Hello community, here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2020-03-17 13:08:25 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shorewall (Old) and /work/SRC/openSUSE:Factory/.shorewall.new.3160 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall" Tue Mar 17 13:08:25 2020 rev:112 rq:785459 version:5.2.3.7 Changes: -------- --- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2020-02-18 13:29:38.872730809 +0100 +++ /work/SRC/openSUSE:Factory/.shorewall.new.3160/shorewall.changes 2020-03-17 13:08:28.525722032 +0100 
@@ -1,0 +2,39 @@ +Sun Mar 15 19:34:02 UTC 2020 - Bruno Friedmann <[email protected]> + +- Add version to requires in -lite version + +------------------------------------------------------------------- +Wed Mar 11 13:53:14 UTC 2020 - Bruno Friedmann <[email protected]> + +- Update to minor bugfix version 5.2.3.7 + + When DOCKER=Yes, if both the DOCKER-ISOLATE and + DOCKER-ISOLATE-STAGE-1 existed then the DOCKER-ISOLATE-STAGE-* + chains were not preserved through shorewall state changes. + That has been corrected so that both chains are preserved if + present. + + Previously, the compiler always detected the OLD_CONNTRACK_MATCH + capability as being available in IPv6. When OLD_CONNTRACK_MATCH + was available, the compiler also mishandled inversion ('!') in the + ORIGDEST columns, leading to an assertion failure. + Both the incorrect capability detection and the mishandled + inversion have been corrected. + + During 'enable' processing, if address variables associated with + the interface have values different than those when the firewall + was last started/restarted/reloaded, then a 'reload' is performed + rather than a simple 'enable'. The logic that checks for those + changes was incorrect in some configurations, leading to unneeded + reload operations. That has been corrected. + + When MANGLE_ENABLED=No in shorewall[6].conf, some features + requiring use of the mangle table can be allowed, even though the + mangle table is not updated. That has been corrected such that use + of such features will raise an error. + + When the IfEvent(...,reset) action was invoked, the compiler + previously emitted a spurious "Resetting..." message. That message + has been suppressed. 
+- Packaging + + Do not provide anymore unsused notrack file + + Introduce define conf_need_update to track when we activate the + post update warning for users when there's minor or major version + update of shorewall bnc#1166114 + +------------------------------------------------------------------- Old: ---- shorewall-5.2.3.6.tar.bz2 shorewall-core-5.2.3.6.tar.bz2 shorewall-docs-html-5.2.3.6.tar.bz2 shorewall-init-5.2.3.6.tar.bz2 shorewall-lite-5.2.3.6.tar.bz2 shorewall6-5.2.3.6.tar.bz2 shorewall6-lite-5.2.3.6.tar.bz2 New: ---- shorewall-5.2.3.7.tar.bz2 shorewall-core-5.2.3.7.tar.bz2 shorewall-docs-html-5.2.3.7.tar.bz2 shorewall-init-5.2.3.7.tar.bz2 shorewall-lite-5.2.3.7.tar.bz2 shorewall6-5.2.3.7.tar.bz2 shorewall6-lite-5.2.3.7.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.f23beB/_old 2020-03-17 13:08:30.929723878 +0100 +++ /var/tmp/diff_new_pack.f23beB/_new 2020-03-17 13:08:30.969723909 +0100 @@ -19,12 +19,14 @@ %define have_systemd 1 %define dmaj 5.2 %define dmin 5.2.3 +# Warn users for upgrading configuration but only on major or minor version changes +%define conf_need_update 0 #2017+ New fillup location %if ! %{defined _fillupdir} %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: shorewall -Version: 5.2.3.6 +Version: 5.2.3.7 Release: 0 Summary: An iptables-based firewall for Linux systems License: GPL-2.0-only @@ -71,7 +73,7 @@ License: GPL-2.0-only Group: Productivity/Networking/Security Requires: %{_sbindir}/service -Requires: %{name}-core +Requires: %{name}-core = %{version}-%{release} Requires: bc Requires: iproute2 Requires: iptables 
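Review bot: the new `%define conf_need_update 0` in the `@@ -19,12 +19,14 @@` hunk has to be flipped to 1 by hand on every minor or major version bump and reset afterwards, and the comment above it does not say so; since `dmaj` and `dmin` are defined right above, either state that maintenance step in the comment or derive the value from a comparison against the previously installed version, so the `%pretrans` upgrade warning cannot be left off by accident on a release where the configuration really did change.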
@@ -110,7 +112,7 @@ License: GPL-2.0-only Group: Productivity/Networking/Security Requires: %{_sbindir}/service -Requires: %{name}-core +Requires: %{name}-core = %{version}-%{release} Requires: logrotate PreReq: %fillup_prereq Provides: shoreline_firewall = %{version}-%{release} @@ -193,7 +195,7 @@ %install -# find the systemd version inorder to install correct service files +# find the systemd version in order to install correct service files %define systemd_version \ systemd --version | awk '/^systemd/ {print $2}' @@ -245,7 +247,6 @@ popd done -# FIXME linkto /usr/sbin/service should follow usr_move thing rctargets="shorewall shorewall-lite shorewall6 shorewall6-lite shorewall-init" mkdir -p %buildroot/%{_sbindir} for i in $rctargets; do @@ -257,18 +258,16 @@ # Since 5.12 we need to remove them again rm -f %{buildroot}/%{_sysconfdir}/sysconfig/%{name}* -touch %{buildroot}%{_sysconfdir}/%{name}/notrack -touch %{buildroot}%{_sysconfdir}/%{name}6/notrack %pretrans -# Warn users for upgrading configuration but only on all version changes -# @TODO test and organize smooth automatic update +%if %conf_need_update echo "upgrade configuration" > /run/%{name}_upgrade +%endif %pretrans -n %{name}6 -# Warn users for upgrading configuration but only on all version changes -# @TODO test and organize smooth automatic update +%if %conf_need_update echo "upgrade configuration" > /run/%{name}6_upgrade +%endif %pre %service_add_pre shorewall.service ++++++ shorewall-5.2.3.6.tar.bz2 -> shorewall-5.2.3.7.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-5.2.3.6/Actions/action.IfEvent new/shorewall-5.2.3.7/Actions/action.IfEvent --- old/shorewall-5.2.3.6/Actions/action.IfEvent 2020-02-16 19:36:16.000000000 +0100 +++ new/shorewall-5.2.3.7/Actions/action.IfEvent 2020-03-06 17:27:18.000000000 +0100 
@@ -114,8 +114,6 @@ if ( $command & $RESET_CMD ) { require_capability 'MARK_ANYWHERE', '"reset"', 's'; - - print "Resetting....\n"; my $mark = $globals{EVENT_MARK}; # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-5.2.3.6/Perl/Shorewall/Chains.pm new/shorewall-5.2.3.7/Perl/Shorewall/Chains.pm --- old/shorewall-5.2.3.6/Perl/Shorewall/Chains.pm 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-5.2.3.7/Perl/Shorewall/Chains.pm 2020-03-06 17:38:12.000000000 +0100 @@ -1143,16 +1143,30 @@ # # Consider each subtype as a separate type # - my ( $invert, $subtype, $val, $rest ) = split ' ', $value; + if ( have_capability( 'OLD_CONNTRACK_MATCH' ) ) { + my ( $subtype, $invert, $val, $rest ) = split ' ', $value; - if ( $invert eq '!' ) { - assert( ! supplied $rest ); - $option = join( ' ', $option, $invert, $subtype ); - $value = $val; - } else { - assert( ! supplied $val ); - $option = join( ' ', $option, $invert ); - $value = $subtype; + if ( $invert eq '!' ) { + assert( ! supplied $rest ); + $option = join( ' ', $option, $subtype ); + $value = join( ' ', $invert, $val ); + } else { + assert( ! supplied $val ); + $option = join( ' ', $invert , $option ); + $value = $invert; + } + } else { + my ( $invert, $subtype, $val, $rest ) = split ' ', $value; + + if ( $invert eq '!' ) { + assert( ! supplied $rest ); + $option = join( ' ', $option, $invert, $subtype ); + $value = $val; + } else { + assert( ! supplied $val ); + $option = join( ' ', $option, $invert ); + $value = $subtype; + } } $opttype = EXCLUSIVE; 
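Review bot: in the `@@ -1143,16 +1143,30 @@` hunk the non-inverted branch of the new `OLD_CONNTRACK_MATCH` path looks asymmetric with the legacy branch: after `my ( $subtype, $invert, $val, $rest ) = split ' ', $value;` it does `$option = join( ' ', $invert , $option );` and `$value = $invert;`, so the second token is both prepended to the option and used as the value, while `$subtype` is never appended to `$option` the way it is in the inverted branch (`$option = join( ' ', $option, $subtype );`). The release notes say the inverted case was the one that asserted; please add a test for a plain, non-inverted ORIGDEST entry with OLD_CONNTRACK_MATCH available to confirm this branch produces the intended match.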
@@ -3369,13 +3383,13 @@ add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' ); $chainref = new_standard_chain( 'DOCKER-INGRESS' ); set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE ); - add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS ] && cat ${VARDIR}/.filter_DOCKER-INGRESS >&3' ); - $chainref = new_standard_chain( 'DOCKER-USER' ); + add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS ] && cat ${VARDIR}/.filter_DOCKER-INGRESS >&3' ); + $chainref = new_standard_chain( 'DOCKER-USER' ); set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE ); - add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-USER ] && cat ${VARDIR}/.filter_DOCKER-USER >&3' ); + add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-USER ] && cat ${VARDIR}/.filter_DOCKER-USER >&3' ); $chainref = new_standard_chain( 'DOCKER-ISOLATION' ); set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE ); - add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' ); + add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' ); $chainref = new_standard_chain( 'DOCKER-ISOLATION-STAGE-1' ); set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE ); add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 >&3' ); 
@@ -8703,20 +8717,15 @@ qq( $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT), qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL | fgrep -v LIBVIRT > \${VARDIR}/.nat_POSTROUTING), qq( $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER), - qq( [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS), - qq( [ -n "\$g_dockeruser" ] && $tool -t filter -S DOCKER-USER | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER), + qq( rm -f \${VARDIR}/.filter_DOCKER-*), + qq( [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS), + qq( [ -n "\$g_dockeruser" ] && $tool -t filter -S DOCKER-USER | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER), + qq( [ -n "\$g_dockeriso" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION), qq(), - qq( case "\$g_dockernetwork" in), - qq( One\)), - qq( rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*), - qq( $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION), - qq( ;;), - qq( Two\)), - qq( rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*), - qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1), - qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2), - qq( ;;), - qq( esac), + qq( if [ -n "\$g_dockerisostage" ]; then), + qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1), + qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2), + qq( fi), qq(), ); 
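Review bot: in the `@@ -8703,20 +8717,15 @@` hunk the new `rm -f \${VARDIR}/.filter_DOCKER-*` runs after `.filter_DOCKER` has already been written and relies on the trailing dash in the glob to leave that file alone; it also deletes `.filter_DOCKER-INGRESS` and `.filter_DOCKER-USER` just before they are regenerated, which is clearly the intent but deserves a one-line comment. Also note that the `[ -n "\$g_dockeringress" ] && ...` style lines return non-zero when the variable is empty, so this sequence must not be executed under `set -e`.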
@@ -9237,10 +9246,10 @@ emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' ); } elsif ( $name eq 'DOCKER-ISOLATION' ) { ensure_cmd_mode; - emit( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' ); - } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) { + emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' ); + } elsif ( $name =~ /^DOCKER-ISOLATION/ ) { ensure_cmd_mode; - emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) ); + emit( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) ); } elsif ( $name eq 'DOCKER-INGRESS' ) { ensure_cmd_mode; emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' ); @@ -9352,11 +9361,11 @@ print "\n"; } elsif ( $name eq 'DOCKER-ISOLATION' ) { ensure_cmd_mode1; - print( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' ); + print( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' ); print "\n"; - } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) { + } elsif ( $name =~ /^DOCKER-ISOLATION/ ) { ensure_cmd_mode1; - print( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) ); + print( qq([ "\$g_dockeisostage" ] && echo ":$name - [0:0]" >&3) ); print "\n"; } elsif ( $name eq 'DOCKER-INGRESS' ) { ensure_cmd_mode1; 
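Review bot: the `@@ -9352,11 +9361,11 @@` hunk introduces a typo: `print( qq([ "\$g_dockeisostage" ] && echo ":$name - [0:0]" >&3) );` tests `$g_dockeisostage` (missing `r`) and also drops the `-n` used by the sibling `emit(...)` lines in `@@ -9237` and `@@ -9453`. Since no variable of that name is ever assigned (prog.footer initialises `g_dockerisostage`), the `DOCKER-ISOLATION-STAGE-*` chain declarations will never be printed on this code path; suggest `[ -n "\$g_dockerisostage" ]` to match the other two hunks.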
@@ -9453,10 +9462,10 @@ emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' ); } elsif ( $name eq 'DOCKER-ISOLATION' ) { ensure_cmd_mode; - emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' ); - } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) { + emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' ); + } elsif ( $name =~ /^DOCKER-ISOLATION/ ) { ensure_cmd_mode; - emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) ); + emit( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) ); } elsif ( $name eq 'DOCKER-INGRESS' ) { ensure_cmd_mode; emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' ); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-5.2.3.6/Perl/Shorewall/Compiler.pm new/shorewall-5.2.3.7/Perl/Shorewall/Compiler.pm --- old/shorewall-5.2.3.6/Perl/Shorewall/Compiler.pm 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-5.2.3.7/Perl/Shorewall/Compiler.pm 2020-03-06 17:38:12.000000000 +0100 
@@ -268,13 +268,10 @@ emit( '', 'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes', ); - emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' ); - emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' ); - emit( 'if chain_exists DOCKER-ISOLATION; then', - ' g_dockernetwork=One', - 'elif chain_exists DOCKER-ISOLATION-STAGE-1; then', - ' g_dockernetwork=Two', - 'fi' ); + emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' ); + emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' ); + emit( 'chain_exists DOCKER-ISOLATION && g_dockeriso=Yes' ); + emit( 'chain_exists DOCKER-ISOLATION-STAGE-1 && g_dockerisostage=Yes' ); } pop_indent; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-5.2.3.6/Perl/Shorewall/Config.pm new/shorewall-5.2.3.7/Perl/Shorewall/Config.pm --- old/shorewall-5.2.3.6/Perl/Shorewall/Config.pm 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-5.2.3.7/Perl/Shorewall/Config.pm 2020-03-06 17:38:12.000000000 +0100 @@ -162,6 +162,7 @@ have_capability require_capability + require_mangle_capability report_used_capabilities kernel_version @@ -804,7 +805,7 @@ # 2. The compiler can run multiple times in the same process so it has to be # able to re-initialize its dependent modules' state. # -sub initialize( $;$$$) { +sub initialize($;$$$) { ( $family, $export, my ( $shorewallrc, $shorewallrc1 ) ) = @_; if ( $family == F_IPV4 ) { @@ -850,7 +851,7 @@ TC_SCRIPT => '', EXPORT => 0, KLUDGEFREE => '', - VERSION => "5.2.3.6", + VERSION => "5.2.3.7", CAPVERSION => 50200 , BLACKLIST_LOG_TAG => '', RELATED_LOG_TAG => '', @@ -4603,7 +4604,11 @@ } sub Old_Conntrack_Match() { - ! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" ); + if ( $family == F_IPV4 ) { + ! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" ); + } else { + ! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst ::1" ); + } } sub Multiport() { 
@@ -5263,6 +5268,16 @@ fatal_error "$description require${singular} $capdesc{$capability} in your kernel and iptables" unless have_capability $capability, 1; } +sub require_mangle_capability( $$$ ) { + my ( $capability, $description, $singular ) = @_; + + if ( $config{MANGLE_ENABLED} ) { + &require_capability( @_ ); + } else { + fatal_error "$description " . ( $singular ? 'is' : 'are' ) . " not available when MANGLE_ENABLED=No in $shorewallrc{PRODUCT}.conf"; + } +} + # # Return Kernel Version # @@ -6607,6 +6622,7 @@ if ( supplied $config{ACCOUNTING_TABLE} ) { my $value = $config{ACCOUNTING_TABLE}; fatal_error "Invalid ACCOUNTING_TABLE setting ($value)" unless $value eq 'filter' || $value eq 'mangle'; + fatal_error "ACCOUNTING_TABLE=mangle not allowed with MANGLE_ENABLED=No" if $value eq 'mangle' and ! $config{MANGLE_ENABLED}; } else { $config{ACCOUNTING_TABLE} = 'filter'; } @@ -6682,7 +6698,7 @@ $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset'; - require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK}; + require_mangle_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK}; numeric_option 'TC_BITS' , 8, 0; numeric_option 'MASK_BITS' , 8, 0; @@ -6926,7 +6942,7 @@ if ( $config{TC_ENABLED} ) { fatal_error "TC_ENABLED=$config{TC_ENABLED} is not allowed with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED}; - require_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's'; + require_mangle_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's'; } if ( supplied( $val = $config{TC_PRIOMAP} ) ) { @@ -6943,9 +6959,7 @@ } default 'RESTOREFILE' , 'restore'; - default 'DROP_DEFAULT' , 'none'; - default 'REJECT_DEFAULT' , 'none'; default 'BLACKLIST_DEFAULT' , 'none'; default 'QUEUE_DEFAULT' , 'none'; 
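Review bot: the `@@ -6943,9 +6959,7 @@` hunk removes `default 'DROP_DEFAULT' , 'none';` and `default 'REJECT_DEFAULT' , 'none';`, which none of the seven items in the changelog.txt hunk further down mention; please confirm these two options are defaulted elsewhere, or document the change in the release notes.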
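Review bot: in the `@@ -6926,7 +6942,7 @@` hunk the switch to `require_mangle_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';` adds a branch that can never be taken: the `fatal_error "TC_ENABLED=... is not allowed with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED};` two lines above already aborts whenever MANGLE_ENABLED is false, so the new "not available when MANGLE_ENABLED=No" message is unreachable here. Harmless, but one of the two checks should go.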
@@ -7009,9 +7023,9 @@ } require_capability( 'MULTIPORT' , "Shorewall $globals{VERSION}" , 's' ); - require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' , 's' ) if $config{MACLIST_TTL}; - require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' , 's' ) if $config{PROVIDER_OFFSET} > 0; - require_capability( 'MANGLE_ENABLED' , 'Traffic Shaping' , 's' ) if $config{TC_ENABLED}; + require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' , 's' ) if $config{MACLIST_TTL}; + require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' , 's' ) if $config{PROVIDER_OFFSET} > 0; + require_capability( 'MANGLE_ENABLED' , 'Traffic Shaping' , 's' ) if $config{TC_ENABLED}; if ( $config{WARNOLDCAPVERSION} ) { if ( $capabilities{CAPVERSION} ) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-5.2.3.6/Perl/Shorewall/Misc.pm new/shorewall-5.2.3.7/Perl/Shorewall/Misc.pm --- old/shorewall-5.2.3.6/Perl/Shorewall/Misc.pm 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-5.2.3.7/Perl/Shorewall/Misc.pm 2020-03-06 17:38:12.000000000 +0100 @@ -97,7 +97,7 @@ if ( my $fn = open_file 'ecn' ) { first_entry( sub { progress_message2 "$doing $fn..."; - require_capability 'MANGLE_ENABLED', 'Entries in the ecn file', ''; + require_mangle_capability 'MANGLE_ENABLED', 'Entries in the ecn file', ''; warning_message 'ECN will not be applied to forwarded packets' unless have_capability 'MANGLE_FORWARD'; } ); 
@@ -679,18 +679,10 @@ my $chainref = $filter_table->{FORWARD}; - add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3', ); - add_commands( $chainref, '[ -n "$g_dockeruser" ] && echo "-A FORWARD -j DOCKER-USER" >&3', ); - add_commands( $chainref , - '', - 'case "$g_dockernetwork" in', - ' One)', - ' echo "-A FORWARD -j DOCKER-ISOLATION" >&3', - ' ;;', - ' Two)', - ' echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3', - ' ;;', - 'esac' ); + add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3' ); + add_commands( $chainref, '[ -n "$g_dockeruser" ] && echo "-A FORWARD -j DOCKER-USER" >&3' ); + add_commands( $chainref, '[ -n "$g_dockeriso" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3' ); + add_commands( $chainref, '[ -n "$g_dockerisostage" ] && echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3' ); if ( my $dockerref = known_interface('docker0') ) { add_commands( $chainref, 'if [ -n "$g_docker" ]; then' ); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-5.2.3.6/Perl/Shorewall/Providers.pm new/shorewall-5.2.3.7/Perl/Shorewall/Providers.pm --- old/shorewall-5.2.3.6/Perl/Shorewall/Providers.pm 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-5.2.3.7/Perl/Shorewall/Providers.pm 2020-03-06 17:38:12.000000000 +0100 @@ -594,7 +594,7 @@ unless ( $options eq '-' ) { for my $option ( split_list $options, 'option' ) { if ( $option eq 'track' ) { - require_capability( 'MANGLE_ENABLED' , q(The 'track' option) , 's' ); + require_mangle_capability( 'MANGLE_ENABLED' , q(The 'track' option) , 's' ); $track = 1; } elsif ( $option eq 'notrack' ) { $track = 0; 
@@ -714,7 +714,7 @@ $mark = ( $lastmark += ( 1 << $config{PROVIDER_OFFSET} ) ) if $mark eq '-' && $track; if ( $mark ne '-' ) { - require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' ); + require_mangle_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' ); if ( $tproxy && ! $local ) { $val = $globals{TPROXY_MARK}; @@ -1180,14 +1180,14 @@ emit "fi\n"; if ( get_interface_option( $interface, 'used_address_variable' ) ) { - my $variable = interface_address( $interface ); + my $variable = get_interface_address( $interface ); - emit( "echo \$$variable > \${VARDIR}/${physical}.address" ); + emit( "echo $variable > \${VARDIR}/${physical}.address" ); } if ( get_interface_option( $interface, 'used_gateway_variable' ) ) { - my $variable = interface_gateway( $interface ); - emit( qq(echo "\$$variable" > \${VARDIR}/${physical}.gateway\n) ); + my $variable = get_interface_gateway( $interface ); + emit( qq(echo "$variable" > \${VARDIR}/${physical}.gateway\n) ); } } else { emit( qq(progress_message "Provider $table ($number) Started") ); 
@@ -2323,22 +2323,22 @@ emit( 'fi' ); if ( get_interface_option( $interface, 'used_address_variable' ) ) { - my $variable = interface_address( $interface ); + my $variable = get_interface_address( $interface ); emit( '', "if [ -f \${VARDIR}/${physical}.address ]; then", - " if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then", + " if [ \$(cat \${VARDIR}/${physical}.address) != $variable ]; then", ' g_forcereload=Yes', ' fi', 'fi' ); } if ( get_interface_option( $interface, 'used_gateway_variable' ) ) { - my $variable = interface_gateway( $interface ); + my $variable = get_interface_gateway( $interface ); emit( '', "if [ -f \${VARDIR}/${physical}.gateway ]; then", - " if [ \$(cat \${VARDIR}/${physical}.gateway) != \"\$$variable\" ]; then", + " if [ \$(cat \${VARDIR}/${physical}.gateway) != \"$variable\" ]; then", ' g_forcereload=Yes', ' fi', 'fi' ); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-5.2.3.6/Perl/Shorewall/Tc.pm new/shorewall-5.2.3.7/Perl/Shorewall/Tc.pm --- old/shorewall-5.2.3.6/Perl/Shorewall/Tc.pm 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-5.2.3.7/Perl/Shorewall/Tc.pm 2020-03-06 17:38:12.000000000 +0100 @@ -2455,7 +2455,7 @@ } } } elsif ( -f ( my $fn = find_file( 'tcrules' ) ) ) { - warning_message "The tcrules file is no longer supported -- use '$product update' to convert $fn to an equivalent 'mangle' file"; + warning_message "The tcrules file is no longer supported -- use '$shorewallrc{product} update' to convert $fn to an equivalent 'mangle' file"; } if ( my $fn = open_file( 'mangle', 1, 1 ) ) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-5.2.3.6/Perl/prog.footer new/shorewall-5.2.3.7/Perl/prog.footer --- old/shorewall-5.2.3.6/Perl/prog.footer 2020-02-16 19:36:16.000000000 +0100 +++ new/shorewall-5.2.3.7/Perl/prog.footer 2020-03-06 17:27:18.000000000 +0100 
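Review bot: in the `@@ -2323,22 +2323,22 @@` hunk the `.address` comparison emits `!= $variable ]` unquoted while the `.gateway` comparison right below quotes it (`!= \"$variable\"`); if the address variable expands to an empty string the generated `[ ... ]` test becomes a shell syntax error instead of forcing `g_forcereload=Yes`, so quote both the same way. The `@@ -1180,14 +1180,14 @@` hunk above has the same asymmetry (`echo $variable >` versus `echo "$variable" >`).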
@@ -148,7 +148,8 @@ g_file= g_docker= g_dockeringress= -g_dockernetwork= +g_dockeriso= +g_dockerisostage= g_forcereload= g_fallback= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-5.2.3.6/changelog.txt new/shorewall-5.2.3.7/changelog.txt --- old/shorewall-5.2.3.6/changelog.txt 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-5.2.3.7/changelog.txt 2020-03-06 17:38:12.000000000 +0100 @@ -1,3 +1,24 @@ +Changes in 5.2.3.7 + +1) Update release documents + +2) Track DOCKER-ISOLATION and DOCKER-ISOLATION-STAGE-* using + separate variables. + +3) Correct detection of OLD_CONNTRACK_MATCH in the compiler. + +4) Correct handling of ORIGDEST inversion when OLD_CONNTRACK_MATCH is + available. + +5) Correct logic that detects when 'reload' is required during + 'enable'. + +6) Add checks for features requiring the mangle table when + MANGLE_ENABLED=No. + +7) Eliminate suprious 'Resetting...' message during compilation of + 'IfEvent(...,reset)' invocations. + Changes in 5.2.3.6 1) Update release documents diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-5.2.3.6/configure new/shorewall-5.2.3.7/configure --- old/shorewall-5.2.3.6/configure 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-5.2.3.7/configure 2020-03-06 17:38:12.000000000 +0100 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.2.3.6 +VERSION=5.2.3.7 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-5.2.3.6/configure.pl new/shorewall-5.2.3.7/configure.pl --- old/shorewall-5.2.3.6/configure.pl 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-5.2.3.7/configure.pl 2020-03-06 17:38:12.000000000 +0100 
@@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.2.3.6' + VERSION => '5.2.3.7' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-5.2.3.6/install.sh new/shorewall-5.2.3.7/install.sh --- old/shorewall-5.2.3.6/install.sh 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-5.2.3.7/install.sh 2020-03-06 17:38:12.000000000 +0100 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=5.2.3.6 +VERSION=5.2.3.7 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-5.2.3.6/known_problems.txt new/shorewall-5.2.3.7/known_problems.txt --- old/shorewall-5.2.3.6/known_problems.txt 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-5.2.3.7/known_problems.txt 2020-03-06 17:38:12.000000000 +0100 @@ -13,7 +13,30 @@ uses a "delete..add.." sequence on these routes rather than a single "replace" command. -4) If more than one zone is excluded in a policy file entry, an error +4) On Debian-derived systems, when DOCKER=Yes, the 'systemctl restart + shorewall' command looses Docker rules. + + Workaround (courtesy of J Cliff Armstrong): + + Type (as root): + + `systemctl edit shorewall.service`. + + This will open the default terminal editor to a blank file in + which you can paste the following: + + [Service] + # reset ExecStop + ExecStop= + # set ExecStop to "stop" instead of "clear" + ExecStop=/sbin/shorewall $OPTIONS stop + + Then type `systemctl daemon-reload` to activate the changes. This + change will survive future updates of the shorewall package from apt + repositories. The override file itself will be saved to + `/etc/systemd/system/shorewall.service.d/`. + +5) If more than one zone is excluded in a policy file entry, an error similar to the following is raised: ERROR: 'all' is not allowed in a source zone list 
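Review bot: the new item 4 in the `@@ -13,7 +13,30 @@` hunk of known_problems.txt has a typo: `command looses Docker rules` should read `loses`.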
@@ -21,7 +44,7 @@ Corrected in Shorewall 5.2.3.1 -5) Shorewall 5.2 automatically converts and existing 'masq' file to an +6) Shorewall 5.2 automatically converts and existing 'masq' file to an equivalent 'snat' file. Regrettably, Shorewall 5.2.3 broke that automatic update, such that the following error message was issued: @@ -39,14 +62,14 @@ Corrected in 5.2.3.2. -6) If an ipset is listed in the SPORT column, the compiler raises +7) If an ipset is listed in the SPORT column, the compiler raises an error similar to: ERROR: Invalid ipset name () /etc/shorewall/rules (line 44) Corrected in 5.2.3.3. -7) If multi-queue NFQUEUE (e.g., NFQUEUE(0:1) ) is used as a policy, +8) If multi-queue NFQUEUE (e.g., NFQUEUE(0:1) ) is used as a policy, an error such as the following is incorrectly raised. ERROR: Invalid policy (NFQUEUE(0) /etc/shorewall/policy (line @@ -54,7 +77,7 @@ Corrected in 5.2.3.4. -8) If multi-queue NFQUEUE( e.g., NFQUEUE(0:1,bypass) ) is passed to a +9) If multi-queue NFQUEUE( e.g., NFQUEUE(0:1,bypass) ) is passed to a macro, an error such as the following is incorrectly raised: ERROR: Invalid ACTION (PARAM:1c,bypass))) 
@@ -63,31 +86,31 @@ Corrected in 5.2.3.4. -9) If shorewall[6].conf doesn't set AUTOMAKE, the 'update' command +10) If shorewall[6].conf doesn't set AUTOMAKE, the 'update' command will produce a new file with 'AUTOMAKE=Yes'. This results in an unexpected change of behavior. Corrected in 5.2.3.4. -10) Shorewall-rules(5) incorrectly states that the 'bypass' option to +11) Shorewall-rules(5) incorrectly states that the 'bypass' option to NFQUEUE causes the rule to be silently bypassed if there is no application attached to the queue. The actual behavior is that the rule acts like ACCEPT. Corrected in 5.2.3.4. -11) An error is raised if the 'bypass' option is given when specifying +12) An error is raised if the 'bypass' option is given when specifying an NFQUEUE policy. Corrected in 5.2.3.5. -12) When an IPv6 address range is specified, it must be of the form +13) When an IPv6 address range is specified, it must be of the form [<addr1>-<addr2>] rather than in the more standard form [<addr1>]-[<addr2>]. Corrected in 5.2.3.5. -13) When a Shorewall6 firewall is in the stopped state, it does not +14) When a Shorewall6 firewall is in the stopped state, it does not automatically accept critical ipv6-icmp packets that are not associated with a particular connection. @@ -103,7 +126,7 @@ Will be corrected in 5.2.4. -14) When both Docker containers and Libvirt VMs are in use, 'shorewall +15) When both Docker containers and Libvirt VMs are in use, 'shorewall start' may fail as follows: Running /sbin/iptables-restore --wait 60... 
@@ -114,3 +137,44 @@ ERROR: /sbin/iptables-restore --wait 60 Failed. Corrected in Shorewall 5.2.3.6 + +16) When DOCKER=Yes, if both the DOCKER-ISOLATE and + DOCKER-ISOLATE-STAGE-1 exist then the DOCKER-ISOLATE-STAGE-* + chains will not be preserved through shorewall state changes. + + Corrected in Shorewall 5.2.3.7 + +17) The compiler always detects the OLD_CONNTRACK_MATCH capability as + being available in IPv6. Unfortunately, the compiler also mis-handles + inversion ('!') in the ORIGDEST columns when OLD_CONNTRACK_MATCH + is available leading to an assertion failure: + + Shorewall::Config::fatal_error("Internal error in + Shorewall::Chains::set_rule_option at /usr/"...) called at + /usr/share/shorewall/Shorewall/Config.pm line 1619 + + Workaround: Use a capabilities file -- the shorewall6 CLI detects + OLD_CONNTRACK_MATCH accurately. + + Corrected in Shorewall 5.2.3.7 + +18) During 'enable' processing, if address variables associated with + the interface have values different than those when the firewall + was last started/restarted/reloaded, then a reload is performed + rather than a simple enable. The logic that checks for those + changes is incorrect in some configurations, leading to unneeded + reload operations. + + Corrected in Shorewall 5.2.3.7 + +19) When MANGLE_ENABLED=No in shorewall[6].conf, some features + requiring use of the mangle table can be allowed, even though the + mangle table is not updated. + + Corrected in Shorewall 5.2.3.7 + +20) When an invocation of the IfEvent(...,reset) action is invoked, + the compiler emits a spurious "Resetting..." message. + + Corrected in Shorewall 5.2.3.7 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-5.2.3.6/releasenotes.txt new/shorewall-5.2.3.7/releasenotes.txt --- old/shorewall-5.2.3.6/releasenotes.txt 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-5.2.3.7/releasenotes.txt 2020-03-06 17:38:12.000000000 +0100 
@@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 2 . 3 . 6 + S H O R E W A L L 5 . 2 . 3 . 7 ------------------------------- - F E B R U A R Y 1 6 , 2 0 2 0 + M A R C H 0 5 , 2 0 2 0 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,6 +14,42 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- +5.2.3.7 + +1) When DOCKER=Yes, if both the DOCKER-ISOLATE and + DOCKER-ISOLATE-STAGE-1 existed then the DOCKER-ISOLATE-STAGE-* + chains were not preserved through shorewall state changes. + That has been corrected so that both chains are preserved if + present. + +2) Previously, the compiler always detected the OLD_CONNTRACK_MATCH + capability as being available in IPv6. When OLD_CONNTRACK_MATCH + was available, the compiler also mishandled inversion ('!') in the + ORIGDEST columns, leading to an assertion failure: + + Shorewall::Config::fatal_error("Internal error in + Shorewall::Chains::set_rule_option at /usr/"...) called at + /usr/share/shorewall/Shorewall/Config.pm line 1619 + + Both the incorrect capability detection and the mishandled + inversion have been corrected. + +3) During 'enable' processing, if address variables associated with + the interface have values different than those when the firewall + was last started/restarted/reloaded, then a 'reload' is performed + rather than a simple 'enable'. The logic that checks for those + changes was incorrect in some configurations, leading to unneeded + reload operations. That has been corrected. + +4) When MANGLE_ENABLED=No in shorewall[6].conf, some features + requiring use of the mangle table can be allowed, even though the + mangle table is not updated. That has been corrected such that use + of such features will raise an error. + +5) When an invocation of the IfEvent(...,reset) action was invoked, + the compiler previously emitted a spurious "Resetting..." message. + That message has been suppressed. 
+ 5.2.3.6 1) When both Docker containers and Libvirt VMs were in use, 'shorewall diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-5.2.3.6/shorewall.spec new/shorewall-5.2.3.7/shorewall.spec --- old/shorewall-5.2.3.6/shorewall.spec 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-5.2.3.7/shorewall.spec 2020-03-06 17:38:12.000000000 +0100 @@ -1,6 +1,6 @@ %define name shorewall %define version 5.2.3 -%define release 6 +%define release 7 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} @@ -155,6 +155,8 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt Samples %changelog +* Tue Feb 25 2020 Tom Eastep <[email protected]> +- Updated to 5.2.3-7 * Sun Feb 16 2020 Tom Eastep <[email protected]> - Updated to 5.2.3-6 * Wed Jan 15 2020 Tom Eastep <[email protected]> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-5.2.3.6/uninstall.sh new/shorewall-5.2.3.7/uninstall.sh --- old/shorewall-5.2.3.6/uninstall.sh 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-5.2.3.7/uninstall.sh 2020-03-06 17:38:12.000000000 +0100 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.2.3.6 +VERSION=5.2.3.7 usage() # $1 = exit status { ++++++ shorewall-core-5.2.3.6.tar.bz2 -> shorewall-core-5.2.3.7.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.3.6/changelog.txt new/shorewall-core-5.2.3.7/changelog.txt --- old/shorewall-core-5.2.3.6/changelog.txt 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-core-5.2.3.7/changelog.txt 2020-03-06 17:38:12.000000000 +0100 
@@ -1,3 +1,24 @@ +Changes in 5.2.3.7 + +1) Update release documents + +2) Track DOCKER-ISOLATION and DOCKER-ISOLATION-STAGE-* using + separate variables. + +3) Correct detection of OLD_CONNTRACK_MATCH in the compiler. + +4) Correct handling of ORIGDEST inversion when OLD_CONNTRACK_MATCH is + available. + +5) Correct logic that detects when 'reload' is required during + 'enable'. + +6) Add checks for features requiring the mangle table when + MANGLE_ENABLED=No. + +7) Eliminate suprious 'Resetting...' message during compilation of + 'IfEvent(...,reset)' invocations. + Changes in 5.2.3.6 1) Update release documents diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.3.6/configure new/shorewall-core-5.2.3.7/configure --- old/shorewall-core-5.2.3.6/configure 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-core-5.2.3.7/configure 2020-03-06 17:38:11.000000000 +0100 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.2.3.6 +VERSION=5.2.3.7 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.3.6/configure.pl new/shorewall-core-5.2.3.7/configure.pl --- old/shorewall-core-5.2.3.6/configure.pl 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-core-5.2.3.7/configure.pl 2020-03-06 17:38:11.000000000 +0100 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.2.3.6' + VERSION => '5.2.3.7' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.3.6/install.sh new/shorewall-core-5.2.3.7/install.sh --- old/shorewall-core-5.2.3.6/install.sh 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-core-5.2.3.7/install.sh 2020-03-06 17:38:11.000000000 +0100 
@@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=5.2.3.6 +VERSION=5.2.3.7 PRODUCT=shorewall-core Product="Shorewall Core" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.3.6/known_problems.txt new/shorewall-core-5.2.3.7/known_problems.txt --- old/shorewall-core-5.2.3.6/known_problems.txt 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-core-5.2.3.7/known_problems.txt 2020-03-06 17:38:12.000000000 +0100 @@ -13,7 +13,30 @@ uses a "delete..add.." sequence on these routes rather than a single "replace" command. -4) If more than one zone is excluded in a policy file entry, an error +4) On Debian-derived systems, when DOCKER=Yes, the 'systemctl restart + shorewall' command looses Docker rules. + + Workaround (courtesy of J Cliff Armstrong): + + Type (as root): + + `systemctl edit shorewall.service`. + + This will open the default terminal editor to a blank file in + which you can paste the following: + + [Service] + # reset ExecStop + ExecStop= + # set ExecStop to "stop" instead of "clear" + ExecStop=/sbin/shorewall $OPTIONS stop + + Then type `systemctl daemon-reload` to activate the changes. This + change will survive future updates of the shorewall package from apt + repositories. The override file itself will be saved to + `/etc/systemd/system/shorewall.service.d/`. + +5) If more than one zone is excluded in a policy file entry, an error similar to the following is raised: ERROR: 'all' is not allowed in a source zone list @@ -21,7 +44,7 @@ Corrected in Shorewall 5.2.3.1 -5) Shorewall 5.2 automatically converts and existing 'masq' file to an +6) Shorewall 5.2 automatically converts and existing 'masq' file to an equivalent 'snat' file. Regrettably, Shorewall 5.2.3 broke that automatic update, such that the following error message was issued: 
@@ -39,14 +62,14 @@ Corrected in 5.2.3.2. -6) If an ipset is listed in the SPORT column, the compiler raises +7) If an ipset is listed in the SPORT column, the compiler raises an error similar to: ERROR: Invalid ipset name () /etc/shorewall/rules (line 44) Corrected in 5.2.3.3. -7) If multi-queue NFQUEUE (e.g., NFQUEUE(0:1) ) is used as a policy, +8) If multi-queue NFQUEUE (e.g., NFQUEUE(0:1) ) is used as a policy, an error such as the following is incorrectly raised. ERROR: Invalid policy (NFQUEUE(0) /etc/shorewall/policy (line @@ -54,7 +77,7 @@ Corrected in 5.2.3.4. -8) If multi-queue NFQUEUE( e.g., NFQUEUE(0:1,bypass) ) is passed to a +9) If multi-queue NFQUEUE( e.g., NFQUEUE(0:1,bypass) ) is passed to a macro, an error such as the following is incorrectly raised: ERROR: Invalid ACTION (PARAM:1c,bypass))) 
@@ -63,31 +86,31 @@ Corrected in 5.2.3.4. -9) If shorewall[6].conf doesn't set AUTOMAKE, the 'update' command +10) If shorewall[6].conf doesn't set AUTOMAKE, the 'update' command will produce a new file with 'AUTOMAKE=Yes'. This results in an unexpected change of behavior. Corrected in 5.2.3.4. -10) Shorewall-rules(5) incorrectly states that the 'bypass' option to +11) Shorewall-rules(5) incorrectly states that the 'bypass' option to NFQUEUE causes the rule to be silently bypassed if there is no application attached to the queue. The actual behavior is that the rule acts like ACCEPT. Corrected in 5.2.3.4. -11) An error is raised if the 'bypass' option is given when specifying +12) An error is raised if the 'bypass' option is given when specifying an NFQUEUE policy. Corrected in 5.2.3.5. -12) When an IPv6 address range is specified, it must be of the form +13) When an IPv6 address range is specified, it must be of the form [<addr1>-<addr2>] rather than in the more standard form [<addr1>]-[<addr2>]. Corrected in 5.2.3.5. -13) When a Shorewall6 firewall is in the stopped state, it does not +14) When a Shorewall6 firewall is in the stopped state, it does not automatically accept critical ipv6-icmp packets that are not associated with a particular connection. @@ -103,7 +126,7 @@ Will be corrected in 5.2.4. -14) When both Docker containers and Libvirt VMs are in use, 'shorewall +15) When both Docker containers and Libvirt VMs are in use, 'shorewall start' may fail as follows: Running /sbin/iptables-restore --wait 60... 
@@ -114,3 +137,44 @@ ERROR: /sbin/iptables-restore --wait 60 Failed. Corrected in Shorewall 5.2.3.6 + +16) When DOCKER=Yes, if both the DOCKER-ISOLATE and + DOCKER-ISOLATE-STAGE-1 exist then the DOCKER-ISOLATE-STAGE-* + chains will not be preserved through shorewall state changes. + + Corrected in Shorewall 5.2.3.7 + +17) The compiler always detects the OLD_CONNTRACK_MATCH capability as + being available in IPv6. Unfortunately, the compiler also mis-handles + inversion ('!') in the ORIGDEST columns when OLD_CONNTRACK_MATCH + is available leading to an assertion failure: + + Shorewall::Config::fatal_error("Internal error in + Shorewall::Chains::set_rule_option at /usr/"...) called at + /usr/share/shorewall/Shorewall/Config.pm line 1619 + + Workaround: Use a capabilities file -- the shorewall6 CLI detects + OLD_CONNTRACK_MATCH accurately. + + Corrected in Shorewall 5.2.3.7 + +18) During 'enable' processing, if address variables associated with + the interface have values different than those when the firewall + was last started/restarted/reloaded, then a reload is performed + rather than a simple enable. The logic that checks for those + changes is incorrect in some configurations, leading to unneeded + reload operations. + + Corrected in Shorewall 5.2.3.7 + +19) When MANGLE_ENABLED=No in shorewall[6].conf, some features + requiring use of the mangle table can be allowed, even though the + mangle table is not updated. + + Corrected in Shorewall 5.2.3.7 + +20) When an invocation of the IfEvent(...,reset) action is invoked, + the compiler emits a spurious "Resetting..." message. + + Corrected in Shorewall 5.2.3.7 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.3.6/releasenotes.txt new/shorewall-core-5.2.3.7/releasenotes.txt --- old/shorewall-core-5.2.3.6/releasenotes.txt 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-core-5.2.3.7/releasenotes.txt 2020-03-06 17:38:12.000000000 +0100 
@@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 2 . 3 . 6 + S H O R E W A L L 5 . 2 . 3 . 7 ------------------------------- - F E B R U A R Y 1 6 , 2 0 2 0 + M A R C H 0 5 , 2 0 2 0 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,6 +14,42 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- +5.2.3.7 + +1) When DOCKER=Yes, if both the DOCKER-ISOLATE and + DOCKER-ISOLATE-STAGE-1 existed then the DOCKER-ISOLATE-STAGE-* + chains were not preserved through shorewall state changes. + That has been corrected so that both chains are preserved if + present. + +2) Previously, the compiler always detected the OLD_CONNTRACK_MATCH + capability as being available in IPv6. When OLD_CONNTRACK_MATCH + was available, the compiler also mishandled inversion ('!') in the + ORIGDEST columns, leading to an assertion failure: + + Shorewall::Config::fatal_error("Internal error in + Shorewall::Chains::set_rule_option at /usr/"...) called at + /usr/share/shorewall/Shorewall/Config.pm line 1619 + + Both the incorrect capability detection and the mishandled + inversion have been corrected. + +3) During 'enable' processing, if address variables associated with + the interface have values different than those when the firewall + was last started/restarted/reloaded, then a 'reload' is performed + rather than a simple 'enable'. The logic that checks for those + changes was incorrect in some configurations, leading to unneeded + reload operations. That has been corrected. + +4) When MANGLE_ENABLED=No in shorewall[6].conf, some features + requiring use of the mangle table can be allowed, even though the + mangle table is not updated. That has been corrected such that use + of such features will raise an error. + +5) When an invocation of the IfEvent(...,reset) action was invoked, + the compiler previously emitted a spurious "Resetting..." message. + That message has been suppressed. 
+ 5.2.3.6 1) When both Docker containers and Libvirt VMs were in use, 'shorewall diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.3.6/shorewall-core.spec new/shorewall-core-5.2.3.7/shorewall-core.spec --- old/shorewall-core-5.2.3.6/shorewall-core.spec 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-core-5.2.3.7/shorewall-core.spec 2020-03-06 17:38:12.000000000 +0100 @@ -1,6 +1,6 @@ %define name shorewall-core %define version 5.2.3 -%define release 6 +%define release 7 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} @@ -69,6 +69,8 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt %changelog +* Tue Feb 25 2020 Tom Eastep <[email protected]> +- Updated to 5.2.3-7 * Sun Feb 16 2020 Tom Eastep <[email protected]> - Updated to 5.2.3-6 * Wed Jan 15 2020 Tom Eastep <[email protected]> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.3.6/uninstall.sh new/shorewall-core-5.2.3.7/uninstall.sh --- old/shorewall-core-5.2.3.6/uninstall.sh 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-core-5.2.3.7/uninstall.sh 2020-03-06 17:38:11.000000000 +0100 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.2.3.6 +VERSION=5.2.3.7 PRODUCT=shorewall-core Product="Shorewall Core" ++++++ shorewall-docs-html-5.2.3.6.tar.bz2 -> shorewall-docs-html-5.2.3.7.tar.bz2 ++++++ ++++ 1710 lines of diff (skipped) ++++++ shorewall-init-5.2.3.6.tar.bz2 -> shorewall-init-5.2.3.7.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.3.6/changelog.txt new/shorewall-init-5.2.3.7/changelog.txt --- old/shorewall-init-5.2.3.6/changelog.txt 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-init-5.2.3.7/changelog.txt 2020-03-06 17:38:12.000000000 +0100 
@@ -1,3 +1,24 @@ +Changes in 5.2.3.7 + +1) Update release documents + +2) Track DOCKER-ISOLATION and DOCKER-ISOLATION-STAGE-* using + separate variables. + +3) Correct detection of OLD_CONNTRACK_MATCH in the compiler. + +4) Correct handling of ORIGDEST inversion when OLD_CONNTRACK_MATCH is + available. + +5) Correct logic that detects when 'reload' is required during + 'enable'. + +6) Add checks for features requiring the mangle table when + MANGLE_ENABLED=No. + +7) Eliminate suprious 'Resetting...' message during compilation of + 'IfEvent(...,reset)' invocations. + Changes in 5.2.3.6 1) Update release documents diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.3.6/configure new/shorewall-init-5.2.3.7/configure --- old/shorewall-init-5.2.3.6/configure 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-init-5.2.3.7/configure 2020-03-06 17:38:12.000000000 +0100 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.2.3.6 +VERSION=5.2.3.7 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.3.6/configure.pl new/shorewall-init-5.2.3.7/configure.pl --- old/shorewall-init-5.2.3.6/configure.pl 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-init-5.2.3.7/configure.pl 2020-03-06 17:38:12.000000000 +0100 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.2.3.6' + VERSION => '5.2.3.7' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.3.6/install.sh new/shorewall-init-5.2.3.7/install.sh --- old/shorewall-init-5.2.3.6/install.sh 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-init-5.2.3.7/install.sh 2020-03-06 17:38:12.000000000 +0100 
@@ -27,7 +27,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=5.2.3.6 +VERSION=5.2.3.7 PRODUCT=shorewall-init Product="Shorewall Init" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.3.6/releasenotes.txt new/shorewall-init-5.2.3.7/releasenotes.txt --- old/shorewall-init-5.2.3.6/releasenotes.txt 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-init-5.2.3.7/releasenotes.txt 2020-03-06 17:38:12.000000000 +0100 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 2 . 3 . 6 + S H O R E W A L L 5 . 2 . 3 . 7 ------------------------------- - F E B R U A R Y 1 6 , 2 0 2 0 + M A R C H 0 5 , 2 0 2 0 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,6 +14,42 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- +5.2.3.7 + +1) When DOCKER=Yes, if both the DOCKER-ISOLATE and + DOCKER-ISOLATE-STAGE-1 existed then the DOCKER-ISOLATE-STAGE-* + chains were not preserved through shorewall state changes. + That has been corrected so that both chains are preserved if + present. + +2) Previously, the compiler always detected the OLD_CONNTRACK_MATCH + capability as being available in IPv6. When OLD_CONNTRACK_MATCH + was available, the compiler also mishandled inversion ('!') in the + ORIGDEST columns, leading to an assertion failure: + + Shorewall::Config::fatal_error("Internal error in + Shorewall::Chains::set_rule_option at /usr/"...) called at + /usr/share/shorewall/Shorewall/Config.pm line 1619 + + Both the incorrect capability detection and the mishandled + inversion have been corrected. + +3) During 'enable' processing, if address variables associated with + the interface have values different than those when the firewall + was last started/restarted/reloaded, then a 'reload' is performed + rather than a simple 'enable'. The logic that checks for those + changes was incorrect in some configurations, leading to unneeded + reload operations. That has been corrected. + +4) When MANGLE_ENABLED=No in shorewall[6].conf, some features + requiring use of the mangle table can be allowed, even though the + mangle table is not updated. That has been corrected such that use + of such features will raise an error. + +5) When an invocation of the IfEvent(...,reset) action was invoked, + the compiler previously emitted a spurious "Resetting..." message. + That message has been suppressed. 
+ 5.2.3.6 1) When both Docker containers and Libvirt VMs were in use, 'shorewall diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.3.6/shorewall-init.spec new/shorewall-init-5.2.3.7/shorewall-init.spec --- old/shorewall-init-5.2.3.6/shorewall-init.spec 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-init-5.2.3.7/shorewall-init.spec 2020-03-06 17:38:12.000000000 +0100 @@ -1,6 +1,6 @@ %define name shorewall-init %define version 5.2.3 -%define release 6 +%define release 7 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} @@ -135,6 +135,8 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Tue Feb 25 2020 Tom Eastep <[email protected]> +- Updated to 5.2.3-7 * Sun Feb 16 2020 Tom Eastep <[email protected]> - Updated to 5.2.3-6 * Wed Jan 15 2020 Tom Eastep <[email protected]> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.3.6/uninstall.sh new/shorewall-init-5.2.3.7/uninstall.sh --- old/shorewall-init-5.2.3.6/uninstall.sh 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-init-5.2.3.7/uninstall.sh 2020-03-06 17:38:12.000000000 +0100 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.2.3.6 +VERSION=5.2.3.7 PRODUCT=shorewall-init Product="Shorewall Init" ++++++ shorewall-lite-5.2.3.6.tar.bz2 -> shorewall-lite-5.2.3.7.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.3.6/changelog.txt new/shorewall-lite-5.2.3.7/changelog.txt --- old/shorewall-lite-5.2.3.6/changelog.txt 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-lite-5.2.3.7/changelog.txt 2020-03-06 17:38:12.000000000 +0100 
@@ -1,3 +1,24 @@ +Changes in 5.2.3.7 + +1) Update release documents + +2) Track DOCKER-ISOLATION and DOCKER-ISOLATION-STAGE-* using + separate variables. + +3) Correct detection of OLD_CONNTRACK_MATCH in the compiler. + +4) Correct handling of ORIGDEST inversion when OLD_CONNTRACK_MATCH is + available. + +5) Correct logic that detects when 'reload' is required during + 'enable'. + +6) Add checks for features requiring the mangle table when + MANGLE_ENABLED=No. + +7) Eliminate suprious 'Resetting...' message during compilation of + 'IfEvent(...,reset)' invocations. + Changes in 5.2.3.6 1) Update release documents diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.3.6/configure new/shorewall-lite-5.2.3.7/configure --- old/shorewall-lite-5.2.3.6/configure 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-lite-5.2.3.7/configure 2020-03-06 17:38:12.000000000 +0100 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.2.3.6 +VERSION=5.2.3.7 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.3.6/configure.pl new/shorewall-lite-5.2.3.7/configure.pl --- old/shorewall-lite-5.2.3.6/configure.pl 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-lite-5.2.3.7/configure.pl 2020-03-06 17:38:12.000000000 +0100 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.2.3.6' + VERSION => '5.2.3.7' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.3.6/install.sh new/shorewall-lite-5.2.3.7/install.sh --- old/shorewall-lite-5.2.3.6/install.sh 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-lite-5.2.3.7/install.sh 2020-03-06 17:38:12.000000000 +0100 
@@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=5.2.3.6 +VERSION=5.2.3.7 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.3.6/releasenotes.txt new/shorewall-lite-5.2.3.7/releasenotes.txt --- old/shorewall-lite-5.2.3.6/releasenotes.txt 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-lite-5.2.3.7/releasenotes.txt 2020-03-06 17:38:12.000000000 +0100 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 2 . 3 . 6 + S H O R E W A L L 5 . 2 . 3 . 7 ------------------------------- - F E B R U A R Y 1 6 , 2 0 2 0 + M A R C H 0 5 , 2 0 2 0 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,6 +14,42 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- +5.2.3.7 + +1) When DOCKER=Yes, if both the DOCKER-ISOLATE and + DOCKER-ISOLATE-STAGE-1 existed then the DOCKER-ISOLATE-STAGE-* + chains were not preserved through shorewall state changes. + That has been corrected so that both chains are preserved if + present. + +2) Previously, the compiler always detected the OLD_CONNTRACK_MATCH + capability as being available in IPv6. When OLD_CONNTRACK_MATCH + was available, the compiler also mishandled inversion ('!') in the + ORIGDEST columns, leading to an assertion failure: + + Shorewall::Config::fatal_error("Internal error in + Shorewall::Chains::set_rule_option at /usr/"...) called at + /usr/share/shorewall/Shorewall/Config.pm line 1619 + + Both the incorrect capability detection and the mishandled + inversion have been corrected. + +3) During 'enable' processing, if address variables associated with + the interface have values different than those when the firewall + was last started/restarted/reloaded, then a 'reload' is performed + rather than a simple 'enable'. The logic that checks for those + changes was incorrect in some configurations, leading to unneeded + reload operations. That has been corrected. + +4) When MANGLE_ENABLED=No in shorewall[6].conf, some features + requiring use of the mangle table can be allowed, even though the + mangle table is not updated. That has been corrected such that use + of such features will raise an error. + +5) When an invocation of the IfEvent(...,reset) action was invoked, + the compiler previously emitted a spurious "Resetting..." message. + That message has been suppressed. 
+ 5.2.3.6 1) When both Docker containers and Libvirt VMs were in use, 'shorewall diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.3.6/shorewall-lite.spec new/shorewall-lite-5.2.3.7/shorewall-lite.spec --- old/shorewall-lite-5.2.3.6/shorewall-lite.spec 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-lite-5.2.3.7/shorewall-lite.spec 2020-03-06 17:38:12.000000000 +0100 @@ -1,6 +1,6 @@ %define name shorewall-lite %define version 5.2.3 -%define release 6 +%define release 7 %define initdir /etc/init.d Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. @@ -114,6 +114,8 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Tue Feb 25 2020 Tom Eastep <[email protected]> +- Updated to 5.2.3-7 * Sun Feb 16 2020 Tom Eastep <[email protected]> - Updated to 5.2.3-6 * Wed Jan 15 2020 Tom Eastep <[email protected]> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.3.6/uninstall.sh new/shorewall-lite-5.2.3.7/uninstall.sh --- old/shorewall-lite-5.2.3.6/uninstall.sh 2020-02-16 19:54:50.000000000 +0100 +++ new/shorewall-lite-5.2.3.7/uninstall.sh 2020-03-06 17:38:12.000000000 +0100 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.2.3.6 +VERSION=5.2.3.7 usage() # $1 = exit status { ++++++ shorewall-5.2.3.6.tar.bz2 -> shorewall6-5.2.3.7.tar.bz2 ++++++ ++++ 121765 lines of diff (skipped) ++++++ shorewall-lite-5.2.3.6.tar.bz2 -> shorewall6-lite-5.2.3.7.tar.bz2 ++++++ ++++ 3065 lines of diff (skipped)
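Review bot: the chain names in the 5.2.3.7 releasenotes.txt item 1 ("DOCKER-ISOLATE" and "DOCKER-ISOLATE-STAGE-1", repeated in known_problems.txt item 16) do not match changelog.txt item 2 ("DOCKER-ISOLATION and DOCKER-ISOLATION-STAGE-*"); the changelog form is the name Docker actually creates, so the release notes should read DOCKER-ISOLATION / DOCKER-ISOLATION-STAGE-1 and the sentence "if both the DOCKER-ISOLATE and DOCKER-ISOLATE-STAGE-1 existed" needs the word "chains". The same paragraph is shipped in four copies (shorewall, shorewall-core, shorewall-init, shorewall-lite releasenotes.txt), so all four need the same correction, and releasenotes item 5 / known_problems item 20 should drop the doubled "an invocation of ... was invoked" in favour of "When the IfEvent(...,reset) action was invoked".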
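Review bot: item 7 of the changelog.txt hunk misspells "spurious" as "suprious", and the identical hunk is applied to the shorewall-core, shorewall-init and shorewall-lite changelogs, so the typo lands in every package's %doc; fix it in all three copies.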
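Review bot: the systemd override in the new known_problems.txt item 4 changes more than "loses Docker rules" suggests (also: "looses" should be "loses"). Replacing `ExecStop=` "clear" with `ExecStop=/sbin/shorewall $OPTIONS stop` means that during a `systemctl restart shorewall` and whenever the unit is stopped the host sits in Shorewall's stopped state, where only stoppedrules traffic is accepted, instead of having every rule removed and the box left open. That is the safer failure mode for a firewall and worth recommending, but the item should state it explicitly, and since item 14 in the same file records that the Shorewall6 stopped state does not accept critical ipv6-icmp, anyone applying the equivalent override to shorewall6.service needs that caveat next to it.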
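Review bot: the `@@ -21,7 +44,7 @@`, `@@ -39,14 +62,14 @@`, `@@ -54,7 +77,7 @@`, `@@ -63,31 +86,31 @@` and `@@ -103,7 +126,7 @@` hunks in known_problems.txt are pure renumbering caused by inserting the Docker/systemd problem as item 4; every item from 5 to 15 shifts by one, so references to "known problem N" in earlier mail and bug reports go stale. Appending the new entry after item 15 (before the 5.2.3.7 items) would keep the numbering stable and reduce this file's diff to the actual additions.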
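Review bot: the `%changelog` entries added to shorewall.spec, shorewall-core.spec, shorewall-init.spec and shorewall-lite.spec are dated "Tue Feb 25 2020", while the releasenotes.txt header in the same tarballs reads "M A R C H 0 5 , 2 0 2 0" and the files themselves are stamped 2020-03-06; pick one release date and use it in both the spec changelogs and the release notes.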
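Review bot: releasenotes.txt item 4 (changelog.txt item 6, "Add checks for features requiring the mangle table when MANGLE_ENABLED=No") turns a silently accepted condition into a compile-time error, so a configuration with MANGLE_ENABLED=No that has been "working" only because its mangle-table rules were never installed will stop compiling after this update. The direction is right, because an administrator who believes those rules are in place is worse off than one who gets an error, but the note should name the affected features or quote the new error text so that MANGLE_ENABLED=No sites can check shorewall[6].conf before upgrading rather than finding out at the next start or reload.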
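Review bot: the final two tarball comparisons pair shorewall-5.2.3.6.tar.bz2 with shorewall6-5.2.3.7.tar.bz2 and shorewall-lite-5.2.3.6.tar.bz2 with shorewall6-lite-5.2.3.7.tar.bz2 (121765 and 3065 skipped lines), i.e. old and new archives were matched by sort order rather than by product, and no shorewall-5.2.3.7 or shorewall-lite-5.2.3.7 diff appears at all. The Perl changes behind items 2 to 5 (the Shorewall::Chains::set_rule_option path and Shorewall/Config.pm named in the quoted assertion failure) are therefore not reviewable from this log; regenerate the comparison against the matching tarballs before accepting.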
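Review bot: known_problems.txt item 17 gives "Use a capabilities file -- the shorewall6 CLI detects OLD_CONNTRACK_MATCH accurately" as the workaround but not how to produce one; since this is the only mitigation on releases before 5.2.3.7, add the command (`shorewall6 show -f capabilities > /etc/shorewall6/capabilities`, the file-format output of `show capabilities`) and a reminder that the file must be regenerated when the kernel or iptables is upgraded, otherwise the compiler keeps using stale capability data.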
