Hello community, here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2017-06-18 13:50:54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shorewall (Old) and /work/SRC/openSUSE:Factory/.shorewall.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall" Sun Jun 18 13:50:54 2017 rev:96 rq:504332 version:5.1.4.2 Changes: --------
--- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2017-03-28 15:24:25.434857281 +0200
+++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes 2017-06-18 13:51:10.664171333 +0200
@@ -1,0 +2,25 @@
+Wed Jun 14 09:06:19 UTC 2017 - [email protected]
+
+- Bugfix and enhancement release 5.1.4.2
+ complete changelog is available
+ http://shorewall.net/pub/shorewall/5.1/shorewall-5.1.4/releasenotes.txt
+- Main changes
+ All IPv6 standard actions have been deleted and their logic
+ has been added to their IPv4 counterparts who can now handle
+ both address families.
+
+ Previously, ?error and ?require messages as well as verbose ?info
+ and ?warning messages (those that report the file and line numbers)
+ generated from an action file would report the action file name and
+ line number rather than the file and line number where the action
+ was invoked. The file and line number where the action was invoked
+ were listed second. Beginning with this release, the invoking file
+ and line number are listed first and the action file and line number
+ are not reported. This allows for creation of clearer messages.
+
+ IPv6 UPnP support (including MINIUPNPD) is now available.
+
+ A PERL_HASH_SEED option has been added to allow the Perl hash seed
+ to be specified. See shorewall.conf(5) and perlsec(1) for details.
+
+-------------------------------------------------------------------
Old: ---- shorewall-5.1.3.2.tar.bz2 shorewall-core-5.1.3.2.tar.bz2 shorewall-docs-html-5.1.3.2.tar.bz2 shorewall-init-5.1.3.2.tar.bz2 shorewall-lite-5.1.3.2.tar.bz2 shorewall6-5.1.3.2.tar.bz2 shorewall6-lite-5.1.3.2.tar.bz2 New: ---- shorewall-5.1.4.2.tar.bz2 shorewall-core-5.1.4.2.tar.bz2 shorewall-docs-html-5.1.4.2.tar.bz2 shorewall-init-5.1.4.2.tar.bz2 shorewall-lite-5.1.4.2.tar.bz2 shorewall6-5.1.4.2.tar.bz2 shorewall6-lite-5.1.4.2.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++
--- /var/tmp/diff_new_pack.eQzSCw/_old 2017-06-18 13:51:13.383788620 +0200
+++ /var/tmp/diff_new_pack.eQzSCw/_new 2017-06-18 13:51:13.387788056 +0200
@@ -19,9 +19,9 @@
 #
 %define have_systemd 1
 %define dmaj 5.1
-%define dmin 5.1.3
+%define dmin 5.1.4
 Name: shorewall
-Version: 5.1.3.2
+Version: 5.1.4.2
 Release: 0
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems
 License: GPL-2.0
++++++ shorewall-5.1.3.2.tar.bz2 -> shorewall-5.1.4.2.tar.bz2 ++++++ ++++ 4440 lines of diff (skipped) ++++++ shorewall-core-5.1.3.2.tar.bz2 -> shorewall-core-5.1.4.2.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.3.2/changelog.txt new/shorewall-core-5.1.4.2/changelog.txt
--- old/shorewall-core-5.1.3.2/changelog.txt 2017-03-24 19:49:23.000000000 +0100
+++ new/shorewall-core-5.1.4.2/changelog.txt 2017-06-12 16:53:04.000000000 +0200
@@ -1,10 +1,61 @@ -Changes in 5.1.3.1 +Changes in 5.1.4.2 + +1) Update release documents. + +2) Correct many broken links in the manpages. + +3) Correct NFQUEUE without the 'c' option. + +Changes in 5.1.4.1 + +1) Update release documents. + +2) Update shorewall-rules(5). + +3) Expand LOGFORMAT documentation. + +4) Restore the BLACKLIST action in Shorewall6. + +Changes in 5.1.4 Final 1) Update release documents. -2) Set $parmsmodified on ?reset +2) Clean up introduction to shorewall-rules(5). + +3) Clarify LOGFORMAT in shorewall[6].conf(5) and + shorewall[6]-zones(5). + +4) Add BLACKLIST to the IPv6 actions.std file. + +Changes in 5.1.4 RC 1 + +1) Update release documents. + +2) Add PERL_HASH_SEED option. + +Changes in 5.1.4 Beta 2 + +1) Update release documents. + +2) Correct validation of string interface options. + +3) Correct handling of IPv6 tunnel-src and tunnel-dst. + +4) Documentation cleanup. + +Changes in 5.1.4 Beta 1 + +1) Update release documents. + +2) Unify Actions + +3) Report invocation site when generating ?info and ?warning messages + +4) Add IPv6 UPnP support. + +5) ?reset of action variable now sets $parmsmodified. -3) Clean up column/value pair editing. +6) Clean up column/value pair editing. Changes in 5.1.3.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.3.2/configure new/shorewall-core-5.1.4.2/configure --- old/shorewall-core-5.1.3.2/configure 2017-03-24 19:49:23.000000000 +0100 +++ new/shorewall-core-5.1.4.2/configure 2017-06-12 16:53:03.000000000 +0200 
@@ -28,7 +28,7 @@
 #
 # Build updates this
 #
-VERSION=5.1.3.2
+VERSION=5.1.4.2
 case "$BASH_VERSION" in
 [4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.3.2/configure.pl new/shorewall-core-5.1.4.2/configure.pl
--- old/shorewall-core-5.1.3.2/configure.pl 2017-03-24 19:49:23.000000000 +0100
+++ new/shorewall-core-5.1.4.2/configure.pl 2017-06-12 16:53:03.000000000 +0200
@@ -31,7 +31,7 @@
 # Build updates this
 #
 use constant {
- VERSION => '5.1.3.2'
+ VERSION => '5.1.4.2'
 };
 my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.3.2/install.sh new/shorewall-core-5.1.4.2/install.sh
--- old/shorewall-core-5.1.3.2/install.sh 2017-03-24 19:49:23.000000000 +0100
+++ new/shorewall-core-5.1.4.2/install.sh 2017-06-12 16:53:03.000000000 +0200
@@ -22,7 +22,7 @@
 # along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-VERSION=5.1.3.2
+VERSION=5.1.4.2
 PRODUCT=shorewall-core
 Product="Shorewall Core"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.3.2/known_problems.txt new/shorewall-core-5.1.4.2/known_problems.txt
--- old/shorewall-core-5.1.3.2/known_problems.txt 2017-03-24 19:49:23.000000000 +0100
+++ new/shorewall-core-5.1.4.2/known_problems.txt 2017-06-12 16:53:04.000000000 +0200
@@ -5,41 +5,17 @@ correctly in configurations with USE_DEFAULT_RT=No and optional providers listed in the DUPLICATE column. -3) There is a typo in the BLACKLIST_DEFAULT settings in the IPv6 - sample config files. +3) The BLACKLIST action was inadvertently omitted from Shorewall6 in + Shorewall 5.1.1. - The settings end with: + Corrected in Shorewall 5.1.4.1. - "...dropInvalid:$LOG_LEVEL:DropDNSrep:$LOG_LEVEL" +4) Support for the NFQUEUE '--queue-cpu-fanout' option, introduced in + Shorewall 5.1.0, contained a defect which can result in the + following compile-time error: - when they should end with: + Use of uninitialized value $fanout in concatenation (.) or string + at /usr/share/shorewall/Shorewall/Rules.pm line 643, + <$currentfile> line 2. - "...dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" - - Workaround: Edit /etc/shorewall6/shorewall6.conf and - make the correction. - - Corrected in Shorewall 5.1.3.1. - -4) The two-interface sample snat file contains a typo; 192.16.0.0/16 - was inadvertently entered as 92.16.0.0/16. - - Corrected in Shorewall 5.1.3.1. - -5) In the policy file, all+ is incorrectly processed the same as all. - - Corrected in Shorewall 5.1.3.1. - -6) If a Shorewall Variable ( e.g., @chain ) is the target - of a conditional ?RESET directive (one that was enclosed in ?if... - ?else...?endif logic), the compiler can incorrectly use an - existing chain created from the action rather than creating a new - (and different) chain. - - Corrected in Shorewall 5.1.3.2. - -7) If alternate input format specifies a column that has - already been specified, the contents of that column are silently - overwritten. - - Corrected in Shorewall 5.1.3.2. + Corrected in Shorewall 5.1.4.2. 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.3.2/manpages/shorewall.8 new/shorewall-core-5.1.4.2/manpages/shorewall.8
--- old/shorewall-core-5.1.3.2/manpages/shorewall.8 2017-03-24 19:51:09.000000000 +0100
+++ new/shorewall-core-5.1.4.2/manpages/shorewall.8 2017-06-12 16:54:34.000000000 +0200
@@ -2,12 +2,12 @@
 .\" Title: shorewall
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 03/24/2017
+.\" Date: 06/12/2017
 .\" Manual: Administrative Commands
 .\" Source: Administrative Commands
 .\" Language: English
 .\"
-.TH "SHOREWALL" "8" "03/24/2017" "Administrative Commands" "Administrative Commands"
+.TH "SHOREWALL" "8" "06/12/2017" "Administrative Commands" "Administrative Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.3.2/releasenotes.txt new/shorewall-core-5.1.4.2/releasenotes.txt
--- old/shorewall-core-5.1.3.2/releasenotes.txt 2017-03-24 19:49:23.000000000 +0100
+++ new/shorewall-core-5.1.4.2/releasenotes.txt 2017-06-12 16:53:04.000000000 +0200
@@ -1,7 +1,7 @@
 ----------------------------------------------------------------------------
- S H O R E W A L L 5 . 1 . 3 . 2
- -----------------------------
- M a r c h 2 5 , 2 0 1 7
+ S H O R E W A L L 5 . 1 . 4 . 2
+ ------------------------------
+ J u n e 1 2 , 2 0 1 7
 ----------------------------------------------------------------------------
 I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,45 +14,70 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -5.1.3.2 +5.1.4.2 -1) Previously, if a Shorewall Variable ( e.g., @chain ) was the target +1) Many broken links in the manpages have been corrected. + +2) Support for the NFQUEUE '--queue-cpu-fanout' option, introduced in + Shorewall 5.1.0, contained a defect which could result in the + following compile-time error: + + Use of uninitialized value $fanout in concatenation (.) or string + at /usr/share/shorewall/Shorewall/Rules.pm line 643, + <$currentfile> line 2. + + That has been corrected. + +5.1.4.1 + +1) The introductory material in shorewall-rules(5) has been cleaned + up. + +2) The information about LOGFORMAT in shorewall[6].conf(5) and + shorewall[6]-zones(5) has been expanded. + + In Shorewall 5.1.0, the setting of LOGFORMAT in the default and + sample .conf files was changed to "%s:%s " to enable 10-character + zone names (up from 5 characters using the default + "Shorewall:%s:%s:" setting). As part of this change, if a + shorewall.conf file which did not set LOGFORMAT is updated using + "shorewall update", LOGFORMAT is set to "Shorewall:%s:%s:" to + preserve the existing behavior. + + This can have an effect on new installations, however in that + scipts or log analyzers can no longer be configured to simply look + for "Shorewall:" in log messages unless the setting of LOGFORMAT is + changed. The manpages (and the Migration Considerations below) have + been updated to describe how to locate these messages using the new + "%s:%s " setting. + +3) The BLACKLIST action was inadvertently omitted from Shorewall6 in + Shorewall 5.1.1. That has been corrected. + +5.1.4 + +1) This release contains defect repair through Shorewall 5.1.3.1. + +2) Previously, if a Shorewall Variable ( e.g., @chain ) was the target of a conditional ?RESET directive (one that was enclosed in ?if... 
?else...?endif logic), the compiler could incorrectly use an existing chain created from the action rather than creating a new (and different) chain. That has been corrected. -2) Previously, if alternate input format specified a column that had +3) Previously, if alternate input format specified a column that had already been specified, the contents of that column were silently overwritten. Now, a warning message is issued stating that the prior value has been replaced by the newer value. - - -5.1.3.1 - -1) There was a typo in the BLACKLIST_DEFAULT settings in the 5.1.3 - sample config files, which resulted in a compilation error. - That typo has been corrected. - -2) There was also a typo in the two-interface IPv4 sample snat file; - 192.168.0.0/16 was inadvertently entered as 92.168.0.0/16. That has - been corrected. - -3) Previously, when processing the policy file, 'all+' was incorrectly - treated the same as 'all'. That has been corrected so that 'all+' - causes intra-zone traffic to be included in the policy. - -5.1.3 - -1) This release includes defect repair for releases through 5.1.2.4. -2) The documentation for 'reload' has been corrected: +4) Previously, a string-valued interface option, such as + 'physical', could be given an empty value (e.g., "physical=,"), and + the compiler would fail to flag it. Now, this usage raises an + error. - - A command synopsis has been added in shorewall(8). - - The command synopsis in the 'help' output has been corrected. +5) Previously, the 'tunnel-src' and 'tunnel-dst' zone options would + generate an error under Shorewall6. That has been corrected. -3) The CONFIG_PATH setting has been corrected in the IPv6 Universal - sample configuration. +6) A number of small documentation corrections have been made. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -77,51 +102,44 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The tarball installers and uninstallers have been unified and - now use a common library that is included in each tarball (Matt - Darfuille). +1) All IPv6 standard actions have been deleted and their logic + has been added to their IPv4 counterparts who can now handle + both address families. -2) The installers now print a diagnostic if the relevant shorewallrc - file cannot be loaded (Matt Darfuille). +2) Previously, ?error and ?require messages as well as verbose ?info + and ?warning messages (those that report the file and line numbers) + generated from an action file would report the action file name and + line number rather than the file and line number where the action + was invoked. The file and line number where the action was invoked + were listed second. Beginning with this release, the invoking file + and line number are listed first and the action file and line number + are not reported. This allows for creation of clearer messages. -3) The /etc/default/... files installed on Debian are now dependent on - whether systemd is used or not (Matt Darfuille). + Example: -4) In Perl 5.8.1 and again in 5.18.0, the Perl developers altered the - behavior of the hash function used in the implementation of - hashes. The hash key is now chosen randomly as a defense against - DOS attacks targeting Perl programs. Such attacks supply input data - that causes a single hash bucket to be used. While those changes - improved security, they cause non-deterministic program behavior - when the 'keys', 'values' and 'each' functions are used. 
+ Previously, when an invalid value was passed for the 'bricks' + parameter to the GlusterFS action on line 45 of the rules file, a + message such as the following was issued (folded to 76 columns): - Prior to this release, Shorewall sorted the lists produced by those - functions to ensure that consecutive compilations of the same - configuration produced the same ruleset. In this release, - compilation speed has been improved by removing the sort calls and - by instructing Perl to use a constant hash key. + ERROR: Invalid value for Bricks (2000) + /usr/share/shorewall/action.GlusterFS (line 15) + from /etc/shorewall/rules (line 45) - Note: The ruleset produced by this release will be equivalent - to that produced by 5.1.2, but will likely be different. + Note that the message seems to imply that the error is in + action.GlusterFS rather than in the rules file. -5) All builtin actions have been replaced with standard actions. In - some cases. the standard action produces different but equivalent - rules when compared to those produced by the corresponding builtin - action. + Beginning with this release, the message will be: -6) The PROTO columns may now specify tcp:!syn (6:!syn) which matches - TCP packets with the SYN flag reset or one or more of ACK, RST or - FIN set. The dropNotSyn and rejNotSyn actions have been modified to - use this feature. + ERROR: Invalid value (2000) for the GlusterFS Bricks argument + /etc/shorewall/rules (line 45) -7) During 'update', the settings of all _LEVEL and _DEFAULT options - are now enclosed in quotes. This is done because these settings - often contain parentheses and the .conf files are process by - the shell. The sample configurations also have these settings - enclosed in quotes. + Note: This change only affects actions, including inline actions. + Macros will continue to report the old way. - Update will continue to also enclose in quotes any settings that - contains characters other than alphanumeric, '/', and '.'. 
+3) IPv6 UPnP support (including MINIUPNPD) is now available. + +4) A PERL_HASH_SEED option has been added to allow the Perl hash seed + to be specified. See shorewall.conf(5) and perlsec(1) for details. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -246,6 +264,86 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 1 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 1 . 3 +---------------------------------------------------------------------------- + +5.1.3.1 + +1) There was a typo in the BLACKLIST_DEFAULT settings in the 5.1.3 + sample config files, which resulted in a compilation error. + That typo has been corrected. + +2) There was also a typo in the two-interface IPv4 sample snat file; + 192.168.0.0/16 was inadvertently entered as 92.168.0.0/16. That has + been corrected. + +3) Previously, when processing the policy file, 'all+' was incorrectly + treated the same as 'all'. That has been corrected so that 'all+' + causes intra-zone traffic to be included in the policy. + +5.1.3 + +1) This release includes defect repair for releases through 5.1.2.4. + +2) The documentation for 'reload' has been corrected: + + - A command synopsis has been added in shorewall(8). + - The command synopsis in the 'help' output has been corrected. + +3) The CONFIG_PATH setting has been corrected in the IPv6 Universal + sample configuration. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 1 . 2 +---------------------------------------------------------------------------- + +1) The tarball installers and uninstallers have been unified and + now use a common library that is included in each tarball (Matt + Darfuille). + +2) The installers now print a diagnostic if the relevant shorewallrc + file cannot be loaded (Matt Darfuille). + +3) The /etc/default/... files installed on Debian are now dependent on + whether systemd is used or not (Matt Darfuille). + +4) In Perl 5.8.1 and again in 5.18.0, the Perl developers altered the + behavior of the hash function used in the implementation of + hashes. 
The hash key is now chosen randomly as a defense against + DOS attacks targeting Perl programs. Such attacks supply input data + that causes a single hash bucket to be used. While those changes + improved security, they cause non-deterministic program behavior + when the 'keys', 'values' and 'each' functions are used. + + Prior to this release, Shorewall sorted the lists produced by those + functions to ensure that consecutive compilations of the same + configuration produced the same ruleset. In this release, + compilation speed has been improved by removing the sort calls and + by instructing Perl to use a constant hash key. + + Note: The ruleset produced by this release will be equivalent + to that produced by 5.1.2, but will likely be different. + +5) All builtin actions have been replaced with standard actions. In + some cases. the standard action produces different but equivalent + rules when compared to those produced by the corresponding builtin + action. + +6) The PROTO columns may now specify tcp:!syn (6:!syn) which matches + TCP packets with the SYN flag reset or one or more of ACK, RST or + FIN set. The dropNotSyn and rejNotSyn actions have been modified to + use this feature. + +7) During 'update', the settings of all _LEVEL and _DEFAULT options + are now enclosed in quotes. This is done because these settings + often contain parentheses and the .conf files are process by + the shell. The sample configurations also have these settings + enclosed in quotes. + + Update will continue to also enclose in quotes any settings that + contains characters other than alphanumeric, '/', and '.'. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 1 . 2 ---------------------------------------------------------------------------- 1) Previously, when the 5.1 CLI program was run with no command given, 
@@ -517,9 +615,32 @@ 2) Several settings in the default/sample .conf files have been modified: - a) The LOGFORMAT setting has been changed from "Shorewall:%s:%s:" - to "%s %s " to enable longer zone names. + a) In Shorewall 5.1.0, the setting of LOGFORMAT in the default and + sample .conf files was changed to "%s:%s " to enable + 10-character zone names (up from 5 characters using the default + "Shorewall:%s:%s:" setting). As part of this change, if a + shorewall.conf file which did not set LOGFORMAT is updated using + "shorewall update", LOGFORMAT is set to "Shorewall:%s:%s:" to + preserve the existing behavior. + + This can have an effect on new installations, however in that + scipts or log analyzers can no longer be configured to simply look + for "Shorewall:" in log messages unless the setting of LOGFORMAT is + changed. If you use the new "%s:%s " setting then + Shorewall-generated Netfilter messages may be matched using + this regular expression: + + 'IN=.* OUT=.* SRC=.*\..* DST=' + + Shorewall6-generated Netfilter messages may be matched using: + + 'IN=.* OUT=.* SRC=.*:.* DST=' + + And all Netfilter messages (IPv4 and IPv6) are matched using: + + 'IN=.* OUT=.* SRC=.* DST=' + Shorewall6-generated Netfilter messages may be idd b) The LOGLIMIT setting has been changed from empty to "s:1/sec:10", to enable log trottling by default. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.3.2/shorewall-core.spec new/shorewall-core-5.1.4.2/shorewall-core.spec --- old/shorewall-core-5.1.3.2/shorewall-core.spec 2017-03-24 19:49:23.000000000 +0100 +++ new/shorewall-core-5.1.4.2/shorewall-core.spec 2017-06-12 16:53:04.000000000 +0200 @@ -1,5 +1,5 @@ %define name shorewall-core -%define version 5.1.3 +%define version 5.1.4 %define release 2 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. 
@@ -69,10 +69,18 @@
 %doc COPYING INSTALL changelog.txt releasenotes.txt
 %changelog
-* Wed Mar 22 2017 Tom Eastep [email protected]
-- Updated to 5.1.3-2
-* Wed Mar 15 2017 Tom Eastep [email protected]
-- Updated to 5.1.3-1
+* Mon Jun 12 2017 Tom Eastep [email protected]
+- Updated to 5.1.4-2
+* Fri May 19 2017 Tom Eastep [email protected]
+- Updated to 5.1.4-1
+* Fri May 05 2017 Tom Eastep [email protected]
+- Updated to 5.1.4-0base
+* Mon Apr 24 2017 Tom Eastep [email protected]
+- Updated to 5.1.4-0RC1
+* Fri Mar 24 2017 Tom Eastep [email protected]
+- Updated to 5.1.4-0Beta2
+* Mon Mar 13 2017 Tom Eastep [email protected]
+- Updated to 5.1.4-0Beta1
 * Mon Mar 13 2017 Tom Eastep [email protected]
 - Updated to 5.1.3-0base
 * Sun Mar 12 2017 Tom Eastep [email protected]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.1.3.2/uninstall.sh new/shorewall-core-5.1.4.2/uninstall.sh
--- old/shorewall-core-5.1.3.2/uninstall.sh 2017-03-24 19:49:23.000000000 +0100
+++ new/shorewall-core-5.1.4.2/uninstall.sh 2017-06-12 16:53:03.000000000 +0200
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
-VERSION=5.1.3.2
+VERSION=5.1.4.2
 PRODUCT=shorewall-core
 Product="Shorewall Core"
++++++ shorewall-docs-html-5.1.3.2.tar.bz2 -> shorewall-docs-html-5.1.4.2.tar.bz2 ++++++ ++++ 7813 lines of diff (skipped) ++++++ shorewall-init-5.1.3.2.tar.bz2 -> shorewall-init-5.1.4.2.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.3.2/changelog.txt new/shorewall-init-5.1.4.2/changelog.txt
--- old/shorewall-init-5.1.3.2/changelog.txt 2017-03-24 19:49:23.000000000 +0100
+++ new/shorewall-init-5.1.4.2/changelog.txt 2017-06-12 16:53:04.000000000 +0200
@@ -1,10 +1,61 @@ -Changes in 5.1.3.1 +Changes in 5.1.4.2 + +1) Update release documents. + +2) Correct many broken links in the manpages. + +3) Correct NFQUEUE without the 'c' option. + +Changes in 5.1.4.1 + +1) Update release documents. + +2) Update shorewall-rules(5). + +3) Expand LOGFORMAT documentation. + +4) Restore the BLACKLIST action in Shorewall6. + +Changes in 5.1.4 Final 1) Update release documents. -2) Set $parmsmodified on ?reset +2) Clean up introduction to shorewall-rules(5). + +3) Clarify LOGFORMAT in shorewall[6].conf(5) and + shorewall[6]-zones(5). + +4) Add BLACKLIST to the IPv6 actions.std file. + +Changes in 5.1.4 RC 1 + +1) Update release documents. + +2) Add PERL_HASH_SEED option. + +Changes in 5.1.4 Beta 2 + +1) Update release documents. + +2) Correct validation of string interface options. + +3) Correct handling of IPv6 tunnel-src and tunnel-dst. + +4) Documentation cleanup. + +Changes in 5.1.4 Beta 1 + +1) Update release documents. + +2) Unify Actions + +3) Report invocation site when generating ?info and ?warning messages + +4) Add IPv6 UPnP support. + +5) ?reset of action variable now sets $parmsmodified. -3) Clean up column/value pair editing. +6) Clean up column/value pair editing. Changes in 5.1.3.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.3.2/configure new/shorewall-init-5.1.4.2/configure --- old/shorewall-init-5.1.3.2/configure 2017-03-24 19:49:23.000000000 +0100 +++ new/shorewall-init-5.1.4.2/configure 2017-06-12 16:53:04.000000000 +0200 
@@ -28,7 +28,7 @@
 #
 # Build updates this
 #
-VERSION=5.1.3.2
+VERSION=5.1.4.2
 case "$BASH_VERSION" in
 [4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.3.2/configure.pl new/shorewall-init-5.1.4.2/configure.pl
--- old/shorewall-init-5.1.3.2/configure.pl 2017-03-24 19:49:23.000000000 +0100
+++ new/shorewall-init-5.1.4.2/configure.pl 2017-06-12 16:53:04.000000000 +0200
@@ -31,7 +31,7 @@
 # Build updates this
 #
 use constant {
- VERSION => '5.1.3.2'
+ VERSION => '5.1.4.2'
 };
 my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.3.2/install.sh new/shorewall-init-5.1.4.2/install.sh
--- old/shorewall-init-5.1.3.2/install.sh 2017-03-24 19:49:23.000000000 +0100
+++ new/shorewall-init-5.1.4.2/install.sh 2017-06-12 16:53:04.000000000 +0200
@@ -27,7 +27,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=5.1.3.2
+VERSION=5.1.4.2
 PRODUCT=shorewall-init
 Product="Shorewall Init"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.3.2/releasenotes.txt new/shorewall-init-5.1.4.2/releasenotes.txt
--- old/shorewall-init-5.1.3.2/releasenotes.txt 2017-03-24 19:49:23.000000000 +0100
+++ new/shorewall-init-5.1.4.2/releasenotes.txt 2017-06-12 16:53:04.000000000 +0200
@@ -1,7 +1,7 @@
 ----------------------------------------------------------------------------
- S H O R E W A L L 5 . 1 . 3 . 2
- -----------------------------
- M a r c h 2 5 , 2 0 1 7
+ S H O R E W A L L 5 . 1 . 4 . 2
+ ------------------------------
+ J u n e 1 2 , 2 0 1 7
 ----------------------------------------------------------------------------
 I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,45 +14,70 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -5.1.3.2 +5.1.4.2 -1) Previously, if a Shorewall Variable ( e.g., @chain ) was the target +1) Many broken links in the manpages have been corrected. + +2) Support for the NFQUEUE '--queue-cpu-fanout' option, introduced in + Shorewall 5.1.0, contained a defect which could result in the + following compile-time error: + + Use of uninitialized value $fanout in concatenation (.) or string + at /usr/share/shorewall/Shorewall/Rules.pm line 643, + <$currentfile> line 2. + + That has been corrected. + +5.1.4.1 + +1) The introductory material in shorewall-rules(5) has been cleaned + up. + +2) The information about LOGFORMAT in shorewall[6].conf(5) and + shorewall[6]-zones(5) has been expanded. + + In Shorewall 5.1.0, the setting of LOGFORMAT in the default and + sample .conf files was changed to "%s:%s " to enable 10-character + zone names (up from 5 characters using the default + "Shorewall:%s:%s:" setting). As part of this change, if a + shorewall.conf file which did not set LOGFORMAT is updated using + "shorewall update", LOGFORMAT is set to "Shorewall:%s:%s:" to + preserve the existing behavior. + + This can have an effect on new installations, however in that + scipts or log analyzers can no longer be configured to simply look + for "Shorewall:" in log messages unless the setting of LOGFORMAT is + changed. The manpages (and the Migration Considerations below) have + been updated to describe how to locate these messages using the new + "%s:%s " setting. + +3) The BLACKLIST action was inadvertently omitted from Shorewall6 in + Shorewall 5.1.1. That has been corrected. + +5.1.4 + +1) This release contains defect repair through Shorewall 5.1.3.1. + +2) Previously, if a Shorewall Variable ( e.g., @chain ) was the target of a conditional ?RESET directive (one that was enclosed in ?if... 
?else...?endif logic), the compiler could incorrectly use an existing chain created from the action rather than creating a new (and different) chain. That has been corrected. -2) Previously, if alternate input format specified a column that had +3) Previously, if alternate input format specified a column that had already been specified, the contents of that column were silently overwritten. Now, a warning message is issued stating that the prior value has been replaced by the newer value. - - -5.1.3.1 - -1) There was a typo in the BLACKLIST_DEFAULT settings in the 5.1.3 - sample config files, which resulted in a compilation error. - That typo has been corrected. - -2) There was also a typo in the two-interface IPv4 sample snat file; - 192.168.0.0/16 was inadvertently entered as 92.168.0.0/16. That has - been corrected. - -3) Previously, when processing the policy file, 'all+' was incorrectly - treated the same as 'all'. That has been corrected so that 'all+' - causes intra-zone traffic to be included in the policy. - -5.1.3 - -1) This release includes defect repair for releases through 5.1.2.4. -2) The documentation for 'reload' has been corrected: +4) Previously, a string-valued interface option, such as + 'physical', could be given an empty value (e.g., "physical=,"), and + the compiler would fail to flag it. Now, this usage raises an + error. - - A command synopsis has been added in shorewall(8). - - The command synopsis in the 'help' output has been corrected. +5) Previously, the 'tunnel-src' and 'tunnel-dst' zone options would + generate an error under Shorewall6. That has been corrected. -3) The CONFIG_PATH setting has been corrected in the IPv6 Universal - sample configuration. +6) A number of small documentation corrections have been made. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -77,51 +102,44 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The tarball installers and uninstallers have been unified and - now use a common library that is included in each tarball (Matt - Darfuille). +1) All IPv6 standard actions have been deleted and their logic + has been added to their IPv4 counterparts who can now handle + both address families. -2) The installers now print a diagnostic if the relevant shorewallrc - file cannot be loaded (Matt Darfuille). +2) Previously, ?error and ?require messages as well as verbose ?info + and ?warning messages (those that report the file and line numbers) + generated from an action file would report the action file name and + line number rather than the file and line number where the action + was invoked. The file and line number where the action was invoked + were listed second. Beginning with this release, the invoking file + and line number are listed first and the action file and line number + are not reported. This allows for creation of clearer messages. -3) The /etc/default/... files installed on Debian are now dependent on - whether systemd is used or not (Matt Darfuille). + Example: -4) In Perl 5.8.1 and again in 5.18.0, the Perl developers altered the - behavior of the hash function used in the implementation of - hashes. The hash key is now chosen randomly as a defense against - DOS attacks targeting Perl programs. Such attacks supply input data - that causes a single hash bucket to be used. While those changes - improved security, they cause non-deterministic program behavior - when the 'keys', 'values' and 'each' functions are used. 
+ Previously, when an invalid value was passed for the 'bricks' + parameter to the GlusterFS action on line 45 of the rules file, a + message such as the following was issued (folded to 76 columns): - Prior to this release, Shorewall sorted the lists produced by those - functions to ensure that consecutive compilations of the same - configuration produced the same ruleset. In this release, - compilation speed has been improved by removing the sort calls and - by instructing Perl to use a constant hash key. + ERROR: Invalid value for Bricks (2000) + /usr/share/shorewall/action.GlusterFS (line 15) + from /etc/shorewall/rules (line 45) - Note: The ruleset produced by this release will be equivalent - to that produced by 5.1.2, but will likely be different. + Note that the message seems to imply that the error is in + action.GlusterFS rather than in the rules file. -5) All builtin actions have been replaced with standard actions. In - some cases. the standard action produces different but equivalent - rules when compared to those produced by the corresponding builtin - action. + Beginning with this release, the message will be: -6) The PROTO columns may now specify tcp:!syn (6:!syn) which matches - TCP packets with the SYN flag reset or one or more of ACK, RST or - FIN set. The dropNotSyn and rejNotSyn actions have been modified to - use this feature. + ERROR: Invalid value (2000) for the GlusterFS Bricks argument + /etc/shorewall/rules (line 45) -7) During 'update', the settings of all _LEVEL and _DEFAULT options - are now enclosed in quotes. This is done because these settings - often contain parentheses and the .conf files are process by - the shell. The sample configurations also have these settings - enclosed in quotes. + Note: This change only affects actions, including inline actions. + Macros will continue to report the old way. - Update will continue to also enclose in quotes any settings that - contains characters other than alphanumeric, '/', and '.'. 
+3) IPv6 UPnP support (including MINIUPNPD) is now available. + +4) A PERL_HASH_SEED option has been added to allow the Perl hash seed + to be specified. See shorewall.conf(5) and perlsec(1) for details. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -246,6 +264,86 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 1 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 1 . 3 +---------------------------------------------------------------------------- + +5.1.3.1 + +1) There was a typo in the BLACKLIST_DEFAULT settings in the 5.1.3 + sample config files, which resulted in a compilation error. + That typo has been corrected. + +2) There was also a typo in the two-interface IPv4 sample snat file; + 192.168.0.0/16 was inadvertently entered as 92.168.0.0/16. That has + been corrected. + +3) Previously, when processing the policy file, 'all+' was incorrectly + treated the same as 'all'. That has been corrected so that 'all+' + causes intra-zone traffic to be included in the policy. + +5.1.3 + +1) This release includes defect repair for releases through 5.1.2.4. + +2) The documentation for 'reload' has been corrected: + + - A command synopsis has been added in shorewall(8). + - The command synopsis in the 'help' output has been corrected. + +3) The CONFIG_PATH setting has been corrected in the IPv6 Universal + sample configuration. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 1 . 2 +---------------------------------------------------------------------------- + +1) The tarball installers and uninstallers have been unified and + now use a common library that is included in each tarball (Matt + Darfuille). + +2) The installers now print a diagnostic if the relevant shorewallrc + file cannot be loaded (Matt Darfuille). + +3) The /etc/default/... files installed on Debian are now dependent on + whether systemd is used or not (Matt Darfuille). + +4) In Perl 5.8.1 and again in 5.18.0, the Perl developers altered the + behavior of the hash function used in the implementation of + hashes. 
The hash key is now chosen randomly as a defense against + DOS attacks targeting Perl programs. Such attacks supply input data + that causes a single hash bucket to be used. While those changes + improved security, they cause non-deterministic program behavior + when the 'keys', 'values' and 'each' functions are used. + + Prior to this release, Shorewall sorted the lists produced by those + functions to ensure that consecutive compilations of the same + configuration produced the same ruleset. In this release, + compilation speed has been improved by removing the sort calls and + by instructing Perl to use a constant hash key. + + Note: The ruleset produced by this release will be equivalent + to that produced by 5.1.2, but will likely be different. + +5) All builtin actions have been replaced with standard actions. In + some cases. the standard action produces different but equivalent + rules when compared to those produced by the corresponding builtin + action. + +6) The PROTO columns may now specify tcp:!syn (6:!syn) which matches + TCP packets with the SYN flag reset or one or more of ACK, RST or + FIN set. The dropNotSyn and rejNotSyn actions have been modified to + use this feature. + +7) During 'update', the settings of all _LEVEL and _DEFAULT options + are now enclosed in quotes. This is done because these settings + often contain parentheses and the .conf files are process by + the shell. The sample configurations also have these settings + enclosed in quotes. + + Update will continue to also enclose in quotes any settings that + contains characters other than alphanumeric, '/', and '.'. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 1 . 2 ---------------------------------------------------------------------------- 1) Previously, when the 5.1 CLI program was run with no command given, 
@@ -517,9 +615,32 @@ 2) Several settings in the default/sample .conf files have been modified: - a) The LOGFORMAT setting has been changed from "Shorewall:%s:%s:" - to "%s %s " to enable longer zone names. + a) In Shorewall 5.1.0, the setting of LOGFORMAT in the default and + sample .conf files was changed to "%s:%s " to enable + 10-character zone names (up from 5 characters using the default + "Shorewall:%s:%s:" setting). As part of this change, if a + shorewall.conf file which did not set LOGFORMAT is updated using + "shorewall update", LOGFORMAT is set to "Shorewall:%s:%s:" to + preserve the existing behavior. + + This can have an effect on new installations, however in that + scipts or log analyzers can no longer be configured to simply look + for "Shorewall:" in log messages unless the setting of LOGFORMAT is + changed. If you use the new "%s:%s " setting then + Shorewall-generated Netfilter messages may be matched using + this regular expression: + + 'IN=.* OUT=.* SRC=.*\..* DST=' + + Shorewall6-generated Netfilter messages may be matched using: + + 'IN=.* OUT=.* SRC=.*:.* DST=' + + And all Netfilter messages (IPv4 and IPv6) are matched using: + + 'IN=.* OUT=.* SRC=.* DST=' + Shorewall6-generated Netfilter messages may be idd b) The LOGLIMIT setting has been changed from empty to "s:1/sec:10", to enable log trottling by default. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.3.2/shorewall-init.spec new/shorewall-init-5.1.4.2/shorewall-init.spec --- old/shorewall-init-5.1.3.2/shorewall-init.spec 2017-03-24 19:49:23.000000000 +0100 +++ new/shorewall-init-5.1.4.2/shorewall-init.spec 2017-06-12 16:53:04.000000000 +0200 @@ -1,5 +1,5 @@ %define name shorewall-init -%define version 5.1.3 +%define version 5.1.4 %define release 2 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). 
@@ -135,10 +135,18 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Wed Mar 22 2017 Tom Eastep [email protected] -- Updated to 5.1.3-2 -* Wed Mar 15 2017 Tom Eastep [email protected] -- Updated to 5.1.3-1 +* Mon Jun 12 2017 Tom Eastep [email protected] +- Updated to 5.1.4-2 +* Fri May 19 2017 Tom Eastep [email protected] +- Updated to 5.1.4-1 +* Fri May 05 2017 Tom Eastep [email protected] +- Updated to 5.1.4-0base +* Mon Apr 24 2017 Tom Eastep [email protected] +- Updated to 5.1.4-0RC1 +* Fri Mar 24 2017 Tom Eastep [email protected] +- Updated to 5.1.4-0Beta2 +* Mon Mar 13 2017 Tom Eastep [email protected] +- Updated to 5.1.4-0Beta1 * Mon Mar 13 2017 Tom Eastep [email protected] - Updated to 5.1.3-0base * Sun Mar 12 2017 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.3.2/uninstall.sh new/shorewall-init-5.1.4.2/uninstall.sh --- old/shorewall-init-5.1.3.2/uninstall.sh 2017-03-24 19:49:23.000000000 +0100 +++ new/shorewall-init-5.1.4.2/uninstall.sh 2017-06-12 16:53:04.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.1.3.2 +VERSION=5.1.4.2 PRODUCT=shorewall-init Product="Shorewall Init" ++++++ shorewall-lite-5.1.3.2.tar.bz2 -> shorewall-lite-5.1.4.2.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.3.2/changelog.txt new/shorewall-lite-5.1.4.2/changelog.txt --- old/shorewall-lite-5.1.3.2/changelog.txt 2017-03-24 19:49:23.000000000 +0100 +++ new/shorewall-lite-5.1.4.2/changelog.txt 2017-06-12 16:53:04.000000000 +0200 
@@ -1,10 +1,61 @@ -Changes in 5.1.3.1 +Changes in 5.1.4.2 + +1) Update release documents. + +2) Correct many broken links in the manpages. + +3) Correct NFQUEUE without the 'c' option. + +Changes in 5.1.4.1 + +1) Update release documents. + +2) Update shorewall-rules(5). + +3) Expand LOGFORMAT documentation. + +4) Restore the BLACKLIST action in Shorewall6. + +Changes in 5.1.4 Final 1) Update release documents. -2) Set $parmsmodified on ?reset +2) Clean up introduction to shorewall-rules(5). + +3) Clarify LOGFORMAT in shorewall[6].conf(5) and + shorewall[6]-zones(5). + +4) Add BLACKLIST to the IPv6 actions.std file. + +Changes in 5.1.4 RC 1 + +1) Update release documents. + +2) Add PERL_HASH_SEED option. + +Changes in 5.1.4 Beta 2 + +1) Update release documents. + +2) Correct validation of string interface options. + +3) Correct handling of IPv6 tunnel-src and tunnel-dst. + +4) Documentation cleanup. + +Changes in 5.1.4 Beta 1 + +1) Update release documents. + +2) Unify Actions + +3) Report invocation site when generating ?info and ?warning messages + +4) Add IPv6 UPnP support. + +5) ?reset of action variable now sets $parmsmodified. -3) Clean up column/value pair editing. +6) Clean up column/value pair editing. Changes in 5.1.3.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.3.2/configure new/shorewall-lite-5.1.4.2/configure --- old/shorewall-lite-5.1.3.2/configure 2017-03-24 19:49:23.000000000 +0100 +++ new/shorewall-lite-5.1.4.2/configure 2017-06-12 16:53:04.000000000 +0200 
@@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.1.3.2 +VERSION=5.1.4.2 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.3.2/configure.pl new/shorewall-lite-5.1.4.2/configure.pl --- old/shorewall-lite-5.1.3.2/configure.pl 2017-03-24 19:49:23.000000000 +0100 +++ new/shorewall-lite-5.1.4.2/configure.pl 2017-06-12 16:53:04.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.1.3.2' + VERSION => '5.1.4.2' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.3.2/install.sh new/shorewall-lite-5.1.4.2/install.sh --- old/shorewall-lite-5.1.3.2/install.sh 2017-03-24 19:49:23.000000000 +0100 +++ new/shorewall-lite-5.1.4.2/install.sh 2017-06-12 16:53:04.000000000 +0200 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=5.1.3.2 +VERSION=5.1.4.2 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.3.2/manpages/shorewall-lite-vardir.5 new/shorewall-lite-5.1.4.2/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-5.1.3.2/manpages/shorewall-lite-vardir.5 2017-03-24 19:51:02.000000000 +0100 +++ new/shorewall-lite-5.1.4.2/manpages/shorewall-lite-vardir.5 2017-06-12 16:54:28.000000000 +0200 
@@ -2,12 +2,12 @@
 .\" Title: shorewall-lite-vardir
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 03/24/2017
+.\" Date: 06/12/2017
 .\" Manual: Configuration Files
 .\" Source: Configuration Files
 .\" Language: English
 .\"
-.TH "SHOREWALL\-LITE\-VAR" "5" "03/24/2017" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-LITE\-VAR" "5" "06/12/2017" "Configuration Files" "Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.3.2/manpages/shorewall-lite.8 new/shorewall-lite-5.1.4.2/manpages/shorewall-lite.8
--- old/shorewall-lite-5.1.3.2/manpages/shorewall-lite.8 2017-03-24 19:51:02.000000000 +0100
+++ new/shorewall-lite-5.1.4.2/manpages/shorewall-lite.8 2017-06-12 16:54:28.000000000 +0200
@@ -2,12 +2,12 @@
 .\" Title: shorewall-lite
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 03/24/2017
+.\" Date: 06/12/2017
 .\" Manual: Administrative Commands
 .\" Source: Administrative Commands
 .\" Language: English
 .\"
-.TH "SHOREWALL\-LITE" "8" "03/24/2017" "Administrative Commands" "Administrative Commands"
+.TH "SHOREWALL\-LITE" "8" "06/12/2017" "Administrative Commands" "Administrative Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.3.2/manpages/shorewall-lite.conf.5 new/shorewall-lite-5.1.4.2/manpages/shorewall-lite.conf.5
--- old/shorewall-lite-5.1.3.2/manpages/shorewall-lite.conf.5 2017-03-24 19:51:01.000000000 +0100
+++ new/shorewall-lite-5.1.4.2/manpages/shorewall-lite.conf.5 2017-06-12 16:54:27.000000000 +0200
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 03/24/2017 +.\" Date: 06/12/2017 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "03/24/2017" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\&.CO" "5" "06/12/2017" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.3.2/releasenotes.txt new/shorewall-lite-5.1.4.2/releasenotes.txt --- old/shorewall-lite-5.1.3.2/releasenotes.txt 2017-03-24 19:49:23.000000000 +0100 +++ new/shorewall-lite-5.1.4.2/releasenotes.txt 2017-06-12 16:53:04.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 1 . 3 . 2 - ----------------------------- - M a r c h 2 5 , 2 0 1 7 + S H O R E W A L L 5 . 1 . 4 . 2 + ------------------------------ + J u n e 1 2 , 2 0 1 7 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,45 +14,70 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -5.1.3.2 +5.1.4.2 -1) Previously, if a Shorewall Variable ( e.g., @chain ) was the target +1) Many broken links in the manpages have been corrected. + +2) Support for the NFQUEUE '--queue-cpu-fanout' option, introduced in + Shorewall 5.1.0, contained a defect which could result in the + following compile-time error: + + Use of uninitialized value $fanout in concatenation (.) or string + at /usr/share/shorewall/Shorewall/Rules.pm line 643, + <$currentfile> line 2. + + That has been corrected. + +5.1.4.1 + +1) The introductory material in shorewall-rules(5) has been cleaned + up. + +2) The information about LOGFORMAT in shorewall[6].conf(5) and + shorewall[6]-zones(5) has been expanded. + + In Shorewall 5.1.0, the setting of LOGFORMAT in the default and + sample .conf files was changed to "%s:%s " to enable 10-character + zone names (up from 5 characters using the default + "Shorewall:%s:%s:" setting). As part of this change, if a + shorewall.conf file which did not set LOGFORMAT is updated using + "shorewall update", LOGFORMAT is set to "Shorewall:%s:%s:" to + preserve the existing behavior. + + This can have an effect on new installations, however in that + scipts or log analyzers can no longer be configured to simply look + for "Shorewall:" in log messages unless the setting of LOGFORMAT is + changed. The manpages (and the Migration Considerations below) have + been updated to describe how to locate these messages using the new + "%s:%s " setting. + +3) The BLACKLIST action was inadvertently omitted from Shorewall6 in + Shorewall 5.1.1. That has been corrected. + +5.1.4 + +1) This release contains defect repair through Shorewall 5.1.3.1. + +2) Previously, if a Shorewall Variable ( e.g., @chain ) was the target of a conditional ?RESET directive (one that was enclosed in ?if... 
?else...?endif logic), the compiler could incorrectly use an existing chain created from the action rather than creating a new (and different) chain. That has been corrected. -2) Previously, if alternate input format specified a column that had +3) Previously, if alternate input format specified a column that had already been specified, the contents of that column were silently overwritten. Now, a warning message is issued stating that the prior value has been replaced by the newer value. - - -5.1.3.1 - -1) There was a typo in the BLACKLIST_DEFAULT settings in the 5.1.3 - sample config files, which resulted in a compilation error. - That typo has been corrected. - -2) There was also a typo in the two-interface IPv4 sample snat file; - 192.168.0.0/16 was inadvertently entered as 92.168.0.0/16. That has - been corrected. - -3) Previously, when processing the policy file, 'all+' was incorrectly - treated the same as 'all'. That has been corrected so that 'all+' - causes intra-zone traffic to be included in the policy. - -5.1.3 - -1) This release includes defect repair for releases through 5.1.2.4. -2) The documentation for 'reload' has been corrected: +4) Previously, a string-valued interface option, such as + 'physical', could be given an empty value (e.g., "physical=,"), and + the compiler would fail to flag it. Now, this usage raises an + error. - - A command synopsis has been added in shorewall(8). - - The command synopsis in the 'help' output has been corrected. +5) Previously, the 'tunnel-src' and 'tunnel-dst' zone options would + generate an error under Shorewall6. That has been corrected. -3) The CONFIG_PATH setting has been corrected in the IPv6 Universal - sample configuration. +6) A number of small documentation corrections have been made. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -77,51 +102,44 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The tarball installers and uninstallers have been unified and - now use a common library that is included in each tarball (Matt - Darfuille). +1) All IPv6 standard actions have been deleted and their logic + has been added to their IPv4 counterparts who can now handle + both address families. -2) The installers now print a diagnostic if the relevant shorewallrc - file cannot be loaded (Matt Darfuille). +2) Previously, ?error and ?require messages as well as verbose ?info + and ?warning messages (those that report the file and line numbers) + generated from an action file would report the action file name and + line number rather than the file and line number where the action + was invoked. The file and line number where the action was invoked + were listed second. Beginning with this release, the invoking file + and line number are listed first and the action file and line number + are not reported. This allows for creation of clearer messages. -3) The /etc/default/... files installed on Debian are now dependent on - whether systemd is used or not (Matt Darfuille). + Example: -4) In Perl 5.8.1 and again in 5.18.0, the Perl developers altered the - behavior of the hash function used in the implementation of - hashes. The hash key is now chosen randomly as a defense against - DOS attacks targeting Perl programs. Such attacks supply input data - that causes a single hash bucket to be used. While those changes - improved security, they cause non-deterministic program behavior - when the 'keys', 'values' and 'each' functions are used. 
+ Previously, when an invalid value was passed for the 'bricks' + parameter to the GlusterFS action on line 45 of the rules file, a + message such as the following was issued (folded to 76 columns): - Prior to this release, Shorewall sorted the lists produced by those - functions to ensure that consecutive compilations of the same - configuration produced the same ruleset. In this release, - compilation speed has been improved by removing the sort calls and - by instructing Perl to use a constant hash key. + ERROR: Invalid value for Bricks (2000) + /usr/share/shorewall/action.GlusterFS (line 15) + from /etc/shorewall/rules (line 45) - Note: The ruleset produced by this release will be equivalent - to that produced by 5.1.2, but will likely be different. + Note that the message seems to imply that the error is in + action.GlusterFS rather than in the rules file. -5) All builtin actions have been replaced with standard actions. In - some cases. the standard action produces different but equivalent - rules when compared to those produced by the corresponding builtin - action. + Beginning with this release, the message will be: -6) The PROTO columns may now specify tcp:!syn (6:!syn) which matches - TCP packets with the SYN flag reset or one or more of ACK, RST or - FIN set. The dropNotSyn and rejNotSyn actions have been modified to - use this feature. + ERROR: Invalid value (2000) for the GlusterFS Bricks argument + /etc/shorewall/rules (line 45) -7) During 'update', the settings of all _LEVEL and _DEFAULT options - are now enclosed in quotes. This is done because these settings - often contain parentheses and the .conf files are process by - the shell. The sample configurations also have these settings - enclosed in quotes. + Note: This change only affects actions, including inline actions. + Macros will continue to report the old way. - Update will continue to also enclose in quotes any settings that - contains characters other than alphanumeric, '/', and '.'. 
+3) IPv6 UPnP support (including MINIUPNPD) is now available. + +4) A PERL_HASH_SEED option has been added to allow the Perl hash seed + to be specified. See shorewall.conf(5) and perlsec(1) for details. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -246,6 +264,86 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 1 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 1 . 3 +---------------------------------------------------------------------------- + +5.1.3.1 + +1) There was a typo in the BLACKLIST_DEFAULT settings in the 5.1.3 + sample config files, which resulted in a compilation error. + That typo has been corrected. + +2) There was also a typo in the two-interface IPv4 sample snat file; + 192.168.0.0/16 was inadvertently entered as 92.168.0.0/16. That has + been corrected. + +3) Previously, when processing the policy file, 'all+' was incorrectly + treated the same as 'all'. That has been corrected so that 'all+' + causes intra-zone traffic to be included in the policy. + +5.1.3 + +1) This release includes defect repair for releases through 5.1.2.4. + +2) The documentation for 'reload' has been corrected: + + - A command synopsis has been added in shorewall(8). + - The command synopsis in the 'help' output has been corrected. + +3) The CONFIG_PATH setting has been corrected in the IPv6 Universal + sample configuration. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 1 . 2 +---------------------------------------------------------------------------- + +1) The tarball installers and uninstallers have been unified and + now use a common library that is included in each tarball (Matt + Darfuille). + +2) The installers now print a diagnostic if the relevant shorewallrc + file cannot be loaded (Matt Darfuille). + +3) The /etc/default/... files installed on Debian are now dependent on + whether systemd is used or not (Matt Darfuille). + +4) In Perl 5.8.1 and again in 5.18.0, the Perl developers altered the + behavior of the hash function used in the implementation of + hashes. 
The hash key is now chosen randomly as a defense against + DOS attacks targeting Perl programs. Such attacks supply input data + that causes a single hash bucket to be used. While those changes + improved security, they cause non-deterministic program behavior + when the 'keys', 'values' and 'each' functions are used. + + Prior to this release, Shorewall sorted the lists produced by those + functions to ensure that consecutive compilations of the same + configuration produced the same ruleset. In this release, + compilation speed has been improved by removing the sort calls and + by instructing Perl to use a constant hash key. + + Note: The ruleset produced by this release will be equivalent + to that produced by 5.1.2, but will likely be different. + +5) All builtin actions have been replaced with standard actions. In + some cases. the standard action produces different but equivalent + rules when compared to those produced by the corresponding builtin + action. + +6) The PROTO columns may now specify tcp:!syn (6:!syn) which matches + TCP packets with the SYN flag reset or one or more of ACK, RST or + FIN set. The dropNotSyn and rejNotSyn actions have been modified to + use this feature. + +7) During 'update', the settings of all _LEVEL and _DEFAULT options + are now enclosed in quotes. This is done because these settings + often contain parentheses and the .conf files are process by + the shell. The sample configurations also have these settings + enclosed in quotes. + + Update will continue to also enclose in quotes any settings that + contains characters other than alphanumeric, '/', and '.'. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 1 . 2 ---------------------------------------------------------------------------- 1) Previously, when the 5.1 CLI program was run with no command given, 
@@ -517,9 +615,32 @@ 2) Several settings in the default/sample .conf files have been modified: - a) The LOGFORMAT setting has been changed from "Shorewall:%s:%s:" - to "%s %s " to enable longer zone names. + a) In Shorewall 5.1.0, the setting of LOGFORMAT in the default and + sample .conf files was changed to "%s:%s " to enable + 10-character zone names (up from 5 characters using the default + "Shorewall:%s:%s:" setting). As part of this change, if a + shorewall.conf file which did not set LOGFORMAT is updated using + "shorewall update", LOGFORMAT is set to "Shorewall:%s:%s:" to + preserve the existing behavior. + + This can have an effect on new installations, however in that + scipts or log analyzers can no longer be configured to simply look + for "Shorewall:" in log messages unless the setting of LOGFORMAT is + changed. If you use the new "%s:%s " setting then + Shorewall-generated Netfilter messages may be matched using + this regular expression: + + 'IN=.* OUT=.* SRC=.*\..* DST=' + + Shorewall6-generated Netfilter messages may be matched using: + + 'IN=.* OUT=.* SRC=.*:.* DST=' + + And all Netfilter messages (IPv4 and IPv6) are matched using: + + 'IN=.* OUT=.* SRC=.* DST=' + Shorewall6-generated Netfilter messages may be idd b) The LOGLIMIT setting has been changed from empty to "s:1/sec:10", to enable log trottling by default. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.3.2/shorewall-lite.spec new/shorewall-lite-5.1.4.2/shorewall-lite.spec --- old/shorewall-lite-5.1.3.2/shorewall-lite.spec 2017-03-24 19:49:23.000000000 +0100 +++ new/shorewall-lite-5.1.4.2/shorewall-lite.spec 2017-06-12 16:53:04.000000000 +0200 @@ -1,5 +1,5 @@ %define name shorewall-lite -%define version 5.1.3 +%define version 5.1.4 %define release 2 %define initdir /etc/init.d 
@@ -115,10 +115,18 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Wed Mar 22 2017 Tom Eastep [email protected] -- Updated to 5.1.3-2 -* Wed Mar 15 2017 Tom Eastep [email protected] -- Updated to 5.1.3-1 +* Mon Jun 12 2017 Tom Eastep [email protected] +- Updated to 5.1.4-2 +* Fri May 19 2017 Tom Eastep [email protected] +- Updated to 5.1.4-1 +* Fri May 05 2017 Tom Eastep [email protected] +- Updated to 5.1.4-0base +* Mon Apr 24 2017 Tom Eastep [email protected] +- Updated to 5.1.4-0RC1 +* Fri Mar 24 2017 Tom Eastep [email protected] +- Updated to 5.1.4-0Beta2 +* Mon Mar 13 2017 Tom Eastep [email protected] +- Updated to 5.1.4-0Beta1 * Mon Mar 13 2017 Tom Eastep [email protected] - Updated to 5.1.3-0base * Sun Mar 12 2017 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.3.2/uninstall.sh new/shorewall-lite-5.1.4.2/uninstall.sh --- old/shorewall-lite-5.1.3.2/uninstall.sh 2017-03-24 19:49:23.000000000 +0100 +++ new/shorewall-lite-5.1.4.2/uninstall.sh 2017-06-12 16:53:04.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.1.3.2 +VERSION=5.1.4.2 usage() # $1 = exit status { ++++++ shorewall-5.1.3.2.tar.bz2 -> shorewall6-5.1.4.2.tar.bz2 ++++++ ++++ 132456 lines of diff (skipped) ++++++ shorewall-lite-5.1.3.2.tar.bz2 -> shorewall6-lite-5.1.4.2.tar.bz2 ++++++ ++++ 3282 lines of diff (skipped)
