Hello community, here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2019-02-25 17:56:19 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shorewall (Old) and /work/SRC/openSUSE:Factory/.shorewall.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall" Mon Feb 25 17:56:19 2019 rev:105 rq:678539 version:5.2.3 Changes: -------- --- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2019-02-06 14:06:22.654660608 +0100 +++ /work/SRC/openSUSE:Factory/.shorewall.new.28833/shorewall.changes 2019-02-25 17:56:41.286322354 +0100 @@ -1,0 +2,10 @@ +Sat Feb 23 09:46:07 UTC 2019 - Bruno Friedmann <[email protected]> + +- Update to new 5.2.3 bugfix release + http://www.shorewall.net/pub/shorewall/5.2/shorewall-5.2.3/releasenotes.txt + This is the retirement of Tom Eastep see. + https://sourceforge.net/p/shorewall/mailman/message/36589782/ +- Removed module* in file section +- Clean-up changes and spec (trailing slashes) + +------------------------------------------------------------------- Old: ---- shorewall-5.2.2.tar.bz2 shorewall-core-5.2.2.tar.bz2 shorewall-docs-html-5.2.2.tar.bz2 shorewall-init-5.2.2.tar.bz2 shorewall-lite-5.2.2.tar.bz2 shorewall6-5.2.2.tar.bz2 shorewall6-lite-5.2.2.tar.bz2 New: ---- shorewall-5.2.3.tar.bz2 shorewall-core-5.2.3.tar.bz2 shorewall-docs-html-5.2.3.tar.bz2 shorewall-init-5.2.3.tar.bz2 shorewall-lite-5.2.3.tar.bz2 shorewall6-5.2.3.tar.bz2 shorewall6-lite-5.2.3.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.L8lowv/_old 2019-02-25 17:56:42.146321706 +0100 +++ /var/tmp/diff_new_pack.L8lowv/_new 2019-02-25 17:56:42.150321704 +0100 @@ -18,13 +18,13 @@ %define have_systemd 1 %define dmaj 5.2 -%define dmin 5.2.2 +%define dmin 5.2.3 #2017+ New fillup location %if ! %{defined _fillupdir} %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: shorewall -Version: 5.2.2 +Version: 5.2.3 Release: 0 Summary: An iptables-based firewall for Linux systems License: GPL-2.0-only 
@@ -384,7 +384,6 @@ %{_datadir}/%{name}/action.* %{_datadir}/%{name}/lib.base %{_datadir}/%{name}/macro.* -%{_datadir}/%{name}/modules* %{_datadir}/%{name}/prog.* %{_datadir}/%{name}/helpers %{_datadir}/%{name}/configpath @@ -417,7 +416,7 @@ %{_datadir}/%{name}-lite/configpath %attr(- ,root,root) %{_datadir}/%{name}-lite/functions %{_datadir}/%{name}-lite/lib.base -%{_datadir}/%{name}-lite/modules* +# Removed in 5.2.3 %%{_datadir}/%%{name}-lite/modules* %{_datadir}/%{name}-lite/helpers %attr(0544,root,root) %{_libexecdir}/%{name}-lite/shorecap %{_mandir}/man5/%{name}-lite*.5* @@ -445,13 +444,10 @@ %{_datadir}/%{name}6/functions %{_datadir}/%{name}6/lib.base %{_datadir}/%{name}6/macro.* -%{_datadir}/%{name}6/modules* %{_datadir}/%{name}6/helpers %{_datadir}/%{name}6/configpath %{_datadir}/%{name}6/configfiles/* %{_mandir}/man5/%{name}6-[a-k,m-z]*.5* -# bug upstream ? -#%%{_mandir}/man5/%%{name}6-logging.5* %{_mandir}/man5/%{name}6.conf.5* %{_mandir}/man8/%{name}6.8* %attr(644,root,root) %{_unitdir}/%{name}6.service @@ -474,7 +470,6 @@ %{_datadir}/%{name}6-lite/configpath %attr(- ,root,root) %{_datadir}/%{name}6-lite/functions %{_datadir}/%{name}6-lite/lib.base -%{_datadir}/%{name}6-lite/modules* %{_datadir}/%{name}6-lite/helpers %attr(0544,root,root) %{_libexecdir}/%{name}6-lite/shorecap %attr(644,root,root) %{_unitdir}/%{name}6-lite.service ++++++ README.openSUSE ++++++ --- /var/tmp/diff_new_pack.L8lowv/_old 2019-02-25 17:56:42.174321685 +0100 +++ /var/tmp/diff_new_pack.L8lowv/_new 2019-02-25 17:56:42.174321685 +0100 
@@ -2,13 +2,14 @@ ======== Some openSUSE packages include a service file for ease of the -SuSEfirewall2 configuration and opening the necessary ports. +SuSEfirewall2 or firewalld configuration, opening the necessary ports. You have to open the required ports yourself using the Shorewall configuration files. -SuSEfirewall2 is integrated with Yast so configuration can be done via -a GUI. This is not the case for Shorewall. +SuSEfirewall2, firewalld are integrated with Yast so configuration +can be done via a GUI. +This is not the case for Shorewall. Enabling Firewall in /etc/sysconfig/network/config or in individual ifcfg-xxx files is not enough. /etc/sysconfig/shorewall-init should be @@ -26,5 +27,5 @@ upgrade your configuration with the shorewall update -a command. -Now that you are warned remember to have fun +Now that you are warned, remember to have fun ! ++++++ shorewall-5.2.2.tar.bz2 -> shorewall-5.2.3.tar.bz2 ++++++ ++++ 2677 lines of diff (skipped) ++++++ shorewall-core-5.2.2.tar.bz2 -> shorewall-core-5.2.3.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.2/changelog.txt new/shorewall-core-5.2.3/changelog.txt --- old/shorewall-core-5.2.2/changelog.txt 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-core-5.2.3/changelog.txt 2019-02-11 23:48:19.000000000 +0100 
@@ -1,3 +1,33 @@ +Changes in 5.2.3 Final + +1) Update release documents. + +2) Correct problem corrected (mention helper). + +Changes in 5.2.3 RC 1 + +1) Update release documents. + +2) Delete pre-2.6.20 modules from the helpers file + +3) Delete modules* during install + +Changes in 5.2.3 Beta 2 + +1) Update release documents. + +2) Remove LOAD_HELPERS_ONLY option. + +Changes in 5.2.3 Beta 1 + +1) Update release documents. + +2) Support zone exclusion in the policy file. + +3) Deprecate all/any[+]-. + +4) Document 'test' argument to compiler.pl + Changes in 5.2.2 Final 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.2/configure new/shorewall-core-5.2.3/configure --- old/shorewall-core-5.2.2/configure 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-core-5.2.3/configure 2019-02-11 23:48:19.000000000 +0100 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.2.2 +VERSION=5.2.3 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.2/configure.pl new/shorewall-core-5.2.3/configure.pl --- old/shorewall-core-5.2.2/configure.pl 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-core-5.2.3/configure.pl 2019-02-11 23:48:19.000000000 +0100 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.2.2' + VERSION => '5.2.3' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.2/install.sh new/shorewall-core-5.2.3/install.sh --- old/shorewall-core-5.2.2/install.sh 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-core-5.2.3/install.sh 2019-02-11 23:48:19.000000000 +0100 
@@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=5.2.2 +VERSION=5.2.3 PRODUCT=shorewall-core Product="Shorewall Core" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.2/lib.common new/shorewall-core-5.2.3/lib.common --- old/shorewall-core-5.2.2/lib.common 2019-01-16 22:09:42.000000000 +0100 +++ new/shorewall-core-5.2.3/lib.common 2019-02-08 19:47:43.000000000 +0100 @@ -411,7 +411,7 @@ [ -d $directory ] && moduledirectories="$moduledirectories $directory" done - [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules) + modules=$(find_file helpers) if [ -f $modules -a -n "$moduledirectories" ]; then [ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.2/manpages/shorewall.8 new/shorewall-core-5.2.3/manpages/shorewall.8 --- old/shorewall-core-5.2.2/manpages/shorewall.8 2019-01-17 21:39:23.000000000 +0100 +++ new/shorewall-core-5.2.3/manpages/shorewall.8 2019-02-11 23:50:19.000000000 +0100 
@@ -2,12 +2,12 @@ .\" Title: shorewall .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 01/17/2019 +.\" Date: 02/11/2019 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL" "8" "01/17/2019" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL" "8" "02/11/2019" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.2/releasenotes.txt new/shorewall-core-5.2.3/releasenotes.txt --- old/shorewall-core-5.2.2/releasenotes.txt 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-core-5.2.3/releasenotes.txt 2019-02-11 23:48:19.000000000 +0100 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 2 . 2 + S H O R E W A L L 5 . 2 . 3 ------------------------------- - J A N U A R Y 1 7 , 2 0 1 9 + F E B R U A R Y 1 5 , 2 0 1 9 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,12 +14,12 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) This release includes defect repair through Shorewall 5.2.1.4. - -2) When processing inline matches, the compiler previously inserted - the matches before the column-generated matches if there was a plus - sign ("+") anywhere in the matches. Now, it only does so if the - first non-blank character in the matches is a plus sign. +1) Previously, to prevent a helper kernel module from being loaded, it + was necessary to list both its current name and its + pre-kernel-2.6.20 name in the DONT_LOAD option in + /etc/shorewall[6].conf. For example, to prevent nf_conntrack_sip + from being loaded, it was necessary to also list ip_conntrack_sip + in DONT_LOAD. That is no longer necessary. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -44,34 +44,25 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) New macros have been contributed by Vincas Dargis: - - Bitcoin - Tor - ONCRPC - - Additionally, Tuomo Soini has contributed a WUDO (Windows Update - Delivery Optimization) macro. - -2) The Perl modules have undergone some cleanup/optimization. - -3) Given that recent kernels have dropped ULOG support, use of ULOG in - Shorewall is now deprecated and results in a warning message. The - warning can be eliminated by switching to NFLOG and ulogd2. +1) Zone exclusion (e.g., "all!z2,z2,...") is now supported in the + policy file. -4) Shorewall can now detect interface default gateways configured by - Network Manager. - -5) Inline matches are now supported in the 'conntrack' file. - -6) In the 'accounting' file, Inline matches in an INLINE(...) rule now - allow a leading '+' to cause the matches to be evaluated before - those generated by the column specifications. - -7) If view of the fact that some modems take an eternity to recover - from a power failure, the limit of the 'wait' interface option - setting has been increased from 120 seconds (2 minutes) to 300 - seconds (5 minutes). +2) With the availability of zone exclusion in the rules file, 'all[+]-' + and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW' + respectively. Beginning with this release, the former are + deprecated in favor of the latter and will result in a warning + message, if used. + +3) Internal documentaton of the undocumented 'test' parameter to + compiler.pl has been added (it is used by the regression test + library to suppress versions and date/times from the generated + script). + +4) The LOAD_HELPERS_ONLY option has been removed from + shorewall[6].conf. Hereafter, Shorewall[6] will behave as if + LOAD_HELPERS_ONLY=Yes had been specified. 
As part of this change, + the pre-kernel 2.6.20 modules have been removed from the helpers + file. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S @@ -419,7 +410,7 @@ instances will generate an error which must be corrected manually. It should also be noted that, in prior releases, Drop and Reject - silently dropped more traffic than thir replacements. As a + silently dropped more traffic than their replacements. As a consequence, you will see more traffic being logged with Shorewall 5.2 than you did on earlier releases. The translations performed by 'update' can be extended after the update to drop additional 
@@ -457,9 +448,64 @@ Beginning with Shorewall 5.2.1, the 'optional' option is disallowed on such interfaces and providers. +8) With the availability of zone exclusion in the rules file, 'all[+]-' + and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW' + respectively. Beginning with Shorewall 5.2.3, the former are + deprecated in favor of the latter and will result in a warning + message, if used. + +9) Beginning with Shorewall 5.2.3, the LOAD_HELPERS_ONLY option in + shorewall[6].conf has been removed, and the behavior is as if + LOAD_HELPERS_ONLY=Yes had been specified. 'shorewall[6] update' + will remove the option from shorewall[6].conf. + ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 2 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 2 . 2 +---------------------------------------------------------------------------- + +1) This release includes defect repair through Shorewall 5.2.1.4. + +2) When processing inline matches, the compiler previously inserted + the matches before the column-generated matches if there was a plus + sign ("+") anywhere in the matches. Now, it only does so if the + first non-blank character in the matches is a plus sign. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 2 . 1 +---------------------------------------------------------------------------- + +1) New macros have been contributed by Vincas Dargis: + + Bitcoin + Tor + ONCRPC + + Additionally, Tuomo Soini has contributed a WUDO (Windows Update + Delivery Optimization) macro. + +2) The Perl modules have undergone some cleanup/optimization. + +3) Given that recent kernels have dropped ULOG support, use of ULOG in + Shorewall is now deprecated and results in a warning message. The + warning can be eliminated by switching to NFLOG and ulogd2. 
+ +4) Shorewall can now detect interface default gateways configured by + Network Manager. + +5) Inline matches are now supported in the 'conntrack' file. + +6) In the 'accounting' file, Inline matches in an INLINE(...) rule now + allow a leading '+' to cause the matches to be evaluated before + those generated by the column specifications. + +7) If view of the fact that some modems take an eternity to recover + from a power failure, the limit of the 'wait' interface option + setting has been increased from 120 seconds (2 minutes) to 300 + seconds (5 minutes). + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 2 . 1 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.2/shorewall-core.spec new/shorewall-core-5.2.3/shorewall-core.spec --- old/shorewall-core-5.2.2/shorewall-core.spec 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-core-5.2.3/shorewall-core.spec 2019-02-11 23:48:19.000000000 +0100 @@ -1,5 +1,5 @@ %define name shorewall-core -%define version 5.2.2 +%define version 5.2.3 %define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. 
@@ -69,6 +69,14 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt %changelog +* Mon Feb 11 2019 Tom Eastep [email protected] +- Updated to 5.2.3-0base +* Wed Feb 06 2019 Tom Eastep [email protected] +- Updated to 5.2.3-0RC1 +* Sun Feb 03 2019 Tom Eastep [email protected] +- Updated to 5.2.3-0Beta2 +* Tue Jan 22 2019 Tom Eastep [email protected] +- Updated to 5.2.3-0Beta1 * Wed Jan 16 2019 Tom Eastep [email protected] - Updated to 5.2.2-0base * Tue Jan 08 2019 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.2/uninstall.sh new/shorewall-core-5.2.3/uninstall.sh --- old/shorewall-core-5.2.2/uninstall.sh 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-core-5.2.3/uninstall.sh 2019-02-11 23:48:19.000000000 +0100 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.2.2 +VERSION=5.2.3 PRODUCT=shorewall-core Product="Shorewall Core" ++++++ shorewall-docs-html-5.2.2.tar.bz2 -> shorewall-docs-html-5.2.3.tar.bz2 ++++++ ++++ 1732 lines of diff (skipped) ++++++ shorewall-init-5.2.2.tar.bz2 -> shorewall-init-5.2.3.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.2/changelog.txt new/shorewall-init-5.2.3/changelog.txt --- old/shorewall-init-5.2.2/changelog.txt 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-init-5.2.3/changelog.txt 2019-02-11 23:48:20.000000000 +0100 
@@ -1,3 +1,33 @@ +Changes in 5.2.3 Final + +1) Update release documents. + +2) Correct problem corrected (mention helper). + +Changes in 5.2.3 RC 1 + +1) Update release documents. + +2) Delete pre-2.6.20 modules from the helpers file + +3) Delete modules* during install + +Changes in 5.2.3 Beta 2 + +1) Update release documents. + +2) Remove LOAD_HELPERS_ONLY option. + +Changes in 5.2.3 Beta 1 + +1) Update release documents. + +2) Support zone exclusion in the policy file. + +3) Deprecate all/any[+]-. + +4) Document 'test' argument to compiler.pl + Changes in 5.2.2 Final 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.2/configure new/shorewall-init-5.2.3/configure --- old/shorewall-init-5.2.2/configure 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-init-5.2.3/configure 2019-02-11 23:48:20.000000000 +0100 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.2.2 +VERSION=5.2.3 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.2/configure.pl new/shorewall-init-5.2.3/configure.pl --- old/shorewall-init-5.2.2/configure.pl 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-init-5.2.3/configure.pl 2019-02-11 23:48:20.000000000 +0100 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.2.2' + VERSION => '5.2.3' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.2/install.sh new/shorewall-init-5.2.3/install.sh --- old/shorewall-init-5.2.2/install.sh 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-init-5.2.3/install.sh 2019-02-11 23:48:20.000000000 +0100 
@@ -27,7 +27,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=5.2.2 +VERSION=5.2.3 PRODUCT=shorewall-init Product="Shorewall Init" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.2/releasenotes.txt new/shorewall-init-5.2.3/releasenotes.txt --- old/shorewall-init-5.2.2/releasenotes.txt 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-init-5.2.3/releasenotes.txt 2019-02-11 23:48:20.000000000 +0100 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 2 . 2 + S H O R E W A L L 5 . 2 . 3 ------------------------------- - J A N U A R Y 1 7 , 2 0 1 9 + F E B R U A R Y 1 5 , 2 0 1 9 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE @@ -14,12 +14,12 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) This release includes defect repair through Shorewall 5.2.1.4. - -2) When processing inline matches, the compiler previously inserted - the matches before the column-generated matches if there was a plus - sign ("+") anywhere in the matches. Now, it only does so if the - first non-blank character in the matches is a plus sign. +1) Previously, to prevent a helper kernel module from being loaded, it + was necessary to list both its current name and its + pre-kernel-2.6.20 name in the DONT_LOAD option in + /etc/shorewall[6].conf. For example, to prevent nf_conntrack_sip + from being loaded, it was necessary to also list ip_conntrack_sip + in DONT_LOAD. That is no longer necessary. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -44,34 +44,25 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) New macros have been contributed by Vincas Dargis: - - Bitcoin - Tor - ONCRPC - - Additionally, Tuomo Soini has contributed a WUDO (Windows Update - Delivery Optimization) macro. - -2) The Perl modules have undergone some cleanup/optimization. - -3) Given that recent kernels have dropped ULOG support, use of ULOG in - Shorewall is now deprecated and results in a warning message. The - warning can be eliminated by switching to NFLOG and ulogd2. +1) Zone exclusion (e.g., "all!z2,z2,...") is now supported in the + policy file. -4) Shorewall can now detect interface default gateways configured by - Network Manager. - -5) Inline matches are now supported in the 'conntrack' file. - -6) In the 'accounting' file, Inline matches in an INLINE(...) rule now - allow a leading '+' to cause the matches to be evaluated before - those generated by the column specifications. - -7) If view of the fact that some modems take an eternity to recover - from a power failure, the limit of the 'wait' interface option - setting has been increased from 120 seconds (2 minutes) to 300 - seconds (5 minutes). +2) With the availability of zone exclusion in the rules file, 'all[+]-' + and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW' + respectively. Beginning with this release, the former are + deprecated in favor of the latter and will result in a warning + message, if used. + +3) Internal documentaton of the undocumented 'test' parameter to + compiler.pl has been added (it is used by the regression test + library to suppress versions and date/times from the generated + script). + +4) The LOAD_HELPERS_ONLY option has been removed from + shorewall[6].conf. Hereafter, Shorewall[6] will behave as if + LOAD_HELPERS_ONLY=Yes had been specified. 
As part of this change, + the pre-kernel 2.6.20 modules have been removed from the helpers + file. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S @@ -419,7 +410,7 @@ instances will generate an error which must be corrected manually. It should also be noted that, in prior releases, Drop and Reject - silently dropped more traffic than thir replacements. As a + silently dropped more traffic than their replacements. As a consequence, you will see more traffic being logged with Shorewall 5.2 than you did on earlier releases. The translations performed by 'update' can be extended after the update to drop additional 
@@ -457,9 +448,64 @@ Beginning with Shorewall 5.2.1, the 'optional' option is disallowed on such interfaces and providers. +8) With the availability of zone exclusion in the rules file, 'all[+]-' + and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW' + respectively. Beginning with Shorewall 5.2.3, the former are + deprecated in favor of the latter and will result in a warning + message, if used. + +9) Beginning with Shorewall 5.2.3, the LOAD_HELPERS_ONLY option in + shorewall[6].conf has been removed, and the behavior is as if + LOAD_HELPERS_ONLY=Yes had been specified. 'shorewall[6] update' + will remove the option from shorewall[6].conf. + ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 2 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 2 . 2 +---------------------------------------------------------------------------- + +1) This release includes defect repair through Shorewall 5.2.1.4. + +2) When processing inline matches, the compiler previously inserted + the matches before the column-generated matches if there was a plus + sign ("+") anywhere in the matches. Now, it only does so if the + first non-blank character in the matches is a plus sign. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 2 . 1 +---------------------------------------------------------------------------- + +1) New macros have been contributed by Vincas Dargis: + + Bitcoin + Tor + ONCRPC + + Additionally, Tuomo Soini has contributed a WUDO (Windows Update + Delivery Optimization) macro. + +2) The Perl modules have undergone some cleanup/optimization. + +3) Given that recent kernels have dropped ULOG support, use of ULOG in + Shorewall is now deprecated and results in a warning message. The + warning can be eliminated by switching to NFLOG and ulogd2. 
+ +4) Shorewall can now detect interface default gateways configured by + Network Manager. + +5) Inline matches are now supported in the 'conntrack' file. + +6) In the 'accounting' file, Inline matches in an INLINE(...) rule now + allow a leading '+' to cause the matches to be evaluated before + those generated by the column specifications. + +7) If view of the fact that some modems take an eternity to recover + from a power failure, the limit of the 'wait' interface option + setting has been increased from 120 seconds (2 minutes) to 300 + seconds (5 minutes). + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 2 . 1 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.2/shorewall-init.spec new/shorewall-init-5.2.3/shorewall-init.spec --- old/shorewall-init-5.2.2/shorewall-init.spec 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-init-5.2.3/shorewall-init.spec 2019-02-11 23:48:20.000000000 +0100 @@ -1,5 +1,5 @@ %define name shorewall-init -%define version 5.2.2 +%define version 5.2.3 %define release 0base Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). 
@@ -135,6 +135,14 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Mon Feb 11 2019 Tom Eastep [email protected] +- Updated to 5.2.3-0base +* Wed Feb 06 2019 Tom Eastep [email protected] +- Updated to 5.2.3-0RC1 +* Sun Feb 03 2019 Tom Eastep [email protected] +- Updated to 5.2.3-0Beta2 +* Tue Jan 22 2019 Tom Eastep [email protected] +- Updated to 5.2.3-0Beta1 * Wed Jan 16 2019 Tom Eastep [email protected] - Updated to 5.2.2-0base * Tue Jan 08 2019 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.2/uninstall.sh new/shorewall-init-5.2.3/uninstall.sh --- old/shorewall-init-5.2.2/uninstall.sh 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-init-5.2.3/uninstall.sh 2019-02-11 23:48:20.000000000 +0100 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.2.2 +VERSION=5.2.3 PRODUCT=shorewall-init Product="Shorewall Init" ++++++ shorewall-lite-5.2.2.tar.bz2 -> shorewall-lite-5.2.3.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.2/changelog.txt new/shorewall-lite-5.2.3/changelog.txt --- old/shorewall-lite-5.2.2/changelog.txt 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-lite-5.2.3/changelog.txt 2019-02-11 23:48:20.000000000 +0100 
@@ -1,3 +1,33 @@ +Changes in 5.2.3 Final + +1) Update release documents. + +2) Correct problem corrected (mention helper). + +Changes in 5.2.3 RC 1 + +1) Update release documents. + +2) Delete pre-2.6.20 modules from the helpers file + +3) Delete modules* during install + +Changes in 5.2.3 Beta 2 + +1) Update release documents. + +2) Remove LOAD_HELPERS_ONLY option. + +Changes in 5.2.3 Beta 1 + +1) Update release documents. + +2) Support zone exclusion in the policy file. + +3) Deprecate all/any[+]-. + +4) Document 'test' argument to compiler.pl + Changes in 5.2.2 Final 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.2/configure new/shorewall-lite-5.2.3/configure --- old/shorewall-lite-5.2.2/configure 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-lite-5.2.3/configure 2019-02-11 23:48:20.000000000 +0100 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.2.2 +VERSION=5.2.3 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.2/configure.pl new/shorewall-lite-5.2.3/configure.pl --- old/shorewall-lite-5.2.2/configure.pl 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-lite-5.2.3/configure.pl 2019-02-11 23:48:20.000000000 +0100 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.2.2' + VERSION => '5.2.3' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.2/helpers new/shorewall-lite-5.2.3/helpers --- old/shorewall-lite-5.2.2/helpers 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-lite-5.2.3/helpers 2019-02-11 23:48:20.000000000 +0100 
@@ -16,25 +16,6 @@ # Helpers # -loadmodule ip_conntrack_amanda -loadmodule ip_conntrack_ftp -loadmodule ip_conntrack_h323 -loadmodule ip_conntrack_irc -loadmodule ip_conntrack_netbios_ns -loadmodule ip_conntrack_pptp -loadmodule ip_conntrack_sip -loadmodule ip_conntrack_tftp -loadmodule ip_nat_amanda -loadmodule ip_nat_ftp -loadmodule ip_nat_h323 -loadmodule ip_nat_irc -loadmodule ip_nat_pptp -loadmodule ip_nat_sip -loadmodule ip_nat_snmp_basic -loadmodule ip_nat_tftp -# -# 2.6.20+ helpers -# loadmodule nf_conntrack_ftp loadmodule nf_conntrack_h323 loadmodule nf_conntrack_irc diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.2/install.sh new/shorewall-lite-5.2.3/install.sh --- old/shorewall-lite-5.2.2/install.sh 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-lite-5.2.3/install.sh 2019-02-11 23:48:20.000000000 +0100 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=5.2.2 +VERSION=5.2.3 usage() # $1 = exit status { @@ -426,6 +426,11 @@ if [ -f modules ]; then install_file modules ${DESTDIR}${SHAREDIR}/$PRODUCT/modules 0600 echo "Modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/modules" + + for f in modules.*; do + install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644 + echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f" + done fi if [ -f helpers ]; then 
@@ -433,11 +438,6 @@ echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers" fi -for f in modules.*; do - install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644 - echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f" -done - # # Install the Man Pages # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.2/manpages/shorewall-lite-vardir.5 new/shorewall-lite-5.2.3/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-5.2.2/manpages/shorewall-lite-vardir.5 2019-01-17 21:39:12.000000000 +0100 +++ new/shorewall-lite-5.2.3/manpages/shorewall-lite-vardir.5 2019-02-11 23:50:08.000000000 +0100 @@ -2,12 +2,12 @@ .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 01/17/2019 +.\" Date: 02/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "01/17/2019" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\-VAR" "5" "02/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.2/manpages/shorewall-lite.8 new/shorewall-lite-5.2.3/manpages/shorewall-lite.8 --- old/shorewall-lite-5.2.2/manpages/shorewall-lite.8 2019-01-17 21:39:12.000000000 +0100 +++ new/shorewall-lite-5.2.3/manpages/shorewall-lite.8 2019-02-11 23:50:09.000000000 +0100 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 01/17/2019 +.\" Date: 02/11/2019 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "01/17/2019" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL\-LITE" "8" "02/11/2019" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.2/manpages/shorewall-lite.conf.5 new/shorewall-lite-5.2.3/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-5.2.2/manpages/shorewall-lite.conf.5 2019-01-17 21:39:11.000000000 +0100 +++ new/shorewall-lite-5.2.3/manpages/shorewall-lite.conf.5 2019-02-11 23:50:07.000000000 +0100 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 01/17/2019 +.\" Date: 02/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "01/17/2019" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\&.CO" "5" "02/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.2/modules new/shorewall-lite-5.2.3/modules --- old/shorewall-lite-5.2.2/modules 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-lite-5.2.3/modules 1970-01-01 01:00:00.000000000 +0100 
@@ -1,39 +0,0 @@ -# -# Shorewall version 5 - Modules File -# -# /usr/share/shorewall/modules -# -# This file loads the modules that may be needed by the firewall. -# -# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in -# dependency order. i.e., if M2 depends on M1 then you must load M1 -# before you load M2. -# -# If you need to modify this file, copy it to /etc/shorewall and modify the -# copy. -# -############################################################################### -# -# Essential Modules -# -INCLUDE modules.essential -# -# Other xtables modules -# -INCLUDE modules.xtables -# -# Helpers -# -INCLUDE helpers -# -# Ipset -# -INCLUDE modules.ipset -# -# Traffic Shaping -# -INCLUDE modules.tc -# -# Extensions -# -INCLUDE modules.extensions diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.2/modules.essential new/shorewall-lite-5.2.3/modules.essential --- old/shorewall-lite-5.2.2/modules.essential 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-lite-5.2.3/modules.essential 1970-01-01 01:00:00.000000000 +0100 
@@ -1,32 +0,0 @@ -# -# Shorewall -- /usr/share/shorewall/modules.essential -# -# Essential Modules File -# -# This file loads the modules that may be needed by the firewall. -# -# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in -# dependency order. i.e., if M2 depends on M1 then you must load M1 -# before you load M2. -# -# If you need to modify this file, copy it to /etc/shorewall and modify the -# copy. -# -############################################################################### -# -# Essential Modules -# -loadmodule nfnetlink -loadmodule x_tables -loadmodule ip_tables -loadmodule iptable_filter -loadmodule iptable_mangle -loadmodule ip_conntrack -loadmodule nf_conntrack -loadmodule nf_conntrack_ipv4 -loadmodule iptable_nat -loadmodule nf_nat -loadmodule nf_nat_ipv4 -loadmodule iptable_raw -loadmodule xt_state -loadmodule xt_tcpudp diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.2/modules.extensions new/shorewall-lite-5.2.3/modules.extensions --- old/shorewall-lite-5.2.2/modules.extensions 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-lite-5.2.3/modules.extensions 1970-01-01 01:00:00.000000000 +0100 
@@ -1,59 +0,0 @@ -# -# Shorewall -- /usr/share/shorewall/modules.extensions -# -# Extensions Modules File -# -# This file loads the modules that may be needed by the firewall. -# -# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in -# dependency order. i.e., if M2 depends on M1 then you must load M1 -# before you load M2. -# -# If you need to modify this file, copy it to /etc/shorewall and modify the -# copy. -# -############################################################################### -loadmodule ipt_addrtype -loadmodule ipt_ah -loadmodule ipt_CLASSIFY -loadmodule ipt_CLUSTERIP -loadmodule ipt_comment -loadmodule ipt_connmark -loadmodule ipt_CONNMARK -loadmodule ipt_conntrack -loadmodule ipt_dscp -loadmodule ipt_DSCP -loadmodule ipt_ecn -loadmodule ipt_ECN -loadmodule ipt_esp -loadmodule ipt_hashlimit -loadmodule ipt_helper -loadmodule ipt_ipp2p -loadmodule ipt_iprange -loadmodule ipt_length -loadmodule ipt_limit -loadmodule ipt_mac -loadmodule ipt_mark -loadmodule ipt_MARK -loadmodule ipt_MASQUERADE -loadmodule ipt_multiport -loadmodule ipt_NETMAP -loadmodule ipt_NOTRACK -loadmodule ipt_owner -loadmodule ipt_physdev -loadmodule ipt_pkttype -loadmodule ipt_policy -loadmodule ipt_realm -loadmodule ipt_recent -loadmodule ipt_REDIRECT -loadmodule ipt_REJECT -loadmodule ipt_SAME -loadmodule ipt_sctp -loadmodule ipt_set -loadmodule ipt_state -loadmodule ipt_tcpmss -loadmodule ipt_TCPMSS -loadmodule ipt_tos -loadmodule ipt_TOS -loadmodule ipt_ttl -loadmodule ipt_TTL diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.2/modules.ipset new/shorewall-lite-5.2.3/modules.ipset --- old/shorewall-lite-5.2.2/modules.ipset 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-lite-5.2.3/modules.ipset 1970-01-01 01:00:00.000000000 +0100 
@@ -1,27 +0,0 @@ -# -# Shorewall -- /usr/share/shorewall/modules.ipset -# -# IP Set Modules File -# -# This file loads the modules that may be needed by the firewall. -# -# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in -# dependency order. i.e., if M2 depends on M1 then you must load M1 -# before you load M2. -# -# If you need to modify this file, copy it to /etc/shorewall and modify the -# copy. -# -############################################################################### -loadmodule xt_set -loadmodule ip_set -loadmodule ip_set_iphash -loadmodule ip_set_ipmap -loadmodule ip_set_ipporthash -loadmodule ip_set_iptree -loadmodule ip_set_iptreemap -loadmodule ip_set_macipmap -loadmodule ip_set_nethash -loadmodule ip_set_portmap -loadmodule ipt_SET -loadmodule ipt_set diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.2/modules.tc new/shorewall-lite-5.2.3/modules.tc --- old/shorewall-lite-5.2.2/modules.tc 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-lite-5.2.3/modules.tc 1970-01-01 01:00:00.000000000 +0100 
@@ -1,27 +0,0 @@ -# -# Shorewall -- /usr/share/shorewall/modules.tc -# -# Traffic Shaping Modules File -# -# This file loads the modules that may be needed by the firewall. -# -# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in -# dependency order. i.e., if M2 depends on M1 then you must load M1 -# before you load M2. -# -# If you need to modify this file, copy it to /etc/shorewall and modify the -# copy. -# -############################################################################### -loadmodule sch_sfq -loadmodule sch_ingress -loadmodule sch_hfsc -loadmodule sch_htb -loadmodule sch_prio -loadmodule sch_tbf -loadmodule sch_fq_codel -loadmodule cls_u32 -loadmodule cls_fw -loadmodule cls_flow -loadmodule cls_basic -loadmodule act_police diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.2/modules.xtables new/shorewall-lite-5.2.3/modules.xtables --- old/shorewall-lite-5.2.2/modules.xtables 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-lite-5.2.3/modules.xtables 1970-01-01 01:00:00.000000000 +0100 
@@ -1,53 +0,0 @@ -# -# Shorewall -- /usr/share/shorewall/modules.xtables -# -# Xtables Modules File -# -# This file loads the modules that may be needed by the firewall. -# -# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in -# dependency order. i.e., if M2 depends on M1 then you must load M1 -# before you load M2. -# -# If you need to modify this file, copy it to /etc/shorewall and modify the -# copy. -# -############################################################################### -loadmodule xt_AUDIT -loadmodule xt_CLASSIFY -loadmodule xt_connmark -loadmodule xt_CONNMARK -loadmodule xt_conntrack -loadmodule xt_dccp -loadmodule xt_dscp -loadmodule xt_DSCP -loadmodule xt_hashlimit -loadmodule xt_helper -loadmodule xt_ipp2p -loadmodule xt_iprange -loadmodule xt_length -loadmodule xt_limit -loadmodule xt_mac -loadmodule xt_mark -loadmodule xt_MARK -loadmodule xt_multiport -loadmodule xt_nat -loadmodule xt_NFQUEUE -loadmodule xt_owner -loadmodule xt_physdev -loadmodule xt_pkttype -loadmodule xt_policy -loadmodule xt_sctp -loadmodule xt_tcpmss -loadmodule xt_TCPMSS -loadmodule xt_time -loadmodule xt_IPMARK -loadmodule xt_TPROXY -# -# From xtables-addons -# -loadmodule xt_condition -loadmodule xt_geoip -loadmodule xt_ipp2p -loadmodule xt_LOGMARK -loadmodule xt_RAWNAT diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.2/releasenotes.txt new/shorewall-lite-5.2.3/releasenotes.txt --- old/shorewall-lite-5.2.2/releasenotes.txt 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-lite-5.2.3/releasenotes.txt 2019-02-11 23:48:20.000000000 +0100 
@@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 2 . 2 + S H O R E W A L L 5 . 2 . 3 ------------------------------- - J A N U A R Y 1 7 , 2 0 1 9 + F E B R U A R Y 1 5 , 2 0 1 9 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE @@ -14,12 +14,12 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) This release includes defect repair through Shorewall 5.2.1.4. - -2) When processing inline matches, the compiler previously inserted - the matches before the column-generated matches if there was a plus - sign ("+") anywhere in the matches. Now, it only does so if the - first non-blank character in the matches is a plus sign. +1) Previously, to prevent a helper kernel module from being loaded, it + was necessary to list both its current name and its + pre-kernel-2.6.20 name in the DONT_LOAD option in + /etc/shorewall[6].conf. For example, to prevent nf_conntrack_sip + from being loaded, it was necessary to also list ip_conntrack_sip + in DONT_LOAD. That is no longer necessary. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -44,34 +44,25 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) New macros have been contributed by Vincas Dargis: - - Bitcoin - Tor - ONCRPC - - Additionally, Tuomo Soini has contributed a WUDO (Windows Update - Delivery Optimization) macro. - -2) The Perl modules have undergone some cleanup/optimization. - -3) Given that recent kernels have dropped ULOG support, use of ULOG in - Shorewall is now deprecated and results in a warning message. The - warning can be eliminated by switching to NFLOG and ulogd2. +1) Zone exclusion (e.g., "all!z2,z2,...") is now supported in the + policy file. -4) Shorewall can now detect interface default gateways configured by - Network Manager. - -5) Inline matches are now supported in the 'conntrack' file. - -6) In the 'accounting' file, Inline matches in an INLINE(...) rule now - allow a leading '+' to cause the matches to be evaluated before - those generated by the column specifications. - -7) If view of the fact that some modems take an eternity to recover - from a power failure, the limit of the 'wait' interface option - setting has been increased from 120 seconds (2 minutes) to 300 - seconds (5 minutes). +2) With the availability of zone exclusion in the rules file, 'all[+]-' + and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW' + respectively. Beginning with this release, the former are + deprecated in favor of the latter and will result in a warning + message, if used. + +3) Internal documentaton of the undocumented 'test' parameter to + compiler.pl has been added (it is used by the regression test + library to suppress versions and date/times from the generated + script). + +4) The LOAD_HELPERS_ONLY option has been removed from + shorewall[6].conf. Hereafter, Shorewall[6] will behave as if + LOAD_HELPERS_ONLY=Yes had been specified. 
As part of this change, + the pre-kernel 2.6.20 modules have been removed from the helpers + file. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S @@ -419,7 +410,7 @@ instances will generate an error which must be corrected manually. It should also be noted that, in prior releases, Drop and Reject - silently dropped more traffic than thir replacements. As a + silently dropped more traffic than their replacements. As a consequence, you will see more traffic being logged with Shorewall 5.2 than you did on earlier releases. The translations performed by 'update' can be extended after the update to drop additional 
@@ -457,9 +448,64 @@ Beginning with Shorewall 5.2.1, the 'optional' option is disallowed on such interfaces and providers. +8) With the availability of zone exclusion in the rules file, 'all[+]-' + and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW' + respectively. Beginning with Shorewall 5.2.3, the former are + deprecated in favor of the latter and will result in a warning + message, if used. + +9) Beginning with Shorewall 5.2.3, the LOAD_HELPERS_ONLY option in + shorewall[6].conf has been removed, and the behavior is as if + LOAD_HELPERS_ONLY=Yes had been specified. 'shorewall[6] update' + will remove the option from shorewall[6].conf. + ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 2 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 2 . 2 +---------------------------------------------------------------------------- + +1) This release includes defect repair through Shorewall 5.2.1.4. + +2) When processing inline matches, the compiler previously inserted + the matches before the column-generated matches if there was a plus + sign ("+") anywhere in the matches. Now, it only does so if the + first non-blank character in the matches is a plus sign. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 2 . 1 +---------------------------------------------------------------------------- + +1) New macros have been contributed by Vincas Dargis: + + Bitcoin + Tor + ONCRPC + + Additionally, Tuomo Soini has contributed a WUDO (Windows Update + Delivery Optimization) macro. + +2) The Perl modules have undergone some cleanup/optimization. + +3) Given that recent kernels have dropped ULOG support, use of ULOG in + Shorewall is now deprecated and results in a warning message. The + warning can be eliminated by switching to NFLOG and ulogd2. 
+ +4) Shorewall can now detect interface default gateways configured by + Network Manager. + +5) Inline matches are now supported in the 'conntrack' file. + +6) In the 'accounting' file, Inline matches in an INLINE(...) rule now + allow a leading '+' to cause the matches to be evaluated before + those generated by the column specifications. + +7) If view of the fact that some modems take an eternity to recover + from a power failure, the limit of the 'wait' interface option + setting has been increased from 120 seconds (2 minutes) to 300 + seconds (5 minutes). + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 2 . 1 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.2/shorewall-lite.spec new/shorewall-lite-5.2.3/shorewall-lite.spec --- old/shorewall-lite-5.2.2/shorewall-lite.spec 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-lite-5.2.3/shorewall-lite.spec 2019-02-11 23:48:20.000000000 +0100 @@ -1,5 +1,5 @@ %define name shorewall-lite -%define version 5.2.2 +%define version 5.2.3 %define release 0base %define initdir /etc/init.d @@ -104,7 +104,6 @@ %attr(0644,root,root) /usr/share/shorewall-lite/configpath %attr(- ,root,root) /usr/share/shorewall-lite/functions %attr(0644,root,root) /usr/share/shorewall-lite/lib.base -%attr(0644,root,root) /usr/share/shorewall-lite/modules* %attr(0644,root,root) /usr/share/shorewall-lite/helpers %attr(0544,root,root) %{_libexecdir}/shorewall-lite/shorecap 
@@ -115,6 +114,14 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Mon Feb 11 2019 Tom Eastep [email protected] +- Updated to 5.2.3-0base +* Wed Feb 06 2019 Tom Eastep [email protected] +- Updated to 5.2.3-0RC1 +* Sun Feb 03 2019 Tom Eastep [email protected] +- Updated to 5.2.3-0Beta2 +* Tue Jan 22 2019 Tom Eastep [email protected] +- Updated to 5.2.3-0Beta1 * Wed Jan 16 2019 Tom Eastep [email protected] - Updated to 5.2.2-0base * Tue Jan 08 2019 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.2/uninstall.sh new/shorewall-lite-5.2.3/uninstall.sh --- old/shorewall-lite-5.2.2/uninstall.sh 2019-01-17 21:37:22.000000000 +0100 +++ new/shorewall-lite-5.2.3/uninstall.sh 2019-02-11 23:48:20.000000000 +0100 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.2.2 +VERSION=5.2.3 usage() # $1 = exit status { ++++++ shorewall-5.2.2.tar.bz2 -> shorewall6-5.2.3.tar.bz2 ++++++ ++++ 122152 lines of diff (skipped) ++++++ shorewall-lite-5.2.2.tar.bz2 -> shorewall6-lite-5.2.3.tar.bz2 ++++++ ++++ 3448 lines of diff (skipped)
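Review bot: In the helpers hunk (@@ -16,25 +16,6 @@), the eight removed ip_nat_* lines include ip_nat_snmp_basic, but the surviving context shows only nf_conntrack_ftp, nf_conntrack_h323 and nf_conntrack_irc, so it is not visible whether each removed module has an nf_* successor further down. The release notes in this same update say Shorewall now always behaves as if LOAD_HELPERS_ONLY=Yes, and the modules* files are deleted, which leaves this file as the only module list. Please confirm the remaining list covers every helper that is still wanted on 2.6.20+ kernels.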
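Review bot: In install.sh, the relocated loop `for f in modules.*; do` (hunk @@ -426,6 +426,11 @@) still uses `$f` unquoted and has no guard for an unmatched glob, so if `modules` exists without any `modules.*` sibling the loop passes the literal string `modules.*` to install_file. Suggest `[ -f "$f" ] || continue` as the first line of the loop and quoting "$f" in both the install_file and echo lines. Separately, this release deletes modules and every modules.* file from shorewall-lite and drops the `modules*` entry from the %files list in shorewall-lite.spec, so the enclosing `if [ -f modules ]` branch looks unreachable for this product. If install.sh is not shared with a tree that still ships those files, removing the branch would be cleaner than moving the loop into it.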
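Review bot: The new banner date in releasenotes.txt (hunk @@ -1,7 +1,7 @@) reads FEBRUARY 15, 2019, while the regenerated man pages in this same diff are stamped 02/11/2019 and the shorewall-lite.spec changelog records "Mon Feb 11 2019 ... Updated to 5.2.3-0base". Please confirm which is the release date and make the banner and the packaging metadata agree.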
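Review bot: Two wording problems in the added New Features text of releasenotes.txt (hunk @@ -44,34 +44,25 @@): item 3 has "documentaton" for "documentation", and the zone exclusion example in item 1, "all!z2,z2,...", repeats z2 where a list of distinct zones (z1,z2,...) was presumably intended. Since item 1 is the only syntax example for the new policy-file feature, the example should be corrected before users copy it. Item 4 would also benefit from saying what an operator who previously relied on LOAD_HELPERS_ONLY=No needs to do, if anything, since the option is removed rather than deprecated.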
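Review bot: In the "Notes from other 5.2 releases" section added by hunk @@ -457,9 +448,64 @@, the heading "N E W F E A T U R E S I N 5 . 2 . 1" appears to be mislabelled. The list under it (the Bitcoin/Tor/ONCRPC macros, ULOG deprecation, the 'wait' limit raised to 300 seconds) is the block this same diff removes from "NEW FEATURES IN THIS RELEASE" of the 5.2.2 notes, and it sits between "PROBLEMS CORRECTED IN 5.2.2" and "PROBLEMS CORRECTED IN 5.2.1", so it should read 5.2.2. The carried-over item 7 also still begins "If view of the fact"; "In view" is meant. Finally, migration item 9 covers the removal of LOAD_HELPERS_ONLY from shorewall[6].conf but says nothing about the deleted modules* files, whose own headers told users to copy them to /etc/shorewall and edit the copy; a sentence on what happens to such local copies would help anyone auditing which kernel modules the firewall loads after the upgrade.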
