport 137 -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes - qt $g_tool -t raw -A $chain -p tcp --dport 1729 -j CT --helper pptp && PPTP_HELPER=Yes - qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane && SANE_HELPER=Yes - qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane-0 && SANE0_HELPER=Yes - qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip && SIP_HELPER=Yes - qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip-0 && SIP0_HELPER=Yes - qt $g_tool -t raw -A $chain -p udp --dport 161 -j CT --helper snmp && SNMP_HELPER=Yes - qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp && TFTP_HELPER=Yes - qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp-0 && TFTP0_HELPER=Yes + for helper in amanda ftp ftp0 h323 irc irc0 netbios_ns pptp sane sane0 sip sip0 snmp tftp tftp0; do + eval ${helper}_ENABLED='' + done + + if [ -n "$HELPERS" ]; then + for helper in $(split_list "$HELPERS"); do + case $helper in + none) + ;; + amanda|ftp|ftp0|h323|irc|irc0|netbios_ns|pptp|sane|sane0|sip|sip0|snmp|tftp|tftp0) + eval ${helper}_ENABLED=Yes + ;; + *) + error_message "WARNING: Invalid helper ($helper) ignored" + ;; + esac + done + else + for helper in amanda ftp ftp0 h323 irc irc0 netbios_ns pptp sane sane0 sip sip0 snmp tftp tftp0; do + eval ${helper}_ENABLED=Yes + done + fi + + [ -n "$amanda_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda && AMANDA_HELPER=Yes + [ -n "$ftp_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp && FTP_HELPER=Yes + [ -n "$ftp0_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp-0 && FTP0_HELPER=Yes + [ -n "$h323_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 1719 -j CT --helper RAS && H323_HELPER=Yes + [ -n "$irc_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc && IRC_HELPER=Yes + [ -n "$irc0_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc-0 && IRC0_HELPER=Yes + [ -n "$netbios_ns_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 137 -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes + [ -n "$pptp_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 1729 -j CT --helper pptp && PPTP_HELPER=Yes + [ -n "$sane_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane && SANE_HELPER=Yes + [ -n "$sane0_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane-0 && SANE0_HELPER=Yes + [ -n "$sip_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip && SIP_HELPER=Yes + [ -n "$sip0_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip-0 && SIP0_HELPER=Yes + [ -n "$snmp_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 161 -j CT --helper snmp && SNMP_HELPER=Yes + [ -n "$tftp_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp && TFTP_HELPER=Yes + [ -n "$tftp0_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp-0 && TFTP0_HELPER=Yes fi qt $g_tool -t raw -F $chain @@ -3834,6 +3858,7 @@ echo " logwatch [<refresh interval>]" echo " open <source> <dest> [ <protocol> [ <port> ] ]" echo " reject <address> ..." + echo " reenable <interface>" echo " reset [ <chain> ... ]" echo " restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]" echo " restore [ -n ] [ -p ] [ -C ] [ <file name> ]" @@ -4102,7 +4127,7 @@ shift restart_command $@ ;; - disable|enable) + disable|enable|reenable) get_config Yes if product_is_started; then run_it ${VARDIR}/firewall $g_debugging $@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.8.1/lib.common new/shorewall-core-4.6.9/lib.common --- old/shorewall-core-4.6.8.1/lib.common 2015-04-11 16:49:05.000000000 +0200 +++ new/shorewall-core-4.6.9/lib.common 2015-05-05 20:28:13.000000000 +0200 @@ -212,6 +212,17 @@ } # +# Split a comma-separated list into a space-separated list +# +split_list() { + local ifs + ifs=$IFS + IFS=, + echo $* + IFS=$ifs +} + +# # Search a list looking for a match -- returns zero if a match found # 1 otherwise # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.8.1/releasenotes.txt new/shorewall-core-4.6.9/releasenotes.txt --- old/shorewall-core-4.6.8.1/releasenotes.txt 2015-04-11 16:50:07.000000000 +0200 +++ new/shorewall-core-4.6.9/releasenotes.txt 2015-05-06 18:14:15.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 8 . 1 - ------------------------------------ - A p r i l 1 1 , 2 0 1 5 + S H O R E W A L L 4 . 6 . 9 + ---------------------------- + M a y 0 6 , 2 0 1 5 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE @@ -14,36 +14,24 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.8.1 - -1) Previously, when servicd was installed and there were one or more - required interfaces, the firewall would fail to start at boot. This - has been corrected by Tuomo Soini. - -2) Some startup logic in lib.cli has been deleted. A bug prevented the - code from working as intended, so there is no loss of functionality - resulting from deletion of the code. - -4.6.8 - -1) This release includes defect repair from Shorewall 4.6.6.2 and +1) This release contains defect repair from Shorewall 4.6.8.1 and earlier releases. -2) Previously, when the -n option was specified and NetworkManager was - installed on the target system, the Shorewall-init installer would - still create - ${DESTDIR}etc/NetworkManager/dispatcher.d/01-shorewall, regardless - of the setting of $CONFDIR. That has been corrected such that the - directory - ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall is - created instead. - -3) Previously, handling of the IPTABLES and IP6TABLES actions in the - conntrack file was broken. nfw provided a fix on IRC. +2) The means for preventing loading of helper modules has been + clarified in the documentation. -4) The Shorewall-core and Shorewall6 installers would previously - report incorrectly that the product release was not installed. Matt - Darfeuille provided fixes. +3) The SetEvent and ResetEvent actions previously set/reset the event + even if the packet did not match the other specified columns. This + has been corrected. + +4) Previously, the 'show capabilities' command was ignoring the + HELPERS setting. This resulted in unwanted modules being autoloaded + and, when the -f option was given, an incorrect capabilities file + was generated. + +6) Previously, when 'wait' was specified for an interface, the + generated script erroneously checked for required interfaces on all + commands rather than just start, restart and restore. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G @@ -56,63 +44,36 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The CLI programs (shorewall, shorewall6, etc) now support 'open' - and 'close' commands. The 'open' command temporarily opens the - firewall for a specified type of connection; the syntax is: - - open <source> <destination> [ <protocol> [ <port> ] ] - - The <source> and <destination> may be any of the following: - - - a host IP address - - a network IP address - - a valid DNS name (usual warnings apply) - - the word 'all', indicating that the <source> or <destination> is - not restricted - - The protocol may be specified by number or by a name. Same with - <port>. - - Example: Open SSH connections to 1.2.3.4 in Shorewall: - - shorewall open all 1.2.3.4 tcp ssh - - The 'close' command reverses the effect of an earlier 'open' - command and has two forms: - - close <open-number> - close <source> <destination> [ <protocol [ <port ] ] - - - In the first form, the <open-number> is the number displayed in the - 'num' column of the 'shorewall list opens' command (see below). - - In the second form, the parameters must match those of the earlier - 'open' command to be reversed. All temporary connections opens may - be deleted by simply restarting the firewall. - - Both commands require that the firewall be in the started state and - that DYNAMIC_BLACKLIST=Yes in the active configuration. - - The iptables rules created via 'open' commands can be displayed - using the 'show opens' command. - - Example (after the above open command was executed): - - Shorewall 4.6.8 Temporarily opened connections at gateway - Fri Mar 6 09:47:06 PST 2015 - Chain dynamic (14 references) - num pkts bytes target prot opt in out source destination - 1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 1.2.3.4 multiport dports 22 - root@gateway:~# - -2) A 'safesets' command is now available to proactively save changes - to ipset contents. Using this command can guard against accidental - loss of ipset changes in the event of a system failure before a - 'stop' command has been completed. The exact action taken by the - command depends on the setting of SAVE_IPSETS in shorewall[6].conf. - -3) The SOURCE and DEST columns in the rtrules file may now contains - comma-separated lists of addresses. +1) There is now a TCPMSS Target (TCPMSS_TARGET) capability. Your + iptables and kernel must support this capability in order to use + the CLAMPMSS option in shorewall.conf and the 'mss=' option in the + zones, interfaces and hosts files. This capability was added when + it was learned that Debian on ARM doesn't provide the feature. + + When using a capabilities file from at earlier release, the + compiler assumes that this capability is available, since most + distributions have traditionally provided the capability. + +2) The CLI manpages now state explicitly that 'list' and 'ls' are + synonyms for 'show' and refer the reader to the description of + 'show'. + +3) The complete syntax of each CLI command is now repeated in the + detailed description of the command in the man pages. + +4) Tuomo Soini has contributed a QUIC macro. + +5) The JabberSecure macro is now deprecated. Configure Jabber to use + TLS and use the Jabber macro instead. (Tuomo Soini). + +6) The enable and disable commands now execute more quickly on slow + hardware. + +7) The CLI programs now support a 'reenable' command. This command is + logically equivalent to a 'disable' command followed by an 'enable' + command, with the exception that no error is generated if the + specified interface or provider is disabled at the time the + command is given. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S @@ -282,7 +243,7 @@ is '-' rather than '2'. If you prefer to keep your pre-4.6.0 chain names, then specify ZONE2ZONE=2 in shorewall[6].conf. -13) Beginning with Shorewall 4.6.0, ection headers are now preceded by +13) Beginning with Shorewall 4.6.0, section headers are now preceded by '?' (e.g., '?SECTION ...'). If your configuration contains any bare 'SECTION' entries, the following warning is issued: @@ -407,6 +368,91 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 8 +---------------------------------------------------------------------------- + +1) This release includes defect repair from Shorewall 4.6.6.2 and + earlier releases. + +2) Previously, when the -n option was specified and NetworkManager was + installed on the target system, the Shorewall-init installer would + still create + ${DESTDIR}etc/NetworkManager/dispatcher.d/01-shorewall, regardless + of the setting of $CONFDIR. That has been corrected such that the + directory + ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall is + created instead. + +3) Previously, handling of the IPTABLES and IP6TABLES actions in the + conntrack file was broken. nfw provided a fix on IRC. + +4) The Shorewall-core and Shorewall6 installers would previously + report incorrectly that the product release was not installed. Matt + Darfeuille provided fixes. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 8 +---------------------------------------------------------------------------- + +1) The CLI programs (shorewall, shorewall6, etc) now support 'open' + and 'close' commands. The 'open' command temporarily opens the + firewall for a specified type of connection; the syntax is: + + open <source> <destination> [ <protocol> [ <port> ] ] + + The <source> and <destination> may be any of the following: + + - a host IP address + - a network IP address + - a valid DNS name (usual warnings apply) + - the word 'all', indicating that the <source> or <destination> is + not restricted + + The protocol may be specified by number or by a name. Same with + <port>. + + Example: Open SSH connections to 1.2.3.4 in Shorewall: + + shorewall open all 1.2.3.4 tcp ssh + + The 'close' command reverses the effect of an earlier 'open' + command and has two forms: + + close <open-number> + close <source> <destination> [ <protocol [ <port ] ] + + + In the first form, the <open-number> is the number displayed in the + 'num' column of the 'shorewall list opens' command (see below). + + In the second form, the parameters must match those of the earlier + 'open' command to be reversed. All temporary connections opens may + be deleted by simply restarting the firewall. + + Both commands require that the firewall be in the started state and + that DYNAMIC_BLACKLIST=Yes in the active configuration. + + The iptables rules created via 'open' commands can be displayed + using the 'show opens' command. + + Example (after the above open command was executed): + + Shorewall 4.6.8 Temporarily opened connections at gateway - Fri Mar 6 09:47:06 PST 2015 + Chain dynamic (14 references) + num pkts bytes target prot opt in out source destination + 1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 1.2.3.4 multiport dports 22 + root@gateway:~# + +2) A 'safesets' command is now available to proactively save changes + to ipset contents. Using this command can guard against accidental + loss of ipset changes in the event of a system failure before a + 'stop' command has been completed. The exact action taken by the + command depends on the setting of SAVE_IPSETS in shorewall[6].conf. + +3) The SOURCE and DEST columns in the rtrules file may now contains + comma-separated lists of addresses. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 7 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.8.1/shorewall-core.spec new/shorewall-core-4.6.9/shorewall-core.spec --- old/shorewall-core-4.6.8.1/shorewall-core.spec 2015-04-11 16:50:07.000000000 +0200 +++ new/shorewall-core-4.6.9/shorewall-core.spec 2015-05-06 18:14:15.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-core -%define version 4.6.8 -%define release 1 +%define version 4.6.9 +%define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} @@ -63,8 +63,18 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt %changelog -* Sat Apr 11 2015 Tom Eastep [email protected] -- Updated to 4.6.8-1 +* Tue May 05 2015 Tom Eastep [email protected] +- Updated to 4.6.9-0base +* Tue May 05 2015 Tom Eastep [email protected] +- Updated to 4.6.9-0RC2 +* Mon Apr 27 2015 Tom Eastep [email protected] +- Updated to 4.6.9-0RC1 +* Fri Apr 17 2015 Tom Eastep [email protected] +- Updated to 4.6.9-0Beta3 +* Mon Apr 06 2015 Tom Eastep [email protected] +- Updated to 4.6.9-0Beta2 +* Fri Apr 03 2015 Tom Eastep [email protected] +- Updated to 4.6.9-0Beta1 * Sun Mar 29 2015 Tom Eastep [email protected] - Updated to 4.6.8-0base * Tue Mar 24 2015 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.8.1/uninstall.sh new/shorewall-core-4.6.9/uninstall.sh --- old/shorewall-core-4.6.8.1/uninstall.sh 2015-04-11 16:50:07.000000000 +0200 +++ new/shorewall-core-4.6.9/uninstall.sh 2015-05-06 18:14:15.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.8.1 +VERSION=4.6.9 usage() # $1 = exit status { ++++++ shorewall-docs-html-4.6.8.1.tar.bz2 -> shorewall-docs-html-4.6.9.tar.bz2 ++++++ ++++ 7951 lines of diff (skipped) ++++++ shorewall-init-4.6.8.1.tar.bz2 -> shorewall-init-4.6.9.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.8.1/changelog.txt new/shorewall-init-4.6.9/changelog.txt --- old/shorewall-init-4.6.8.1/changelog.txt 2015-04-11 16:50:08.000000000 +0200 +++ new/shorewall-init-4.6.9/changelog.txt 2015-05-06 18:14:16.000000000 +0200 @@ -1,9 +1,55 @@ -Changes in 4.6.8.1 +Changes in 4.6.9 Final 1) Update release documents. -2) Add 'wants=network-online.target' to service files so that the - firewall will start when there are required interfaces. +Changes in 4.6.9 RC 2 + +1) Update release documents. + +2) Fix generated code. + + - Eliminate syntax error + - Correct handling of required interfaces when 'wait' is specified. + +Changes in 4.6.9 RC 1 + +1) Update release documents. + +2) More detect_configuration() optimization. + +3) Add 'reenable' command. + +4) Fix helper capabilities detection. + +Changes in 4.6.9 Beta 3 + +1) Update release documents. + +2) Clarify how to avoid loading helper modules. + +3) Merge Tuomo Soini's QUIC macro. + +4) Merge Tuomo Soini's deprecation of the JabberSecure macro. + +5) Correct rule generated by SetEvent and ResetEvent. + +6) Optimize detect_configuration() for enable/disable. + +Changes in 4.6.9 Beta 2 + +1) Update release documents. + +2) Add brief mention of 'list' and 'ls' to the CLI manpages. + +3) Add complete syntax in the CLI manpages. + +4) Add Tuomo Soini's fixes for .service files. + +Changes in 4.6.9 Beta 1 + +1) Update release documents. + +2) Implement TCPMSS_TARGET capability. Changes in 4.6.8 Final diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.8.1/configure new/shorewall-init-4.6.9/configure --- old/shorewall-init-4.6.8.1/configure 2015-04-11 16:50:08.000000000 +0200 +++ new/shorewall-init-4.6.9/configure 2015-05-06 18:14:16.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.8.1 +VERSION=4.6.9 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.8.1/configure.pl new/shorewall-init-4.6.9/configure.pl --- old/shorewall-init-4.6.8.1/configure.pl 2015-04-11 16:50:08.000000000 +0200 +++ new/shorewall-init-4.6.9/configure.pl 2015-05-06 18:14:16.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.8.1' + VERSION => '4.6.9' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.8.1/install.sh new/shorewall-init-4.6.9/install.sh --- old/shorewall-init-4.6.8.1/install.sh 2015-04-11 16:50:08.000000000 +0200 +++ new/shorewall-init-4.6.9/install.sh 2015-05-06 18:14:16.000000000 +0200 @@ -27,7 +27,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.6.8.1 +VERSION=4.6.9 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.8.1/releasenotes.txt new/shorewall-init-4.6.9/releasenotes.txt --- old/shorewall-init-4.6.8.1/releasenotes.txt 2015-04-11 16:50:08.000000000 +0200 +++ new/shorewall-init-4.6.9/releasenotes.txt 2015-05-06 18:14:16.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 8 . 1 - ------------------------------------ - A p r i l 1 1 , 2 0 1 5 + S H O R E W A L L 4 . 6 . 9 + ---------------------------- + M a y 0 6 , 2 0 1 5 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE @@ -14,36 +14,24 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.8.1 - -1) Previously, when servicd was installed and there were one or more - required interfaces, the firewall would fail to start at boot. This - has been corrected by Tuomo Soini. - -2) Some startup logic in lib.cli has been deleted. A bug prevented the - code from working as intended, so there is no loss of functionality - resulting from deletion of the code. - -4.6.8 - -1) This release includes defect repair from Shorewall 4.6.6.2 and +1) This release contains defect repair from Shorewall 4.6.8.1 and earlier releases. -2) Previously, when the -n option was specified and NetworkManager was - installed on the target system, the Shorewall-init installer would - still create - ${DESTDIR}etc/NetworkManager/dispatcher.d/01-shorewall, regardless - of the setting of $CONFDIR. That has been corrected such that the - directory - ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall is - created instead. - -3) Previously, handling of the IPTABLES and IP6TABLES actions in the - conntrack file was broken. nfw provided a fix on IRC. +2) The means for preventing loading of helper modules has been + clarified in the documentation. -4) The Shorewall-core and Shorewall6 installers would previously - report incorrectly that the product release was not installed. Matt - Darfeuille provided fixes. +3) The SetEvent and ResetEvent actions previously set/reset the event + even if the packet did not match the other specified columns. This + has been corrected. + +4) Previously, the 'show capabilities' command was ignoring the + HELPERS setting. This resulted in unwanted modules being autoloaded + and, when the -f option was given, an incorrect capabilities file + was generated. + +6) Previously, when 'wait' was specified for an interface, the + generated script erroneously checked for required interfaces on all + commands rather than just start, restart and restore. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G @@ -56,63 +44,36 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The CLI programs (shorewall, shorewall6, etc) now support 'open' - and 'close' commands. The 'open' command temporarily opens the - firewall for a specified type of connection; the syntax is: - - open <source> <destination> [ <protocol> [ <port> ] ] - - The <source> and <destination> may be any of the following: - - - a host IP address - - a network IP address - - a valid DNS name (usual warnings apply) - - the word 'all', indicating that the <source> or <destination> is - not restricted - - The protocol may be specified by number or by a name. Same with - <port>. - - Example: Open SSH connections to 1.2.3.4 in Shorewall: - - shorewall open all 1.2.3.4 tcp ssh - - The 'close' command reverses the effect of an earlier 'open' - command and has two forms: - - close <open-number> - close <source> <destination> [ <protocol [ <port ] ] - - - In the first form, the <open-number> is the number displayed in the - 'num' column of the 'shorewall list opens' command (see below). - - In the second form, the parameters must match those of the earlier - 'open' command to be reversed. All temporary connections opens may - be deleted by simply restarting the firewall. - - Both commands require that the firewall be in the started state and - that DYNAMIC_BLACKLIST=Yes in the active configuration. - - The iptables rules created via 'open' commands can be displayed - using the 'show opens' command. - - Example (after the above open command was executed): - - Shorewall 4.6.8 Temporarily opened connections at gateway - Fri Mar 6 09:47:06 PST 2015 - Chain dynamic (14 references) - num pkts bytes target prot opt in out source destination - 1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 1.2.3.4 multiport dports 22 - root@gateway:~# - -2) A 'safesets' command is now available to proactively save changes - to ipset contents. Using this command can guard against accidental - loss of ipset changes in the event of a system failure before a - 'stop' command has been completed. The exact action taken by the - command depends on the setting of SAVE_IPSETS in shorewall[6].conf. - -3) The SOURCE and DEST columns in the rtrules file may now contains - comma-separated lists of addresses. +1) There is now a TCPMSS Target (TCPMSS_TARGET) capability. Your + iptables and kernel must support this capability in order to use + the CLAMPMSS option in shorewall.conf and the 'mss=' option in the + zones, interfaces and hosts files. This capability was added when + it was learned that Debian on ARM doesn't provide the feature. + + When using a capabilities file from at earlier release, the + compiler assumes that this capability is available, since most + distributions have traditionally provided the capability. + +2) The CLI manpages now state explicitly that 'list' and 'ls' are + synonyms for 'show' and refer the reader to the description of + 'show'. + +3) The complete syntax of each CLI command is now repeated in the + detailed description of the command in the man pages. + +4) Tuomo Soini has contributed a QUIC macro. + +5) The JabberSecure macro is now deprecated. Configure Jabber to use + TLS and use the Jabber macro instead. (Tuomo Soini). + +6) The enable and disable commands now execute more quickly on slow + hardware. + +7) The CLI programs now support a 'reenable' command. This command is + logically equivalent to a 'disable' command followed by an 'enable' + command, with the exception that no error is generated if the + specified interface or provider is disabled at the time the + command is given. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S @@ -282,7 +243,7 @@ is '-' rather than '2'. If you prefer to keep your pre-4.6.0 chain names, then specify ZONE2ZONE=2 in shorewall[6].conf. -13) Beginning with Shorewall 4.6.0, ection headers are now preceded by +13) Beginning with Shorewall 4.6.0, section headers are now preceded by '?' (e.g., '?SECTION ...'). If your configuration contains any bare 'SECTION' entries, the following warning is issued: @@ -407,6 +368,91 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 8 +---------------------------------------------------------------------------- + +1) This release includes defect repair from Shorewall 4.6.6.2 and + earlier releases. + +2) Previously, when the -n option was specified and NetworkManager was + installed on the target system, the Shorewall-init installer would + still create + ${DESTDIR}etc/NetworkManager/dispatcher.d/01-shorewall, regardless + of the setting of $CONFDIR. That has been corrected such that the + directory + ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall is + created instead. + +3) Previously, handling of the IPTABLES and IP6TABLES actions in the + conntrack file was broken. nfw provided a fix on IRC. + +4) The Shorewall-core and Shorewall6 installers would previously + report incorrectly that the product release was not installed. Matt + Darfeuille provided fixes. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 8 +---------------------------------------------------------------------------- + +1) The CLI programs (shorewall, shorewall6, etc) now support 'open' + and 'close' commands. The 'open' command temporarily opens the + firewall for a specified type of connection; the syntax is: + + open <source> <destination> [ <protocol> [ <port> ] ] + + The <source> and <destination> may be any of the following: + + - a host IP address + - a network IP address + - a valid DNS name (usual warnings apply) + - the word 'all', indicating that the <source> or <destination> is + not restricted + + The protocol may be specified by number or by a name. Same with + <port>. + + Example: Open SSH connections to 1.2.3.4 in Shorewall: + + shorewall open all 1.2.3.4 tcp ssh + + The 'close' command reverses the effect of an earlier 'open' + command and has two forms: + + close <open-number> + close <source> <destination> [ <protocol [ <port ] ] + + + In the first form, the <open-number> is the number displayed in the + 'num' column of the 'shorewall list opens' command (see below). + + In the second form, the parameters must match those of the earlier + 'open' command to be reversed. All temporary connections opens may + be deleted by simply restarting the firewall. + + Both commands require that the firewall be in the started state and + that DYNAMIC_BLACKLIST=Yes in the active configuration. + + The iptables rules created via 'open' commands can be displayed + using the 'show opens' command. + + Example (after the above open command was executed): + + Shorewall 4.6.8 Temporarily opened connections at gateway - Fri Mar 6 09:47:06 PST 2015 + Chain dynamic (14 references) + num pkts bytes target prot opt in out source destination + 1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 1.2.3.4 multiport dports 22 + root@gateway:~# + +2) A 'safesets' command is now available to proactively save changes + to ipset contents. Using this command can guard against accidental + loss of ipset changes in the event of a system failure before a + 'stop' command has been completed. The exact action taken by the + command depends on the setting of SAVE_IPSETS in shorewall[6].conf. + +3) The SOURCE and DEST columns in the rtrules file may now contains + comma-separated lists of addresses. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 7 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.8.1/shorewall-init.service new/shorewall-init-4.6.9/shorewall-init.service --- old/shorewall-init-4.6.8.1/shorewall-init.service 2015-04-11 16:49:05.000000000 +0200 +++ new/shorewall-init-4.6.9/shorewall-init.service 2015-05-05 20:28:13.000000000 +0200 @@ -6,8 +6,7 @@ [Unit] Description=Shorewall IPv4 firewall (bootup security) Before=network.target -Wants=network.target -Conflicts=iptables.service firewalld.service +Conflicts=iptables.service ip6tables.service firewalld.service [Service] Type=oneshot diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.8.1/shorewall-init.spec new/shorewall-init-4.6.9/shorewall-init.spec --- old/shorewall-init-4.6.8.1/shorewall-init.spec 2015-04-11 16:50:08.000000000 +0200 +++ new/shorewall-init-4.6.9/shorewall-init.spec 2015-05-06 18:14:16.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-init -%define version 4.6.8 -%define release 1 +%define version 4.6.9 +%define release 0base Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} @@ -126,8 +126,18 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Sat Apr 11 2015 Tom Eastep [email protected] -- Updated to 4.6.8-1 +* Tue May 05 2015 Tom Eastep [email protected] +- Updated to 4.6.9-0base +* Tue May 05 2015 Tom Eastep [email protected] +- Updated to 4.6.9-0RC2 +* Mon Apr 27 2015 Tom Eastep [email protected] +- Updated to 4.6.9-0RC1 +* Fri Apr 17 2015 Tom Eastep [email protected] +- Updated to 4.6.9-0Beta3 +* Mon Apr 06 2015 Tom Eastep [email protected] +- Updated to 4.6.9-0Beta2 +* Fri Apr 03 2015 Tom Eastep [email protected] +- Updated to 4.6.9-0Beta1 * Sun Mar 29 2015 Tom Eastep [email protected] - Updated to 4.6.8-0base * Tue Mar 24 2015 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.8.1/uninstall.sh new/shorewall-init-4.6.9/uninstall.sh --- old/shorewall-init-4.6.8.1/uninstall.sh 2015-04-11 16:50:08.000000000 +0200 +++ new/shorewall-init-4.6.9/uninstall.sh 2015-05-06 18:14:16.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.8.1 +VERSION=4.6.9 usage() # $1 = exit status { ++++++ shorewall-lite-4.6.8.1.tar.bz2 -> shorewall-lite-4.6.9.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.8.1/changelog.txt new/shorewall-lite-4.6.9/changelog.txt --- old/shorewall-lite-4.6.8.1/changelog.txt 2015-04-11 16:50:08.000000000 +0200 +++ new/shorewall-lite-4.6.9/changelog.txt 2015-05-06 18:14:16.000000000 +0200 @@ -1,9 +1,55 @@ -Changes in 4.6.8.1 +Changes in 4.6.9 Final 1) Update release documents. -2) Add 'wants=network-online.target' to service files so that the - firewall will start when there are required interfaces. +Changes in 4.6.9 RC 2 + +1) Update release documents. + +2) Fix generated code. + + - Eliminate syntax error + - Correct handling of required interfaces when 'wait' is specified. + +Changes in 4.6.9 RC 1 + +1) Update release documents. + +2) More detect_configuration() optimization. + +3) Add 'reenable' command. + +4) Fix helper capabilities detection. + +Changes in 4.6.9 Beta 3 + +1) Update release documents. + +2) Clarify how to avoid loading helper modules. + +3) Merge Tuomo Soini's QUIC macro. + +4) Merge Tuomo Soini's deprecation of the JabberSecure macro. + +5) Correct rule generated by SetEvent and ResetEvent. + +6) Optimize detect_configuration() for enable/disable. + +Changes in 4.6.9 Beta 2 + +1) Update release documents. + +2) Add brief mention of 'list' and 'ls' to the CLI manpages. + +3) Add complete syntax in the CLI manpages. + +4) Add Tuomo Soini's fixes for .service files. + +Changes in 4.6.9 Beta 1 + +1) Update release documents. + +2) Implement TCPMSS_TARGET capability. Changes in 4.6.8 Final diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.8.1/configure new/shorewall-lite-4.6.9/configure --- old/shorewall-lite-4.6.8.1/configure 2015-04-11 16:50:08.000000000 +0200 +++ new/shorewall-lite-4.6.9/configure 2015-05-06 18:14:16.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.8.1 +VERSION=4.6.9 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.8.1/configure.pl new/shorewall-lite-4.6.9/configure.pl --- old/shorewall-lite-4.6.8.1/configure.pl 2015-04-11 16:50:08.000000000 +0200 +++ new/shorewall-lite-4.6.9/configure.pl 2015-05-06 18:14:16.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.8.1' + VERSION => '4.6.9' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.8.1/install.sh new/shorewall-lite-4.6.9/install.sh --- old/shorewall-lite-4.6.8.1/install.sh 2015-04-11 16:50:08.000000000 +0200 +++ new/shorewall-lite-4.6.9/install.sh 2015-05-06 18:14:16.000000000 +0200 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=4.6.8.1 +VERSION=4.6.9 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.8.1/manpages/shorewall-lite-vardir.5 new/shorewall-lite-4.6.9/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-4.6.8.1/manpages/shorewall-lite-vardir.5 2015-04-11 16:53:30.000000000 +0200 +++ new/shorewall-lite-4.6.9/manpages/shorewall-lite-vardir.5 2015-05-06 18:17:38.000000000 +0200 @@ -2,12 +2,12 @@ .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 04/11/2015 +.\" Date: 05/06/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "04/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\-VAR" "5" "05/06/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.8.1/manpages/shorewall-lite.8 new/shorewall-lite-4.6.9/manpages/shorewall-lite.8 --- old/shorewall-lite-4.6.8.1/manpages/shorewall-lite.8 2015-04-11 16:53:32.000000000 +0200 +++ new/shorewall-lite-4.6.9/manpages/shorewall-lite.8 2015-05-06 18:17:40.000000000 +0200 @@ -2,12 +2,12 @@ .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 04/11/2015 +.\" Date: 05/06/2015 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "04/11/2015" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL\-LITE" "8" "05/06/2015" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -71,11 +71,13 @@ .HP \w'\fBshorewall\-lite\fR\ 'u \fBshorewall\-lite\fR \fBopen\fR\fI\ source\fR\fI\ dest\fR\ [\ \fIprotocol\fR\ [\ \fIport\fR\ ]\ ] .HP \w'\fBshorewall\-lite\fR\ 'u +\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBreenable\fR {\ \fIinterface\fR\ |\ \fIprovider\fR\ } +.HP \w'\fBshorewall\-lite\fR\ 'u \fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBreject\fR \fIaddress\fR .HP \w'\fBshorewall\-lite\fR\ 'u \fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBreset\fR .HP \w'\fBshorewall\-lite\fR\ 'u -\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBrestart\fR [\fB\-n\fR] [\fB\-p\fR\ [\fB\-C\fR]] [\fIdirectory\fR] +\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBrestart\fR [\fB\-n\fR] [\fB\-p\fR\ [\fB\-C\fR]] .HP \w'\fBshorewall\-lite\fR\ 'u \fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBrestore\fR [\fB\-C\fR] [\fIfilename\fR] .HP \w'\fBshorewall\-lite\fR\ 'u @@ -155,7 +157,7 @@ .PP The available commands are listed below\&. .PP -\fBadd\fR +\fBadd \fR{ \fIinterface\fR[:\fIhost\-list\fR]\&.\&.\&. \fIzone\fR | \fIzone\fR \fIhost\-list\fR } .RS 4 Adds a list of hosts or subnets to a dynamic zone usually used with VPN\*(Aqs\&. .sp @@ -191,7 +193,7 @@ .RE .RE .PP -\fBallow\fR +\fBallow \fR\fIaddress\fR .RS 4 Re\-enables receipt of packets from hosts previously blacklisted by a \fBdrop\fR, @@ -201,7 +203,7 @@ command\&. .RE .PP -\fBclear\fR +\fBclear \fR[\-\fBf\fR] .RS 4 Clear will remove all rules and chains installed by Shorewall\-lite\&. The firewall is then wide open and unprotected\&. Existing connections are untouched\&. Clear is often used to see if the firewall is causing connection problems\&. .sp @@ -231,7 +233,7 @@ command\&. .RE .PP -\fBdelete\fR +\fBdelete \fR{ \fIinterface\fR[:\fIhost\-list\fR]\&.\&.\&. \fIzone\fR | \fIzone\fR \fIhost\-list\fR } .RS 4 The delete command reverses the effect of an earlier \fBadd\fR @@ -245,7 +247,7 @@ is comma\-separated list whose elements are a host or network address\&. .RE .PP -\fBdisable\fR +\fBdisable \fR{ \fIinterface\fR | \fIprovider\fR } .RS 4 Added in Shorewall 4\&.4\&.26\&. Disables the optional provider associated with the specified \fIinterface\fR @@ -255,13 +257,13 @@ name must be given\&. .RE .PP -\fBdrop\fR +\fBdrop \fR\fIaddress\fR .RS 4 Causes traffic from the listed \fIaddress\fRes to be silently dropped\&. .RE .PP -\fBdump\fR +\fBdump \fR[\-\fBx\fR] [\-\fBl\fR] [\-\fBm\fR] [\-\fBc\fR] .RS 4 Produces a verbose report about the firewall configuration for the purpose of problem analysis\&. .sp @@ -280,7 +282,7 @@ option causes the route cache to be dumped in addition to the other routing information\&. .RE .PP -\fBenable\fR +\fBenable \fR{ \fIinterface\fR | \fIprovider\fR } .RS 4 Added in Shorewall 4\&.4\&.26\&. Enables the optional provider associated with the specified \fIinterface\fR @@ -290,7 +292,7 @@ name must be given\&. .RE .PP -\fBforget\fR +\fBforget \fR[ \fIfilename\fR ] .RS 4 Deletes /var/lib/shorewall\-lite/\fIfilename\fR and /var/lib/shorewall\-lite/save\&. If no @@ -304,24 +306,24 @@ Displays a syntax summary\&. .RE .PP -\fBhits\fR +\fBhits \fR [\-\fBt\fR] .RS 4 Generates several reports from Shorewall\-lite log messages in the current log file\&. If the \fB\-t\fR option is included, the reports are restricted to log messages generated today\&. .RE .PP -\fBipcalc\fR +\fBipcalc \fR{ address mask | address/vlsm } .RS 4 Ipcalc displays the network address, broadcast address, network in CIDR notation and netmask corresponding to the input[s]\&. .RE .PP -\fBiprange\fR +\fBiprange \fR\fIaddress1\fR\-\fIaddress2\fR .RS 4 Iprange decomposes the specified range of IP addresses into the equivalent list of network/host addresses\&. .RE .PP -\fBiptrace\fR +\fBiptrace \fR\fIiptables match expression\fR .RS 4 This is a low\-level debugging command that causes iptables TRACE log records to be created\&. See iptables(8) for details\&. .sp @@ -332,7 +334,15 @@ The trace records are written to the kernel\*(Aqs log buffer with facility = kernel and priority = warning, and they are routed from there by your logging daemon (syslogd, rsyslog, syslog\-ng, \&.\&.\&.) \-\- Shorewall\-lite has no control over where the messages go; consult your logging daemon\*(Aqs documentation\&. .RE .PP -\fBlogdrop\fR +\fBlist\fR +.RS 4 +\fBlist\fR +is a synonym for +\fBshow\fR +\-\- please see below\&. +.RE +.PP +\fBlogdrop \fR\fIaddress\fR .RS 4 Causes traffic from the listed \fIaddress\fRes to be logged then discarded\&. Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL setting in @@ -340,7 +350,7 @@ (5)\&. .RE .PP -\fBlogwatch\fR +\fBlogwatch \fR[\-\fBm\fR] [\fIrefresh\-interval\fR] .RS 4 Monitors the log file specified by the LOGFILE option in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5) and produces an audible alarm when new Shorewall\-lite messages are logged\&. The @@ -351,7 +361,7 @@ \fBshorewall\-lite logwatch \-\- \-30\fR)\&. In this case, when a packet count changes, you will be prompted to hit any key to resume screen refreshes\&. .RE .PP -\fBlogreject\fR +\fBlogreject \fR\fIaddress\fR .RS 4 Causes traffic from the listed \fIaddress\fRes to be logged then rejected\&. Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL setting in @@ -359,7 +369,15 @@ (5)\&. .RE .PP -\fBnoiptrace\fR +\fBls\fR +.RS 4 +\fBls\fR +is a synonym for +\fBshow\fR +\-\- please see below\&. +.RE +.PP +\fBnoiptrace \fR\fIiptables match expression\fR .RS 4 This is a low\-level debugging command that cancels a trace started by a preceding \fBiptrace\fR @@ -422,12 +440,33 @@ .\} .RE .PP -\fBreset\fR +\fBreenable\fR{ \fIinterface\fR | \fIprovider\fR } .RS 4 -All the packet and byte counters in the firewall are reset\&. +Added in Shorewall 4\&.6\&.9\&. This is equivalent to a +\fBdisable\fR +command followed by an +\fBenable\fR +command on the specified +\fIinterface\fR +or +\fIprovider\fR\&. .RE .PP -\fBrestart\fR +\fBreject\fR\fI address\fR +.RS 4 +Causes traffic from the listed +\fIaddress\fRes to be silently rejected\&. +.RE +.PP +\fBreset [\fR\fB\fIchain\fR\fR\fB, \&.\&.\&.]\fR +.RS 4 +Resets the packet and byte counters in the specified +\fIchain\fR(s)\&. If no +\fIchain\fR +is specified, all the packet and byte counters in the firewall are reset\&. +.RE +.PP +\fBrestart \fR[\-n] [\-p] [\-\fBC\fR] .RS 4 Restart is similar to \fBshorewall\-lite start\fR @@ -448,7 +487,7 @@ option was added in Shorewall 4\&.6\&.5\&. If the specified (or implicit) firewall script is the one that generated the current running configuration, then the running netfilter configuration will be reloaded as is so as to preserve the iptables packet and byte counters\&. .RE .PP -\fBrestore\fR +\fBrestore \fR[\-\fBn\fR] [\-\fBp\fR] [\-\fBC\fR] [ \fIfilename\fR ] .RS 4 Restore Shorewall\-lite to a state saved using the \fBshorewall\-lite save\fR @@ -477,6 +516,16 @@ .sp .5v .RE The +\fB\-n\fR +option causes Shorewall to avoid updating the routing table(s)\&. +.sp +The +\fB\-p\fR +option, added in Shorewall 4\&.6\&.5, causes the connection tracking table to be flushed; the +\fBconntrack\fR +utility must be installed to use this option\&. +.sp +The \fB\-C\fR option was added in Shorewall 4\&.6\&.5\&. If the \fB\-C\fR @@ -484,7 +533,7 @@ \fBshorewall save\fR, then the counters saved by that operation will be restored\&. .RE .PP -\fBrun\fR +\fBrun \fR\fIcommand\fR [ \fIparameter\fR \&.\&.\&. ] .RS 4 Added in Shorewall 4\&.6\&.3\&. Executes \fIcommand\fR @@ -500,7 +549,7 @@ extension script with $COMMAND = \*(Aqrun\*(Aq\&. .RE .PP -\fBsave\fR +\fBsave \fR[\-\fBC\fR] [ \fIfilename\fR ] .RS 4 The dynamic blacklist is stored in /var/lib/shorewall\-lite/save\&. The state of the firewall is stored in /var/lib/shorewall\-lite/\fIfilename\fR for use by the @@ -529,14 +578,14 @@ .RS 4 The show command can have a number of different arguments: .PP -\fBbl|blacklists\fR +\fBbl|blacklists \fR[\-\fBx\fR] .RS 4 Added in Shorewall 4\&.6\&.2\&. Displays the dynamic chain along with any chains produced by entries in shorewall\-blrules(5)\&.The \fB\-x\fR option is passed directly through to iptables and causes actual packet and byte counts to be displayed\&. Without this option, those counts are abbreviated\&. .RE .PP -\fBcapabilities\fR +[\-\fBf\fR] \fBcapabilities\fR .RS 4 Displays your kernel/iptables capabilities\&. The \fB\-f\fR @@ -544,7 +593,7 @@ \fBcompile \-e\fR\&. .RE .PP -[ [ \fBchain\fR ] \fIchain\fR\&.\&.\&. ] +[\-\fBb\fR] [\-\fBx\fR] [\-\fBl\fR] [\-\fBt\fR {\fBfilter\fR|\fBmangle\fR|\fBnat\fR|\fBraw\fR|\fBrawpost\fR}] [ \fIchain\fR\&.\&.\&. ] .RS 4 The rules in each \fIchain\fR @@ -613,7 +662,7 @@ (5))\&. .RE .PP -\fBlog\fR +[\-\fBm\fR] \fBlog\fR .RS 4 Displays the last 20 Shorewall\-lite messages from the log file specified by the LOGFILE option in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. The @@ -621,6 +670,14 @@ option causes the MAC address of each packet source to be displayed if that information is available\&. .RE .PP +[\-\fBx\fR] \fBmangle\fR +.RS 4 +Displays the Netfilter mangle table using the command +\fBiptables \-t mangle \-L \-n \-v\fR\&. The +\fB\-x\fR +option is passed directly through to iptables and causes actual packet and byte counts to be displayed\&. Without this option, those counts are abbreviated\&. +.RE +.PP \fBmarks\fR .RS 4 Added in Shorewall 4\&.4\&.26\&. Displays the various fields in packet marks giving the min and max value (in both decimal and hex) and the applicable mask (in hex)\&. @@ -670,7 +727,7 @@ .RE .RE .PP -\fBstart\fR +\fBstart\fR [\-\fBp\fR] [\-\fBn\fR] [\fB\-f\fR] [\-\fBC\fR] .RS 4 Start Shorewall Lite\&. Existing connections through shorewall\-lite managed interfaces are untouched\&. New connections will be allowed only if they are allowed by the firewall rules or policies\&. .sp @@ -681,7 +738,7 @@ utility must be installed to use this option\&. .sp The -\fB\-m\fR +\fB\-n\fR option prevents the firewall script from modifying the current routing configuration\&. .sp The diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.8.1/manpages/shorewall-lite.conf.5 new/shorewall-lite-4.6.9/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-4.6.8.1/manpages/shorewall-lite.conf.5 2015-04-11 16:53:29.000000000 +0200 +++ new/shorewall-lite-4.6.9/manpages/shorewall-lite.conf.5 2015-05-06 18:17:37.000000000 +0200 @@ -2,12 +2,12 @@ .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 04/11/2015 +.\" Date: 05/06/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "04/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\&.CO" "5" "05/06/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.8.1/manpages/shorewall-lite.xml new/shorewall-lite-4.6.9/manpages/shorewall-lite.xml --- old/shorewall-lite-4.6.8.1/manpages/shorewall-lite.xml 2015-04-11 16:53:32.000000000 +0200 +++ new/shorewall-lite-4.6.9/manpages/shorewall-lite.xml 2015-05-06 18:17:40.000000000 +0200 @@ -297,6 +297,20 @@ <arg>-<replaceable>options</replaceable></arg> + <arg choice="plain"><option>reenable</option></arg> + + <arg choice="plain">{ <replaceable>interface</replaceable> | + <replaceable>provider</replaceable> }</arg> + </cmdsynopsis> + + <cmdsynopsis> + <command>shorewall-lite</command> + + <arg + choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> + + <arg>-<replaceable>options</replaceable></arg> + <arg choice="plain"><option>reject</option></arg> <arg choice="plain"><replaceable>address</replaceable></arg> @@ -326,8 +340,6 @@ <arg><option>-n</option></arg> <arg><option>-p</option><arg><option>-C</option></arg></arg> - - <arg><replaceable>directory</replaceable></arg> </cmdsynopsis> <cmdsynopsis> @@ -613,7 +625,10 @@ <variablelist> <varlistentry> - <term><emphasis role="bold">add</emphasis></term> + <term><emphasis role="bold">add </emphasis>{ + <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]... + <replaceable>zone</replaceable> | <replaceable>zone</replaceable> + <replaceable>host-list</replaceable> }</term> <listitem> <para>Adds a list of hosts or subnets to a dynamic zone usually used @@ -638,7 +653,8 @@ </varlistentry> <varlistentry> - <term><emphasis role="bold">allow</emphasis></term> + <term><emphasis role="bold">allow + </emphasis><replaceable>address</replaceable></term> <listitem> <para>Re-enables receipt of packets from hosts previously @@ -650,7 +666,8 @@ </varlistentry> <varlistentry> - <term><emphasis role="bold">clear</emphasis></term> + <term><emphasis role="bold">clear + </emphasis>[-<option>f</option>]</term> <listitem> <para>Clear will remove all rules and chains installed by @@ -688,7 +705,10 @@ </varlistentry> <varlistentry> - <term><emphasis role="bold">delete</emphasis></term> + <term><emphasis role="bold">delete </emphasis>{ + <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]... + <replaceable>zone</replaceable> | <replaceable>zone</replaceable> + <replaceable>host-list</replaceable> }</term> <listitem> <para>The delete command reverses the effect of an earlier <emphasis @@ -703,7 +723,9 @@ </varlistentry> <varlistentry> - <term><emphasis role="bold">disable</emphasis></term> + <term><emphasis role="bold">disable </emphasis>{ + <replaceable>interface</replaceable> | + <replaceable>provider</replaceable> }</term> <listitem> <para>Added in Shorewall 4.4.26. Disables the optional provider @@ -715,7 +737,8 @@ </varlistentry> <varlistentry> - <term><emphasis role="bold">drop</emphasis></term> + <term><emphasis role="bold">drop + </emphasis><replaceable>address</replaceable></term> <listitem> <para>Causes traffic from the listed <emphasis>address</emphasis>es @@ -724,7 +747,9 @@ </varlistentry> <varlistentry> - <term><emphasis role="bold">dump</emphasis></term> + <term><emphasis role="bold">dump </emphasis>[-<option>x</option>] + [-<option>l</option>] [-<option>m</option>] + [-<option>c</option>]</term> <listitem> <para>Produces a verbose report about the firewall configuration for @@ -745,7 +770,9 @@ </varlistentry> <varlistentry> - <term><emphasis role="bold">enable</emphasis></term> + <term><emphasis role="bold">enable </emphasis>{ + <replaceable>interface</replaceable> | + <replaceable>provider</replaceable> }</term> <listitem> <para>Added in Shorewall 4.4.26. Enables the optional provider @@ -757,7 +784,8 @@ </varlistentry> <varlistentry> - <term><emphasis role="bold">forget</emphasis></term> + <term><emphasis role="bold">forget </emphasis>[ + <replaceable>filename</replaceable> ]</term> <listitem> <para>Deletes /var/lib/shorewall-lite/<emphasis>filename</emphasis> @@ -778,7 +806,8 @@ </varlistentry> <varlistentry> - <term><emphasis role="bold">hits</emphasis></term> + <term><emphasis role="bold">hits </emphasis> + [-<option>t</option>]</term> <listitem> <para>Generates several reports from Shorewall-lite log messages in @@ -788,7 +817,8 @@ </varlistentry> <varlistentry> - <term><emphasis role="bold">ipcalc</emphasis></term> + <term><emphasis role="bold">ipcalc </emphasis>{ address mask | + address/vlsm }</term> <listitem> <para>Ipcalc displays the network address, broadcast address, @@ -798,7 +828,8 @@ </varlistentry> <varlistentry> - <term><emphasis role="bold">iprange</emphasis></term> + <term><emphasis role="bold">iprange + </emphasis><replaceable>address1</replaceable>-<replaceable>address2</replaceable></term> <listitem> <para>Iprange decomposes the specified range of IP addresses into @@ -807,7 +838,8 @@ </varlistentry> <varlistentry> - <term><emphasis role="bold">iptrace</emphasis></term> + <term><emphasis role="bold">iptrace </emphasis><replaceable>iptables + match expression</replaceable></term> <listitem> <para>This is a low-level debugging command that causes iptables @@ -826,7 +858,17 @@ </varlistentry> <varlistentry> - <term><emphasis role="bold">logdrop</emphasis></term> + <term><emphasis role="bold">list</emphasis></term> + + <listitem> + <para><command>list</command> is a synonym for + <command>show</command> -- please see below.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis role="bold">logdrop + </emphasis><replaceable>address</replaceable></term> <listitem> <para>Causes traffic from the listed <emphasis>address</emphasis>es @@ -837,7 +879,8 @@ </varlistentry> <varlistentry> - <term><emphasis role="bold">logwatch</emphasis></term> + <term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>] + [<replaceable>refresh-interval</replaceable>]</term> <listitem> <para>Monitors the log file specified by the LOGFILE option in @@ -856,7 +899,8 @@ </varlistentry> <varlistentry> - <term><emphasis role="bold">logreject</emphasis></term> + <term><emphasis role="bold">logreject + </emphasis><replaceable>address</replaceable></term> <listitem> <para>Causes traffic from the listed <emphasis>address</emphasis>es @@ -867,7 +911,17 @@ </varlistentry> <varlistentry> - <term><emphasis role="bold">noiptrace</emphasis></term> + <term><emphasis role="bold">ls</emphasis></term> + + <listitem> + <para><command>ls</command> is a synonym for <command>show</command> + -- please see below.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis role="bold">noiptrace </emphasis><replaceable>iptables + match expression</replaceable></term> <listitem> <para>This is a low-level debugging command that cancels a trace @@ -919,16 +973,44 @@ </varlistentry> <varlistentry> - <term><emphasis role="bold">reset</emphasis></term> + <term><emphasis role="bold">reenable</emphasis>{ + <replaceable>interface</replaceable> | + <replaceable>provider</replaceable> }</term> <listitem> - <para>All the packet and byte counters in the firewall are - reset.</para> + <para>Added in Shorewall 4.6.9. This is equivalent to a + <command>disable</command> command followed by an + <command>enable</command> command on the specified + <replaceable>interface</replaceable> or + <replaceable>provider</replaceable>.</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis role="bold">restart</emphasis></term> + <term><emphasis role="bold">reject</emphasis><replaceable> + address</replaceable></term> + + <listitem> + <para>Causes traffic from the listed <emphasis>address</emphasis>es + to be silently rejected.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis role="bold">reset [<replaceable>chain</replaceable>, + ...]</emphasis><acronym/></term> + + <listitem> + <para>Resets the packet and byte counters in the specified + <replaceable>chain</replaceable>(s). If no + <replaceable>chain</replaceable> is specified, all the packet and + byte counters in the firewall are reset.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis role="bold">restart </emphasis>[-n] [-p] + [-<option>C</option>]</term> <listitem> <para>Restart is similar to <emphasis role="bold">shorewall-lite @@ -951,7 +1033,9 @@ </varlistentry> <varlistentry> - <term><emphasis role="bold">restore</emphasis></term> + <term><emphasis role="bold">restore </emphasis>[-<option>n</option>] + [-<option>p</option>] [-<option>C</option>] [ + <replaceable>filename</replaceable> ]</term> <listitem> <para>Restore Shorewall-lite to a state saved using the <emphasis @@ -971,6 +1055,14 @@ different from the current values.</para> </caution> + <para>The <option>-n</option> option causes Shorewall to avoid + updating the routing table(s).</para> + + <para>The <option>-p</option> option, added in Shorewall 4.6.5, + causes the connection tracking table to be flushed; the + <command>conntrack</command> utility must be installed to use this + option.</para> + <para>The <option>-C</option> option was added in Shorewall 4.6.5. If the <option>-C</option> option was specified during <emphasis role="bold">shorewall save</emphasis>, then the counters saved by @@ -979,7 +1071,9 @@ </varlistentry> <varlistentry> - <term><emphasis role="bold">run</emphasis></term> + <term><emphasis role="bold">run + </emphasis><replaceable>command</replaceable> [ + <replaceable>parameter</replaceable> ... ]</term> <listitem> <para>Added in Shorewall 4.6.3. Executes @@ -996,7 +1090,8 @@ </varlistentry> <varlistentry> - <term><emphasis role="bold">save</emphasis></term> + <term><emphasis role="bold">save </emphasis>[-<option>C</option>] [ + <replaceable>filename</replaceable> ]</term> <listitem> <para>The dynamic blacklist is stored in @@ -1036,7 +1131,8 @@ <variablelist> <varlistentry> - <term><emphasis role="bold">bl|blacklists</emphasis></term> + <term><emphasis role="bold">bl|blacklists + </emphasis>[-<option>x</option>]</term> <listitem> <para>Added in Shorewall 4.6.2. Displays the dynamic chain @@ -1049,7 +1145,8 @@ </varlistentry> <varlistentry> - <term><emphasis role="bold">capabilities</emphasis></term> + <term>[-<option>f</option>] <emphasis + role="bold">capabilities</emphasis></term> <listitem> <para>Displays your kernel/iptables capabilities. The @@ -1060,8 +1157,10 @@ </varlistentry> <varlistentry> - <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>... - ]</term> + <term>[-<option>b</option>] [-<option>x</option>] + [-<option>l</option>] [-<option>t</option> + {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}] + [ <emphasis>chain</emphasis>... ]</term> <listitem> <para>The rules in each <emphasis>chain</emphasis> are @@ -1160,7 +1259,8 @@ </varlistentry> <varlistentry> - <term><emphasis role="bold">log</emphasis></term> + <term>[-<option>m</option>] <emphasis + role="bold">log</emphasis></term> <listitem> <para>Displays the last 20 Shorewall-lite messages from the @@ -1173,6 +1273,20 @@ </varlistentry> <varlistentry> + <term>[-<option>x</option>] <emphasis + role="bold">mangle</emphasis></term> + + <listitem> + <para>Displays the Netfilter mangle table using the command + <emphasis role="bold">iptables -t mangle -L -n -v</emphasis>. + The <emphasis role="bold">-x</emphasis> option is passed + directly through to iptables and causes actual packet and byte + counts to be displayed. Without this option, those counts are + abbreviated.</para> + </listitem> + </varlistentry> + + <varlistentry> <term><emphasis role="bold">marks</emphasis></term> <listitem> @@ -1262,7 +1376,9 @@ </varlistentry> <varlistentry> - <term><emphasis role="bold">start</emphasis></term> + <term><emphasis role="bold">start</emphasis> [-<option>p</option>] + [-<option>n</option>] [<option>-f</option>] + [-<option>C</option>]</term> <listitem> <para>Start Shorewall Lite. Existing connections through @@ -1274,7 +1390,7 @@ table to be flushed; the <command>conntrack</command> utility must be installed to use this option.</para> - <para>The <option>-m</option> option prevents the firewall script + <para>The <option>-n</option> option prevents the firewall script from modifying the current routing configuration.</para> <para>The <option>-f</option> option was added in Shorewall 4.6.5. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.8.1/releasenotes.txt new/shorewall-lite-4.6.9/releasenotes.txt --- old/shorewall-lite-4.6.8.1/releasenotes.txt 2015-04-11 16:50:08.000000000 +0200 +++ new/shorewall-lite-4.6.9/releasenotes.txt 2015-05-06 18:14:16.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 8 . 1 - ------------------------------------ - A p r i l 1 1 , 2 0 1 5 + S H O R E W A L L 4 . 6 . 9 + ---------------------------- + M a y 0 6 , 2 0 1 5 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE @@ -14,36 +14,24 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.8.1 - -1) Previously, when servicd was installed and there were one or more - required interfaces, the firewall would fail to start at boot. This - has been corrected by Tuomo Soini. - -2) Some startup logic in lib.cli has been deleted. A bug prevented the - code from working as intended, so there is no loss of functionality - resulting from deletion of the code. - -4.6.8 - -1) This release includes defect repair from Shorewall 4.6.6.2 and +1) This release contains defect repair from Shorewall 4.6.8.1 and earlier releases. -2) Previously, when the -n option was specified and NetworkManager was - installed on the target system, the Shorewall-init installer would - still create - ${DESTDIR}etc/NetworkManager/dispatcher.d/01-shorewall, regardless - of the setting of $CONFDIR. That has been corrected such that the - directory - ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall is - created instead. - -3) Previously, handling of the IPTABLES and IP6TABLES actions in the - conntrack file was broken. nfw provided a fix on IRC. +2) The means for preventing loading of helper modules has been + clarified in the documentation. -4) The Shorewall-core and Shorewall6 installers would previously - report incorrectly that the product release was not installed. Matt - Darfeuille provided fixes. +3) The SetEvent and ResetEvent actions previously set/reset the event + even if the packet did not match the other specified columns. This + has been corrected. + +4) Previously, the 'show capabilities' command was ignoring the + HELPERS setting. This resulted in unwanted modules being autoloaded + and, when the -f option was given, an incorrect capabilities file + was generated. + +6) Previously, when 'wait' was specified for an interface, the + generated script erroneously checked for required interfaces on all + commands rather than just start, restart and restore. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G @@ -56,63 +44,36 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The CLI programs (shorewall, shorewall6, etc) now support 'open' - and 'close' commands. The 'open' command temporarily opens the - firewall for a specified type of connection; the syntax is: - - open <source> <destination> [ <protocol> [ <port> ] ] - - The <source> and <destination> may be any of the following: - - - a host IP address - - a network IP address - - a valid DNS name (usual warnings apply) - - the word 'all', indicating that the <source> or <destination> is - not restricted - - The protocol may be specified by number or by a name. Same with - <port>. - - Example: Open SSH connections to 1.2.3.4 in Shorewall: - - shorewall open all 1.2.3.4 tcp ssh - - The 'close' command reverses the effect of an earlier 'open' - command and has two forms: - - close <open-number> - close <source> <destination> [ <protocol [ <port ] ] - - - In the first form, the <open-number> is the number displayed in the - 'num' column of the 'shorewall list opens' command (see below). - - In the second form, the parameters must match those of the earlier - 'open' command to be reversed. All temporary connections opens may - be deleted by simply restarting the firewall. - - Both commands require that the firewall be in the started state and - that DYNAMIC_BLACKLIST=Yes in the active configuration. - - The iptables rules created via 'open' commands can be displayed - using the 'show opens' command. - - Example (after the above open command was executed): - - Shorewall 4.6.8 Temporarily opened connections at gateway - Fri Mar 6 09:47:06 PST 2015 - Chain dynamic (14 references) - num pkts bytes target prot opt in out source destination - 1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 1.2.3.4 multiport dports 22 - root@gateway:~# - -2) A 'safesets' command is now available to proactively save changes - to ipset contents. Using this command can guard against accidental - loss of ipset changes in the event of a system failure before a - 'stop' command has been completed. The exact action taken by the - command depends on the setting of SAVE_IPSETS in shorewall[6].conf. - -3) The SOURCE and DEST columns in the rtrules file may now contains - comma-separated lists of addresses. +1) There is now a TCPMSS Target (TCPMSS_TARGET) capability. Your + iptables and kernel must support this capability in order to use + the CLAMPMSS option in shorewall.conf and the 'mss=' option in the + zones, interfaces and hosts files. This capability was added when + it was learned that Debian on ARM doesn't provide the feature. + + When using a capabilities file from at earlier release, the + compiler assumes that this capability is available, since most + distributions have traditionally provided the capability. + +2) The CLI manpages now state explicitly that 'list' and 'ls' are + synonyms for 'show' and refer the reader to the description of + 'show'. + +3) The complete syntax of each CLI command is now repeated in the + detailed description of the command in the man pages. + +4) Tuomo Soini has contributed a QUIC macro. + +5) The JabberSecure macro is now deprecated. Configure Jabber to use + TLS and use the Jabber macro instead. (Tuomo Soini). + +6) The enable and disable commands now execute more quickly on slow + hardware. + +7) The CLI programs now support a 'reenable' command. This command is + logically equivalent to a 'disable' command followed by an 'enable' + command, with the exception that no error is generated if the + specified interface or provider is disabled at the time the + command is given. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S @@ -282,7 +243,7 @@ is '-' rather than '2'. If you prefer to keep your pre-4.6.0 chain names, then specify ZONE2ZONE=2 in shorewall[6].conf. -13) Beginning with Shorewall 4.6.0, ection headers are now preceded by +13) Beginning with Shorewall 4.6.0, section headers are now preceded by '?' (e.g., '?SECTION ...'). If your configuration contains any bare 'SECTION' entries, the following warning is issued: @@ -407,6 +368,91 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 8 +---------------------------------------------------------------------------- + +1) This release includes defect repair from Shorewall 4.6.6.2 and + earlier releases. + +2) Previously, when the -n option was specified and NetworkManager was + installed on the target system, the Shorewall-init installer would + still create + ${DESTDIR}etc/NetworkManager/dispatcher.d/01-shorewall, regardless + of the setting of $CONFDIR. That has been corrected such that the + directory + ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall is + created instead. + +3) Previously, handling of the IPTABLES and IP6TABLES actions in the + conntrack file was broken. nfw provided a fix on IRC. + +4) The Shorewall-core and Shorewall6 installers would previously + report incorrectly that the product release was not installed. Matt + Darfeuille provided fixes. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 8 +---------------------------------------------------------------------------- + +1) The CLI programs (shorewall, shorewall6, etc) now support 'open' + and 'close' commands. The 'open' command temporarily opens the + firewall for a specified type of connection; the syntax is: + + open <source> <destination> [ <protocol> [ <port> ] ] + + The <source> and <destination> may be any of the following: + + - a host IP address + - a network IP address + - a valid DNS name (usual warnings apply) + - the word 'all', indicating that the <source> or <destination> is + not restricted + + The protocol may be specified by number or by a name. Same with + <port>. + + Example: Open SSH connections to 1.2.3.4 in Shorewall: + + shorewall open all 1.2.3.4 tcp ssh + + The 'close' command reverses the effect of an earlier 'open' + command and has two forms: + + close <open-number> + close <source> <destination> [ <protocol [ <port ] ] + + + In the first form, the <open-number> is the number displayed in the + 'num' column of the 'shorewall list opens' command (see below). + + In the second form, the parameters must match those of the earlier + 'open' command to be reversed. All temporary connections opens may + be deleted by simply restarting the firewall. + + Both commands require that the firewall be in the started state and + that DYNAMIC_BLACKLIST=Yes in the active configuration. + + The iptables rules created via 'open' commands can be displayed + using the 'show opens' command. + + Example (after the above open command was executed): + + Shorewall 4.6.8 Temporarily opened connections at gateway - Fri Mar 6 09:47:06 PST 2015 + Chain dynamic (14 references) + num pkts bytes target prot opt in out source destination + 1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 1.2.3.4 multiport dports 22 + root@gateway:~# + +2) A 'safesets' command is now available to proactively save changes + to ipset contents. Using this command can guard against accidental + loss of ipset changes in the event of a system failure before a + 'stop' command has been completed. The exact action taken by the + command depends on the setting of SAVE_IPSETS in shorewall[6].conf. + +3) The SOURCE and DEST columns in the rtrules file may now contains + comma-separated lists of addresses. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 7 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.8.1/shorewall-lite.spec new/shorewall-lite-4.6.9/shorewall-lite.spec --- old/shorewall-lite-4.6.8.1/shorewall-lite.spec 2015-04-11 16:50:08.000000000 +0200 +++ new/shorewall-lite-4.6.9/shorewall-lite.spec 2015-05-06 18:14:16.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-lite -%define version 4.6.8 -%define release 1 +%define version 4.6.9 +%define release 0base %define initdir /etc/init.d Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. @@ -106,8 +106,18 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Sat Apr 11 2015 Tom Eastep [email protected] -- Updated to 4.6.8-1 +* Tue May 05 2015 Tom Eastep [email protected] +- Updated to 4.6.9-0base +* Tue May 05 2015 Tom Eastep [email protected] +- Updated to 4.6.9-0RC2 +* Mon Apr 27 2015 Tom Eastep [email protected] +- Updated to 4.6.9-0RC1 +* Fri Apr 17 2015 Tom Eastep [email protected] +- Updated to 4.6.9-0Beta3 +* Mon Apr 06 2015 Tom Eastep [email protected] +- Updated to 4.6.9-0Beta2 +* Fri Apr 03 2015 Tom Eastep [email protected] +- Updated to 4.6.9-0Beta1 * Sun Mar 29 2015 Tom Eastep [email protected] - Updated to 4.6.8-0base * Tue Mar 24 2015 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.8.1/uninstall.sh new/shorewall-lite-4.6.9/uninstall.sh --- old/shorewall-lite-4.6.8.1/uninstall.sh 2015-04-11 16:50:08.000000000 +0200 +++ new/shorewall-lite-4.6.9/uninstall.sh 2015-05-06 18:14:16.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.8.1 +VERSION=4.6.9 PRODUCT=shorewall-lite usage() # $1 = exit status ++++++ shorewall-4.6.8.1.tar.bz2 -> shorewall6-4.6.9.tar.bz2 ++++++ ++++ 128395 lines of diff (skipped) ++++++ shorewall-lite-4.6.8.1.tar.bz2 -> shorewall6-lite-4.6.9.tar.bz2 ++++++ ++++ 8834 lines of diff (skipped)
