Hello community, here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2015-06-24 21:01:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shorewall (Old) and /work/SRC/openSUSE:Factory/.shorewall.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall" Changes: -------- --- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2015-05-10 10:46:55.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes 2015-06-24 21:01:35.000000000 +0200 @@ -1,0 +2,14 @@ +Wed Jun 17 06:43:22 UTC 2015 - [email protected] + +- Update to version 4.6.10.1 For more details see changelog.txt and + releasenotes.txt + + * Indentation is now consistent in lib.core (Tuomo Soini). + + * The first problem corrected in 4.6.10 below was incomplete. It + is now complete (Tuomo Soini). + + * Similarly, the second fix was also incomplete and is now + completed (Tuomo Soini). + +------------------------------------------------------------------- Old: ---- shorewall-4.6.9.tar.bz2 shorewall-core-4.6.9.tar.bz2 shorewall-docs-html-4.6.9.tar.bz2 shorewall-init-4.6.9.tar.bz2 shorewall-lite-4.6.9.tar.bz2 shorewall6-4.6.9.tar.bz2 shorewall6-lite-4.6.9.tar.bz2 New: ---- shorewall-4.6.10.1.tar.bz2 shorewall-core-4.6.10.1.tar.bz2 shorewall-docs-html-4.6.10.1.tar.bz2 shorewall-init-4.6.10.1.tar.bz2 shorewall-lite-4.6.10.1.tar.bz2 shorewall6-4.6.10.1.tar.bz2 shorewall6-lite-4.6.10.1.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.OfDwoo/_old 2015-06-24 21:01:37.000000000 +0200 +++ /var/tmp/diff_new_pack.OfDwoo/_new 2015-06-24 21:01:37.000000000 +0200 
@@ -20,19 +20,19 @@ %define have_systemd 1 Name: shorewall -Version: 4.6.9 +Version: 4.6.10.1 Release: 0 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems License: GPL-2.0 Group: Productivity/Networking/Security Url: http://www.shorewall.net/ -Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}-%version.tar.bz2 -Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}-core-%version.tar.bz2 -Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}-lite-%version.tar.bz2 -Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}-init-%version.tar.bz2 -Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}6-lite-%version.tar.bz2 -Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}6-%version.tar.bz2 -Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}-docs-html-%version.tar.bz2 +Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.10/%{name}-%version.tar.bz2 +Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.10/%{name}-core-%version.tar.bz2 +Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.10/%{name}-lite-%version.tar.bz2 +Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.10/%{name}-init-%version.tar.bz2 +Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.10/%{name}6-lite-%version.tar.bz2 +Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.10/%{name}6-%version.tar.bz2 +Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.10/%{name}-docs-html-%version.tar.bz2 Source7: %{name}-4.4.22.rpmlintrc Source8: README.openSUSE # PATCH-FIX-UPSTREAM [email protected] Shorewall-lite init.suse.sh Required Stop ++++++ shorewall-4.6.9.tar.bz2 -> shorewall-4.6.10.1.tar.bz2 ++++++ ++++ 2792 lines of diff (skipped) ++++++ shorewall-core-4.6.9.tar.bz2 -> shorewall-core-4.6.10.1.tar.bz2 ++++++ diff -urN '--exclude=CVS' 
'--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.9/changelog.txt new/shorewall-core-4.6.10.1/changelog.txt --- old/shorewall-core-4.6.9/changelog.txt 2015-05-06 18:14:15.000000000 +0200 +++ new/shorewall-core-4.6.10.1/changelog.txt 2015-06-10 17:00:52.000000000 +0200 @@ -1,3 +1,52 @@ +Changes in 4.6.10.1 + +1) Update release documents. + +2) Use consistent indentation in lib.core + +3) Complete Shorewall-init improvements + +4) Return exit status 6 when startup is disabled + +Changes in 4.6.10 Final + +1) Update release documents. + +2) Update Module Versions + +3) Tuomo Soini's fix to enable/disable. + +Changes in 4.6.10 RC 1 + +1) Update release documents. + +2) load= enhancements + +3) Indicate success when no ipsets are saved by the script + +4) load= corrections. + +5) IPv6 findgw. + +Changes in 4.6.10 Beta 2 + +1) Update release documents. + +2) Add queue-balance and queue-bypass options to NFQUEUE. + +3) Implement 'call' in the compiled program and externalize 'call' in + the CLI. + +Changes in 4.6.10 Beta 1 + +1) Update release documents. + +2) Fix Shorewall-init bailing out when a product didn't start/stop + +3) Return exit status 6 for non-configured firewall. + +4) Don't require a helper for ctevents and expevents. + Changes in 4.6.9 Final 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.9/configure new/shorewall-core-4.6.10.1/configure --- old/shorewall-core-4.6.9/configure 2015-05-06 18:14:15.000000000 +0200 +++ new/shorewall-core-4.6.10.1/configure 2015-06-10 17:00:52.000000000 +0200 
@@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.9 +VERSION=4.6.10.1 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.9/configure.pl new/shorewall-core-4.6.10.1/configure.pl --- old/shorewall-core-4.6.9/configure.pl 2015-05-06 18:14:15.000000000 +0200 +++ new/shorewall-core-4.6.10.1/configure.pl 2015-06-10 17:00:52.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.9' + VERSION => '4.6.10.1' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.9/install.sh new/shorewall-core-4.6.10.1/install.sh --- old/shorewall-core-4.6.9/install.sh 2015-05-06 18:14:15.000000000 +0200 +++ new/shorewall-core-4.6.10.1/install.sh 2015-06-10 17:00:52.000000000 +0200 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=4.6.9 +VERSION=4.6.10.1 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.9/known_problems.txt new/shorewall-core-4.6.10.1/known_problems.txt --- old/shorewall-core-4.6.9/known_problems.txt 2015-05-06 18:14:15.000000000 +0200 +++ new/shorewall-core-4.6.10.1/known_problems.txt 2015-06-10 17:00:52.000000000 +0200 
@@ -1,11 +1,2 @@ 1) On systems running Upstart, shorewall-init cannot reliably secure the firewall before interfaces are brought up. - -2) The SetEvent and ResetEvent actions currently set/reset the named - event even if the packet does not match the other specified - columns. - -3) The 'show capabilities' command ignores the HELPERS setting. This - results in unwanted modules being autoloaded and, when the -f - option is given, an incorrect capabilities file is generated. - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.9/lib.cli new/shorewall-core-4.6.10.1/lib.cli --- old/shorewall-core-4.6.9/lib.cli 2015-05-05 20:28:13.000000000 +0200 +++ new/shorewall-core-4.6.10.1/lib.cli 2015-06-09 20:02:00.000000000 +0200 @@ -42,16 +42,6 @@ . ${SHAREDIR}/shorewall/lib.base - -# -# Fatal Error -# -fatal_error() # $@ = Message -{ - echo " ERROR: $@" >&2 - exit 2 -} - # # Issue an error message and die # @@ -484,7 +474,7 @@ fi fi ;; - [Nn]o) + [Nn]o|ipv4|ipv6) ;; *) error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS" @@ -1683,7 +1673,7 @@ if [ -z "$STARTUP_ENABLED" ]; then error_message "ERROR: Startup is disabled" - exit 2 + exit 6 fi g_restorepath=${VARDIR}/$RESTOREFILE @@ -3680,7 +3670,7 @@ else error_message "${VARDIR}/firewall is missing or is not executable" logger -p kern.err "ERROR:$g_product start failed" - rc=2 + rc=6 fi [ -n "$g_nolock" ] || mutex_off @@ -3813,7 +3803,7 @@ else error_message "${VARDIR}/firewall is missing or is not executable" logger -p kern.err "ERROR:$g_product restart failed" - rc=2 + rc=6 fi [ -n "$g_nolock" ] || mutex_off 
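Review bot: removing fatal_error() from lib.cli (the @@ -42,16 hunk) only works if every script that sources lib.cli also gets lib.common on its source chain; lib.cli itself only sources `${SHAREDIR}/shorewall/lib.base` here, so confirm that lib.base pulls in lib.common before any code path can call fatal_error, otherwise the first error becomes a "command not found" with exit status 127 instead of the intended exit 2.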
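Review bot: the new `[Nn]o|ipv4|ipv6)` arm in the SAVE_IPSETS case is a no-op, so for these values the CLI neither saves ipsets nor warns. That is the right fix for the spurious "Invalid value (ipv4) for SAVE_IPSETS" warning only if the generated firewall script performs the ipv4/ipv6 ipset saving itself, which this patch does not show; a one-line comment in the arm saying where that saving happens would spare the next reader the same question.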
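Review bot: changing the "Startup is disabled" path and the missing/non-executable ${VARDIR}/firewall paths (hunks @@ -1683, @@ -3680 and @@ -3813) from exit status 2 to 6 matches the LSB init-script meaning of 6, "program is not configured", which is what shorewall-init needs, but it is also an interface change: anything wrapping `shorewall start` that tests for rc 2 will now miss these cases, so the migration section of the release notes should mention it. Also, the two rc=6 paths log via `logger -p kern.err` while the STARTUP_ENABLED path only calls error_message; a matching logger call there would leave a trace in syslog when startup is disabled at boot.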
@@ -4239,10 +4229,29 @@ get_config [ -n "$g_debugging" ] && set -x # - # Undocumented way to call functions in the libraries directly + # Way to call functions in the libraries directly # shift - $@ + + if [ $# -gt 0 ]; then + # + # First look for it here + # + if type $1 2> /dev/null | fgrep -q 'is a function'; then + # + # It's a shell function -- call it + # + $@ + else + # + # It isn't a function visible to this script -- try + # the compiled firewall + # + run_it $g_firewall $g_debugging call $@ + fi + else + usage 1 + fi ;; help) shift diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.9/lib.common new/shorewall-core-4.6.10.1/lib.common --- old/shorewall-core-4.6.9/lib.common 2015-05-05 20:28:13.000000000 +0200 +++ new/shorewall-core-4.6.10.1/lib.common 2015-06-09 20:02:00.000000000 +0200 @@ -71,6 +71,24 @@ } # +# Fatal Error +# +fatal_error() # $@ = Message +{ + echo " ERROR: $@" >&2 + exit 2 +} + +# +# Not configured Error +# +not_configured_error() # $@ = Message +{ + echo " ERROR: $@" >&2 + exit 6 +} + +# # Get the Shorewall version of the passed script # get_script_version() { # $1 = script diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.9/releasenotes.txt new/shorewall-core-4.6.10.1/releasenotes.txt --- old/shorewall-core-4.6.9/releasenotes.txt 2015-05-06 18:14:15.000000000 +0200 +++ new/shorewall-core-4.6.10.1/releasenotes.txt 2015-06-10 17:00:52.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 9 + S H O R E W A L L 4 . 6 . 1 0 . 1 ---------------------------- - M a y 0 6 , 2 0 1 5 + J u n e 1 0 , 2 0 1 5 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
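Review bot: in the new `call` branch, `type $1 2> /dev/null | fgrep -q 'is a function'` keys on the English wording of `type`'s output, so it breaks under a non-C locale (bash localises that message) and under dash, whose `type` prints "is a shell function"; in either case every call falls through to `run_it $g_firewall $g_debugging call $@` and the compiled firewall is asked for a function that lives in the CLI libraries. Prefix the check with `LC_ALL=C` and match on "function" alone, or use `type -t` where bash is guaranteed. Separately, `$@` is expanded unquoted in both branches; `"$@"` keeps a parameter containing whitespace intact on its way to the function or to run_it.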
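Review bot: not_configured_error() in the lib.common hunk is fatal_error() with a different exit code; routing both through one helper (for example `error_exit() # $1 = status, $@ = message`) keeps the message format and the `>&2` redirection from drifting apart, and would also give the new exit-6 paths in lib.cli, which still call error_message and exit inline, a single place to use.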
@@ -14,24 +14,37 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) This release contains defect repair from Shorewall 4.6.8.1 and - earlier releases. +4.6.10.1 -2) The means for preventing loading of helper modules has been - clarified in the documentation. +1) Indentation is now consistent in lib.core (Tuomo Soini). -3) The SetEvent and ResetEvent actions previously set/reset the event - even if the packet did not match the other specified columns. This - has been corrected. +2) The first problem corrected in 4.6.10 below was incomplete. It is + now complete (Tuomo Soini). -4) Previously, the 'show capabilities' command was ignoring the - HELPERS setting. This resulted in unwanted modules being autoloaded - and, when the -f option was given, an incorrect capabilities file - was generated. +3) Similarly, the second fix was also incomplete and is now completed + (Tuomo Soini). + +4.6.10 -6) Previously, when 'wait' was specified for an interface, the - generated script erroneously checked for required interfaces on all - commands rather than just start, restart and restore. +1) On some distributions, Shorewall-init would fail if one of the + configured products had a problem. Now, Shorewall-init goes on to + the next product rather than stopping. + +2) Previously, when startup was disabled (STARTUP_ENABLED=No or no + compiled firewall on a -lite system), exit status 2 was + returned. Now, exit status 6 is returned. + +3) Previously, if SAVE_IPSETS=ipv4 (or ipv6) but the configuration did + not use ipsets, then a superfluous warning message was issued: + + WARNING: Invalid value (ipv4) for SAVE_IPSETS + + That warning is now suppressed. + +4) Previously, the algorithm used to normalize the probabilities + defined in the 'load' provider option was incorrect and could + result in probabilities > 1.0. When this occurred, the firewall + would fail to start. 
---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -44,36 +57,73 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) There is now a TCPMSS Target (TCPMSS_TARGET) capability. Your - iptables and kernel must support this capability in order to use - the CLAMPMSS option in shorewall.conf and the 'mss=' option in the - zones, interfaces and hosts files. This capability was added when - it was learned that Debian on ARM doesn't provide the feature. +1) Previously, the 'ctevents' and 'expevents' options could only be + specified in the conntrack file if a helper was named. That is no + longer necessary. - When using a capabilities file from at earlier release, the - compiler assumes that this capability is available, since most - distributions have traditionally provided the capability. + Example: -2) The CLI manpages now state explicitly that 'list' and 'ls' are - synonyms for 'show' and refer the reader to the description of - 'show'. + #ACTION SOURCE DESTINATION PROTO DEST ... + # PORT(S) ... + # + CT:ctevents:assured,destroy\ + all - - -3) The complete syntax of each CLI command is now repeated in the - detailed description of the command in the man pages. +2) Two new options have been added to the NFQUEUE target. -4) Tuomo Soini has contributed a QUIC macro. + - By default, if no userspace program is listening on an NFQUEUE, + then all packets that are to be queued are dropped. When the new + 'bypass' option is used, the NFQUEUE rule is silently bypassed + instead. The packet will move on to the next rule. -5) The JabberSecure macro is now deprecated. Configure Jabber to use - TLS and use the Jabber macro instead. (Tuomo Soini). + Examples: -6) The enable and disable commands now execute more quickly on slow - hardware. + NFQUEUE(bypass) + NFQUEUE(3,bypass) -7) The CLI programs now support a 'reenable' command. 
This command is - logically equivalent to a 'disable' command followed by an 'enable' - command, with the exception that no error is generated if the - specified interface or provider is disabled at the time the - command is given. + - Now, a queue range of the form n:m may be specified. Packets are + then balanced across the given queues. This is useful for + multicore systems: start multiple instances of the userspace + program on queues x, x+1, .. x+n and use "x:x+n". Packets + belonging to the same connection are put into the same nfqueue. + + Examples: + + NFQUEUE(4:6) + NFQUEUE(4:6,bypass) + + Queue ranges are also permitted in an NFQUEUE policy; the + 'bypass' option is not permitted there. + +3) The 'call' command is now documented. It provides a way to call + shell functions in the Shorewall libraries or in the generated + script. + + call <function> [ <parameter> ... ] + + <function> must name a shell function in one of the Shorewall + libraries or in the generated script. The function is first + searched for in lib.base, lib.common, lib.cli and lib.cli-std + (lib.cli-std is not searched by the '-lite' products). If the + function is found, it is called with any supplied <parameter>s. + + If the function is not found in the libraries, the call command + is passed to the generated script for processing. + +4) Several changes have been made to the processing of the 'load' + option in provider files: + + - load values are normalized to 8-digit precision and 10-byte + length. + - a warning is issued if the sum of the loads is not 1.000000. + - if the normalized probability for an interface is >= + 1.000000 then the probability match part of the generated rule is + omitted. + +5) There is now an ipv6 'findgw' skeleton file. + +6) The 'disable' and 'enable' commands now succed if the interface is + already disabled or enabled respectively. Tuomo Soini. ---------------------------------------------------------------------------- I V. 
M I G R A T I O N I S S U E S @@ -266,7 +316,7 @@ See shorewall6(8) for limitations of 'update -t'. -15) The default value LOAD_HELPERS_ONLY is now 'Yes'. +15) The default value of LOAD_HELPERS_ONLY is now 'Yes'. 16) Beginning with Shorewall 4.6.0, FORMAT-1 actions and macros are deprecated and a warning will be issued for each FORMAT-1 action 
@@ -368,6 +418,64 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 9 +---------------------------------------------------------------------------- + +1) This release contains defect repair from Shorewall 4.6.8.1 and + earlier releases. + +2) The means for preventing loading of helper modules has been + clarified in the documentation. + +3) The SetEvent and ResetEvent actions previously set/reset the event + even if the packet did not match the other specified columns. This + has been corrected. + +4) Previously, the 'show capabilities' command was ignoring the + HELPERS setting. This resulted in unwanted modules being autoloaded + and, when the -f option was given, an incorrect capabilities file + was generated. + +6) Previously, when 'wait' was specified for an interface, the + generated script erroneously checked for required interfaces on all + commands rather than just start, restart and restore. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 89 +---------------------------------------------------------------------------- + +1) There is now a TCPMSS Target (TCPMSS_TARGET) capability. Your + iptables and kernel must support this capability in order to use + the CLAMPMSS option in shorewall.conf and the 'mss=' option in the + zones, interfaces and hosts files. This capability was added when + it was learned that Debian on ARM doesn't provide the feature. + + When using a capabilities file from at earlier release, the + compiler assumes that this capability is available, since most + distributions have traditionally provided the capability. + +2) The CLI manpages now state explicitly that 'list' and 'ls' are + synonyms for 'show' and refer the reader to the description of + 'show'. 
+ +3) The complete syntax of each CLI command is now repeated in the + detailed description of the command in the man pages. + +4) Tuomo Soini has contributed a QUIC macro. + +5) The JabberSecure macro is now deprecated. Configure Jabber to use + TLS and use the Jabber macro instead. (Tuomo Soini). + +6) The enable and disable commands now execute more quickly on slow + hardware. + +7) The CLI programs now support a 'reenable' command. This command is + logically equivalent to a 'disable' command followed by an 'enable' + command, with the exception that no error is generated if the + specified interface or provider is disabled at the time the + command is given. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 8 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.9/shorewall-core.spec new/shorewall-core-4.6.10.1/shorewall-core.spec --- old/shorewall-core-4.6.9/shorewall-core.spec 2015-05-06 18:14:15.000000000 +0200 +++ new/shorewall-core-4.6.10.1/shorewall-core.spec 2015-06-10 17:00:52.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-core -%define version 4.6.9 -%define release 0base +%define version 4.6.10 +%define release 1 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} 
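Review bot: the description of the new NFQUEUE 'bypass' option (releasenotes.txt hunk @@ -44,36) should spell out the security consequence: with 'bypass', packets that would have been dropped for lack of a userspace listener are instead passed to the next rule, so a crashed or not-yet-started IDS/IPS daemon turns the NFQUEUE rule from fail-closed into fail-open; readers choosing it for inline filtering need that stated. In the same hunk, "succed" in item 6 should read "succeed", and the conntrack example `CT:ctevents:assured,destroy\` relies on a trailing backslash continuation that the run-together rendering here makes easy to miss. The identical text recurs in the shorewall-init copy of releasenotes.txt further down.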
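Review bot: in the added "NOTES FROM OTHER 4.6 RELEASES" text (hunk @@ -368,6), the heading "N E W F E A T U R E S I N 4 . 6 . 89" should read "4 . 6 . 9", and the carried-over list of problems corrected in 4.6.9 jumps from 4) to 6). Both are upstream release-note text and belong in an upstream report rather than a packaging change, but the same heading is duplicated in the shorewall-init copy below, so it is worth passing on.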
@@ -63,6 +63,16 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt %changelog +* Tue Jun 09 2015 Tom Eastep [email protected] +- Updated to 4.6.10-1 +* Fri May 29 2015 Tom Eastep [email protected] +- Updated to 4.6.10-0base +* Mon May 25 2015 Tom Eastep [email protected] +- Updated to 4.6.10-0RC1 +* Sun May 17 2015 Tom Eastep [email protected] +- Updated to 4.6.10-0Beta2 +* Tue May 05 2015 Tom Eastep [email protected] +- Updated to 4.6.10-0Beta1 * Tue May 05 2015 Tom Eastep [email protected] - Updated to 4.6.9-0base * Tue May 05 2015 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.9/uninstall.sh new/shorewall-core-4.6.10.1/uninstall.sh --- old/shorewall-core-4.6.9/uninstall.sh 2015-05-06 18:14:15.000000000 +0200 +++ new/shorewall-core-4.6.10.1/uninstall.sh 2015-06-10 17:00:52.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.9 +VERSION=4.6.10.1 usage() # $1 = exit status { ++++++ shorewall-docs-html-4.6.9.tar.bz2 -> shorewall-docs-html-4.6.10.1.tar.bz2 ++++++ ++++ 7172 lines of diff (skipped) ++++++ shorewall-init-4.6.9.tar.bz2 -> shorewall-init-4.6.10.1.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.9/changelog.txt new/shorewall-init-4.6.10.1/changelog.txt --- old/shorewall-init-4.6.9/changelog.txt 2015-05-06 18:14:16.000000000 +0200 +++ new/shorewall-init-4.6.10.1/changelog.txt 2015-06-10 17:00:53.000000000 +0200 
@@ -1,3 +1,52 @@ +Changes in 4.6.10.1 + +1) Update release documents. + +2) Use consistent indentation in lib.core + +3) Complete Shorewall-init improvements + +4) Return exit status 6 when startup is disabled + +Changes in 4.6.10 Final + +1) Update release documents. + +2) Update Module Versions + +3) Tuomo Soini's fix to enable/disable. + +Changes in 4.6.10 RC 1 + +1) Update release documents. + +2) load= enhancements + +3) Indicate success when no ipsets are saved by the script + +4) load= corrections. + +5) IPv6 findgw. + +Changes in 4.6.10 Beta 2 + +1) Update release documents. + +2) Add queue-balance and queue-bypass options to NFQUEUE. + +3) Implement 'call' in the compiled program and externalize 'call' in + the CLI. + +Changes in 4.6.10 Beta 1 + +1) Update release documents. + +2) Fix Shorewall-init bailing out when a product didn't start/stop + +3) Return exit status 6 for non-configured firewall. + +4) Don't require a helper for ctevents and expevents. + Changes in 4.6.9 Final 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.9/configure new/shorewall-init-4.6.10.1/configure --- old/shorewall-init-4.6.9/configure 2015-05-06 18:14:16.000000000 +0200 +++ new/shorewall-init-4.6.10.1/configure 2015-06-10 17:00:53.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.9 +VERSION=4.6.10.1 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.9/configure.pl new/shorewall-init-4.6.10.1/configure.pl --- old/shorewall-init-4.6.9/configure.pl 2015-05-06 18:14:16.000000000 +0200 +++ new/shorewall-init-4.6.10.1/configure.pl 2015-06-10 17:00:53.000000000 +0200 
@@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.9' + VERSION => '4.6.10.1' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.9/init.debian.sh new/shorewall-init-4.6.10.1/init.debian.sh --- old/shorewall-init-4.6.9/init.debian.sh 2015-05-05 20:28:13.000000000 +0200 +++ new/shorewall-init-4.6.10.1/init.debian.sh 2015-06-09 20:02:00.000000000 +0200 @@ -74,7 +74,9 @@ [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT} if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then - ${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || echo_notdone + ${SBINDIR}/$PRODUCT ${OPTIONS} compile -c + else + return 0 fi } @@ -103,21 +105,17 @@ echo -n "Initializing \"Shorewall-based firewalls\": " for PRODUCT in $PRODUCTS; do - setstatedir - - if [ -x ${STATEDIR}/firewall ]; then - # - # Run in a sub-shell to avoid name collisions - # - ( - if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then - ${STATEDIR}/firewall ${OPTIONS} stop || echo_notdone - else - echo_notdone - fi - ) - else - echo_notdone + if setstatedir; then + if [ -x ${STATEDIR}/firewall ]; then + # + # Run in a sub-shell to avoid name collisions + # + ( + if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then + ${STATEDIR}/firewall ${OPTIONS} stop + fi + ) + fi fi done @@ -144,10 +142,10 @@ echo -n "Clearing \"Shorewall-based firewalls\": " for PRODUCT in $PRODUCTS; do - setstatedir - - if [ -x ${STATEDIR}/firewall ]; then - ${STATEDIR}/firewall ${OPTIONS} clear || echo_notdone + if setstatedir; then + if [ -x ${STATEDIR}/firewall ]; then + ${STATEDIR}/firewall ${OPTIONS} clear + fi fi done diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.9/init.sh new/shorewall-init-4.6.10.1/init.sh --- old/shorewall-init-4.6.9/init.sh 2015-05-05 20:28:13.000000000 +0200 +++ new/shorewall-init-4.6.10.1/init.sh 2015-06-09 20:02:00.000000000 +0200 
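Review bot: dropping `|| echo_notdone` after `compile -c` in init.debian.sh's setstatedir (hunk @@ -74,7) makes a failed compile silent: the function now returns the compile's status (or 0 for the -lite products), the callers skip the product on non-zero, and a compile error at boot leaves that product's firewall in whatever state it was in with nothing on the console. `|| { echo_notdone; return 1; }` keeps the new continue-to-next-product behaviour and the message.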
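Review bot: the two loops in init.debian.sh (hunks @@ -103,21 and @@ -144,10) also lose the `else echo_notdone` branches for a product whose ${STATEDIR}/firewall is missing or not executable, so such a product is now skipped without any indication. Since shorewall-init exists to close the firewall before interfaces come up, a product that silently fails to reach the stopped state is exactly the condition an administrator needs to see; a `logger -p kern.err` (as lib.cli already does for the same condition) or an echo_notdone without the exit would preserve the diagnostic.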
@@ -69,10 +69,10 @@ [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT} - if [ ! -x $STATEDIR/firewall ]; then - if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then - ${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall - fi + if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then + ${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall + else + return 0 fi } @@ -83,11 +83,11 @@ echo -n "Initializing \"Shorewall-based firewalls\": " for PRODUCT in $PRODUCTS; do - setstatedir - - if [ -x ${STATEDIR}/firewall ]; then - if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then - ${STATEDIR}/firewall ${OPTIONS} stop || exit 1 + if setstatedir; then + if [ -x ${STATEDIR}/firewall ]; then + if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then + ${STATEDIR}/firewall ${OPTIONS} stop + fi fi fi done @@ -106,10 +106,10 @@ echo -n "Clearing \"Shorewall-based firewalls\": " for PRODUCT in $PRODUCTS; do - setstatedir - - if [ -x ${STATEDIR}/firewall ]; then - ${STATEDIR}/firewall ${OPTIONS} clear || exit 1 + if setstatedir; then + if [ -x ${STATEDIR}/firewall ]; then + ${STATEDIR}/firewall ${OPTIONS} clear + fi fi done diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.9/init.suse.sh new/shorewall-init-4.6.10.1/init.suse.sh --- old/shorewall-init-4.6.9/init.suse.sh 2015-05-05 20:28:13.000000000 +0200 +++ new/shorewall-init-4.6.10.1/init.suse.sh 2015-06-09 20:02:00.000000000 +0200 @@ -80,7 +80,9 @@ [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT} if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then - ${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit + ${SBINDIR}/$PRODUCT ${OPTIONS} compile -c + else + return 0 fi } 
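Review bot: init.sh's setstatedir (hunk @@ -69,10) drops the `[ ! -x $STATEDIR/firewall ]` guard, so every start now recompiles with `compile $STATEDIR/firewall` even when a compiled script already exists. That brings it in line with the `compile -c` in the Debian and SUSE scripts, but it is a behaviour change beyond the "continue on failure" fix described in the changelog, and it writes the output straight to the path the loops below execute; if the intent was only to propagate the status and `return 0` for the -lite products, keep the guard.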
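Review bot: in init.sh's "Initializing" loop (hunk @@ -83,11) the status check runs `${SBIN}/$PRODUCT status` while setstatedir uses `${SBINDIR}/$PRODUCT`; unless SBIN is assigned elsewhere in the script, `${SBIN}/$PRODUCT` expands to `/shorewall`, the check always fails, and `stop` is run unconditionally. Pre-existing, but the line is being rewritten here. The `|| exit 1` removals in both loops match the Debian change, with the same caveat that a failing `stop` or `clear` is now silent.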
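Review bot: in init.suse.sh's setstatedir (hunk @@ -80,7) the old `|| exit` at least aborted visibly when `compile -c` failed; with it removed the function returns the compile status and the product is skipped quietly, so on a compile error the SUSE boot proceeds with no message and no rules loaded for that product. Echo a message or call `logger -p kern.err` before returning non-zero, as suggested for the Debian script.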
@@ -91,14 +93,12 @@ echo -n "Initializing \"Shorewall-based firewalls\": " for PRODUCT in $PRODUCTS; do - setstatedir - - if [ -x $STATEDIR/firewall ]; then - if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then - $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop || exit + if setstatedir; then + if [ -x $STATEDIR/firewall ]; then + if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then + $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop + fi fi - else - exit 6 fi done @@ -114,12 +114,10 @@ echo -n "Clearing \"Shorewall-based firewalls\": " for PRODUCT in $PRODUCTS; do - setstatedir - - if [ -x ${STATEDIR}/firewall ]; then - ${STATEDIR}/firewall ${OPTIONS} clear || exit - else - exit 6 + if setstatedir; then + if [ -x ${STATEDIR}/firewall ]; then + ${STATEDIR}/firewall ${OPTIONS} clear + fi fi done diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.9/install.sh new/shorewall-init-4.6.10.1/install.sh --- old/shorewall-init-4.6.9/install.sh 2015-05-06 18:14:16.000000000 +0200 +++ new/shorewall-init-4.6.10.1/install.sh 2015-06-10 17:00:53.000000000 +0200 @@ -27,7 +27,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.6.9 +VERSION=4.6.10.1 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.9/releasenotes.txt new/shorewall-init-4.6.10.1/releasenotes.txt --- old/shorewall-init-4.6.9/releasenotes.txt 2015-05-06 18:14:16.000000000 +0200 +++ new/shorewall-init-4.6.10.1/releasenotes.txt 2015-06-10 17:00:53.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 9 + S H O R E W A L L 4 . 6 . 1 0 . 1 ---------------------------- - M a y 0 6 , 2 0 1 5 + J u n e 1 0 , 2 0 1 5 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
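Review bot: in init.suse.sh's "Initializing" loop (hunk @@ -91,14) the test is `[ -x $STATEDIR/firewall ]` but the command executed is `$STATEDIR/$PRODUCT/firewall ${OPTIONS} stop`; STATEDIR is already `${VARLIB}/${PRODUCT}` (see setstatedir above), so the stop command targets `${VARLIB}/${PRODUCT}/${PRODUCT}/firewall`, a path that was never tested for. This predates the patch, but the line is rewritten here, so it should become `$STATEDIR/firewall` as in the "Clearing" loop. The same `${SBIN}` versus `${SBINDIR}` inconsistency noted for init.sh applies to the status check here, and dropping the `exit 6` branches in both loops is consistent with the Debian change, with the same loss of any indication that a product was skipped.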
@@ -14,24 +14,37 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) This release contains defect repair from Shorewall 4.6.8.1 and - earlier releases. +4.6.10.1 -2) The means for preventing loading of helper modules has been - clarified in the documentation. +1) Indentation is now consistent in lib.core (Tuomo Soini). -3) The SetEvent and ResetEvent actions previously set/reset the event - even if the packet did not match the other specified columns. This - has been corrected. +2) The first problem corrected in 4.6.10 below was incomplete. It is + now complete (Tuomo Soini). -4) Previously, the 'show capabilities' command was ignoring the - HELPERS setting. This resulted in unwanted modules being autoloaded - and, when the -f option was given, an incorrect capabilities file - was generated. +3) Similarly, the second fix was also incomplete and is now completed + (Tuomo Soini). + +4.6.10 -6) Previously, when 'wait' was specified for an interface, the - generated script erroneously checked for required interfaces on all - commands rather than just start, restart and restore. +1) On some distributions, Shorewall-init would fail if one of the + configured products had a problem. Now, Shorewall-init goes on to + the next product rather than stopping. + +2) Previously, when startup was disabled (STARTUP_ENABLED=No or no + compiled firewall on a -lite system), exit status 2 was + returned. Now, exit status 6 is returned. + +3) Previously, if SAVE_IPSETS=ipv4 (or ipv6) but the configuration did + not use ipsets, then a superfluous warning message was issued: + + WARNING: Invalid value (ipv4) for SAVE_IPSETS + + That warning is now suppressed. + +4) Previously, the algorithm used to normalize the probabilities + defined in the 'load' provider option was incorrect and could + result in probabilities > 1.0. When this occurred, the firewall + would fail to start. 
---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -44,36 +57,73 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) There is now a TCPMSS Target (TCPMSS_TARGET) capability. Your - iptables and kernel must support this capability in order to use - the CLAMPMSS option in shorewall.conf and the 'mss=' option in the - zones, interfaces and hosts files. This capability was added when - it was learned that Debian on ARM doesn't provide the feature. +1) Previously, the 'ctevents' and 'expevents' options could only be + specified in the conntrack file if a helper was named. That is no + longer necessary. - When using a capabilities file from at earlier release, the - compiler assumes that this capability is available, since most - distributions have traditionally provided the capability. + Example: -2) The CLI manpages now state explicitly that 'list' and 'ls' are - synonyms for 'show' and refer the reader to the description of - 'show'. + #ACTION SOURCE DESTINATION PROTO DEST ... + # PORT(S) ... + # + CT:ctevents:assured,destroy\ + all - - -3) The complete syntax of each CLI command is now repeated in the - detailed description of the command in the man pages. +2) Two new options have been added to the NFQUEUE target. -4) Tuomo Soini has contributed a QUIC macro. + - By default, if no userspace program is listening on an NFQUEUE, + then all packets that are to be queued are dropped. When the new + 'bypass' option is used, the NFQUEUE rule is silently bypassed + instead. The packet will move on to the next rule. -5) The JabberSecure macro is now deprecated. Configure Jabber to use - TLS and use the Jabber macro instead. (Tuomo Soini). + Examples: -6) The enable and disable commands now execute more quickly on slow - hardware. + NFQUEUE(bypass) + NFQUEUE(3,bypass) -7) The CLI programs now support a 'reenable' command. 
This command is - logically equivalent to a 'disable' command followed by an 'enable' - command, with the exception that no error is generated if the - specified interface or provider is disabled at the time the - command is given. + - Now, a queue range of the form n:m may be specified. Packets are + then balanced across the given queues. This is useful for + multicore systems: start multiple instances of the userspace + program on queues x, x+1, .. x+n and use "x:x+n". Packets + belonging to the same connection are put into the same nfqueue. + + Examples: + + NFQUEUE(4:6) + NFQUEUE(4:6,bypass) + + Queue ranges are also permitted in an NFQUEUE policy; the + 'bypass' option is not permitted there. + +3) The 'call' command is now documented. It provides a way to call + shell functions in the Shorewall libraries or in the generated + script. + + call <function> [ <parameter> ... ] + + <function> must name a shell function in one of the Shorewall + libraries or in the generated script. The function is first + searched for in lib.base, lib.common, lib.cli and lib.cli-std + (lib.cli-std is not searched by the '-lite' products). If the + function is found, it is called with any supplied <parameter>s. + + If the function is not found in the libraries, the call command + is passed to the generated script for processing. + +4) Several changes have been made to the processing of the 'load' + option in provider files: + + - load values are normalized to 8-digit precision and 10-byte + length. + - a warning is issued if the sum of the loads is not 1.000000. + - if the normalized probability for an interface is >= + 1.000000 then the probability match part of the generated rule is + omitted. + +5) There is now an ipv6 'findgw' skeleton file. + +6) The 'disable' and 'enable' commands now succed if the interface is + already disabled or enabled respectively. Tuomo Soini. ---------------------------------------------------------------------------- I V. 
M I G R A T I O N I S S U E S @@ -266,7 +316,7 @@ See shorewall6(8) for limitations of 'update -t'. -15) The default value LOAD_HELPERS_ONLY is now 'Yes'. +15) The default value of LOAD_HELPERS_ONLY is now 'Yes'. 16) Beginning with Shorewall 4.6.0, FORMAT-1 actions and macros are deprecated and a warning will be issued for each FORMAT-1 action 
@@ -368,6 +418,64 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 9 +---------------------------------------------------------------------------- + +1) This release contains defect repair from Shorewall 4.6.8.1 and + earlier releases. + +2) The means for preventing loading of helper modules has been + clarified in the documentation. + +3) The SetEvent and ResetEvent actions previously set/reset the event + even if the packet did not match the other specified columns. This + has been corrected. + +4) Previously, the 'show capabilities' command was ignoring the + HELPERS setting. This resulted in unwanted modules being autoloaded + and, when the -f option was given, an incorrect capabilities file + was generated. + +6) Previously, when 'wait' was specified for an interface, the + generated script erroneously checked for required interfaces on all + commands rather than just start, restart and restore. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 89 +---------------------------------------------------------------------------- + +1) There is now a TCPMSS Target (TCPMSS_TARGET) capability. Your + iptables and kernel must support this capability in order to use + the CLAMPMSS option in shorewall.conf and the 'mss=' option in the + zones, interfaces and hosts files. This capability was added when + it was learned that Debian on ARM doesn't provide the feature. + + When using a capabilities file from at earlier release, the + compiler assumes that this capability is available, since most + distributions have traditionally provided the capability. + +2) The CLI manpages now state explicitly that 'list' and 'ls' are + synonyms for 'show' and refer the reader to the description of + 'show'. 
+ +3) The complete syntax of each CLI command is now repeated in the + detailed description of the command in the man pages. + +4) Tuomo Soini has contributed a QUIC macro. + +5) The JabberSecure macro is now deprecated. Configure Jabber to use + TLS and use the Jabber macro instead. (Tuomo Soini). + +6) The enable and disable commands now execute more quickly on slow + hardware. + +7) The CLI programs now support a 'reenable' command. This command is + logically equivalent to a 'disable' command followed by an 'enable' + command, with the exception that no error is generated if the + specified interface or provider is disabled at the time the + command is given. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 8 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.9/shorewall-init new/shorewall-init-4.6.10.1/shorewall-init --- old/shorewall-init-4.6.9/shorewall-init 2015-05-05 20:28:13.000000000 +0200 +++ new/shorewall-init-4.6.10.1/shorewall-init 2015-06-09 20:02:00.000000000 +0200 
@@ -1,18 +1,19 @@ -#! /bin/bash -# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5 +#!/bin/bash +# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.6 # -# (c) 2012-2014 - Tom Eastep ([email protected]) +# (c) 2012-2014 - Tom Eastep ([email protected]) # -# On most distributions, this file should be called /etc/init.d/shorewall. +# On most distributions, this file should be called +# /etc/init.d/shorewall. # -# Complete documentation is available at http://shorewall.net +# Complete documentation is available at http://shorewall.net # -# This program is part of Shorewall. +# This program is part of Shorewall. # # This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by the -# Free Software Foundation, either version 2 of the license or, at your -# option, any later version. +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 2 of the license or, +# at your option, any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of @@ -22,7 +23,7 @@ # You should have received a copy of the GNU General Public License # along with this program; if not, see <http://www.gnu.org/licenses/>. # -######################################################################################### +############################################################################### # set the STATEDIR variable setstatedir() { local statedir @@ -33,7 +34,9 @@ [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT} if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then - ${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit 1 + ${SBINDIR}/$PRODUCT ${OPTIONS} compile -c + else + return 0 fi } 
@@ -46,7 +49,7 @@ if [ -f "$SYSCONFDIR/shorewall-init" ]; then . $SYSCONFDIR/shorewall-init if [ -z "$PRODUCTS" ]; then - echo "ERROR: No products configured" >&2 + echo "ERROR: No products configured" >&2 exit 1 fi else 
@@ -56,71 +59,66 @@ # Initialize the firewall shorewall_start () { - local PRODUCT - local STATEDIR + local PRODUCT + local STATEDIR - echo -n "Initializing \"Shorewall-based firewalls\": " - for PRODUCT in $PRODUCTS; do - setstatedir - - if [ -x ${STATEDIR}/firewall ]; then - # - # Run in a sub-shell to avoid name collisions - # - ( - if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then - ${STATEDIR}/firewall ${OPTIONS} stop || exit 1 - else - exit 1 - fi - ) - else - echo ERROR: ${STATEDIR}/firewall does not exist or is not executable! - exit 1 - fi - done - - if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then - ipset -R < "$SAVE_IPSETS" - fi + echo -n "Initializing \"Shorewall-based firewalls\": " + for PRODUCT in $PRODUCTS; do + if setstatedir; then + if [ -x ${STATEDIR}/firewall ]; then + # + # Run in a sub-shell to avoid name collisions + # + ( + if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then + ${STATEDIR}/firewall ${OPTIONS} stop + fi + ) + fi + fi + done - return 0 + if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then + ipset -R < "$SAVE_IPSETS" + fi + + return 0 } # Clear the firewall shorewall_stop () { - local PRODUCT - local STATEDIR + local PRODUCT + local STATEDIR - echo -n "Clearing \"Shorewall-based firewalls\": " - for PRODUCT in $PRODUCTS; do - setstatedir - - if [ -x ${STATEDIR}/firewall ]; then - ${STATEDIR}/firewall ${OPTIONS} clear || exit 1 - fi - done - - if [ -n "$SAVE_IPSETS" ]; then - mkdir -p $(dirname "$SAVE_IPSETS") - if ipset -S > "${SAVE_IPSETS}.tmp"; then - grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" - fi - fi + echo -n "Clearing \"Shorewall-based firewalls\": " + for PRODUCT in $PRODUCTS; do + if setstatedir; then + if [ -x ${STATEDIR}/firewall ]; then + ${STATEDIR}/firewall ${OPTIONS} clear + fi + fi + done + + if [ -n "$SAVE_IPSETS" ]; then + mkdir -p $(dirname "$SAVE_IPSETS") + if ipset -S > "${SAVE_IPSETS}.tmp"; then + grep -qE -- '^(-N|create )' 
"${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" + fi + fi - return 0 + return 0 } case "$1" in - start) - shorewall_start - ;; - stop) - shorewall_stop - ;; - *) - echo "Usage: $0 {start|stop}" - exit 1 + start) + shorewall_start + ;; + stop) + shorewall_stop + ;; + *) + echo "Usage: $0 {start|stop}" + exit 1 esac exit 0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.9/shorewall-init.service new/shorewall-init-4.6.10.1/shorewall-init.service --- old/shorewall-init-4.6.9/shorewall-init.service 2015-05-05 20:28:13.000000000 +0200 +++ new/shorewall-init-4.6.10.1/shorewall-init.service 2015-06-09 20:02:00.000000000 +0200 @@ -4,7 +4,7 @@ # Copyright 2011 Jonathan Underwood <[email protected]> # [Unit] -Description=Shorewall IPv4 firewall (bootup security) +Description=Shorewall firewall (bootup security) Before=network.target Conflicts=iptables.service ip6tables.service firewalld.service diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.9/shorewall-init.service.214 new/shorewall-init-4.6.10.1/shorewall-init.service.214 --- old/shorewall-init-4.6.9/shorewall-init.service.214 2015-05-05 20:28:13.000000000 +0200 +++ new/shorewall-init-4.6.10.1/shorewall-init.service.214 2015-06-09 20:02:00.000000000 +0200 @@ -4,7 +4,7 @@ # Copyright 2011 Jonathan Underwood <[email protected]> # [Unit] -Description=Shorewall IPv4 firewall (bootup security) +Description=Shorewall firewall (bootup security) Before=network-pre.target Wants=network-pre.target Conflicts=iptables.service firewalld.service diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.9/shorewall-init.spec new/shorewall-init-4.6.10.1/shorewall-init.spec --- old/shorewall-init-4.6.9/shorewall-init.spec 2015-05-06 18:14:16.000000000 +0200 +++ new/shorewall-init-4.6.10.1/shorewall-init.spec 2015-06-10 17:00:53.000000000 +0200 
@@ -1,6 +1,6 @@ %define name shorewall-init -%define version 4.6.9 -%define release 0base +%define version 4.6.10 +%define release 1 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} @@ -126,6 +126,16 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Tue Jun 09 2015 Tom Eastep [email protected] +- Updated to 4.6.10-1 +* Fri May 29 2015 Tom Eastep [email protected] +- Updated to 4.6.10-0base +* Mon May 25 2015 Tom Eastep [email protected] +- Updated to 4.6.10-0RC1 +* Sun May 17 2015 Tom Eastep [email protected] +- Updated to 4.6.10-0Beta2 +* Tue May 05 2015 Tom Eastep [email protected] +- Updated to 4.6.10-0Beta1 * Tue May 05 2015 Tom Eastep [email protected] - Updated to 4.6.9-0base * Tue May 05 2015 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.9/uninstall.sh new/shorewall-init-4.6.10.1/uninstall.sh --- old/shorewall-init-4.6.9/uninstall.sh 2015-05-06 18:14:16.000000000 +0200 +++ new/shorewall-init-4.6.10.1/uninstall.sh 2015-06-10 17:00:53.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.9 +VERSION=4.6.10.1 usage() # $1 = exit status { ++++++ shorewall-lite-4.6.9.tar.bz2 -> shorewall-lite-4.6.10.1.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.9/changelog.txt new/shorewall-lite-4.6.10.1/changelog.txt --- old/shorewall-lite-4.6.9/changelog.txt 2015-05-06 18:14:16.000000000 +0200 +++ new/shorewall-lite-4.6.10.1/changelog.txt 2015-06-10 17:00:53.000000000 +0200 
@@ -1,3 +1,52 @@ +Changes in 4.6.10.1 + +1) Update release documents. + +2) Use consistent indentation in lib.core + +3) Complete Shorewall-init improvements + +4) Return exit status 6 when startup is disabled + +Changes in 4.6.10 Final + +1) Update release documents. + +2) Update Module Versions + +3) Tuomo Soini's fix to enable/disable. + +Changes in 4.6.10 RC 1 + +1) Update release documents. + +2) load= enhancements + +3) Indicate success when no ipsets are saved by the script + +4) load= corrections. + +5) IPv6 findgw. + +Changes in 4.6.10 Beta 2 + +1) Update release documents. + +2) Add queue-balance and queue-bypass options to NFQUEUE. + +3) Implement 'call' in the compiled program and externalize 'call' in + the CLI. + +Changes in 4.6.10 Beta 1 + +1) Update release documents. + +2) Fix Shorewall-init bailing out when a product didn't start/stop + +3) Return exit status 6 for non-configured firewall. + +4) Don't require a helper for ctevents and expevents. + Changes in 4.6.9 Final 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.9/configure new/shorewall-lite-4.6.10.1/configure --- old/shorewall-lite-4.6.9/configure 2015-05-06 18:14:16.000000000 +0200 +++ new/shorewall-lite-4.6.10.1/configure 2015-06-10 17:00:53.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.9 +VERSION=4.6.10.1 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.9/configure.pl new/shorewall-lite-4.6.10.1/configure.pl --- old/shorewall-lite-4.6.9/configure.pl 2015-05-06 18:14:16.000000000 +0200 +++ new/shorewall-lite-4.6.10.1/configure.pl 2015-06-10 17:00:53.000000000 +0200 
@@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.9' + VERSION => '4.6.10.1' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.9/install.sh new/shorewall-lite-4.6.10.1/install.sh --- old/shorewall-lite-4.6.9/install.sh 2015-05-06 18:14:16.000000000 +0200 +++ new/shorewall-lite-4.6.10.1/install.sh 2015-06-10 17:00:53.000000000 +0200 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=4.6.9 +VERSION=4.6.10.1 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.9/manpages/shorewall-lite-vardir.5 new/shorewall-lite-4.6.10.1/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-4.6.9/manpages/shorewall-lite-vardir.5 2015-05-06 18:17:38.000000000 +0200 +++ new/shorewall-lite-4.6.10.1/manpages/shorewall-lite-vardir.5 2015-06-10 17:04:14.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 05/06/2015 +.\" Date: 06/10/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "05/06/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\-VAR" "5" "06/10/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.9/manpages/shorewall-lite.8 new/shorewall-lite-4.6.10.1/manpages/shorewall-lite.8 --- old/shorewall-lite-4.6.9/manpages/shorewall-lite.8 2015-05-06 18:17:40.000000000 +0200 +++ new/shorewall-lite-4.6.10.1/manpages/shorewall-lite.8 2015-06-10 17:04:16.000000000 +0200 @@ -2,12 +2,12 @@ .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 05/06/2015 +.\" Date: 06/10/2015 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "05/06/2015" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL\-LITE" "8" "06/10/2015" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- 
@@ -35,6 +35,8 @@ .HP \w'\fBshorewall\-lite\fR\ 'u \fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBallow\fR \fIaddress\fR .HP \w'\fBshorewall\-lite\fR\ 'u +\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBallow\fR \fIaddress\fR +.HP \w'\fBshorewall\-lite\fR\ 'u \fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBclear\fR\ [\fB\-f\fR] .HP \w'\fBshorewall\-lite\fR\ 'u \fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBclose\fR\ {\ \fIopen\-number\fR\ |\ \fIsource\fR\fIdest\fR\ [\fIprotocol\fR\ [\ \fIport\fR\ ]]}\fI\ \fR @@ -203,6 +205,17 @@ command\&. .RE .PP +\fBcall \fR\fB\fIfunction\fR\fR\fB [ \fR\fB\fIparameter\fR\fR\fB \&.\&.\&. ]\fR +.RS 4 +Added in Shorewall 4\&.6\&.10\&. Allows you to call a function in one of the Shorewall libraries or in your compiled script\&. function must name the shell function to be called\&. The listed parameters are passed to the function\&. +.sp +The function is first searched for in +lib\&.base, +lib\&.common +and +lib\&.cli\&. If it is not found, the call command is passed to the generated script to be executed\&. +.RE +.PP \fBclear \fR[\-\fBf\fR] .RS 4 Clear will remove all rules and chains installed by Shorewall\-lite\&. The firewall is then wide open and unprotected\&. Existing connections are untouched\&. Clear is often used to see if the firewall is causing connection problems\&. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.9/manpages/shorewall-lite.conf.5 new/shorewall-lite-4.6.10.1/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-4.6.9/manpages/shorewall-lite.conf.5 2015-05-06 18:17:37.000000000 +0200 +++ new/shorewall-lite-4.6.10.1/manpages/shorewall-lite.conf.5 2015-06-10 17:04:13.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 05/06/2015 +.\" Date: 06/10/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "05/06/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\&.CO" "5" "06/10/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.9/manpages/shorewall-lite.xml new/shorewall-lite-4.6.10.1/manpages/shorewall-lite.xml --- old/shorewall-lite-4.6.9/manpages/shorewall-lite.xml 2015-05-06 18:17:40.000000000 +0200 +++ new/shorewall-lite-4.6.10.1/manpages/shorewall-lite.xml 2015-06-10 17:04:16.000000000 +0200 @@ -55,6 +55,19 @@ <arg>-<replaceable>options</replaceable></arg> + <arg choice="plain"><option>allow</option></arg> + + <arg choice="plain"><replaceable>address</replaceable></arg> + </cmdsynopsis> + + <cmdsynopsis> + <command>shorewall-lite</command> + + <arg + choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> + + <arg>-<replaceable>options</replaceable></arg> + <arg choice="plain"><option>clear</option><arg><option>-f</option></arg></arg> </cmdsynopsis> 
@@ -665,6 +678,23 @@ </listitem> </varlistentry> + <varlistentry> + <term><emphasis role="bold">call <replaceable>function</replaceable> [ + <replaceable>parameter</replaceable> ... ]</emphasis></term> + + <listitem> + <para>Added in Shorewall 4.6.10. Allows you to call a function in + one of the Shorewall libraries or in your compiled script. function + must name the shell function to be called. The listed parameters are + passed to the function.</para> + + <para>The function is first searched for in + <filename>lib.base</filename>, <filename>lib.common</filename> and + <filename>lib.cli</filename>. If it is not found, the call command + is passed to the generated script to be executed.</para> + </listitem> + </varlistentry> + <varlistentry> <term><emphasis role="bold">clear </emphasis>[-<option>f</option>]</term> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.9/releasenotes.txt new/shorewall-lite-4.6.10.1/releasenotes.txt --- old/shorewall-lite-4.6.9/releasenotes.txt 2015-05-06 18:14:16.000000000 +0200 +++ new/shorewall-lite-4.6.10.1/releasenotes.txt 2015-06-10 17:00:53.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 9 + S H O R E W A L L 4 . 6 . 1 0 . 1 ---------------------------- - M a y 0 6 , 2 0 1 5 + J u n e 1 0 , 2 0 1 5 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,24 +14,37 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) This release contains defect repair from Shorewall 4.6.8.1 and - earlier releases. +4.6.10.1 -2) The means for preventing loading of helper modules has been - clarified in the documentation. +1) Indentation is now consistent in lib.core (Tuomo Soini). -3) The SetEvent and ResetEvent actions previously set/reset the event - even if the packet did not match the other specified columns. This - has been corrected. +2) The first problem corrected in 4.6.10 below was incomplete. It is + now complete (Tuomo Soini). -4) Previously, the 'show capabilities' command was ignoring the - HELPERS setting. This resulted in unwanted modules being autoloaded - and, when the -f option was given, an incorrect capabilities file - was generated. +3) Similarly, the second fix was also incomplete and is now completed + (Tuomo Soini). + +4.6.10 -6) Previously, when 'wait' was specified for an interface, the - generated script erroneously checked for required interfaces on all - commands rather than just start, restart and restore. +1) On some distributions, Shorewall-init would fail if one of the + configured products had a problem. Now, Shorewall-init goes on to + the next product rather than stopping. + +2) Previously, when startup was disabled (STARTUP_ENABLED=No or no + compiled firewall on a -lite system), exit status 2 was + returned. Now, exit status 6 is returned. + +3) Previously, if SAVE_IPSETS=ipv4 (or ipv6) but the configuration did + not use ipsets, then a superfluous warning message was issued: + + WARNING: Invalid value (ipv4) for SAVE_IPSETS + + That warning is now suppressed. + +4) Previously, the algorithm used to normalize the probabilities + defined in the 'load' provider option was incorrect and could + result in probabilities > 1.0. When this occurred, the firewall + would fail to start. 
---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -44,36 +57,73 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) There is now a TCPMSS Target (TCPMSS_TARGET) capability. Your - iptables and kernel must support this capability in order to use - the CLAMPMSS option in shorewall.conf and the 'mss=' option in the - zones, interfaces and hosts files. This capability was added when - it was learned that Debian on ARM doesn't provide the feature. +1) Previously, the 'ctevents' and 'expevents' options could only be + specified in the conntrack file if a helper was named. That is no + longer necessary. - When using a capabilities file from at earlier release, the - compiler assumes that this capability is available, since most - distributions have traditionally provided the capability. + Example: -2) The CLI manpages now state explicitly that 'list' and 'ls' are - synonyms for 'show' and refer the reader to the description of - 'show'. + #ACTION SOURCE DESTINATION PROTO DEST ... + # PORT(S) ... + # + CT:ctevents:assured,destroy\ + all - - -3) The complete syntax of each CLI command is now repeated in the - detailed description of the command in the man pages. +2) Two new options have been added to the NFQUEUE target. -4) Tuomo Soini has contributed a QUIC macro. + - By default, if no userspace program is listening on an NFQUEUE, + then all packets that are to be queued are dropped. When the new + 'bypass' option is used, the NFQUEUE rule is silently bypassed + instead. The packet will move on to the next rule. -5) The JabberSecure macro is now deprecated. Configure Jabber to use - TLS and use the Jabber macro instead. (Tuomo Soini). + Examples: -6) The enable and disable commands now execute more quickly on slow - hardware. + NFQUEUE(bypass) + NFQUEUE(3,bypass) -7) The CLI programs now support a 'reenable' command. 
This command is - logically equivalent to a 'disable' command followed by an 'enable' - command, with the exception that no error is generated if the - specified interface or provider is disabled at the time the - command is given. + - Now, a queue range of the form n:m may be specified. Packets are + then balanced across the given queues. This is useful for + multicore systems: start multiple instances of the userspace + program on queues x, x+1, .. x+n and use "x:x+n". Packets + belonging to the same connection are put into the same nfqueue. + + Examples: + + NFQUEUE(4:6) + NFQUEUE(4:6,bypass) + + Queue ranges are also permitted in an NFQUEUE policy; the + 'bypass' option is not permitted there. + +3) The 'call' command is now documented. It provides a way to call + shell functions in the Shorewall libraries or in the generated + script. + + call <function> [ <parameter> ... ] + + <function> must name a shell function in one of the Shorewall + libraries or in the generated script. The function is first + searched for in lib.base, lib.common, lib.cli and lib.cli-std + (lib.cli-std is not searched by the '-lite' products). If the + function is found, it is called with any supplied <parameter>s. + + If the function is not found in the libraries, the call command + is passed to the generated script for processing. + +4) Several changes have been made to the processing of the 'load' + option in provider files: + + - load values are normalized to 8-digit precision and 10-byte + length. + - a warning is issued if the sum of the loads is not 1.000000. + - if the normalized probability for an interface is >= + 1.000000 then the probability match part of the generated rule is + omitted. + +5) There is now an ipv6 'findgw' skeleton file. + +6) The 'disable' and 'enable' commands now succed if the interface is + already disabled or enabled respectively. Tuomo Soini. ---------------------------------------------------------------------------- I V. 
M I G R A T I O N I S S U E S @@ -266,7 +316,7 @@ See shorewall6(8) for limitations of 'update -t'. -15) The default value LOAD_HELPERS_ONLY is now 'Yes'. +15) The default value of LOAD_HELPERS_ONLY is now 'Yes'. 16) Beginning with Shorewall 4.6.0, FORMAT-1 actions and macros are deprecated and a warning will be issued for each FORMAT-1 action 
@@ -368,6 +418,64 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 9 +---------------------------------------------------------------------------- + +1) This release contains defect repair from Shorewall 4.6.8.1 and + earlier releases. + +2) The means for preventing loading of helper modules has been + clarified in the documentation. + +3) The SetEvent and ResetEvent actions previously set/reset the event + even if the packet did not match the other specified columns. This + has been corrected. + +4) Previously, the 'show capabilities' command was ignoring the + HELPERS setting. This resulted in unwanted modules being autoloaded + and, when the -f option was given, an incorrect capabilities file + was generated. + +6) Previously, when 'wait' was specified for an interface, the + generated script erroneously checked for required interfaces on all + commands rather than just start, restart and restore. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 89 +---------------------------------------------------------------------------- + +1) There is now a TCPMSS Target (TCPMSS_TARGET) capability. Your + iptables and kernel must support this capability in order to use + the CLAMPMSS option in shorewall.conf and the 'mss=' option in the + zones, interfaces and hosts files. This capability was added when + it was learned that Debian on ARM doesn't provide the feature. + + When using a capabilities file from at earlier release, the + compiler assumes that this capability is available, since most + distributions have traditionally provided the capability. + +2) The CLI manpages now state explicitly that 'list' and 'ls' are + synonyms for 'show' and refer the reader to the description of + 'show'. 
+ +3) The complete syntax of each CLI command is now repeated in the + detailed description of the command in the man pages. + +4) Tuomo Soini has contributed a QUIC macro. + +5) The JabberSecure macro is now deprecated. Configure Jabber to use + TLS and use the Jabber macro instead. (Tuomo Soini). + +6) The enable and disable commands now execute more quickly on slow + hardware. + +7) The CLI programs now support a 'reenable' command. This command is + logically equivalent to a 'disable' command followed by an 'enable' + command, with the exception that no error is generated if the + specified interface or provider is disabled at the time the + command is given. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 8 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.9/shorewall-lite.spec new/shorewall-lite-4.6.10.1/shorewall-lite.spec --- old/shorewall-lite-4.6.9/shorewall-lite.spec 2015-05-06 18:14:16.000000000 +0200 +++ new/shorewall-lite-4.6.10.1/shorewall-lite.spec 2015-06-10 17:00:53.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-lite -%define version 4.6.9 -%define release 0base +%define version 4.6.10 +%define release 1 %define initdir /etc/init.d Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. 
@@ -106,6 +106,16 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Tue Jun 09 2015 Tom Eastep [email protected] +- Updated to 4.6.10-1 +* Fri May 29 2015 Tom Eastep [email protected] +- Updated to 4.6.10-0base +* Mon May 25 2015 Tom Eastep [email protected] +- Updated to 4.6.10-0RC1 +* Sun May 17 2015 Tom Eastep [email protected] +- Updated to 4.6.10-0Beta2 +* Tue May 05 2015 Tom Eastep [email protected] +- Updated to 4.6.10-0Beta1 * Tue May 05 2015 Tom Eastep [email protected] - Updated to 4.6.9-0base * Tue May 05 2015 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.9/uninstall.sh new/shorewall-lite-4.6.10.1/uninstall.sh --- old/shorewall-lite-4.6.9/uninstall.sh 2015-05-06 18:14:16.000000000 +0200 +++ new/shorewall-lite-4.6.10.1/uninstall.sh 2015-06-10 17:00:53.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.9 +VERSION=4.6.10.1 PRODUCT=shorewall-lite usage() # $1 = exit status ++++++ shorewall-4.6.9.tar.bz2 -> shorewall6-4.6.10.1.tar.bz2 ++++++ ++++ 128808 lines of diff (skipped) ++++++ shorewall-lite-4.6.9.tar.bz2 -> shorewall6-lite-4.6.10.1.tar.bz2 ++++++ ++++ 9041 lines of diff (skipped)
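Review bot: In shorewall-init, hunk @@ -1,18 +1,19 @@ bumps the header to "V4.6" and reflows the license text, but the copyright line is left at "(c) 2012-2014" although this diff dates the file 2015-06-09; update the year range while the header is being touched anyway.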
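Review bot: In shorewall-init, hunk @@ -33,7 +34,9 @@ of setstatedir(), dropping "|| exit 1" from "${SBINDIR}/$PRODUCT ${OPTIONS} compile -c" leaves the function's status for shorewall/shorewall6 as the implicit status of the compile, while every other product gets an explicit "return 0"; the callers now depend on that status ("if setstatedir; then"), so a failed compile skips the product at boot with nothing in the log. Make the status explicit and visible, e.g. "${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || { echo "ERROR: $PRODUCT compile failed" >&2; return 1; }", so an operator can see from the boot messages that a firewall was not initialized.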
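Review bot: In shorewall-init, hunk @@ -56,71 +59,66 @@, shorewall_start() no longer reports a missing or non-executable ${STATEDIR}/firewall: the old "echo ERROR: ${STATEDIR}/firewall does not exist or is not executable!" was removed together with the "exit 1", the new "if [ -x ${STATEDIR}/firewall ]" has no else branch, and the final "return 0" is reached however many products failed. Going on to the next product matches the changelog entry "Fix Shorewall-init bailing out when a product didn't start/stop", but the diagnostic should survive: keep the error echo (to stderr) in an else branch and drop only the exit. Two smaller points in the same hunk: "mkdir -p $(dirname "$SAVE_IPSETS")" should quote the command substitution, and when "grep -qE -- '^(-N|create )'" finds no sets in the dump, "${SAVE_IPSETS}.tmp" is left behind; an "|| rm -f "${SAVE_IPSETS}.tmp"" after the grep would clean it up.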
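Review bot: In shorewall-lite/manpages/shorewall-lite.xml, hunk @@ -55,6 +55,19 @@ adds a second <cmdsynopsis> for "allow address" that is identical to the one immediately preceding it, and the generated shorewall-lite.8 (hunk @@ -35,6 +35,8 @@) accordingly lists the "allow" synopsis twice. The only command this release adds to the page is "call" (hunk @@ -665,6 +678,23 @@ in the XML, @@ -203,6 +205,17 @@ in the man page), so the new synopsis was most likely meant to read "call function [ parameter ... ]"; fix the XML and regenerate the .8 file rather than editing the generated page.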
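Review bot: In both copies of releasenotes.txt (shorewall-core and shorewall-lite), hunk @@ -368,6 +418,64 @@ has a typo in the new section heading "N E W F E A T U R E S I N 4 . 6 . 89", which should read 4 . 6 . 9 (it reproduces the feature list removed from section III by the @@ -44,36 +57,73 @@ hunk of the same file), and the "P R O B L E M S C O R R E C T E D I N 4 . 6 . 9" list below it numbers its items 1, 2, 3, 4, 6 with no item 5.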
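Review bot: In both copies of releasenotes.txt, hunk @@ -44,36 +57,73 @@, item 6 reads "now succed" for "now succeed", and the contributor credit "Tuomo Soini." should be parenthesized like the other entries in the file ("(Tuomo Soini)").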
