Hello community,

here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2018-03-16 10:44:27

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shorewall (Old)
 and      /work/SRC/openSUSE:Factory/.shorewall.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall"

Fri Mar 16 10:44:27 2018 rev:102 rq:587570 version:5.1.12.3

Changes:
--------
--- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes  2017-11-20 17:06:10.228102321 +0100
+++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes  2018-03-16 10:45:24.608020407 +0100
@@ -1,0 +2,107 @@ +Mon Mar 5 17:27:11 UTC 2018 - [email protected] + +- spec : + + Minimal changes with spec-cleaner + + Stop conflicting with other firewall (SuSEFirewall2, firewalld) + User can have several management tools, and it help preparing + a migration + +- Run shorewall(6) update -A to update your configurations + Check and adapt them before restarting. + +- Changes in 5.1.12.3 + + Update release documents. + + Ensure that mutex gets released at exit. +- Changes in 5.1.12.2 + + Alter documentation to prefer ';;' over ';' in INLINE and + IP[6]TABLES rules. + + Make 'update' convert ';' to ';;' in INLINE, IPTABLES and + IP6TABLES rules. + + Correct typo that resulted in an "unknown function" Perl + diagnostic. + + Correct "Invalid policy" message. + + Fix omitted SYN limiting. +- Changes in 5.1.12.1 + + Replace macro.SSDPServer with corrected macro.SSDPserver. +- Changes in 5.1.12 Final + + Update release documents. + + Add INLINE_MATCHES=Yes to the deprecated list. +- Changes in 5.1.12 RC 1 + + Update release documents. + + Minor performance enhancements to Optimize Category 8. + + Always report IPSET_MATCH. +- Changes in 5.1.12 Beta 2 + + Delete undocumented OPTIMIZE_USE_FIRST option. + + Merge 5.1.11. + + Suppress trailing whitespace. + + Avoid awkward blank lines. +- Changes in 5.1.12 Beta 1 + + Code and manpage cleanup. + + Allow SNAT in the INPUT chain. +- Changes in 5.1.11 Final + + Update release documents. +- Changes in 5.1.11 RC 1 + + Update versions and copyrights. + + Clear the connection mark on forwarded IPSEC tunneled connections + + Make TRACK_PROVIDERS=Yes the default. +- Changes in 5.1.11 Beta 2 + + Be selective about verification of the conntrack utility when + + DYNAMIC_BLACKLIST=ipset,disconnect... + + Don't require shorewall to be started for 'allow' with + ipset-based DBL. + + Make address variables play nice with the 'clear' command. + + Don't unconditionally enable forwarding during 'clear'. 
+- Changes in 5.1.11 Beta 1 + + Allow non-root to run some 'show' commands. + + Use synchain name in log messages rather than base chain name. + + Assume :syn for TCP CT entries in the conntrack file and HELPER. + + Limit depth of 'find' search when AUTOMAKE=Yes. +- Changes in 5.1.10.2 + + Limit 'find' to depth 1. + + Don't run find in an empty entry in $CONFIG_PATH +- Changes in 5.1.10.1 + + Fix Shorewall-core installer for sandbox case. + + Make /etc and /configfiles the same. +- Changes in 5.1.10 Final + + Add warning re wildcard and OPTIONS. + + Correct IPv6 Universal interfaces file. +- Changes in 5.1.10 RC 1 + + Correct ingress policing. + + Fix Shorewall-init recompilation problem. +- Changes in 5.1.10 Beta 2 + + Allow a protocol to be associated with a regular action. + + Remove the PSH flag from the FIN action. +- Changes in 5.1.10 Beta 1 + + Allow CONFIG_PATH setting to begin with ':' to allow dropping + the first directory by non-root. + + Correct several typos in the manpages (Roberto Sánchez). + + Correct typo in 'dump' processing. + + Reset all table counters during 'reset'. +- Changes in 5.1.9 Final + + Use logical interface names in the Sample configs. +- Changes in 5.1.9 RC 1 + + Apply W Van den Akker's OpenWRT/Lede patches. + + Don't verify IP and SHOREWALL_SHELL paths when compiling for + export. + + Support for Redfish remote console in macro.IPMI +- Changes in 5.1.9 Beta 2 + + Merge content from 5.1.8. +- Changes in 5.1.9 Beta 1 + + Update release documents. + + Add TCPMSS action in the mangle file. + + Inline the Broadcast action when ADDRTYPE match is available. + + Support logging in the snat file. + + Add shorewall-logging(5). +- Changes in 5.1.8 Final + + Correct 'delete_default_routes()'. + + Delete default routes from 'main' when a fallback provider is + successfully enabled. + + Don't restore default route when a fallback provider is enabled. + + Issue a warning when 'persistent' is used with + RESTORE_DEFAULT_ROUTE=Yes. 
+ + Don't dump SPD entries for the other address family. + + Fix 'persistent' provider issues. + + Treat LOG_TARGET the same as all other capabilities. + + Allow merging of rules with IPSEC policies + +------------------------------------------------------------------- Old: ---- shorewall-5.1.8.1.tar.bz2 shorewall-core-5.1.8.1.tar.bz2 shorewall-docs-html-5.1.8.1.tar.bz2 shorewall-init-5.1.8.1.tar.bz2 shorewall-lite-5.1.8.1.tar.bz2 shorewall6-5.1.8.1.tar.bz2 shorewall6-lite-5.1.8.1.tar.bz2 New: ---- shorewall-5.1.12.3.tar.bz2 shorewall-core-5.1.12.3.tar.bz2 shorewall-docs-html-5.1.12.3.tar.bz2 shorewall-init-5.1.12.3.tar.bz2 shorewall-lite-5.1.12.3.tar.bz2 shorewall6-5.1.12.3.tar.bz2 shorewall6-lite-5.1.12.3.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.qibdR0/_old 2018-03-16 10:45:27.083931254 +0100 +++ /var/tmp/diff_new_pack.qibdR0/_new 2018-03-16 10:45:27.091930966 +0100 @@ -1,7 +1,7 @@ # # spec file for package shorewall # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
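Review bot: the shorewall.changes hunk (@@ -1,0 +2,107 @@) does not mention two packaging changes that the shorewall.spec diff below makes: the new `rm -f %{buildroot}/%{_sysconfdir}/sysconfig/%{name}*` in %install and the commented-out `%{_mandir}/man5/%{name}6-logging.5*` file entry marked `# bug upstream ?`. Both deserve a line under the "spec :" item so that the next packager knows why the sysconfig files are removed at build time and that the shorewall6 package ships without its logging(5) manpage.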
@@ -16,18 +16,18 @@ # +%define have_systemd 1 +%define dmaj 5.1 +%define dmin 5.1.12 #2017+ New fillup location %if ! %{defined _fillupdir} - %define _fillupdir /var/adm/fillup-templates + %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif -%define have_systemd 1 -%define dmaj 5.1 -%define dmin 5.1.8 Name: shorewall -Version: 5.1.8.1 +Version: 5.1.12.3 Release: 0 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems -License: GPL-2.0 +License: GPL-2.0-only Group: Productivity/Networking/Security Url: http://www.shorewall.net/ Source: http://www.shorewall.net/pub/shorewall/%{dmaj}/shorewall-%{dmin}/%{name}-%version.tar.bz2 @@ -54,11 +54,9 @@ Requires: iptables Requires: logrotate Requires: perl-base -Suggests: xtables-addons PreReq: %fillup_prereq -Conflicts: SuSEfirewall2 firewalld +Suggests: xtables-addons Provides: shoreline_firewall = %{version}-%{release} -BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch %{?systemd_requires} %{perl_requires} @@ -70,7 +68,7 @@ %package lite Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems -License: GPL-2.0 +License: GPL-2.0-only Group: Productivity/Networking/Security Requires: %{_sbindir}/service Requires: %{name}-core @@ -79,7 +77,6 @@ Requires: iptables Requires: logrotate PreReq: %fillup_prereq -Conflicts: SuSEfirewall2 firewalld Provides: shoreline_firewall = %{version}-%{release} %{?systemd_requires} @@ -93,14 +90,13 @@ %package -n %{name}6 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems -License: GPL-2.0 +License: GPL-2.0-only Group: Productivity/Networking/Security Requires: %{_sbindir}/service Requires: %{name}-core = %{version}-%{release} Requires: logrotate Requires: perl-base PreReq: %fillup_prereq -Conflicts: SuSEfirewall2 firewalld Provides: shoreline_firewall = %{version}-%{release} %{?systemd_requires} 
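Review bot: hunk @@ -54,11 +54,9 @@ drops `Conflicts: SuSEfirewall2 firewalld` from the main package, and the following hunks drop the same line from the lite, 6, 6-lite, init and core subpackages, so nothing at the package level now prevents two firewall packages from being installed and both of their services from being enabled at the same time. The changes entry justifies this with migration convenience, which is fine, but please either state in the package description or the changes entry that only one firewall service should be enabled at a time, or confirm that the unit files carry an equivalent `Conflicts=` so the exclusivity moves to systemd rather than disappearing. The `Suggests: xtables-addons` line in the same hunk is only moved, not changed.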
@@ -111,13 +107,12 @@ %package -n %{name}6-lite Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems -License: GPL-2.0 +License: GPL-2.0-only Group: Productivity/Networking/Security Requires: %{_sbindir}/service Requires: %{name}-core Requires: logrotate PreReq: %fillup_prereq -Conflicts: SuSEfirewall2 firewalld Provides: shoreline_firewall = %{version}-%{release} %{?systemd_requires} @@ -131,13 +126,12 @@ %package init Summary: Adds functionality to Shoreline Firewall (Shorewall) -License: GPL-2.0 +License: GPL-2.0-only Group: Productivity/Networking/Security Requires: %{_sbindir}/service Requires: %{name} >= 5.0 Requires: logrotate PreReq: %fillup_prereq -Conflicts: SuSEfirewall2 firewalld %{?systemd_requires} %description init @@ -151,7 +145,7 @@ %package docs Summary: HTML documentation for shorewall configuration -License: GFDL-1.1 +License: GFDL-1.1-only Group: Documentation/Other %description docs @@ -160,11 +154,10 @@ %package core Summary: Core libraries for Shorewall -License: GPL-2.0 +License: GPL-2.0-only Group: Productivity/Networking/Security Requires: iptables Requires: perl-base -Conflicts: SuSEfirewall2 firewalld %description core This package contains the core libraries for Shorewall. @@ -262,8 +255,8 @@ # starting with 12.3 drop sysv-init support fedora already did rm -rf %buildroot%_initddir -#touch %%{buildroot}/%%{_sysconfdir}/%%{name}/isusable -#touch %%{buildroot}/%%{_sysconfdir}/%%{name}6/isusable +# Since 5.12 we need to remove them again +rm -f %{buildroot}/%{_sysconfdir}/sysconfig/%{name}* touch %{buildroot}%{_sysconfdir}/%{name}/notrack touch %{buildroot}%{_sysconfdir}/%{name}6/notrack @@ -384,7 +377,6 @@ %{_fillupdir}/sysconfig.%{name} %dir %{_sysconfdir}/%{name} %ghost %{_sysconfdir}/%{name}/isusable -%ghost %{_sysconfdir}/%{name}/masq %config(noreplace) %{_sysconfdir}/%{name}/* %dir %{_datadir}/%{name} %dir %{_libexecdir}/%{name} 
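Review bot: in hunk @@ -262,8 +255,8 @@ the comment `# Since 5.12 we need to remove them again` names a version that does not occur in this update (the package goes from 5.1.8.1 to 5.1.12.3), so it should read 5.1.12; the comment should also say what puts the files into %{_sysconfdir}/sysconfig in the first place, because the `rm -f` otherwise reads as an unexplained workaround. Minor: `%{buildroot}/%{_sysconfdir}/sysconfig/%{name}*` puts a `/` between the two macros while the `touch` lines directly below use `%{buildroot}%{_sysconfdir}`; use one form.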
@@ -410,6 +402,7 @@ %dir %{perl_vendorlib}/Shorewall %{perl_vendorlib}/Shorewall/*.pm %{_mandir}/man5/%{name}-[a-k,m-z]*.5* +%{_mandir}/man5/%{name}-logging.5* %{_mandir}/man5/%{name}.conf.5* %{_mandir}/man8/%{name}.8* %attr(644,root,root) %{_unitdir}/%{name}.service @@ -447,7 +440,6 @@ %{_fillupdir}/sysconfig.%{name}6 %dir %{_sysconfdir}/%{name}6 %ghost %{_sysconfdir}/%{name}6/isusable -%ghost %{_sysconfdir}/%{name}6/masq %config(noreplace) %{_sysconfdir}/%{name}6/* %dir %{_datadir}/%{name}6 %dir %{_libexecdir}/%{name}6 @@ -466,6 +458,8 @@ %{_datadir}/%{name}6/configpath %{_datadir}/%{name}6/configfiles/* %{_mandir}/man5/%{name}6-[a-k,m-z]*.5* +# bug upstream ? +#%%{_mandir}/man5/%%{name}6-logging.5* %{_mandir}/man5/%{name}6.conf.5* %{_mandir}/man8/%{name}6.8* %attr(644,root,root) %{_unitdir}/%{name}6.service ++++++ shorewall-5.1.8.1.tar.bz2 -> shorewall-5.1.12.3.tar.bz2 ++++++ ++++ 10808 lines of diff (skipped) ++++++ shorewall-core-5.1.8.1.tar.bz2 -> shorewall-core-5.1.12.3.tar.bz2 ++++++ ++++ 1830 lines of diff (skipped) ++++++ shorewall-docs-html-5.1.8.1.tar.bz2 -> shorewall-docs-html-5.1.12.3.tar.bz2 ++++++ ++++ 3304 lines of diff (skipped) ++++++ shorewall-fillup-install.patch ++++++ --- /var/tmp/diff_new_pack.qibdR0/_old 2018-03-16 10:45:31.139785209 +0100 +++ /var/tmp/diff_new_pack.qibdR0/_new 2018-03-16 10:45:31.159784489 +0100 @@ -1,7 +1,7 @@ diff -rup a/install.sh b/install.sh ---- a/install.sh 2017-03-14 21:59:06.000000000 +0100 -+++ b/install.sh 2017-03-15 18:15:18.339204349 +0100 -@@ -1175,7 +1175,13 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFI +--- a/install.sh 2018-03-01 17:47:59.000000000 +0100 ++++ b/install.sh 2018-03-05 17:47:03.045587938 +0100 +@@ -1227,6 +1227,13 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFI make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755 fi 
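Review bot: in shorewall.spec hunk @@ -466,6 +458,8 @@ the shorewall6 manpage entry is left as a commented-out `#%%{_mandir}/man5/%%{name}6-logging.5*` with the comment `# bug upstream ?`. A question mark does not tell the next packager whether the file is missing from the shorewall6 tarball or was dropped on purpose; replace it with a reference to the upstream report, or state plainly that 5.1.12.3 installs no shorewall6-logging.5. In the matching IPv4 hunk @@ -410,6 +402,7 @@ the explicit `%{_mandir}/man5/%{name}-logging.5*` line is needed only because the `[a-k,m-z]` bracket expression skips names beginning with `l` (the comma inside the brackets is a literal character, not a range separator); a one-line comment there would spare the next reader working that out.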
@@ -9,9 +9,9 @@ + mkdir -p ${DESTDIR}/${FILLUPDIR} + run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}/${FILLUPDIR}/sysconfig.${PRODUCT} + else - run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT ++ run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT + fi + + run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}" fi - ++++++ shorewall-init-5.1.8.1.tar.bz2 -> shorewall-init-5.1.12.3.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.8.1/changelog.txt new/shorewall-init-5.1.12.3/changelog.txt --- old/shorewall-init-5.1.8.1/changelog.txt 2017-11-08 19:50:09.000000000 +0100 +++ new/shorewall-init-5.1.12.3/changelog.txt 2018-03-01 17:44:42.000000000 +0100 
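Review bot: in hunk @@ -9,9 +9,9 @@ of shorewall-fillup-install.patch, the patched install.sh now runs `run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT` inside the `else` branch and then, after the `fi`, unconditionally runs `run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT}` again. In the FILLUPDIR case the file therefore lands both in the fillup directory and in ${SYSCONFDIR}; in the other case it is installed twice to the same path, and the following `echo` always reports ${SYSCONFDIR} regardless of which branch ran. Keep one copy: drop the unconditional line after `fi` (and move the echo into the `else` branch) or drop the one inside `else`. If ${SYSCONFDIR} is %{_sysconfdir}/sysconfig on openSUSE, this duplicate copy is presumably why the spec gained `rm -f %{buildroot}/%{_sysconfdir}/sysconfig/%{name}*`, and fixing the patch would make that removal unnecessary.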
@@ -1,10 +1,198 @@ -Changes in 5.1.8.1 +Changes in 5.1.12.3 1) Update release documents. -2) Make persistent routes and rules independent of 'autosrc'. +2) Ensure that mutex gets released at exit. -Changes in 5.1.8 +Changes in 5.1.12.2 + +1) Update release documents. + +2) Alter documentation to prefer ';;' over ';' in INLINE and + IP[6]TABLES rules. + +3) Make 'update' convert ';' to ';;' in INLINE, IPTABLES and IP6TABLES + rules. + +4) Correct typo that resulted in an "unknown function" Perl diagnostic. + +4) Correct "Invalid policy" message. + +5) Fix omitted SYN limiting. + +Changes in 5.1.12.1 + +1) Update release documents. + +2) Replace macro.SSDPServer with corrected macro.SSDPserver. + +Changes in 5.1.12 Final + +1) Update release documents. + +2) Add INLINE_MATCHES=Yes to the deprecated list. + +Changes in 5.1.12 RC 1 + +1) Update release documents. + +2) Minor performance enhancements to Optimize Category 8. + +3) Always report IPSET_MATCH. + +Changes in 5.1.12 Beta 2 + +1) Update release documents. + +2) Delete undocumented OPTIMIZE_USE_FIRST option. + +3) Merge 5.1.11. + +4) Suppress trailing whitespace. + +5) Avoid awkward blank lines. + +Changes in 5.1.12 Beta 1 + +1) Update release documents. + +2) Code and manpage cleanup. + +3) Allow SNAT in the INPUT chain. + +Changes in 5.1.11 Final + +1) Update release documents. + +Changes in 5.1.11 RC 1 + +1) Update release documents. + +2) Update versions and copyrights. + +3) Clear the connection mark on forwarded IPSEC tunneled connections. + +4) Make TRACK_PROVIDERS=Yes the default. + +Changes in 5.1.11 Beta 2 + +1) Update release documents. + +2) Be selective about verification of the conntrack utility when + DYNAMIC_BLACKLIST=ipset,disconnect... + +3) Don't require shorewall to be started for 'allow' with ipset-based + DBL. + +4) Make address variables play nice with the 'clear' command. + +5) Don't unconditionally enable forwarding during 'clear'. 
+ +Changes in 5.1.11 Beta 1 + +1) Update release documents. + +2) Allow non-root to run some 'show' commands. + +3) Use synchain name in log messages rather than base chain name. + +3) Assume :syn for TCP CT entries in the conntrack file and HELPER. + +4) Limit depth of 'find' search when AUTOMAKE=Yes. + +Changes in 5.1.10.2 + +1) Update release documents. + +2) Limit 'find' to depth 1. + +3) Don't run find in an empty entry in $CONFIG_PATH + +Changes in 5.1.10.1 + +1) Update release documents. + +2) Fix Shorewall-core installer for sandbox case. + +3) Make /etc and /configfiles the same. + +Changes in 5.1.10 Final + +1) Update release documents. + +Changes in 5.1.10 RC 2 + +1) Update release documents. + +2) Add warning re wildcard and OPTIONS. + +3) Correct IPv6 Universal interfaces file. + +Changes in 5.1.10 RC 1 + +1) Update release documents. + +2) Correct ingress policing. + +3) Fix Shorewall-init recompilation problem. + +Changes in 5.1.10 Beta 2 + +1) Update release documents. + +2) Allow a protocol to be associated with a regular action. + +3) Remove the PSH flag from the FIN action. + +Changes in 5.1.10 Beta 1 + +1) Update release documents. + +2) Allow CONFIG_PATH setting to begin with ':' to allow dropping the + first directory by non-root. + +3) Correct several typos in the manpages (Roberto Sánchez). + +4) Correct typo in 'dump' processing. + +5) Reset all table counters during 'reset'. + +Changes in 5.1.9 Final + +1) Update release documents. + +2) Use logical interface names in the Sample configs. + +Changes in 5.1.9 RC 1 + +1) Update release documents. + +2) Apply W Van den Akker's OpenWRT/Lede patches. + +3) Don't verify IP and SHOREWALL_SHELL paths when compiling + for export. + +4) Support for Redfish remote console in macro.IPMI + +Changes in 5.1.9 Beta 2 + +1) Update release documents. + +2) Merge content from 5.1.8. + +Changes in 5.1.9 Beta 1 + +1) Update release documents. + +2) Add TCPMSS action in the mangle file. 
+ +3) Inline the Broadcast action when ADDRTYPE match is available. + +4) Support logging in the snat file. + +5) Add shorewall-logging(5). + +Changes in 5.1.8 Final 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.8.1/configure new/shorewall-init-5.1.12.3/configure --- old/shorewall-init-5.1.8.1/configure 2017-11-08 19:50:09.000000000 +0100 +++ new/shorewall-init-5.1.12.3/configure 2018-03-01 17:44:42.000000000 +0100 @@ -2,7 +2,7 @@ # # Shorewall Packet Filtering Firewall RPM configuration program - V4.6 # -# (c) 2012,2014 - Tom Eastep ([email protected]) +# (c) 2012,2014,2017 - Tom Eastep ([email protected]) # # Shorewall documentation is available at http://www.shorewall.net # @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.1.8.1 +VERSION=5.1.12.3 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.8.1/configure.pl new/shorewall-init-5.1.12.3/configure.pl --- old/shorewall-init-5.1.8.1/configure.pl 2017-11-08 19:50:09.000000000 +0100 +++ new/shorewall-init-5.1.12.3/configure.pl 2018-03-01 17:44:42.000000000 +0100 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.1.8.1' + VERSION => '5.1.12.3' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.8.1/init.debian.sh new/shorewall-init-5.1.12.3/init.debian.sh --- old/shorewall-init-5.1.8.1/init.debian.sh 2017-11-08 18:46:25.000000000 +0100 +++ new/shorewall-init-5.1.12.3/init.debian.sh 2018-03-01 00:04:52.000000000 +0100 
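Review bot: the upstream changelog.txt hunk @@ -1,10 +1,198 @@ numbers two consecutive items `4)` under "Changes in 5.1.12.2" and two items `3)` under "Changes in 5.1.11 Beta 1". Nothing to change in the package, but it is worth reporting upstream, and the shorewall.changes entry derived from this list should be checked against it (the .changes lists "Add warning re wildcard and OPTIONS" under 5.1.10 Final, whereas this changelog places it under 5.1.10 RC 2).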
@@ -73,12 +73,16 @@ [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT} - if [ $PRODUCT = shorewall ]; then - ${SBINDIR}/shorewall compile - elif [ $PRODUCT = shorewall6 ]; then - ${SBINDIR}/shorewall -6 compile + if [ -x ${STATEDIR}/firewall ]; then + return 0 else - return 0 + if [ $PRODUCT = shorewall ]; then + ${SBINDIR}/shorewall compile + elif [ $PRODUCT = shorewall6 ]; then + ${SBINDIR}/shorewall -6 compile + else + return 1 + fi fi } @@ -108,16 +112,14 @@ for PRODUCT in $PRODUCTS; do if setstatedir; then - if [ -x ${STATEDIR}/firewall ]; then - # - # Run in a sub-shell to avoid name collisions - # - ( - if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then - ${STATEDIR}/firewall ${OPTIONS} stop - fi - ) - fi + # + # Run in a sub-shell to avoid name collisions + # + ( + if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then + ${STATEDIR}/firewall ${OPTIONS} stop + fi + ) fi done @@ -145,9 +147,7 @@ printf "Clearing \"Shorewall-based firewalls\": " for PRODUCT in $PRODUCTS; do if setstatedir; then - if [ -x ${STATEDIR}/firewall ]; then - ${STATEDIR}/firewall ${OPTIONS} clear - fi + ${STATEDIR}/firewall ${OPTIONS} clear fi done diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.8.1/init.fedora.sh new/shorewall-init-5.1.12.3/init.fedora.sh --- old/shorewall-init-5.1.8.1/init.fedora.sh 2017-11-08 18:46:25.000000000 +0100 +++ new/shorewall-init-5.1.12.3/init.fedora.sh 2018-03-01 00:04:52.000000000 +0100 @@ -44,12 +44,14 @@ [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT} - if [ $PRODUCT = shorewall ]; then + if [ -x ${STATEDIR}/firewall ]; then + return 0 + elif [ $PRODUCT = shorewall ]; then ${SBINDIR}/shorewall compile elif [ $PRODUCT = shorewall6 ]; then ${SBINDIR}/shorewall -6 compile else - return 0 + return 1 fi } 
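Review bot: init.debian.sh hunk @@ -73,12 +73,16 @@ and init.fedora.sh hunk @@ -44,12 +44,14 @@ make the same change to setstatedir (return 0 early when `${STATEDIR}/firewall` is executable, compile only when it is not, return 1 for an unknown product), but the Debian version nests the compile chain inside an `else` block while the Fedora version uses a flat `elif` chain; the flat form is easier to read and keeps the two scripts diffable against each other. Both tests use the unquoted `[ -x ${STATEDIR}/firewall ]`; quote the path, since STATEDIR can come from the user-supplied `$statedir`. Note also the behaviour change: a product whose compiled script already exists is no longer recompiled by these init scripts, which is appropriate for stop/clear but should be called out in the changelog.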
@@ -75,15 +77,11 @@ retval=$? if [ $retval -eq 0 ]; then - if [ -x "${STATEDIR}/firewall" ]; then - ${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger - retval=${PIPESTATUS[0]} - [ $retval -ne 0 ] && break - else - retval=6 #Product not configured - break - fi + ${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger + retval=${PIPESTATUS[0]} + [ $retval -ne 0 ] && break else + retval=6 #Product not configured break fi done @@ -110,15 +108,11 @@ retval=$? if [ $retval -eq 0 ]; then - if [ -x "${STATEDIR}/firewall" ]; then - ${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger - retval=${PIPESTATUS[0]} - [ $retval -ne 0 ] && break - else - retval=6 #Product not configured - break - fi + ${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger + retval=${PIPESTATUS[0]} + [ $retval -ne 0 ] && break else + retval=6 #Product not configured break fi done diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.8.1/init.openwrt.sh new/shorewall-init-5.1.12.3/init.openwrt.sh --- old/shorewall-init-5.1.8.1/init.openwrt.sh 2017-11-08 18:46:25.000000000 +0100 +++ new/shorewall-init-5.1.12.3/init.openwrt.sh 2018-03-01 00:04:52.000000000 +0100 @@ -75,12 +75,14 @@ [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT} - if [ $PRODUCT = shorewall ]; then + if [ -x ${STATEDIR}/firewall ]; then + return 0 + elif [ $PRODUCT = shorewall ]; then ${SBINDIR}/shorewall compile elif [ $PRODUCT = shorewall6 ]; then ${SBINDIR}/shorewall -6 compile else - return 0 + return 1 fi } @@ -92,10 +94,8 @@ printf "Initializing \"Shorewall-based firewalls\": " for PRODUCT in $PRODUCTS; do if setstatedir; then - if [ -x ${STATEDIR}/firewall ]; then - if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then - ${STATEDIR}/firewall ${OPTIONS} stop - fi + if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then + ${STATEDIR}/firewall ${OPTIONS} stop fi fi done 
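Review bot: in init.fedora.sh hunk @@ -75,15 +77,11 @@ the `else` branch now sets `retval=6 #Product not configured` whenever setstatedir returns non-zero. After hunk @@ -44,12 +44,14 @@, setstatedir returns non-zero both for an unknown product (`return 1`) and when `${SBINDIR}/shorewall compile` fails, so a compile error in a fully configured product is now reported to the init system as "not configured". If the distinction matters for status reporting, have setstatedir return distinct codes or pass the compile status through instead of overwriting it with 6. The same applies to the clear path in hunk @@ -110,15 +108,11 @@.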
@@ -103,6 +103,8 @@ if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then ipset -R < "$SAVE_IPSETS" fi + + return 0 } boot () { @@ -117,9 +119,7 @@ printf "Clearing \"Shorewall-based firewalls\": " for PRODUCT in $PRODUCTS; do if setstatedir; then - if [ -x ${STATEDIR}/firewall ]; then - ${STATEDIR}/firewall ${OPTIONS} clear - fi + ${STATEDIR}/firewall ${OPTIONS} clear fi done @@ -131,5 +131,7 @@ rm -f "${SAVE_IPSETS}.tmp" fi fi + + return 0 } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.8.1/init.sh new/shorewall-init-5.1.12.3/init.sh --- old/shorewall-init-5.1.8.1/init.sh 2017-11-08 18:46:25.000000000 +0100 +++ new/shorewall-init-5.1.12.3/init.sh 2018-03-01 00:04:52.000000000 +0100 @@ -69,10 +69,12 @@ [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT} - if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then + if [ -x ${STATEDIR}/firewall ]; then + return 0 + elif [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then ${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall else - return 0 + return 1 fi } @@ -84,10 +86,8 @@ printf "Initializing \"Shorewall-based firewalls\": " for PRODUCT in $PRODUCTS; do if setstatedir; then - if [ -x ${STATEDIR}/firewall ]; then - if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then - ${STATEDIR}/firewall ${OPTIONS} stop - fi + if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then + ${STATEDIR}/firewall ${OPTIONS} stop fi fi done 
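Review bot: in init.sh hunk @@ -84,10 +86,8 @@ (and the identical init.openwrt.sh hunk @@ -92,10 +94,8 @@) the status probe is `${SBIN}/$PRODUCT status`, while the compile call in hunk @@ -69,10 +69,12 @@ of the same file uses `${SBINDIR}/$PRODUCT`. Unless SBIN is defined elsewhere in the script with the same value, the probe runs `/$PRODUCT status`, fails, and the leading `!` makes the script run `${STATEDIR}/firewall ${OPTIONS} stop` on every invocation. This predates the patch, but since the hunk rewrites exactly these lines it is the moment to use one variable name. The `return 0` lines added at the end of the functions in hunks @@ -103,6 +103,8 @@ and @@ -131,5 +131,7 @@ are fine; they stop the function's exit status from depending on the last `fi`.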
@@ -107,9 +107,7 @@ printf "Clearing \"Shorewall-based firewalls\": " for PRODUCT in $PRODUCTS; do if setstatedir; then - if [ -x ${STATEDIR}/firewall ]; then - ${STATEDIR}/firewall ${OPTIONS} clear - fi + ${STATEDIR}/firewall ${OPTIONS} clear fi done diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.8.1/init.suse.sh new/shorewall-init-5.1.12.3/init.suse.sh --- old/shorewall-init-5.1.8.1/init.suse.sh 2017-11-08 18:46:25.000000000 +0100 +++ new/shorewall-init-5.1.12.3/init.suse.sh 2018-03-01 00:04:52.000000000 +0100 @@ -79,12 +79,14 @@ [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT} - if [ $PRODUCT = shorewall ]; then + if [ -x ${STATEDIR}/firewall ]; then + return 0 + elif [ $PRODUCT = shorewall ]; then ${SBINDIR}/shorewall compile elif [ $PRODUCT = shorewall6 ]; then ${SBINDIR}/shorewall -6 compile else - return 0 + return 6 fi } @@ -96,10 +98,8 @@ printf "Initializing \"Shorewall-based firewalls\": " for PRODUCT in $PRODUCTS; do if setstatedir; then - if [ -x $STATEDIR/firewall ]; then - if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then - $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop - fi + if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then + $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop fi fi done @@ -117,9 +117,7 @@ printf "Clearing \"Shorewall-based firewalls\": " for PRODUCT in $PRODUCTS; do if setstatedir; then - if [ -x ${STATEDIR}/firewall ]; then - ${STATEDIR}/firewall ${OPTIONS} clear - fi + ${STATEDIR}/firewall ${OPTIONS} clear fi done diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.8.1/install.sh new/shorewall-init-5.1.12.3/install.sh --- old/shorewall-init-5.1.8.1/install.sh 2017-11-08 19:50:09.000000000 +0100 +++ new/shorewall-init-5.1.12.3/install.sh 2018-03-01 17:44:42.000000000 +0100 
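Review bot: in init.suse.sh hunk @@ -96,10 +98,8 @@ the stop path executes `$STATEDIR/$PRODUCT/firewall ${OPTIONS} stop`, whereas hunk @@ -79,12 +79,14 @@ tests `-x ${STATEDIR}/firewall` and hunk @@ -117,9 +117,7 @@ runs `${STATEDIR}/firewall ${OPTIONS} clear`. STATEDIR already ends in the product name (`STATEDIR=${VARLIB}/${PRODUCT}`), so the stop path points at a directory one level deeper than the script that was tested and compiled; the removed `-x $STATEDIR/firewall` guard was checking a different path than the one executed, so this was already broken, and the rewrite is the moment to change it to `${STATEDIR}/firewall ${OPTIONS} stop` as in the other init scripts. Separately, this script's setstatedir returns 6 for an unknown product where init.debian.sh, init.fedora.sh, init.openwrt.sh and init.sh return 1; pick one code, since all callers only test for zero.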
@@ -27,7 +27,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=5.1.8.1 +VERSION=5.1.12.3 PRODUCT=shorewall-init Product="Shorewall Init" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.8.1/releasenotes.txt new/shorewall-init-5.1.12.3/releasenotes.txt --- old/shorewall-init-5.1.8.1/releasenotes.txt 2017-11-08 19:50:09.000000000 +0100 +++ new/shorewall-init-5.1.12.3/releasenotes.txt 2018-03-01 17:44:42.000000000 +0100 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 1 . 8 . 1 + S H O R E W A L L 5 . 1 . 1 2 . 3 ------------------------------- - N o v e m b e r 0 8 , 2 0 1 7 + M a r c h 0 1 , 2 0 1 8 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,42 +14,76 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -5.1.8.1 +5.1.12.3 -1) Previously, if 'noautosrc' was specified on a provider, then - persistent routes and rules for that provider were treated as - ordinary routes and rules (not persistent). That has been corrected - so that persistent routes and rules are retained when the provider - is disabled. +1) Previously, the Shorewall[6][-lite] lock file was not always + released when an error occurred. This resulted in: -5.1.8 + - A warning message saying that a stale lock file has been removed + - 'lock' processes remaining after shorewall[6][-lite] terminated + (only reported on OpenWRT). -1) This release includes defect repair through Shorewall 5.1.7.2. + That has been corrected so that the lock file is released at exit + if it hasn't been released already. -2) The copyright dates and product version comments have been updated - in a number of files. +5.1.12.2 -3) The undocumented and unmaintained Makefile files for Shorewall-lite - and Shorewall6-lite have been removed from Shorewall and Shorewall6 - respectively. +1) The 5.1.12 change that emits warnings when INLINE_MATCHES=Yes did + not issue a warning when a single semicolon was used to introduce + inline matches in INLINE, IPTABLES and IP6TABLES rules. That has + been corrected. Additionally, 'shorewall[6] update' now replaces + ';' with ';;' in those rules. -4) The 'dump' command logic now does a better job of detecting - and suppressing the printing of empty IPSec SPD entries. + As part of that change, the documentation has been modified to + prefer ';;' over ';' to introduce inline matches in those rules. -5) A number of issues with persistent providers that resulted in - 'ip rule add' and 'ip route add' failures have been corrected. The - most common senario involved a 'reload' while a persistent - interface was disabled. 
+2) A typo has been corrected so that the following error message is + now printed correctly. -6) Previously, the generated script contained incorrect logic for - deleting default routes with metric zero ('balanced' routes and - routes generated by 'fallback=nn'); the logic only worked correctly - when applied to the 'main' routing table. It now works correctly - for all routing tables. + ERROR: The REJECT_ACTION (<action name>) is not terminating -7) The 'ip xfrm policy' command ignores the -4 and -6 options and - dumps the policies for both address families. This release contains - a workaround that suppresses entries for the other family. + Previously, an "unknown function" Perl diagnostic was issued in its + place. + +3) Previously, if a policy action specification in shorewall[6].conf + or in the policy file included a log tag, a garbled error message + was issued. That has been corrected. + +4) Under rare rare circumstances, syn flood limiting specified in a + policy was previously not enforced by the generated ruleset. That + has been corrected. + +5.1.12.1 + +1) The macro SSDPServer released in 5.1.12 inadvertently contained the + content of macro.SSDP. The corrected macro is now available as + macro.SSDPserver (note the lower case 's' in 'server'). + +2) When double semicolons (";;") were used to introduce inline + matches, column/value pairs enclosed in braces ("{...}") were not + recongnized correctly if there was any white space between the + closing brace ("}") and the semicolons. That problem has been + corrected. + +5.1.12 + +1) This release contains defect repair from releases through 5.1.11.2. + +2) Many typos in comments in the chains module have been corrected. + +3) Dead code was removed. + +4) A function that is called only from lib.cli-std had been moved + there from lib.cli. + +5) Trailing white space is now omitted from the generated script. + +6) Apparently random blank lines in the generated script have been + eliminated. 
+ +7) Previously, the output of 'shorewall show capabilties' only + displayed the 'Ipset Match (IPSET_MATCH)' capability if it was + available. Now, it is also displayed when it is not available. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -74,37 +108,43 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) For historical reasons, Shorewall has always assumed that LOG target - support is present unless proven otherwise. While this has worked - correctly when a capabilities file is used and when - LOAD_HELPERS_ONLY=No, it can generate an unworkable firewall - script when LOAD_HELPERS_ONLY=Yes. +1) Beginning with this release, SNAT can be performed on flows + destined for the firewall itself. In this case, SNAT will be + performed in the INPUT chain of the nat table; see + shorewall-snat(5) for details. - Beginning with this release, Shorewall will treat LOG target like - any other capability and will verify its presense in all cases - where the target is used. + This change introduced a new capability: -2) The level 4 optimizer now does a better job of handling small - chains with rules specifying an IPSEC policy. This can result in - elimination of these chains. + INPUT chain in the nat table (NAT_INPUT_CHAIN) -3) Beginning with this release, when RESTORE_DEFAULT_ROUTE=Yes the - default route is only restored when there are no enabled - 'balance/primary' providers and no enabled fallback providers. +2) The undocumented optimize option OPTIMIZE_USE_FIRST (0x1000) + has been removed. - Also beginning with this release, if the default route(s) have been - restored to the 'main' table, and a fallback provider is - successfully enabled, the default route(s) are removed from the - main table. +3) Some minor performance enhancements have been make to optimization + category 8. -4) Because restoring default routes to the main routing table can - break the ability of Foolsm and other link status monitors to - properly detect non-functioning provider links, a warning message - is now issued when the 'persistent' provider option is specified - and RESTORE_DEFAULT_ROUTE=Yes. 
+4) While INLINE_MATCHES=Yes has been documented as deprecated for some + time, it has thus far not generated a warning. Beginning with this + release, a warning is issued: + + WARNING: Option INLINE_MATCHES=Yes is deprecated - WARNING: When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option - may not work as expected + See the Migration Issues section for additional information. + +5) The IPMI macro has been extended to include additional protocols + (Tuomo Soini). + +6) Several new macros have been added: + + Apcupsd + FreeIPA + Kpasswd + RedisSecure + Rwhois + SSDP + SSDPServer + + (Tuomo Soini) ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
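Review bot: the macro list in added item 6 of the New Features section still names 'SSDPServer', while the 5.1.12.1 changelog entry in this same submission says macro.SSDPServer was replaced with the corrected macro.SSDPserver; the list should use the corrected name so that users looking for the file find it. Also, added item 3 reads 'have been make to optimization category 8' and should be 'have been made to optimization category 8'.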
@@ -275,9 +315,474 @@ This change was released in Shorewall 5.1.8. +12) Most interface OPTIONS have always been ignored when the INTERFACE + name is '+'. Beginning with the Shorewall 5.1.10 release, a warning + is issued when an ignored option is specified with interface name '+'. + + Example: The 'sourceroute' option is ignored when used with + interface name '+' + + In many cases, this issue can be worked around by a change similar + to the following: + + Original: + + net + dhcp,routeback,sourceroute=0 + + Change to: + + net all dhcp,physical=+,routeback,sourceroute=0 + --- ---------- + + As part of this change, interfaces that specify a wildcard physical + interface name will generate a warning if any of the following + options are specified: + + accept_ra + arp_filter + arp_ignore + forward + logmartians + proxyarp + proxyndp + routefilter + sourceroute + + When the warning is issued, the specified option is then ignored + for the interface. + + Example: + + WARNING: The 'sourceroute' option is ignored when used with a + wildcard physical name + /etc/shorewall6.universal/interfaces (line 14) + +13) INLINE_MATCHES=Yes has been documented as deprecated for some + time, but it has not generated a warning. Beginning with the + Shorewall 5.1.12 release, a warning is issued: + + WARNING: Option INLINE_MATCHES=Yes is deprecated + + Additionally, each line that requires modification to work with + INLINE_MATCHES=No is flagged with the warning: + + WARNING: This entry needs to be changed (replace ';' with ';;') + before the INLINE_MATCHES option is removed in + Shorewall 5.2 + + You can eliminate the warnings by setting INLINE_MATCHES=No and + by replacing the single semicolon (";") separating inline matches + from the column-oriented part of the rule with two semicolons + (";;") in each entry flagged by the second warning. + ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 
1 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 1 . 1 1 +---------------------------------------------------------------------------- + +5.1.11.1 + +1) When AUTOMAKE=Yes and the 'find' utility is Busybox-based, + Shorewall 5.1.11 would fail during compilation with the error: + + find: unrecognized: -quit + + That has been corrected. + +5.1.11 + +1) This release contains defect repair from releases through 5.1.10.2. + +2) Previously, if DYNAMIC_BLACKLIST=ipset,disconnect..., the CLI would + verify the existence of the 'conntrack' utility on the local system + when the command was 'remote-start', 'remote-reload' or + 'remote-restart'. Now, that verification is only done for the + blacklist-oriented commands ('blacklist', 'allow', 'drop', etc.). + +3) Previously, when DYNAMIC_BLACKLIST=ipsec..., the CLI required the + firewall to be started in order to run the 'allow' command. Now, + the command only requires that the dynamic blacklist ipset + exists. + +4) Previously, if an address variable was used in the stoppedrules + file, the 'clear' command could fail in two different ways, + depending on whether the related interface was optional or not. + + If the interface was optional, the failure message was similar to + the following: + + $ shorewall clear + Clearing Shorewall.... + Preparing iptables-restore input... + /var/lib/shorewall/firewall: 3064: [: !=: unexpected operator + Running /sbin/iptables-restore... + IPv4 Forwarding Enabled + done. + + If the interface was not optional, the result was similar to: + + $ shorewall debug clear + Clearing Shorewall.... + Preparing iptables-restore input... + Running debug_restore_input... + Bad argument `6' + Try `iptables -h' or 'iptables --help' for more information. 
+ ERROR: Command "/sbin/iptables --wait -t filter -A INPUT -s + 172.17.211.254 -d -p 6 --dport 22 -i enp2s0 -j ACCEPT" + Failed + Terminated + + This problem has been corrected. + +5) Previously, the 'clear' command enabled forwarding + unconditionally. Beginning with this release, 'clear' will + conditionally enable/disable forwarding in the same manner as + 'stop'. + +6) In multi-ISP configurations, it is possible for an IPSEC-tunneled + connection from the Internet to be forwarded back out to the + Internet (for example, if all traffic from the remote endpoint is + sent through the tunnel). If the provider handling the tunnel has + the 'track' option (or if TRACK_PROVIDERS=Yes), then the outgoing + tunneled connection is sent back out that interface by + default (since the encapsulated initial packet arrived through that + interface). Since this is not always desirable, Shorewall now + clears the tracking mark on the connection while processing the + first packet, allowing the connection to not match routing rules + that are dependent on the tracking mark. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 1 . 1 1 +---------------------------------------------------------------------------- + +1) Previously, the 'show' command was not available to non-root + users. Beginning with this release, non-root users may now + run the following 'show' commands: + + show action <action> + show actions + show ip + show macro <macro> + show macros + show routing + +2) When a RATE is specified on a policy, the rate is enforced in a + chain whose name begins with '@' (e.g., @net-dmz). Previously, log + messages in the chain omitted the '@', leading to possible + confusion. Beginning with this release, the log message will + reflect the chain's actual name (including the '@'). 
+ +3) To improve efficiency, TCP CT entries in the conntrack file and + TCP entries in the rules file that specify a HELPER will now + assume that 'tcp:syn' had been specified. That way, the generated + ip[6]tables rule will only match on the first packet of the + three-way handshake. + +4) Now that the route caches have been removed from the kernel, + Multi-ISP really doesn't work without the 'track' provider option. + As a consequence, TRACK_PROVIDERS=Yes is now the default. Note that + the 'track' option may still be turned off using 'notrack', when + TRACK_PROVIDERS=Yes. + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 1 . 1 0 +---------------------------------------------------------------------------- + +5.1.10.2 + +1) When AUTOMAKE=Yes, the commands 'start', 'restart' and 'reload' + cause the 'find' utility to be run in each entry in the CONFIG_PATH + to look for files that have been modified since the current + firewall script was created.There are two related defects in 5.1.10 + and 5.1.10.1 that manifest when AUTOMAKE=Yes. + + a) While the compiler only searches in the directories themselves, + 'find' was not limited to just those directories, but was rather + searched the entire tree rooted in each path in CONFIG_PATH. + + b) If the CONFIG_PATH was prefixed by ":", then there was + effectively an empty path in CONFIG_PATH, which resulted in a + search of the entire tree rooted in the current working + directory. + + Both problems have been corrected: + + a) Find is run with '-maxdepth 1', to limit the search to just the + files in the directory. + + b) Find is not run on empty paths in CONFIG_PATH. + +5.1.10.1 + +1) The Shorewall-core installer previously failed to update the shell library + files correctly when SHAREDIR was not set to /usr/share/. That has + been corrected. 
+ +2) Previously, the installer modified the shorewall[6].conf installed + in /etc/shorewall[6] based on the Linux distribution (HOST in + shorewallrc) but installed an unmodified file in + /usr/share/shorewall/configfiles/. Beginning with this release, + the modified file is also installed in the latter directory. + +5.1.10 + +1) Several typos have been corrected in the manpages (Roberto + Sánchez). + +2) Regarding Known Problem 3 below, the code added in 5.0.15 could + fail to delete an existing default route if the new default route + was not identical to the one being replaced. Now, the default route + is deleted, even the new route is different. + +3) Previously, if the 'ss' utility was not installed but 'netstat' was + installed, the 'dump' command would issue the error message + + /sbin/shorewall: line 1: netatat: not found + + and the dump would not contain socket information. That problem + has been corrected. + +4) Previously, a plain 'reset' command would only reset counters in + the 'filter' and 'mangle' tables. Now, all four tables have their + counters reset. + +5) Specifying IN-BANDWIDTH would previously cause a run-time + start/restart/reload failure when a later version of iproute2 was + installed. The problem has been observed on both iproute2 4.13.0 + and 4.14.0. The failure message was similar to the following: + + Setting up Traffic Control... + "rate" or "avrate" MUST be specified. + Illegal "police" + ERROR: Command "tc filter add dev ppp0 parent ffff: protocol all + prio 10 basic police mpu 64 drop rate 55378kbit burst 10kb" Failed + + This problem has been resolved. + +6) Previously, Shorewall-init would recompile the firewall script each + time that it ran. Now, it only compiles the script if it doesn't + exist. + +7) Most interface OPTIONS have always been ignored when the INTERFACE + name is '+'. Beginning with this release, a warning is issued when + an ignored option is specified with interface name '+'. 
+ + Example: The 'sourceroute' option is ignored when used with + interface name '+' + + In most cases, this issue can be worked around by a change similar + to the following: + + Original: + + net + dhcp,routeback,sourceroute=0 + + Change to: + + net all dhcp,physical=+,routeback,sourceroute=0 + --- ---------- + + As part of this change, interfaces that specify a wildcard physical + interface name will generate a warning if any of the following + options are specified: + + accept_ra + arp_filter + arp_ignore + forward + logmartians + proxyarp + proxyndp + routefilter + sourceroute + + When the warning is issued, the specified option is then ignored + for the interface. + + Example: + + WARNING: The 'sourceroute' option is ignored when used with a + wildcard physical name + /etc/shorewall6.universal/interfaces (line 14) + +8) When the IPv6 Universal sample configuration was used, the + following warning was issued during start/restart/reload: + + WARNING: Cannot set Accept Source Routing on + + + The Universal interfaces file has been corrected to eliminate that + error. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 1 . 1 0 +---------------------------------------------------------------------------- + +1) Previously, it was necessary to remove ${CONFDIR}/shorewall[6] from + the CONFIG_PATH to create a configuration directory for a remote + firewall managed by shorewall[6]-lite. Without this modification, + when the compiler looked for a file that was not present in the + configuration directory, it would attempt to read the file by the + same name residing in ${CONFDIR}/shorewall[6]. + + Now, if the setting of CONFIG_PATH begins with a colon (":"), + the first directory in the path is ignored when compiling for + export or when the user running the compiler is not root. + The released copies of shorewall[6].conf have all been modified to + set CONFIG_PATH with a leading colon. 
+ +2) The documentation surrounding use of DNS names in Shorewall + configuration has been improved. + +3) It is now possible to associate a particular protocol with an + action in shorewall[6]-actions(5). When a protocol is specified in + that file, it is not necessary to specify the protocol in the PROTO + column when invoking the action. If a protocol is included in the + PROTO column then it must match the one specified in the actions + file. If an action defined with a protocol is used as a Policy + Action, then only packets with the specified protocol will be + passed to the action. + + A number of standard actions definitions in + /usr/share/shorewall[6]/actions.std have had a protocol added. + + The protocol has no effect if 'builtin' or 'inline' is also + specified; specifying 'builtin' with a protocol results in a + warning message. No warning is issued when 'inline' is specified + with a protocol, thus allowing 'inline' and a protocol to appear + together in actions.std. Note that 'noinline' in + shorewall-actions(5) can override an 'inline' specification in + actions.std. + +4) The FIN action previously included the PSH flag (FIN,ACK,PSH). To + make the action a bit more general, the PSH flag is now removed and + TCP packets with just the FIN and ACK flags set will now match. + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 1 . 9 +---------------------------------------------------------------------------- + +1) This release includes defect repair through Shorewall 5.1.8.1. + +2) Previously, Shorewall6 did not accept square brackets ("[...]") + around the GATEWAY address in a Providers file entry. That has been + corrected, so that the usual convention of enclosing IPv6 addresses + in square brackets is allowed in that context. 
+ +3) Previously, if the IP variables was set in a remote firewall's + configuration directory, and the named file did not exist on the + local administrative system, then a fatal error was raised. + + Example: + + ERROR: The program specified in IP (/usr/bin/ip) does not exist + or is not executable + + Beginning with this release, the contents of the IP option will not + be verified at compile time when compiling for export. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 1 . 9 +---------------------------------------------------------------------------- + +1) The mangle file now supports a TCPMSS action for setting the MSS + value in TCP SYN packets. See shorewall-mangle(5) for details. As + part of this change, the TCPMSS rule generated by the CLAMPMSS + option has been moved from the filter table FOWARD chain to the + mangle table FORWARD chain. + +2) The Broadcast and Multicast actions are now inlined when the + Address Type Match capability is available. + +3) It is now possible to specify 'noinline' in an entry in + /etc/shorewall[6]/actions to override the 'inline' option + specified in /usr/share/shorewall/actions.std. + +4) Logging is now supported in the snat file. + + - Log levels may be specified on SNAT, MASQUERADE and CONTINUE + rules. + + - The NFLOG, ULOG and LOG actions are now supported. + + See shorewall-snat(5) for details. + +5) A logging manpage (shorewall-logging(5)) has been added. + +6) The IPMI macro now includes support for Redfish remote consoles. + +7) The Sample configuration files now use logical interface names to + simplify adapting them to fit the newer interface naming + convention adopted by the kernel. + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 1 . 
8 +---------------------------------------------------------------------------- + +1) This release includes defect repair through Shorewall 5.1.7.2. + +2) The copyright dates and product version comments have been updated + in a number of files. + +3) The undocumented and unmaintained Makefile files for Shorewall-lite + and Shorewall6-lite have been removed from Shorewall and Shorewall6 + respectively. + +4) The 'dump' command logic now does a better job of detecting + and suppressing the printing of empty IPSec SPD entries. + +5) A number of issues with persistent providers that resulted in + 'ip rule add' and 'ip route add' failures have been corrected. The + most common senario involved a 'reload' while a persistent + interface was disabled. + +6) Previously, the generated script contained incorrect logic for + deleting default routes with metric zero ('balanced' routes and + routes generated by 'fallback=nn'); the logic only worked correctly + when applied to the 'main' routing table. It now works correctly + for all routing tables. + +7) The 'ip xfrm policy' command ignores the -4 and -6 options and + dumps the policies for both address families. This release contains + a workaround that suppresses entries for the other family. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 1 . 8 +---------------------------------------------------------------------------- + +1) For historical reasons, Shorewall has always assumed that LOG target + support is present unless proven otherwise. While this has worked + correctly when a capabilities file is used and when + LOAD_HELPERS_ONLY=No, it can generate an unworkable firewall + script when LOAD_HELPERS_ONLY=Yes. + + Beginning with this release, Shorewall will treat LOG target like + any other capability and will verify its presense in all cases + where the target is used. 
+ +2) The level 4 optimizer now does a better job of handling small + chains with rules specifying an IPSEC policy. This can result in + elimination of these chains. + +3) Beginning with this release, when RESTORE_DEFAULT_ROUTE=Yes the + default route is only restored when there are no enabled + 'balance/primary' providers and no enabled fallback providers. + + Also beginning with this release, if the default route(s) have been + restored to the 'main' table, and a fallback provider is + successfully enabled, the default route(s) are removed from the + main table. + +4) Because restoring default routes to the main routing table can + break the ability of Foolsm and other link status monitors to + properly detect non-functioning provider links, a warning message + is now issued when the 'persistent' provider option is specified + and RESTORE_DEFAULT_ROUTE=Yes. + + WARNING: When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option + may not work as expected + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 1 . 7 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.8.1/shorewall-init new/shorewall-init-5.1.12.3/shorewall-init --- old/shorewall-init-5.1.8.1/shorewall-init 2017-11-08 18:46:25.000000000 +0100 +++ new/shorewall-init-5.1.12.3/shorewall-init 2018-03-01 00:04:52.000000000 +0100 @@ -33,12 +33,12 @@ [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT} - if [ $PRODUCT = shorewall ]; then + if [ -x ${STATEDIR}/firewall ]; then + return 0 + elif [ $PRODUCT = shorewall ]; then ${SBINDIR}/shorewall compile elif [ $PRODUCT = shorewall6 ]; then ${SBINDIR}/shorewall -6 compile - else - return 0 fi } 
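Review bot: in the 5.1.11 section of the Notes from Other Releases hunk, added item 3 says 'when DYNAMIC_BLACKLIST=ipsec...', but the surrounding text (item 2, 'DYNAMIC_BLACKLIST=ipset,disconnect...', and the sentence 'the command only requires that the dynamic blacklist ipset exists') and the changelog entry 'Don't require shorewall to be started for 'allow' with ipset-based DBL' show this is the ipset-based blacklist; 'ipsec' should be 'ipset'. Several further typos in the same hunk would be worth fixing before release: 'firewall script was created.There are' (missing space), 'but was rather searched the entire tree' (should be 'but rather searched the entire tree'), 'even the new route is different' (should be 'even if the new route is different'), 'if the IP variables was set' (should be 'IP variable was set'), 'filter table FOWARD chain' (should be 'FORWARD'), 'most common senario' (should be 'scenario') and 'verify its presense' (should be 'presence').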
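Review bot: removing the 'else return 0' branch changes what setstatedir returns for the products that are neither shorewall nor shorewall6 (the -lite variants): when ${STATEDIR}/firewall is not executable, no branch of the 'if' runs, and a POSIX 'if' whose condition list all fails exits with status 0, so the function now reports success even though no compiled script exists. Since the callers later in this file drop their own '[ -x ${STATEDIR}/firewall ]' check and rely on this return value, the missing script is then executed. Suggest making the fall-through explicit with a nonzero status, for example an 'else return 1' branch after the shorewall6 case, so that 'if setstatedir; then' really means "a firewall script is present".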
@@ -67,16 +67,14 @@ printf "Initializing \"Shorewall-based firewalls\": " for PRODUCT in $PRODUCTS; do if setstatedir; then - if [ -x ${STATEDIR}/firewall ]; then - # - # Run in a sub-shell to avoid name collisions - # - ( - if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then - ${STATEDIR}/firewall ${OPTIONS} stop - fi - ) - fi + # + # Run in a sub-shell to avoid name collisions + # + ( + if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then + ${STATEDIR}/firewall ${OPTIONS} stop + fi + ) fi done @@ -95,9 +93,7 @@ printf "Clearing \"Shorewall-based firewalls\": " for PRODUCT in $PRODUCTS; do if setstatedir; then - if [ -x ${STATEDIR}/firewall ]; then - ${STATEDIR}/firewall ${OPTIONS} clear - fi + ${STATEDIR}/firewall ${OPTIONS} clear fi done diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.8.1/shorewall-init.spec new/shorewall-init-5.1.12.3/shorewall-init.spec --- old/shorewall-init-5.1.8.1/shorewall-init.spec 2017-11-08 19:50:09.000000000 +0100 +++ new/shorewall-init-5.1.12.3/shorewall-init.spec 2018-03-01 17:44:42.000000000 +0100 @@ -1,6 +1,6 @@ %define name shorewall-init -%define version 5.1.8 -%define release 1 +%define version 5.1.12 +%define release 3 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} 
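Review bot: in both shorewall-init hunks here the '[ -x ${STATEDIR}/firewall ]' guard is removed, so '${STATEDIR}/firewall status', 'stop' and, in the second hunk, '${STATEDIR}/firewall ${OPTIONS} clear' now run whenever setstatedir succeeds. That is only safe if setstatedir guarantees the script exists, which the revised function does not do for shorewall-lite and shorewall6-lite; on such a system with no exported script, init would print a 'not found' error for 'stop' (the failed 'status' makes the negated test true) and 'clear' would fail the same way. Either keep the -x test in these two loops or have setstatedir return nonzero when the script is absent.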
@@ -135,8 +135,46 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Wed Nov 08 2017 Tom Eastep [email protected] -- Updated to 5.1.8-1 +* Wed Feb 28 2018 Tom Eastep [email protected] +- Updated to 5.1.12-3 +* Sat Feb 10 2018 Tom Eastep [email protected] +- Updated to 5.1.12-2 +* Fri Feb 09 2018 Tom Eastep [email protected] +- Updated to 5.1.12-1 +* Tue Feb 06 2018 Tom Eastep [email protected] +- Updated to 5.1.12-0base +* Wed Jan 31 2018 Tom Eastep [email protected] +- Updated to 5.1.12-0RC1 +* Tue Jan 23 2018 Tom Eastep [email protected] +- Updated to 5.1.12-0Beta2 +* Wed Jan 17 2018 Tom Eastep [email protected] +- Updated to 5.1.12-0Beta1 +* Wed Jan 10 2018 Tom Eastep [email protected] +- Updated to 5.1.11-0base +* Fri Jan 05 2018 Tom Eastep [email protected] +- Updated to 5.1.11-0RC1 +* Sun Dec 31 2017 Tom Eastep [email protected] +- Updated to 5.1.11-0Beta2 +* Tue Dec 26 2017 Tom Eastep [email protected] +- Updated to 5.1.11-0Beta1 +* Sat Dec 23 2017 Tom Eastep [email protected] +- Updated to 5.1.10-0base +* Mon Dec 18 2017 Tom Eastep [email protected] +- Updated to 5.1.10-0RC2 +* Sat Dec 09 2017 Tom Eastep [email protected] +- Updated to 5.1.10-0RC1 +* Fri Dec 01 2017 Tom Eastep [email protected] +- Updated to 5.1.10-0Beta2 +* Wed Nov 22 2017 Tom Eastep [email protected] +- Updated to 5.1.10-0Beta1 +* Wed Nov 15 2017 Tom Eastep [email protected] +- Updated to 5.1.9-0base +* Sat Nov 11 2017 Tom Eastep [email protected] +- Updated to 5.1.9-0RC1 +* Fri Nov 03 2017 Tom Eastep [email protected] +- Updated to 5.1.9-0Beta2 +* Thu Oct 19 2017 Tom Eastep [email protected] +- Updated to 5.1.9-0Beta1 * Sun Oct 15 2017 Tom Eastep [email protected] - Updated to 5.1.8-0base * Tue Oct 10 2017 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.1.8.1/uninstall.sh new/shorewall-init-5.1.12.3/uninstall.sh --- old/shorewall-init-5.1.8.1/uninstall.sh 2017-11-08 19:50:09.000000000 
+0100 +++ new/shorewall-init-5.1.12.3/uninstall.sh 2018-03-01 17:44:42.000000000 +0100 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.1.8.1 +VERSION=5.1.12.3 PRODUCT=shorewall-init Product="Shorewall Init" ++++++ shorewall-init-fillup-install.patch ++++++ --- /var/tmp/diff_new_pack.qibdR0/_old 2018-03-16 10:45:31.415775272 +0100 +++ /var/tmp/diff_new_pack.qibdR0/_new 2018-03-16 10:45:31.427774840 +0100 @@ -1,10 +1,11 @@ diff -rup a/install.sh b/install.sh ---- a/install.sh 2017-03-14 16:18:03.000000000 +0100 -+++ b/install.sh 2017-03-15 18:20:28.532434546 +0100 -@@ -386,9 +386,14 @@ else +--- a/install.sh 2018-03-01 17:44:42.000000000 +0100 ++++ b/install.sh 2018-03-05 17:50:06.242326227 +0100 +@@ -385,10 +385,14 @@ else + fi fi fi - +- - if [ -n "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then - install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT 0644 - echo "${SYSCONFFILE} file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}" ++++++ shorewall-lite-5.1.8.1.tar.bz2 -> shorewall-lite-5.1.12.3.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.8.1/changelog.txt new/shorewall-lite-5.1.12.3/changelog.txt --- old/shorewall-lite-5.1.8.1/changelog.txt 2017-11-08 19:50:09.000000000 +0100 +++ new/shorewall-lite-5.1.12.3/changelog.txt 2018-03-01 17:44:42.000000000 +0100 
@@ -1,10 +1,198 @@ -Changes in 5.1.8.1 +Changes in 5.1.12.3 1) Update release documents. -2) Make persistent routes and rules independent of 'autosrc'. +2) Ensure that mutex gets released at exit. -Changes in 5.1.8 +Changes in 5.1.12.2 + +1) Update release documents. + +2) Alter documentation to prefer ';;' over ';' in INLINE and + IP[6]TABLES rules. + +3) Make 'update' convert ';' to ';;' in INLINE, IPTABLES and IP6TABLES + rules. + +4) Correct typo that resulted in an "unknown function" Perl diagnostic. + +4) Correct "Invalid policy" message. + +5) Fix omitted SYN limiting. + +Changes in 5.1.12.1 + +1) Update release documents. + +2) Replace macro.SSDPServer with corrected macro.SSDPserver. + +Changes in 5.1.12 Final + +1) Update release documents. + +2) Add INLINE_MATCHES=Yes to the deprecated list. + +Changes in 5.1.12 RC 1 + +1) Update release documents. + +2) Minor performance enhancements to Optimize Category 8. + +3) Always report IPSET_MATCH. + +Changes in 5.1.12 Beta 2 + +1) Update release documents. + +2) Delete undocumented OPTIMIZE_USE_FIRST option. + +3) Merge 5.1.11. + +4) Suppress trailing whitespace. + +5) Avoid awkward blank lines. + +Changes in 5.1.12 Beta 1 + +1) Update release documents. + +2) Code and manpage cleanup. + +3) Allow SNAT in the INPUT chain. + +Changes in 5.1.11 Final + +1) Update release documents. + +Changes in 5.1.11 RC 1 + +1) Update release documents. + +2) Update versions and copyrights. + +3) Clear the connection mark on forwarded IPSEC tunneled connections. + +4) Make TRACK_PROVIDERS=Yes the default. + +Changes in 5.1.11 Beta 2 + +1) Update release documents. + +2) Be selective about verification of the conntrack utility when + DYNAMIC_BLACKLIST=ipset,disconnect... + +3) Don't require shorewall to be started for 'allow' with ipset-based + DBL. + +4) Make address variables play nice with the 'clear' command. + +5) Don't unconditionally enable forwarding during 'clear'. 
+ +Changes in 5.1.11 Beta 1 + +1) Update release documents. + +2) Allow non-root to run some 'show' commands. + +3) Use synchain name in log messages rather than base chain name. + +3) Assume :syn for TCP CT entries in the conntrack file and HELPER. + +4) Limit depth of 'find' search when AUTOMAKE=Yes. + +Changes in 5.1.10.2 + +1) Update release documents. + +2) Limit 'find' to depth 1. + +3) Don't run find in an empty entry in $CONFIG_PATH + +Changes in 5.1.10.1 + +1) Update release documents. + +2) Fix Shorewall-core installer for sandbox case. + +3) Make /etc and /configfiles the same. + +Changes in 5.1.10 Final + +1) Update release documents. + +Changes in 5.1.10 RC 2 + +1) Update release documents. + +2) Add warning re wildcard and OPTIONS. + +3) Correct IPv6 Universal interfaces file. + +Changes in 5.1.10 RC 1 + +1) Update release documents. + +2) Correct ingress policing. + +3) Fix Shorewall-init recompilation problem. + +Changes in 5.1.10 Beta 2 + +1) Update release documents. + +2) Allow a protocol to be associated with a regular action. + +3) Remove the PSH flag from the FIN action. + +Changes in 5.1.10 Beta 1 + +1) Update release documents. + +2) Allow CONFIG_PATH setting to begin with ':' to allow dropping the + first directory by non-root. + +3) Correct several typos in the manpages (Roberto Sánchez). + +4) Correct typo in 'dump' processing. + +5) Reset all table counters during 'reset'. + +Changes in 5.1.9 Final + +1) Update release documents. + +2) Use logical interface names in the Sample configs. + +Changes in 5.1.9 RC 1 + +1) Update release documents. + +2) Apply W Van den Akker's OpenWRT/Lede patches. + +3) Don't verify IP and SHOREWALL_SHELL paths when compiling + for export. + +4) Support for Redfish remote console in macro.IPMI + +Changes in 5.1.9 Beta 2 + +1) Update release documents. + +2) Merge content from 5.1.8. + +Changes in 5.1.9 Beta 1 + +1) Update release documents. + +2) Add TCPMSS action in the mangle file. 
+ +3) Inline the Broadcast action when ADDRTYPE match is available. + +4) Support logging in the snat file. + +5) Add shorewall-logging(5). + +Changes in 5.1.8 Final 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.8.1/configure new/shorewall-lite-5.1.12.3/configure --- old/shorewall-lite-5.1.8.1/configure 2017-11-08 19:50:09.000000000 +0100 +++ new/shorewall-lite-5.1.12.3/configure 2018-03-01 17:44:42.000000000 +0100 @@ -2,7 +2,7 @@ # # Shorewall Packet Filtering Firewall RPM configuration program - V4.6 # -# (c) 2012,2014 - Tom Eastep ([email protected]) +# (c) 2012,2014,2017 - Tom Eastep ([email protected]) # # Shorewall documentation is available at http://www.shorewall.net # @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.1.8.1 +VERSION=5.1.12.3 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.8.1/configure.pl new/shorewall-lite-5.1.12.3/configure.pl --- old/shorewall-lite-5.1.8.1/configure.pl 2017-11-08 19:50:09.000000000 +0100 +++ new/shorewall-lite-5.1.12.3/configure.pl 2018-03-01 17:44:42.000000000 +0100 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.1.8.1' + VERSION => '5.1.12.3' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.8.1/install.sh new/shorewall-lite-5.1.12.3/install.sh --- old/shorewall-lite-5.1.8.1/install.sh 2017-11-08 19:50:09.000000000 +0100 +++ new/shorewall-lite-5.1.12.3/install.sh 2018-03-01 17:44:42.000000000 +0100 
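Review bot: duplicate item numbers in the added changelog.txt entries: under 'Changes in 5.1.12.2' there are two items numbered '4)' ('Correct typo that resulted in an "unknown function" Perl diagnostic.' and 'Correct "Invalid policy" message.'), and under 'Changes in 5.1.11 Beta 1' two items numbered '3)' ('Use synchain name in log messages...' and 'Assume :syn for TCP CT entries...'). Renumber so the remaining items in each block follow in sequence (5)/6) and 4)/5) respectively).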
@@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=5.1.8.1 +VERSION=5.1.12.3 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.8.1/manpages/shorewall-lite-vardir.5 new/shorewall-lite-5.1.12.3/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-5.1.8.1/manpages/shorewall-lite-vardir.5 2017-11-08 19:51:33.000000000 +0100 +++ new/shorewall-lite-5.1.12.3/manpages/shorewall-lite-vardir.5 2018-03-01 17:46:32.000000000 +0100 @@ -2,12 +2,12 @@ .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 11/08/2017 +.\" Date: 03/01/2018 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "11/08/2017" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\-VAR" "5" "03/01/2018" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.8.1/manpages/shorewall-lite.8 new/shorewall-lite-5.1.12.3/manpages/shorewall-lite.8 --- old/shorewall-lite-5.1.8.1/manpages/shorewall-lite.8 2017-11-08 19:51:34.000000000 +0100 +++ new/shorewall-lite-5.1.12.3/manpages/shorewall-lite.8 2018-03-01 17:46:33.000000000 +0100 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 11/08/2017 +.\" Date: 03/01/2018 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "11/08/2017" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL\-LITE" "8" "03/01/2018" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.8.1/manpages/shorewall-lite.conf.5 new/shorewall-lite-5.1.12.3/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-5.1.8.1/manpages/shorewall-lite.conf.5 2017-11-08 19:51:32.000000000 +0100 +++ new/shorewall-lite-5.1.12.3/manpages/shorewall-lite.conf.5 2018-03-01 17:46:31.000000000 +0100 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 11/08/2017 +.\" Date: 03/01/2018 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "11/08/2017" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\&.CO" "5" "03/01/2018" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.8.1/releasenotes.txt new/shorewall-lite-5.1.12.3/releasenotes.txt --- old/shorewall-lite-5.1.8.1/releasenotes.txt 2017-11-08 19:50:09.000000000 +0100 +++ new/shorewall-lite-5.1.12.3/releasenotes.txt 2018-03-01 17:44:42.000000000 +0100 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 1 . 8 . 1 + S H O R E W A L L 5 . 1 . 1 2 . 3 ------------------------------- - N o v e m b e r 0 8 , 2 0 1 7 + M a r c h 0 1 , 2 0 1 8 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,42 +14,76 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -5.1.8.1 +5.1.12.3 -1) Previously, if 'noautosrc' was specified on a provider, then - persistent routes and rules for that provider were treated as - ordinary routes and rules (not persistent). That has been corrected - so that persistent routes and rules are retained when the provider - is disabled. +1) Previously, the Shorewall[6][-lite] lock file was not always + released when an error occurred. This resulted in: -5.1.8 + - A warning message saying that a stale lock file has been removed + - 'lock' processes remaining after shorewall[6][-lite] terminated + (only reported on OpenWRT). -1) This release includes defect repair through Shorewall 5.1.7.2. + That has been corrected so that the lock file is released at exit + if it hasn't been released already. -2) The copyright dates and product version comments have been updated - in a number of files. +5.1.12.2 -3) The undocumented and unmaintained Makefile files for Shorewall-lite - and Shorewall6-lite have been removed from Shorewall and Shorewall6 - respectively. +1) The 5.1.12 change that emits warnings when INLINE_MATCHES=Yes did + not issue a warning when a single semicolon was used to introduce + inline matches in INLINE, IPTABLES and IP6TABLES rules. That has + been corrected. Additionally, 'shorewall[6] update' now replaces + ';' with ';;' in those rules. -4) The 'dump' command logic now does a better job of detecting - and suppressing the printing of empty IPSec SPD entries. + As part of that change, the documentation has been modified to + prefer ';;' over ';' to introduce inline matches in those rules. -5) A number of issues with persistent providers that resulted in - 'ip rule add' and 'ip route add' failures have been corrected. The - most common senario involved a 'reload' while a persistent - interface was disabled. 
+2) A typo has been corrected so that the following error message is + now printed correctly. -6) Previously, the generated script contained incorrect logic for - deleting default routes with metric zero ('balanced' routes and - routes generated by 'fallback=nn'); the logic only worked correctly - when applied to the 'main' routing table. It now works correctly - for all routing tables. + ERROR: The REJECT_ACTION (<action name>) is not terminating -7) The 'ip xfrm policy' command ignores the -4 and -6 options and - dumps the policies for both address families. This release contains - a workaround that suppresses entries for the other family. + Previously, an "unknown function" Perl diagnostic was issued in its + place. + +3) Previously, if a policy action specification in shorewall[6].conf + or in the policy file included a log tag, a garbled error message + was issued. That has been corrected. + +4) Under rare rare circumstances, syn flood limiting specified in a + policy was previously not enforced by the generated ruleset. That + has been corrected. + +5.1.12.1 + +1) The macro SSDPServer released in 5.1.12 inadvertently contained the + content of macro.SSDP. The corrected macro is now available as + macro.SSDPserver (note the lower case 's' in 'server'). + +2) When double semicolons (";;") were used to introduce inline + matches, column/value pairs enclosed in braces ("{...}") were not + recongnized correctly if there was any white space between the + closing brace ("}") and the semicolons. That problem has been + corrected. + +5.1.12 + +1) This release contains defect repair from releases through 5.1.11.2. + +2) Many typos in comments in the chains module have been corrected. + +3) Dead code was removed. + +4) A function that is called only from lib.cli-std had been moved + there from lib.cli. + +5) Trailing white space is now omitted from the generated script. + +6) Apparently random blank lines in the generated script have been + eliminated. 
+ +7) Previously, the output of 'shorewall show capabilties' only + displayed the 'Ipset Match (IPSET_MATCH)' capability if it was + available. Now, it is also displayed when it is not available. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -74,37 +108,43 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) For historical reasons, Shorewall has always assumed that LOG target - support is present unless proven otherwise. While this has worked - correctly when a capabilities file is used and when - LOAD_HELPERS_ONLY=No, it can generate an unworkable firewall - script when LOAD_HELPERS_ONLY=Yes. +1) Beginning with this release, SNAT can be performed on flows + destined for the firewall itself. In this case, SNAT will be + performed in the INPUT chain of the nat table; see + shorewall-snat(5) for details. - Beginning with this release, Shorewall will treat LOG target like - any other capability and will verify its presense in all cases - where the target is used. + This change introduced a new capability: -2) The level 4 optimizer now does a better job of handling small - chains with rules specifying an IPSEC policy. This can result in - elimination of these chains. + INPUT chain in the nat table (NAT_INPUT_CHAIN) -3) Beginning with this release, when RESTORE_DEFAULT_ROUTE=Yes the - default route is only restored when there are no enabled - 'balance/primary' providers and no enabled fallback providers. +2) The undocumented optimize option OPTIMIZE_USE_FIRST (0x1000) + has been removed. - Also beginning with this release, if the default route(s) have been - restored to the 'main' table, and a fallback provider is - successfully enabled, the default route(s) are removed from the - main table. +3) Some minor performance enhancements have been make to optimization + category 8. -4) Because restoring default routes to the main routing table can - break the ability of Foolsm and other link status monitors to - properly detect non-functioning provider links, a warning message - is now issued when the 'persistent' provider option is specified - and RESTORE_DEFAULT_ROUTE=Yes. 
+4) While INLINE_MATCHES=Yes has been documented as deprecated for some + time, it has thus far not generated a warning. Beginning with this + release, a warning is issued: + + WARNING: Option INLINE_MATCHES=Yes is deprecated - WARNING: When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option - may not work as expected + See the Migration Issues section for additional information. + +5) The IPMI macro has been extended to include additional protocols + (Tuomo Soini). + +6) Several new macros have been added: + + Apcupsd + FreeIPA + Kpasswd + RedisSecure + Rwhois + SSDP + SSDPServer + + (Tuomo Soini) ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -275,9 +315,474 @@ This change was released in Shorewall 5.1.8. +12) Most interface OPTIONS have always been ignored when the INTERFACE + name is '+'. Beginning with the Shorewall 5.1.10 release, a warning + is issued when an ignored option is specified with interface name '+'. + + Example: The 'sourceroute' option is ignored when used with + interface name '+' + + In many cases, this issue can be worked around by a change similar + to the following: + + Original: + + net + dhcp,routeback,sourceroute=0 + + Change to: + + net all dhcp,physical=+,routeback,sourceroute=0 + --- ---------- + + As part of this change, interfaces that specify a wildcard physical + interface name will generate a warning if any of the following + options are specified: + + accept_ra + arp_filter + arp_ignore + forward + logmartians + proxyarp + proxyndp + routefilter + sourceroute + + When the warning is issued, the specified option is then ignored + for the interface. + + Example: + + WARNING: The 'sourceroute' option is ignored when used with a + wildcard physical name + /etc/shorewall6.universal/interfaces (line 14) + +13) INLINE_MATCHES=Yes has been documented as deprecated for some + time, but it has not generated a warning. Beginning with the + Shorewall 5.1.12 release, a warning is issued: + + WARNING: Option INLINE_MATCHES=Yes is deprecated + + Additionally, each line that requires modification to work with + INLINE_MATCHES=No is flagged with the warning: + + WARNING: This entry needs to be changed (replace ';' with ';;') + before the INLINE_MATCHES option is removed in + Shorewall 5.2 + + You can eliminate the warnings by setting INLINE_MATCHES=No and + by replacing the single semicolon (";") separating inline matches + from the column-oriented part of the rule with two semicolons + (";;") in each entry flagged by the second warning. + ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 
1 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 1 . 1 1 +---------------------------------------------------------------------------- + +5.1.11.1 + +1) When AUTOMAKE=Yes and the 'find' utility is Busybox-based, + Shorewall 5.1.11 would fail during compilation with the error: + + find: unrecognized: -quit + + That has been corrected. + +5.1.11 + +1) This release contains defect repair from releases through 5.1.10.2. + +2) Previously, if DYNAMIC_BLACKLIST=ipset,disconnect..., the CLI would + verify the existence of the 'conntrack' utility on the local system + when the command was 'remote-start', 'remote-reload' or + 'remote-restart'. Now, that verification is only done for the + blacklist-oriented commands ('blacklist', 'allow', 'drop', etc.). + +3) Previously, when DYNAMIC_BLACKLIST=ipsec..., the CLI required the + firewall to be started in order to run the 'allow' command. Now, + the command only requires that the dynamic blacklist ipset + exists. + +4) Previously, if an address variable was used in the stoppedrules + file, the 'clear' command could fail in two different ways, + depending on whether the related interface was optional or not. + + If the interface was optional, the failure message was similar to + the following: + + $ shorewall clear + Clearing Shorewall.... + Preparing iptables-restore input... + /var/lib/shorewall/firewall: 3064: [: !=: unexpected operator + Running /sbin/iptables-restore... + IPv4 Forwarding Enabled + done. + + If the interface was not optional, the result was similar to: + + $ shorewall debug clear + Clearing Shorewall.... + Preparing iptables-restore input... + Running debug_restore_input... + Bad argument `6' + Try `iptables -h' or 'iptables --help' for more information. 
+ ERROR: Command "/sbin/iptables --wait -t filter -A INPUT -s + 172.17.211.254 -d -p 6 --dport 22 -i enp2s0 -j ACCEPT" + Failed + Terminated + + This problem has been corrected. + +5) Previously, the 'clear' command enabled forwarding + unconditionally. Beginning with this release, 'clear' will + conditionally enable/disable forwarding in the same manner as + 'stop'. + +6) In multi-ISP configurations, it is possible for an IPSEC-tunneled + connection from the Internet to be forwarded back out to the + Internet (for example, if all traffic from the remote endpoint is + sent through the tunnel). If the provider handling the tunnel has + the 'track' option (or if TRACK_PROVIDERS=Yes), then the outgoing + tunneled connection is sent back out that interface by + default (since the encapsulated initial packet arrived through that + interface). Since this is not always desirable, Shorewall now + clears the tracking mark on the connection while processing the + first packet, allowing the connection to not match routing rules + that are dependent on the tracking mark. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 1 . 1 1 +---------------------------------------------------------------------------- + +1) Previously, the 'show' command was not available to non-root + users. Beginning with this release, non-root users may now + run the following 'show' commands: + + show action <action> + show actions + show ip + show macro <macro> + show macros + show routing + +2) When a RATE is specified on a policy, the rate is enforced in a + chain whose name begins with '@' (e.g., @net-dmz). Previously, log + messages in the chain omitted the '@', leading to possible + confusion. Beginning with this release, the log message will + reflect the chain's actual name (including the '@'). 
+ +3) To improve efficiency, TCP CT entries in the conntrack file and + TCP entries in the rules file that specify a HELPER will now + assume that 'tcp:syn' had been specified. That way, the generated + ip[6]tables rule will only match on the first packet of the + three-way handshake. + +4) Now that the route caches have been removed from the kernel, + Multi-ISP really doesn't work without the 'track' provider option. + As a consequence, TRACK_PROVIDERS=Yes is now the default. Note that + the 'track' option may still be turned off using 'notrack', when + TRACK_PROVIDERS=Yes. + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 1 . 1 0 +---------------------------------------------------------------------------- + +5.1.10.2 + +1) When AUTOMAKE=Yes, the commands 'start', 'restart' and 'reload' + cause the 'find' utility to be run in each entry in the CONFIG_PATH + to look for files that have been modified since the current + firewall script was created.There are two related defects in 5.1.10 + and 5.1.10.1 that manifest when AUTOMAKE=Yes. + + a) While the compiler only searches in the directories themselves, + 'find' was not limited to just those directories, but was rather + searched the entire tree rooted in each path in CONFIG_PATH. + + b) If the CONFIG_PATH was prefixed by ":", then there was + effectively an empty path in CONFIG_PATH, which resulted in a + search of the entire tree rooted in the current working + directory. + + Both problems have been corrected: + + a) Find is run with '-maxdepth 1', to limit the search to just the + files in the directory. + + b) Find is not run on empty paths in CONFIG_PATH. + +5.1.10.1 + +1) The Shorewall-core installer previously failed to update the shell library + files correctly when SHAREDIR was not set to /usr/share/. That has + been corrected. 
+ +2) Previously, the installer modified the shorewall[6].conf installed + in /etc/shorewall[6] based on the Linux distribution (HOST in + shorewallrc) but installed an unmodified file in + /usr/share/shorewall/configfiles/. Beginning with this release, + the modified file is also installed in the latter directory. + +5.1.10 + +1) Several typos have been corrected in the manpages (Roberto + Sánchez). + +2) Regarding Known Problem 3 below, the code added in 5.0.15 could + fail to delete an existing default route if the new default route + was not identical to the one being replaced. Now, the default route + is deleted, even the new route is different. + +3) Previously, if the 'ss' utility was not installed but 'netstat' was + installed, the 'dump' command would issue the error message + + /sbin/shorewall: line 1: netatat: not found + + and the dump would not contain socket information. That problem + has been corrected. + +4) Previously, a plain 'reset' command would only reset counters in + the 'filter' and 'mangle' tables. Now, all four tables have their + counters reset. + +5) Specifying IN-BANDWIDTH would previously cause a run-time + start/restart/reload failure when a later version of iproute2 was + installed. The problem has been observed on both iproute2 4.13.0 + and 4.14.0. The failure message was similar to the following: + + Setting up Traffic Control... + "rate" or "avrate" MUST be specified. + Illegal "police" + ERROR: Command "tc filter add dev ppp0 parent ffff: protocol all + prio 10 basic police mpu 64 drop rate 55378kbit burst 10kb" Failed + + This problem has been resolved. + +6) Previously, Shorewall-init would recompile the firewall script each + time that it ran. Now, it only compiles the script if it doesn't + exist. + +7) Most interface OPTIONS have always been ignored when the INTERFACE + name is '+'. Beginning with this release, a warning is issued when + an ignored option is specified with interface name '+'. 
+ + Example: The 'sourceroute' option is ignored when used with + interface name '+' + + In most cases, this issue can be worked around by a change similar + to the following: + + Original: + + net + dhcp,routeback,sourceroute=0 + + Change to: + + net all dhcp,physical=+,routeback,sourceroute=0 + --- ---------- + + As part of this change, interfaces that specify a wildcard physical + interface name will generate a warning if any of the following + options are specified: + + accept_ra + arp_filter + arp_ignore + forward + logmartians + proxyarp + proxyndp + routefilter + sourceroute + + When the warning is issued, the specified option is then ignored + for the interface. + + Example: + + WARNING: The 'sourceroute' option is ignored when used with a + wildcard physical name + /etc/shorewall6.universal/interfaces (line 14) + +8) When the IPv6 Universal sample configuration was used, the + following warning was issued during start/restart/reload: + + WARNING: Cannot set Accept Source Routing on + + + The Universal interfaces file has been corrected to eliminate that + error. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 1 . 1 0 +---------------------------------------------------------------------------- + +1) Previously, it was necessary to remove ${CONFDIR}/shorewall[6] from + the CONFIG_PATH to create a configuration directory for a remote + firewall managed by shorewall[6]-lite. Without this modification, + when the compiler looked for a file that was not present in the + configuration directory, it would attempt to read the file by the + same name residing in ${CONFDIR}/shorewall[6]. + + Now, if the setting of CONFIG_PATH begins with a colon (":"), + the first directory in the path is ignored when compiling for + export or when the user running the compiler is not root. + The released copies of shorewall[6].conf have all been modified to + set CONFIG_PATH with a leading colon. 
+ +2) The documentation surrounding use of DNS names in Shorewall + configuration has been improved. + +3) It is now possible to associate a particular protocol with an + action in shorewall[6]-actions(5). When a protocol is specified in + that file, it is not necessary to specify the protocol in the PROTO + column when invoking the action. If a protocol is included in the + PROTO column then it must match the one specified in the actions + file. If an action defined with a protocol is used as a Policy + Action, then only packets with the specified protocol will be + passed to the action. + + A number of standard actions definitions in + /usr/share/shorewall[6]/actions.std have had a protocol added. + + The protocol has no effect if 'builtin' or 'inline' is also + specified; specifying 'builtin' with a protocol results in a + warning message. No warning is issued when 'inline' is specified + with a protocol, thus allowing 'inline' and a protocol to appear + together in actions.std. Note that 'noinline' in + shorewall-actions(5) can override an 'inline' specification in + actions.std. + +4) The FIN action previously included the PSH flag (FIN,ACK,PSH). To + make the action a bit more general, the PSH flag is now removed and + TCP packets with just the FIN and ACK flags set will now match. + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 1 . 9 +---------------------------------------------------------------------------- + +1) This release includes defect repair through Shorewall 5.1.8.1. + +2) Previously, Shorewall6 did not accept square brackets ("[...]") + around the GATEWAY address in a Providers file entry. That has been + corrected, so that the usual convention of enclosing IPv6 addresses + in square brackets is allowed in that context. 
+ +3) Previously, if the IP variables was set in a remote firewall's + configuration directory, and the named file did not exist on the + local administrative system, then a fatal error was raised. + + Example: + + ERROR: The program specified in IP (/usr/bin/ip) does not exist + or is not executable + + Beginning with this release, the contents of the IP option will not + be verified at compile time when compiling for export. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 1 . 9 +---------------------------------------------------------------------------- + +1) The mangle file now supports a TCPMSS action for setting the MSS + value in TCP SYN packets. See shorewall-mangle(5) for details. As + part of this change, the TCPMSS rule generated by the CLAMPMSS + option has been moved from the filter table FOWARD chain to the + mangle table FORWARD chain. + +2) The Broadcast and Multicast actions are now inlined when the + Address Type Match capability is available. + +3) It is now possible to specify 'noinline' in an entry in + /etc/shorewall[6]/actions to override the 'inline' option + specified in /usr/share/shorewall/actions.std. + +4) Logging is now supported in the snat file. + + - Log levels may be specified on SNAT, MASQUERADE and CONTINUE + rules. + + - The NFLOG, ULOG and LOG actions are now supported. + + See shorewall-snat(5) for details. + +5) A logging manpage (shorewall-logging(5)) has been added. + +6) The IPMI macro now includes support for Redfish remote consoles. + +7) The Sample configuration files now use logical interface names to + simplify adapting them to fit the newer interface naming + convention adopted by the kernel. + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 1 . 
8 +---------------------------------------------------------------------------- + +1) This release includes defect repair through Shorewall 5.1.7.2. + +2) The copyright dates and product version comments have been updated + in a number of files. + +3) The undocumented and unmaintained Makefile files for Shorewall-lite + and Shorewall6-lite have been removed from Shorewall and Shorewall6 + respectively. + +4) The 'dump' command logic now does a better job of detecting + and suppressing the printing of empty IPSec SPD entries. + +5) A number of issues with persistent providers that resulted in + 'ip rule add' and 'ip route add' failures have been corrected. The + most common senario involved a 'reload' while a persistent + interface was disabled. + +6) Previously, the generated script contained incorrect logic for + deleting default routes with metric zero ('balanced' routes and + routes generated by 'fallback=nn'); the logic only worked correctly + when applied to the 'main' routing table. It now works correctly + for all routing tables. + +7) The 'ip xfrm policy' command ignores the -4 and -6 options and + dumps the policies for both address families. This release contains + a workaround that suppresses entries for the other family. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 1 . 8 +---------------------------------------------------------------------------- + +1) For historical reasons, Shorewall has always assumed that LOG target + support is present unless proven otherwise. While this has worked + correctly when a capabilities file is used and when + LOAD_HELPERS_ONLY=No, it can generate an unworkable firewall + script when LOAD_HELPERS_ONLY=Yes. + + Beginning with this release, Shorewall will treat LOG target like + any other capability and will verify its presense in all cases + where the target is used. 
+ +2) The level 4 optimizer now does a better job of handling small + chains with rules specifying an IPSEC policy. This can result in + elimination of these chains. + +3) Beginning with this release, when RESTORE_DEFAULT_ROUTE=Yes the + default route is only restored when there are no enabled + 'balance/primary' providers and no enabled fallback providers. + + Also beginning with this release, if the default route(s) have been + restored to the 'main' table, and a fallback provider is + successfully enabled, the default route(s) are removed from the + main table. + +4) Because restoring default routes to the main routing table can + break the ability of Foolsm and other link status monitors to + properly detect non-functioning provider links, a warning message + is now issued when the 'persistent' provider option is specified + and RESTORE_DEFAULT_ROUTE=Yes. + + WARNING: When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option + may not work as expected + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 1 . 7 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.8.1/shorewall-lite.spec new/shorewall-lite-5.1.12.3/shorewall-lite.spec --- old/shorewall-lite-5.1.8.1/shorewall-lite.spec 2017-11-08 19:50:09.000000000 +0100 +++ new/shorewall-lite-5.1.12.3/shorewall-lite.spec 2018-03-01 17:44:42.000000000 +0100 @@ -1,6 +1,6 @@ %define name shorewall-lite -%define version 5.1.8 -%define release 1 +%define version 5.1.12 +%define release 3 %define initdir /etc/init.d Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. 
@@ -115,8 +115,46 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Wed Nov 08 2017 Tom Eastep [email protected] -- Updated to 5.1.8-1 +* Wed Feb 28 2018 Tom Eastep [email protected] +- Updated to 5.1.12-3 +* Sat Feb 10 2018 Tom Eastep [email protected] +- Updated to 5.1.12-2 +* Fri Feb 09 2018 Tom Eastep [email protected] +- Updated to 5.1.12-1 +* Tue Feb 06 2018 Tom Eastep [email protected] +- Updated to 5.1.12-0base +* Wed Jan 31 2018 Tom Eastep [email protected] +- Updated to 5.1.12-0RC1 +* Tue Jan 23 2018 Tom Eastep [email protected] +- Updated to 5.1.12-0Beta2 +* Wed Jan 17 2018 Tom Eastep [email protected] +- Updated to 5.1.12-0Beta1 +* Wed Jan 10 2018 Tom Eastep [email protected] +- Updated to 5.1.11-0base +* Fri Jan 05 2018 Tom Eastep [email protected] +- Updated to 5.1.11-0RC1 +* Sun Dec 31 2017 Tom Eastep [email protected] +- Updated to 5.1.11-0Beta2 +* Tue Dec 26 2017 Tom Eastep [email protected] +- Updated to 5.1.11-0Beta1 +* Sat Dec 23 2017 Tom Eastep [email protected] +- Updated to 5.1.10-0base +* Mon Dec 18 2017 Tom Eastep [email protected] +- Updated to 5.1.10-0RC2 +* Sat Dec 09 2017 Tom Eastep [email protected] +- Updated to 5.1.10-0RC1 +* Fri Dec 01 2017 Tom Eastep [email protected] +- Updated to 5.1.10-0Beta2 +* Wed Nov 22 2017 Tom Eastep [email protected] +- Updated to 5.1.10-0Beta1 +* Wed Nov 15 2017 Tom Eastep [email protected] +- Updated to 5.1.9-0base +* Sat Nov 11 2017 Tom Eastep [email protected] +- Updated to 5.1.9-0RC1 +* Fri Nov 03 2017 Tom Eastep [email protected] +- Updated to 5.1.9-0Beta2 +* Thu Oct 19 2017 Tom Eastep [email protected] +- Updated to 5.1.9-0Beta1 * Sun Oct 15 2017 Tom Eastep [email protected] - Updated to 5.1.8-0base * Tue Oct 10 2017 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.1.8.1/uninstall.sh new/shorewall-lite-5.1.12.3/uninstall.sh --- old/shorewall-lite-5.1.8.1/uninstall.sh 2017-11-08 19:50:09.000000000 
+0100 +++ new/shorewall-lite-5.1.12.3/uninstall.sh 2018-03-01 17:44:42.000000000 +0100 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.1.8.1 +VERSION=5.1.12.3 usage() # $1 = exit status { ++++++ shorewall-lite-fillup-install.patch ++++++ --- /var/tmp/diff_new_pack.qibdR0/_old 2018-03-16 10:45:31.587769078 +0100 +++ /var/tmp/diff_new_pack.qibdR0/_new 2018-03-16 10:45:31.587769078 +0100 @@ -1,19 +1,18 @@ diff -rup a/install.sh b/install.sh ---- a/install.sh 2017-03-14 16:18:03.000000000 +0100 -+++ b/install.sh 2017-03-15 18:23:39.401190183 +0100 -@@ -492,8 +492,13 @@ ln -sf shorewall ${DESTDIR}${SBINDIR}/${ +--- a/install.sh 2018-03-01 17:44:42.000000000 +0100 ++++ b/install.sh 2018-03-05 17:52:49.746987573 +0100 +@@ -492,7 +492,13 @@ ln -sf shorewall ${DESTDIR}${SBINDIR}/${ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then [ ${DESTDIR} ] && make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755 - install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640 -- echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}" + if [ $HOST = suse ]; then + mkdir -p ${DESTDIR}/${FILLUPDIR} + install_file ${SYSCONFFILE} ${DESTDIR}/${FILLUPDIR}/sysconfig.${PRODUCT} 0644 + else + install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT 0644 + fi -+ echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}" ++ + echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}" fi - if [ ${SHAREDIR} != /usr/share ]; then ++++++ shorewall-5.1.8.1.tar.bz2 -> shorewall6-5.1.12.3.tar.bz2 ++++++ ++++ 120394 lines of diff (skipped) ++++++ shorewall-lite-5.1.8.1.tar.bz2 -> shorewall6-lite-5.1.12.3.tar.bz2 ++++++ ++++ 3894 lines of diff (skipped)
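Review bot: in the releasenotes hunk `@@ -14,42 +14,76 @@`, 5.1.12.2 item 4 (syn flood limiting specified in a policy was not enforced by the generated ruleset) is the one entry in this hunk where the firewall silently lacked a protection the configuration asked for, yet the spec %changelog entries further down only say "Updated to 5.1.12-x"; name this fix explicitly so administrators know to compare the generated ruleset before and after the update rather than treating it as a typo-and-message release. Typos in the same hunk: "Under rare rare circumstances", "recongnized", and "shorewall show capabilties".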
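Review bot: in the `@@ -74,37 +108,43 @@` hunk, item 1 introduces the NAT_INPUT_CHAIN capability but nothing in the new-features text tells shorewall-lite users that a capabilities file produced by an earlier release will not contain it, so SNAT in the INPUT chain cannot be compiled for such a host until the file is regenerated; add a sentence saying so, or point to the Migration Issues section the way item 4 does for INLINE_MATCHES. Also "have been make to optimization category 8" in item 3 should read "have been made to".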
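Review bot: in the `@@ -275,9 +315,474 @@` hunk, Migration Issue 13 tells the user to replace ';' with ';;' by hand but never mentions that 'shorewall[6] update' now performs exactly that replacement (5.1.12.2 problems-corrected item 1 earlier in this diff); a cross-reference would spare manual edits of every flagged entry. In the same hunk, 5.1.11 problems-corrected item 6 (clearing the tracking mark on forwarded IPSEC-tunneled connections) and 5.1.11 new feature 4 (TRACK_PROVIDERS=Yes as the new default) both change the egress path of existing multi-ISP configurations without any configuration edit, so they belong under Migration Issues too, with the 'notrack' escape hatch named next to them. Typos: "created.There are" (missing space), "even the new route is different" (even if), "if the IP variables was set", "filter table FOWARD chain", "most common senario", "verify its presense".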
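Review bot: in the rebased shorewall-lite-fillup-install.patch hunk, the surviving `echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"` reports the wrong location on the suse branch, which writes `${DESTDIR}/${FILLUPDIR}/sysconfig.${PRODUCT}`; either move the echo into each branch or print the path actually used. Two related points in the same hunk: the enclosing guard `! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT}` only tests the non-suse path, so an existing fillup template is not protected from being overwritten, and `[ $HOST = suse ]` should quote `"$HOST"` so an unset HOST falls through to the else branch without a test error; `mkdir -p ${DESTDIR}/${FILLUPDIR}` could also use the make_parent_directory helper invoked one line above for consistent mode handling. Both branches install the file with mode 0644 where the replaced upstream line used 0640; if that loosening is deliberate for the fillup convention, the changelog should say so.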
