Hello community,

here is the log from the commit of package shorewall for openSUSE:Factory 
checked in at 2020-04-15 19:54:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shorewall (Old)
 and      /work/SRC/openSUSE:Factory/.shorewall.new.2738 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "shorewall"

Wed Apr 15 19:54:55 2020 rev:113 rq:793944 version:5.2.4

Changes:
--------
--- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes      2020-03-17 
13:08:28.525722032 +0100
+++ /work/SRC/openSUSE:Factory/.shorewall.new.2738/shorewall.changes    
2020-04-15 19:55:05.353615066 +0200
@@ -1,0 +2,48 @@
+Tue Apr 14 14:35:51 UTC 2020 - Bruno Friedmann <[email protected]>
+
+- Add perl-base as buildrequirement to force choice of SHA-DIGEST
+  new problem in TW
+- To fix boo#1166114 never restart shorewall-init.service
+  macro service_del_postun is replaced by simplier systemd_postun
+- Remove conflict between main and lite package.
+  A managing station need main to build configuration and can use
+  -lite to execute it. Users are in charge of choosing which
+  service has to be started and used. ❤ Freedom
+
+-------------------------------------------------------------------
+Sat Apr  4 07:31:53 UTC 2020 - Bruno Friedmann <[email protected]>
+
+- Remove shorewall require from shorewall-init (was a forgoten
+  action)
+
+-------------------------------------------------------------------
+Tue Mar 31 14:37:38 UTC 2020 - Bruno Friedmann <[email protected]>
+
+- Update to version 5.2.4
+  https://shorewall.org/pub/shorewall/5.2/shorewall-5.2.4/releasenotes.txt
+  + Previously, when a Shorewall6 firewall was placed into the
+    'stopped' state, ICMP6 packets required by RFC 4890 were not
+    automatically accepted by the generated ruleset.
+    Beginning with this release, those packets are automatically
+    accepted.
+  + Previously, the output of 'shorewall[6] help' displayed the
+    superseded 'load' command. That text has been deleted.
+  + The QOSExample.html file in the documentation and on the web site
+    previously showed tcrules content for the /etc/shorewall/mangle
+    file (recall that 'mangle' superseded 'tcrules'). That page has
+    been corrected.
+  + The 'Starting and Stopping' and 'Configuration file basics'
+    documents have been updated to align them with the current product
+    behavior.
+  +  The 'ipsets' document has been updated to clarify the use of
+    ipsets in the stoppedrules file.
+- Packaging
+  + shorewall-init package has a removed %service_del_postun
+    macro to close bug boo#1166114 Restarting this service can
+    lock down admin out of the system.
+  + shorewall(6) and shorewall(6)-lite conflict has they shouldn't
+    be installed together on the same system.
+  + conf_update flag is set to 1 to activate update reminder
+  + Adjust and cleanup requires
+
+-------------------------------------------------------------------
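
Review bot: Several of the added changelog lines have wording errors that make the boo#1166114 entry harder to read: "simplier" should be "simpler", "forgoten" should be "forgotten", "A managing station need main" should be "needs", and "conflict has they shouldn't be installed together" should be "as they". The Apr 14 entry also removes the main/lite conflict that the Mar 31 "Packaging" list in the same hunk announces, so it would help to say explicitly that it supersedes that item.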

Old:
----
  shorewall-5.2.3.7.tar.bz2
  shorewall-core-5.2.3.7.tar.bz2
  shorewall-docs-html-5.2.3.7.tar.bz2
  shorewall-init-5.2.3.7.tar.bz2
  shorewall-lite-5.2.3.7.tar.bz2
  shorewall6-5.2.3.7.tar.bz2
  shorewall6-lite-5.2.3.7.tar.bz2

New:
----
  shorewall-5.2.4.tar.bz2
  shorewall-core-5.2.4.tar.bz2
  shorewall-docs-html-5.2.4.tar.bz2
  shorewall-init-5.2.4.tar.bz2
  shorewall-lite-5.2.4.tar.bz2
  shorewall6-5.2.4.tar.bz2
  shorewall6-lite-5.2.4.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ shorewall.spec ++++++
--- /var/tmp/diff_new_pack.IeLDlQ/_old  2020-04-15 19:55:08.209616355 +0200
+++ /var/tmp/diff_new_pack.IeLDlQ/_new  2020-04-15 19:55:08.209616355 +0200
@@ -18,15 +18,15 @@
 
 %define have_systemd 1
 %define dmaj 5.2
-%define dmin 5.2.3
+%define dmin 5.2.4
 # Warn users for upgrading configuration but only on major or minor version 
changes
-%define conf_need_update 0
+%define conf_need_update 1
 #2017+ New fillup location
 %if ! %{defined _fillupdir}
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           shorewall
-Version:        5.2.3.7
+Version:        5.2.4
 Release:        0
 Summary:        An iptables-based firewall for Linux systems
 License:        GPL-2.0-only
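
Review bot: "%define conf_need_update 1" is now set, but the comment directly above it says the warning is meant only for major or minor version changes, and nothing here resets it. The next patch-level bump will keep warning unless someone remembers to put it back to 0; consider extending the comment to say "reset to 0 on patch-level updates".
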
@@ -48,10 +48,12 @@
 # PATCH-FIX-OPENSUSE Shorewall-lite (6) use of fillup template
 Patch3:         shorewall-lite-fillup-install.patch
 BuildRequires:  bash >= 4
+BuildRequires:  perl-base
 BuildRequires:  perl(Digest::SHA)
 BuildRequires:  pkgconfig(systemd)
 Requires:       %{_sbindir}/service
 Requires:       %{name}-core = %{version}-%{release}
+Requires:       bc
 Requires:       iproute2
 Requires:       iptables
 Requires:       logrotate
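
Review bot: The new "Requires: bc" has no comment and the changelog in this commit only says "Adjust and cleanup requires", so it is not clear which script needs it. A one-line comment above the Requires naming the consumer would let a later cleanup judge whether it is still needed; "BuildRequires: perl-base" is at least explained in the changelog ("to force choice of SHA-DIGEST") and could carry the same explanation inline.
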
@@ -96,6 +98,9 @@
 Group:          Productivity/Networking/Security
 Requires:       %{_sbindir}/service
 Requires:       %{name}-core = %{version}-%{release}
+Requires:       bc
+Requires:       iproute2
+Requires:       iptables
 Requires:       logrotate
 Requires:       perl-base
 PreReq:         %fillup_prereq
@@ -113,6 +118,9 @@
 Group:          Productivity/Networking/Security
 Requires:       %{_sbindir}/service
 Requires:       %{name}-core = %{version}-%{release}
+Requires:       bc
+Requires:       iproute2
+Requires:       iptables
 Requires:       logrotate
 PreReq:         %fillup_prereq
 Provides:       shoreline_firewall = %{version}-%{release}
@@ -127,12 +135,12 @@
 administrators to centralize the configuration of Shorewall6-based firewalls.
 
 %package  init
-Summary:        Adds functionality to Shoreline Firewall (Shorewall)
+Summary:        Adds functionality during boot to Shoreline Firewall 
(Shorewall)
 License:        GPL-2.0-only
 Group:          Productivity/Networking/Security
 Requires:       %{_sbindir}/service
-Requires:       %{name} >= 5.0
 Requires:       logrotate
+Requires:       shoreline_firewall = %{version}-%{release}
 PreReq:         %fillup_prereq
 %{?systemd_requires}
 
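Review bot: In the init subpackage, "Requires: %{name} >= 5.0" becomes "Requires: shoreline_firewall = %{version}-%{release}", which is a much stricter pin and relies on every firewall flavour providing that exact capability. Only one "Provides: shoreline_firewall = %{version}-%{release}" is visible in this diff (in the -113 hunk), so please confirm that shorewall, shorewall6 and both -lite packages all provide it; otherwise shorewall-init becomes uninstallable next to some of them. The changelog line "Remove shorewall require from shorewall-init" should also mention the replacement requirement.
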
@@ -219,12 +227,8 @@
         sbindir=%{_sbindir} \
         %if 0%{?have_systemd}
             servicedir=%{_unitdir} \
+            initdir= \
         %endif
-# ensure correct service files are installed
-       %if 0%{?systemd_version} >= 214
-           servicefile=${i}.service.214 \
-       %endif
-
        sharedir=%{_datadir}
 
     if [ $i != shorewall-init ];then
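
Review bot: The added "initdir= \" passes an empty value with no explanation, and the removed "servicefile=${i}.service.214" block is dropped without a changelog entry. Please add a comment above "initdir=" stating why it is deliberately empty under have_systemd, and note in the changelog that the service-file selection for systemd_version >= 214 is no longer needed, so the next reader does not restore either by mistake.
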
@@ -356,12 +360,15 @@
 %{fillup_only}
 %service_add_post shorewall-init.service
 
-%postun  init
-%service_del_postun shorewall-init.service
-
 %preun  init
 %service_del_preun shorewall-init.service
 
+%postun init
+# boo#1166114 Never try to restart shorewall-init
+# You can lock down the system so never use
+#%%service_del_postun shorewall-init.service macro
+%systemd_postun
+
 %files
 %defattr(-,root,root,-)
 %doc %{name}-%version/{COPYING,changelog.txt,releasenotes.txt,README.openSUSE}
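
Review bot: In the new "%postun init" scriptlet, "%systemd_postun" is called without a unit name, whereas the removed "%service_del_postun shorewall-init.service" named the unit; either pass shorewall-init.service or say in the comment why no argument is wanted. The comment itself ("You can lock down the system so never use") is hard to parse: since this is the fix for an admin lock-out, spell it out, for example "restarting shorewall-init on package update can lock the admin out of the system (boo#1166114), so do not use %%service_del_postun here".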

++++++ README.openSUSE ++++++
--- /var/tmp/diff_new_pack.IeLDlQ/_old  2020-04-15 19:55:08.241616369 +0200
+++ /var/tmp/diff_new_pack.IeLDlQ/_new  2020-04-15 19:55:08.241616369 +0200
@@ -12,7 +12,8 @@
 This is not the case for Shorewall.
 
 Enabling Firewall in /etc/sysconfig/network/config or in individual
-ifcfg-xxx files is not enough. /etc/sysconfig/shorewall-init should be  
+ifcfg-xxx files is not enough. 
+If using shorewall-init /etc/sysconfig/shorewall-init should be  
 configured.
 
 As the shorewall web page states
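
Review bot: Both added README lines end in trailing whitespace ("is not enough. " and "should be  "), and the new sentence needs a comma after the condition: "If using shorewall-init, /etc/sysconfig/shorewall-init should be configured."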

++++++ shorewall-5.2.3.7.tar.bz2 -> shorewall-5.2.4.tar.bz2 ++++++
++++ 6025 lines of diff (skipped)

++++++ shorewall-5.2.rpmlintrc ++++++
--- /var/tmp/diff_new_pack.IeLDlQ/_old  2020-04-15 19:55:08.829616634 +0200
+++ /var/tmp/diff_new_pack.IeLDlQ/_new  2020-04-15 19:55:08.829616634 +0200
@@ -8,3 +8,4 @@
 addFilter("non-executable-script /usr/share/shorewall6/configfiles/scfilter")
 addFilter("non-executable-script /etc/shorewall6/scfilter")
 addFilter("perl5-naming-policy-not-applied")
+addFilter("systemd-service-without-service_del_postun shorewall-init.service")
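
Review bot: The new filter for "systemd-service-without-service_del_postun shorewall-init.service" silences an rpmlint check with no explanation in the file. Add a comment line above it referencing boo#1166114, so the suppression is not removed (and the restart-on-update behaviour reintroduced) during a later rpmlintrc cleanup.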

++++++ shorewall-core-5.2.3.7.tar.bz2 -> shorewall-core-5.2.4.tar.bz2 ++++++
++++ 2134 lines of diff (skipped)

++++++ shorewall-docs-html-5.2.3.7.tar.bz2 -> shorewall-docs-html-5.2.4.tar.bz2 ++++++
++++ 3124 lines of diff (skipped)

++++++ shorewall-init-5.2.3.7.tar.bz2 -> shorewall-init-5.2.4.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-init-5.2.3.7/changelog.txt 
new/shorewall-init-5.2.4/changelog.txt
--- old/shorewall-init-5.2.3.7/changelog.txt    2020-03-06 17:38:12.000000000 
+0100
+++ new/shorewall-init-5.2.4/changelog.txt      2020-03-21 22:40:33.000000000 
+0100
@@ -1,74 +1,32 @@
-Changes in 5.2.3.7
+Changes in 5.2.4 Final
 
-1)  Update release documents
-
-2)  Track DOCKER-ISOLATION and DOCKER-ISOLATION-STAGE-* using
-    separate variables.
-
-3)  Correct detection of OLD_CONNTRACK_MATCH in the compiler.
-
-4)  Correct handling of ORIGDEST inversion when OLD_CONNTRACK_MATCH is
-    available.
-
-5)  Correct logic that detects when 'reload' is required during
-    'enable'.
-
-6)  Add checks for features requiring the mangle table when
-    MANGLE_ENABLED=No.
-
-7)  Eliminate suprious 'Resetting...' message during compilation of
-    'IfEvent(...,reset)' invocations.
-
-Changes in 5.2.3.6
-
-1)  Update release documents
-
-2)  Don't try to save/restore libvirt rules when DOCKER=Yes.
-
-Changes in 5.2.3.5
-
-1)  Correct typo in FTP.xml.
-
-2)  Correct recommended mss with ipcomp.
-
-3)  Correct manpage links in documentation and manpages.
-
-4)  Allow the bypass option in an NFQUEUE policy.
-
-5)  Correct IPv6 Address Range parsing.
+1)  Update release documents.
 
-6)  Correct documentation links.
+2)  Update the IPSets document.
 
-Changes in 5.2.3.4
+Changes in 5.2.4 RC 1
 
 1)  Update release documents.
 
-2)  Correct handling of multi-queue NFQUEUE as a policy.
+2)  Correct QOS Example document's mangle file contents.
 
-3)  Correct handling of multi-queue NFQUEUE as a macro parameter.
+3)  Update the Configuration File basics document.
 
-4)  Make 'AUTOMAKE=No' the update default.
-
-5)  Correct the description of the 'bypass' NFQUEUE option in
-    shorewall-rules(5).
-
-Changes in 5.2.3.3
+Changes in 5.2.4 Beta 1
 
 1)  Update release documents.
 
-2)  Document fix for an ipset in the SPORT column.
+2)  Allow required ICMPv6 packets in stopped state.
 
-Changes in 5.2.3.2
+3)  Add DOCKER_BRIDGE option in shorewall.conf.
 
-1)  Update release documents.
+4)  Retire 'trace', 'debug' and 'nolock'.
 
-2)  Document fix for masq file auto-update.
+5)  Remove 'load' from the output of 'shorewall[6] help'
 
-Changes in 5.2.3.1
-
-1)  Update release documents.
+6)  Update the CompiledPrograms.xml article
 
-2)  Correct issue with policy file zone exclusion.
+7)  Replace 'shorewall.net' with 'shorewall.org'.
 
 Changes in 5.2.3 Final
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-init-5.2.3.7/configure 
new/shorewall-init-5.2.4/configure
--- old/shorewall-init-5.2.3.7/configure        2020-03-06 17:38:12.000000000 
+0100
+++ new/shorewall-init-5.2.4/configure  2020-03-21 22:40:33.000000000 +0100
@@ -4,7 +4,7 @@
 #
 #     (c) 2012,2014,2017 - Tom Eastep ([email protected])
 #
-#      Shorewall documentation is available at http://www.shorewall.net
+#      Shorewall documentation is available at http://www.shorewall.org
 #
 #       This program is part of Shorewall.
 #
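
Review bot: The replacement URL in this header comment is "http://www.shorewall.org", while the release notes removed elsewhere in this same diff say the manpages were moved to "https://shorewall.org" rather than "http://www.shorewall.org", and the spec changelog links to https://shorewall.org/pub/.... The same http form is used in the other script headers changed below; using https://shorewall.org throughout would keep the rename consistent.
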
@@ -28,7 +28,7 @@
 #
 # Build updates this
 #
-VERSION=5.2.3.7
+VERSION=5.2.4
 
 case "$BASH_VERSION" in
     [4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-init-5.2.3.7/configure.pl 
new/shorewall-init-5.2.4/configure.pl
--- old/shorewall-init-5.2.3.7/configure.pl     2020-03-06 17:38:12.000000000 
+0100
+++ new/shorewall-init-5.2.4/configure.pl       2020-03-21 22:40:33.000000000 
+0100
@@ -4,7 +4,7 @@
 #
 #     (c) 2012, 2014 - Tom Eastep ([email protected])
 #
-#      Shorewall documentation is available at http://www.shorewall.net
+#      Shorewall documentation is available at http://www.shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -31,7 +31,7 @@
 # Build updates this
 #
 use constant {
-    VERSION => '5.2.3.7'
+    VERSION => '5.2.4'
 };
 
 my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-init-5.2.3.7/ifupdown.debian.sh 
new/shorewall-init-5.2.4/ifupdown.debian.sh
--- old/shorewall-init-5.2.3.7/ifupdown.debian.sh       2020-03-06 
17:27:18.000000000 +0100
+++ new/shorewall-init-5.2.4/ifupdown.debian.sh 2020-03-21 22:37:59.000000000 
+0100
@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep ([email protected])
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at http://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-init-5.2.3.7/ifupdown.fedora.sh 
new/shorewall-init-5.2.4/ifupdown.fedora.sh
--- old/shorewall-init-5.2.3.7/ifupdown.fedora.sh       2020-03-06 
17:27:18.000000000 +0100
+++ new/shorewall-init-5.2.4/ifupdown.fedora.sh 2020-03-21 22:37:59.000000000 
+0100
@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep ([email protected])
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at http://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-init-5.2.3.7/ifupdown.suse.sh 
new/shorewall-init-5.2.4/ifupdown.suse.sh
--- old/shorewall-init-5.2.3.7/ifupdown.suse.sh 2020-03-06 17:27:18.000000000 
+0100
+++ new/shorewall-init-5.2.4/ifupdown.suse.sh   2020-03-21 22:37:59.000000000 
+0100
@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep ([email protected])
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at http://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-init-5.2.3.7/init.debian.sh 
new/shorewall-init-5.2.4/init.debian.sh
--- old/shorewall-init-5.2.3.7/init.debian.sh   2020-03-06 17:27:18.000000000 
+0100
+++ new/shorewall-init-5.2.4/init.debian.sh     2020-03-21 22:37:59.000000000 
+0100
@@ -8,7 +8,7 @@
 #
 #       On most distributions, this file should be called 
/etc/init.d/shorewall.
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-init-5.2.3.7/init.suse.sh 
new/shorewall-init-5.2.4/init.suse.sh
--- old/shorewall-init-5.2.3.7/init.suse.sh     2020-03-06 17:27:18.000000000 
+0100
+++ new/shorewall-init-5.2.4/init.suse.sh       2020-03-21 22:37:59.000000000 
+0100
@@ -7,7 +7,7 @@
 #
 #       On most distributions, this file should be called 
/etc/init.d/shorewall.
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-init-5.2.3.7/install.sh 
new/shorewall-init-5.2.4/install.sh
--- old/shorewall-init-5.2.3.7/install.sh       2020-03-06 17:38:12.000000000 
+0100
+++ new/shorewall-init-5.2.4/install.sh 2020-03-21 22:40:33.000000000 +0100
@@ -5,7 +5,7 @@
 #     (c) 2000-2016 - Tom Eastep ([email protected])
 #     (c) 2010 - Roberto C. Sanchez ([email protected])
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -27,7 +27,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 
02110-1301 USA.
 #
 
-VERSION=5.2.3.7
+VERSION=5.2.4
 PRODUCT=shorewall-init
 Product="Shorewall Init"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-init-5.2.3.7/lib.installer 
new/shorewall-init-5.2.4/lib.installer
--- old/shorewall-init-5.2.3.7/lib.installer    2020-03-06 17:38:12.000000000 
+0100
+++ new/shorewall-init-5.2.4/lib.installer      2020-03-21 22:40:33.000000000 
+0100
@@ -4,7 +4,7 @@
 #     (c) 2017 - Tom Eastep ([email protected])
 #     (c) 2017 - Matt Darfeuille ([email protected])
 #
-#      Complete documentation is available at http://shorewall.net
+#      Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-init-5.2.3.7/lib.uninstaller 
new/shorewall-init-5.2.4/lib.uninstaller
--- old/shorewall-init-5.2.3.7/lib.uninstaller  2020-03-06 17:38:12.000000000 
+0100
+++ new/shorewall-init-5.2.4/lib.uninstaller    2020-03-21 22:40:33.000000000 
+0100
@@ -4,7 +4,7 @@
 #     (c) 2017 - Tom Eastep ([email protected])
 #     (c) 2017 - Matt Darfeuille ([email protected])
 #
-#      Complete documentation is available at http://shorewall.net
+#      Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-init-5.2.3.7/releasenotes.txt 
new/shorewall-init-5.2.4/releasenotes.txt
--- old/shorewall-init-5.2.3.7/releasenotes.txt 2020-03-06 17:38:12.000000000 
+0100
+++ new/shorewall-init-5.2.4/releasenotes.txt   2020-03-21 22:40:33.000000000 
+0100
@@ -1,7 +1,7 @@
 ----------------------------------------------------------------------------
-                    S H O R E W A L L  5 . 2 . 3 . 7
+                       S H O R E W A L L  5 . 2 . 4
                       -------------------------------
-                        M A R C H  0 5 , 2 0 2 0
+                         M A R C H  2 4 ,  2 0 1 9
 ----------------------------------------------------------------------------
 
 I.    PROBLEMS CORRECTED IN THIS RELEASE
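
Review bot: The new banner date reads "M A R C H  2 4 ,  2 0 1 9", but the line it replaces is dated March 05, 2020 and the file timestamps in this diff are 2020-03-21, so the year looks like a typo for 2020. Worth reporting upstream, since this file is shipped as %doc.
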
@@ -14,152 +14,27 @@
   I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
 
-5.2.3.7
-
-1)  When DOCKER=Yes, if both the DOCKER-ISOLATE and
-    DOCKER-ISOLATE-STAGE-1 existed then the DOCKER-ISOLATE-STAGE-*
-    chains were not preserved through shorewall state changes.
-    That has been corrected so that both chains are preserved if
-    present.
-
-2)  Previously, the compiler always detected the OLD_CONNTRACK_MATCH
-    capability as being available in IPv6. When OLD_CONNTRACK_MATCH
-    was available, the compiler also mishandled inversion ('!') in the
-    ORIGDEST columns, leading to an assertion failure:
-
-      Shorewall::Config::fatal_error("Internal error in
-        Shorewall::Chains::set_rule_option at /usr/"...) called at
-        /usr/share/shorewall/Shorewall/Config.pm line 1619
-
-    Both the incorrect capability detection and the mishandled
-    inversion have been corrected.
-
-3)  During 'enable' processing, if address variables associated with
-    the interface have values different than those when the firewall
-    was last started/restarted/reloaded, then a 'reload' is performed
-    rather than a simple 'enable'. The logic that checks for those
-    changes was incorrect in some configurations, leading to unneeded
-    reload operations. That has been corrected.
-
-4)  When MANGLE_ENABLED=No in shorewall[6].conf, some features
-    requiring use of the mangle table can be allowed, even though the
-    mangle table is not updated. That has been corrected such that use
-    of such features will raise an error.
-
-5)  When an invocation of the IfEvent(...,reset) action was invoked,
-    the compiler previously emitted a spurious "Resetting..." message.
-    That message has been suppressed.
-
-5.2.3.6
-
-1)  When both Docker containers and Libvirt VMs were in use, 'shorewall
-    start' could fail as follows:
-
-      Running /sbin/iptables-restore --wait 60...
-      iptables-restore v1.8.3 (legacy): Couldn't load target
-      `LIBVIRT_PRT':No such file or directory
-      Error occurred at line: 19
-      Try `iptables-restore -h' or 'iptables-restore --help' for more 
information.
-         ERROR: /sbin/iptables-restore --wait 60 Failed.
-
-    That has been corrected.
-
-5.2.3.5
-
-1)  A typo in the FTP documentation has been corrected.
-
-2)  The recommended mss setting when using IPSec with ipcomp has been
-    corrected.
-
-3)  A number of incorrect links in the manpages have been corrected.
-
-4)  The 'bypass' option is now allowed when specifying an NFQUEUE
-    policy. Previously, specifying that option resulted in an error.
-
-5)  Corrected IPv6 Address Range parsing.
+1)  Previously, when a Shorewall6 firewall was placed into the
+    'stopped' state, ICMP6 packets required by RFC 4890 were not
+    automatically accepted by the generated ruleset.
     
-    Previously, such ranges were required to be of the form [<addr1>-<addr2>]
-    rather than the more standard form [<addr1>]-[<addr2>]. In the snat file
-    (and in nat actions), the latter form was actually flagged as an error
-    while in other contexts, it resulted in a less obvious error being
-    raised.
-
-6)  The manpages have been updated to refer to https://shorewall.org
-    rather than http://www.shorewall.org.
-
-5.2.3.4
-
-1)  If multi-queue NFQUEUE (e.g., NFQUEUE(0:1) ) WAS used as a policy,
-    an error such as the following was previously incorrectly raised.
-
-      ERROR: Invalid policy (NFQUEUE(0) /etc/shorewall/policy (line
-             15)
-    
-    That has been corrected such that no error is raised.
-
-2)  If multi-queue NFQUEUE( e.g., NFQUEUE(0:1,bypass) ) was passed to a
-    macro, an error such as the following was previously incorrectly
-    raised:
-
-      ERROR: Invalid ACTION (PARAM:1c,bypass)))
-             /usr/share/shorewall/macro.BitTorrent (line 12)
-            from /etc/shorewall/rules (line 40)
-
-    Now, the NFQUEUE action is correctly substituted for PARAM in
-    the Macro body.
-
-3)  If shorewall[6].conf didn't set AUTOMAKE, the 'update' command
-    previously produced a new file with 'AUTOMAKE=Yes'. This resulted
-    in an unexpected change of behavior. Now, the new file contains
-    'AUTOMAKE=No', which preserves the pre-update behavior.
-
-4)  Shorewall-rules(5) incorrectly stated that the 'bypass' option to
-    NFQUEUE causes the rule to be silently bypassed if there is no
-    application attached to the queue. The actual behavior is that the
-    rule acts like ACCEPT in that case. Shorewall-rules(5) has been
-    corrected.
-
-5.2.3.3
-
-1)  Previously, if an ipset was specified in an SPORT column, the
-    compiler would raise an error similar to:
-
-      ERROR: Invalid ipset name () /etc/shorewall/rules (line 44)
-
-    That has been corrected.
-
-5.2.3.2
-
-1)  Shorewall 5.2 automatically converts and existing 'masq' file to an
-    equivalent 'snat' file. Regrettably, Shorewall 5.2.3 broke that
-    automatic update, such that the following error message was issued:
-
-       Use of uninitialized value $Shorewall::Nat::raw::currentline in
-       pattern match (m//) at /usr/share/shorewall/Shorewall/Nat.pm
-       line 511, <$currentfile> line nnn.
+    Beginning with this release, those packets are automatically
+    accepted.
 
-    and the generted 'masq' file contains only initial comments.
+2)  Previously, the output of 'shorewall[6] help' displayed the
+    superseded 'load' command. That text has been deleted.
 
-    That has been corrected.
+3)  The QOSExample.html file in the documentation and on the web site
+    previously showed tcrules content for the /etc/shorewall/mangle
+    file (recall that 'mangle' superseded 'tcrules'). That page has
+    been corrected.
+
+4)  The 'Starting and Stopping' and 'Configuration file basics'
+    documents have been updated to align them with the current product
+    behavior.
 
-5.2.3.1
-
-1)  An issue in the implementation of policy file zone exclusion,
-    released in 5.2.3 has been resolved. In the original release,
-    if more than one zone was excluded, then the following error was
-    raised:
-
-       ERROR:  'all' is not allowed in a source zone list
-               etc/shorewall/policy (line ...)
-
-5.2.3
-
-1)  To prevent a helper kernel module from being loaded, it was
-    previously necessary to list both its current name and its
-    pre-kernel-2.6.20 name in the DONT_LOAD option in
-    /etc/shorewall[6].conf. For example, to prevent nf_conntrack_sip
-    from being loaded, it was necessary to also list ip_conntrack_sip
-    in DONT_LOAD. That is no longer necessary.
+5)  The 'ipsets' document has been updated to clarify the use of
+    ipsets in the stoppedrules file.
 
 ----------------------------------------------------------------------------
            I I.  K N O W N   P R O B L E M S   R E M A I N I N G
@@ -180,27 +55,60 @@
     uses a "delete..add.." sequence on these routes rather than a
     single "replace" command.
 
+4)  On Debian-derived systems, when DOCKER=Yes, the 'systemctl restart
+    shorewall' command looses Docker rules.
+
+    Workaround (courtesy of J Cliff Armstrong):
+
+    Type (as root):
+
+        `systemctl edit shorewall.service`.
+
+    This will open the default terminal editor to a blank file in
+    which you can paste the following:
+
+    [Service]
+    # reset ExecStop
+    ExecStop=
+    # set ExecStop to "stop" instead of "clear"
+    ExecStop=/sbin/shorewall $OPTIONS stop
+
+    Then type `systemctl daemon-reload` to activate the changes. This
+    change will survive future updates of the shorewall package from apt
+    repositories. The override file itself will be saved to
+    `/etc/systemd/system/shorewall.service.d/`.
+
 ----------------------------------------------------------------------------
       I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
 
-1)  Zone exclusion (e.g., "all!z2,z2,...") is now supported in the
-    policy file.
+1)  Previously, Shorewall's Docker support assumed that the default
+    Docker Bridge (docker0) was being used. Beginning with this
+    release, the DOCKER_BRIDGE option in Shorewall.conf allows an
+    arbitrary name to be assigned to the bridge. In particular, when
+    CNI is being used, DOCKER_BRIDGE=cni0 is the appropriate setting.
+
+2)  The CLI keywords 'debug' and 'trace' have been replaced by -D and
+    -T options respectively (e.g., 'shorewall trace reload' is now
+    'shorewall -T reload'). Like the keywords, only one of these
+    options can be active at a time; if both are entered, only the
+    last one is activated. A similar change has been made to the
+    generated script.
+
+    The -T option (formerly 'trace') now applies only to shell-level
+    tracing in the CLI and generated script. Those commands that
+    invoke the rules compiler now accept a -D command option which
+    causes the compiler to generate debugging information (e.g.,
+    'shorewall check -D').
+
+    The 'nolock' keyword is now deprecated in favor of the -N
+    option (e.g., 'shorewall nolock reload' becomes 'shorewall -N
+    reload').
 
-2)  With the availability of zone exclusion in the rules file, 'all[+]-'
-    and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW'
-    respectively. Beginning with this release, the former are
-    deprecated in favor of the latter and will result in a warning
-    message, if used.
+    See shorewall(8) for details.
 
-3)  Internal documentaton of the undocumented 'test' parameter to
-    compiler.pl has been added (it is used by the regression test
-    library to suppress versions and date/times from the generated
-    script).
-
-4)  The LOAD_HELPERS_ONLY option has been removed from
-    shorewall[6].conf. Hereafter, Shorewall[6] will behave as if
-    LOAD_HELPERS_ONLY=Yes had been specified.
+3)  Within the source code and documentation, 'shorewall.net' has been
+    replaced by 'shorewall.org'.
 
 ----------------------------------------------------------------------------
                   I V.  M I G R A T I O N   I S S U E S
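
Review bot: In the new Known Problem 4, "looses Docker rules" should be "loses", and the [Service] override snippet sits at the same indent as the prose while the systemctl command above it is indented, so it is easy to miss where the pasted text starts and ends. The workaround also changes ExecStop from "clear" to "stop" (per its own comment) without saying what that means for traffic while the service is stopped; one sentence on that would help admins applying it. In New Feature 1, "Shorewall.conf" should be lowercase "shorewall.conf", as in the changelog.txt entry for DOCKER_BRIDGE.
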
@@ -307,7 +215,7 @@
     This issue is not handled by 'shorewall update' and must be
     corrected manually.
 
-4)  The Netfilter team have removed support for the rawpost table, so
+3)  The Netfilter team have removed support for the rawpost table, so
     Shorewall no longer supports features requiring that table
     (stateless netmapping in the netmap file). The good news is that,
     since kernel 3.7, Netfilter supports stateful IPv6 network mapping
@@ -317,10 +225,10 @@
     This issue is not handled by 'shorewall update' and must be
     corrected manually.
 
-5)  The (undocumented) Makefiles haven't been maintained for many
+4)  The (undocumented) Makefiles haven't been maintained for many
     releases and have been removed.
 
-6)  Beginning with Shorewall 5.1.2, The DROP_DEFAULT, REJECT_DEFAULT,
+5)  Beginning with Shorewall 5.1.2, The DROP_DEFAULT, REJECT_DEFAULT,
     etc. options may now specify a comma-separated list of actions
     rather than just a single action. The actions are invoked in the
     order in which they are listed and each action may optionally be
@@ -338,13 +246,13 @@
     This issue is partially handled by 'shorewall update' - see
     the 5.2 issues below.
 
-7)  Beginning with Shorewall 5.1.2, the allowBcast, dropBcast, and
+6)  Beginning with Shorewall 5.1.2, the allowBcast, dropBcast, and
     Broadcast no longer handle multicast. Multicast is handeled
     separately in actions allowMcast, dropMcast and Multicast. The
     now-deprecated Drop and Reject policy actions have been modified so
     that they continue to silently drop multicast packets.
 
-8)  According to the Netfilter team (see
+7)  According to the Netfilter team (see
     https://patchwork.kernel.org/patch/9198133/), the --nflog-range option
     of the NFLOG target has never worked correctly, and they have
     deprecated that option in favor of the --nflog-size option.
@@ -369,14 +277,14 @@
     This issue is not handled by 'shorewall update' and must be
     corrected manually.
 
-9)  The MODULE_SUFFIX option in shorewall[6].conf was eliminated in
+8)  The MODULE_SUFFIX option in shorewall[6].conf was eliminated in
     Shorewall 5.1.7. Shorewall now finds modules, independent of their
     filename suffix.
 
     'shorewall [-6] update' will automatically remove any MODULE_SUFFIX
     setting.
 
-10) Beginning with Shorewall 5.1.8, when RESTORE_DEFAULT_ROUTE=Yes the
+9)  Beginning with Shorewall 5.1.8, when RESTORE_DEFAULT_ROUTE=Yes the
     default route is only restored when there are no enabled
     'balance/primary' providers and no enabled fallback providers.
 
@@ -385,7 +293,7 @@
     successfully enabled, the default route(s) are removed from the
     main table.
 
-11) Because restoring default routes to the main routing table can
+10) Because restoring default routes to the main routing table can
     break the ability of Foolsm and other link status monitors to
     properly detect non-functioning provider links, a warning message
     is issued when the 'persistent' provider option is specified and
@@ -399,7 +307,7 @@
     This issue is not handled by 'shorewall update' and must be
     corrected manually.
 
-12) Most interface OPTIONS have always been ignored when the INTERFACE
+11) Most interface OPTIONS have always been ignored when the INTERFACE
     name is '+'. Beginning with the Shorewall 5.1.10 release, a warning
     is issued when an ignored option is specified with interface name '+'.
 
@@ -444,7 +352,7 @@
     This issue is not handled by 'shorewall update' and must be
     corrected manually.
 
-13) INLINE_MATCHES=Yes has been documented as deprecated for some
+12) INLINE_MATCHES=Yes has been documented as deprecated for some
     time, but it has not generated a warning. Beginning with the
     Shorewall 5.1.12 release, a warning is issued:
     
@@ -600,9 +508,220 @@
 ----------------------------------------------------------------------------
          V.  N O T E S  F R O M  O T H E R  5 . 2  R E L E A S E S
 ----------------------------------------------------------------------------
+                   N E W  F E A T U R E S  I N  5 . 2 . 3
+----------------------------------------------------------------------------
+
+1)  Zone exclusion (e.g., "all!z2,z2,...") is now supported in the
+    policy file.
+
+2)  With the availability of zone exclusion in the rules file, 'all[+]-'
+    and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW'
+    respectively. Beginning with this release, the former are
+    deprecated in favor of the latter and will result in a warning
+    message, if used.
+
+3)  Internal documentaton of the undocumented 'test' parameter to
+    compiler.pl has been added (it is used by the regression test
+    library to suppress versions and date/times from the generated
+    script).
+
+4)  The LOAD_HELPERS_ONLY option has been removed from
+    shorewall[6].conf. Hereafter, Shorewall[6] will behave as if
+    LOAD_HELPERS_ONLY=Yes had been specified.
+
+----------------------------------------------------------------------------
+             P R O B L E M S  C O R R E C T E D  I N  5 . 2 . 3
+----------------------------------------------------------------------------
+
+5.2.3.7
+
+1)  When DOCKER=Yes, if both the DOCKER-ISOLATE and
+    DOCKER-ISOLATE-STAGE-1 existed then the DOCKER-ISOLATE-STAGE-*
+    chains were not preserved through shorewall state changes.
+    That has been corrected so that both chains are preserved if
+    present.
+
+2)  Previously, the compiler always detected the OLD_CONNTRACK_MATCH
+    capability as being available in IPv6. When OLD_CONNTRACK_MATCH
+    was available, the compiler also mishandled inversion ('!') in the
+    ORIGDEST columns, leading to an assertion failure:
+
+      Shorewall::Config::fatal_error("Internal error in
+        Shorewall::Chains::set_rule_option at /usr/"...) called at
+        /usr/share/shorewall/Shorewall/Config.pm line 1619
+
+    Both the incorrect capability detection and the mishandled
+    inversion have been corrected.
+
+3)  During 'enable' processing, if address variables associated with
+    the interface have values different than those when the firewall
+    was last started/restarted/reloaded, then a 'reload' is performed
+    rather than a simple 'enable'. The logic that checks for those
+    changes was incorrect in some configurations, leading to unneeded
+    reload operations. That has been corrected.
+
+4)  When MANGLE_ENABLED=No in shorewall[6].conf, some features
+    requiring use of the mangle table can be allowed, even though the
+    mangle table is not updated. That has been corrected such that use
+    of such features will raise an error.
+
+5)  When an invocation of the IfEvent(...,reset) action was invoked,
+    the compiler previously emitted a spurious "Resetting..." message.
+    That message has been suppressed.
+
+5.2.3.6
+
+1)  When both Docker containers and Libvirt VMs were in use, 'shorewall
+    start' could fail as follows:
+
+      Running /sbin/iptables-restore --wait 60...
+      iptables-restore v1.8.3 (legacy): Couldn't load target
+      `LIBVIRT_PRT':No such file or directory
+      Error occurred at line: 19
+      Try `iptables-restore -h' or 'iptables-restore --help' for more 
information.
+         ERROR: /sbin/iptables-restore --wait 60 Failed.
+
+    That has been corrected.
+
+5.2.3.5
+
+1)  A typo in the FTP documentation has been corrected.
+
+2)  The recommended mss setting when using IPSec with ipcomp has been
+    corrected.
+
+3)  A number of incorrect links in the manpages have been corrected.
+
+4)  The 'bypass' option is now allowed when specifying an NFQUEUE
+    policy. Previously, specifying that option resulted in an error.
+
+5)  Corrected IPv6 Address Range parsing.
+    
+    Previously, such ranges were required to be of the form [<addr1>-<addr2>]
+    rather than the more standard form [<addr1>]-[<addr2>]. In the snat file
+    (and in nat actions), the latter form was actually flagged as an error
+    while in other contexts, it resulted in a less obvious error being
+    raised.
+
+6)  The manpages have been updated to refer to https://shorewall.org
+    rather than http://www.shorewall.org.
+
+5.2.3.4
+
+1)  If multi-queue NFQUEUE (e.g., NFQUEUE(0:1) ) WAS used as a policy,
+    an error such as the following was previously incorrectly raised.
+
+      ERROR: Invalid policy (NFQUEUE(0) /etc/shorewall/policy (line
+             15)
+    
+    That has been corrected such that no error is raised.
+
+2)  If multi-queue NFQUEUE( e.g., NFQUEUE(0:1,bypass) ) was passed to a
+    macro, an error such as the following was previously incorrectly
+    raised:
+
+      ERROR: Invalid ACTION (PARAM:1c,bypass)))
+             /usr/share/shorewall/macro.BitTorrent (line 12)
+            from /etc/shorewall/rules (line 40)
+
+    Now, the NFQUEUE action is correctly substituted for PARAM in
+    the Macro body.
+
+3)  If shorewall[6].conf didn't set AUTOMAKE, the 'update' command
+    previously produced a new file with 'AUTOMAKE=Yes'. This resulted
+    in an unexpected change of behavior. Now, the new file contains
+    'AUTOMAKE=No', which preserves the pre-update behavior.
+
+4)  Shorewall-rules(5) incorrectly stated that the 'bypass' option to
+    NFQUEUE causes the rule to be silently bypassed if there is no
+    application attached to the queue. The actual behavior is that the
+    rule acts like ACCEPT in that case. Shorewall-rules(5) has been
+    corrected.
+
+5.2.3.3
+
+1)  Previously, if an ipset was specified in an SPORT column, the
+    compiler would raise an error similar to:
+
+      ERROR: Invalid ipset name () /etc/shorewall/rules (line 44)
+
+    That has been corrected.
+
+5.2.3.2
+
+1)  Shorewall 5.2 automatically converts and existing 'masq' file to an
+    equivalent 'snat' file. Regrettably, Shorewall 5.2.3 broke that
+    automatic update, such that the following error message was issued:
+
+       Use of uninitialized value $Shorewall::Nat::raw::currentline in
+       pattern match (m//) at /usr/share/shorewall/Shorewall/Nat.pm
+       line 511, <$currentfile> line nnn.
+
+    and the generted 'masq' file contains only initial comments.
+
+    That has been corrected.
+
+5.2.3.1
+
+1)  An issue in the implementation of policy file zone exclusion,
+    released in 5.2.3 has been resolved. In the original release,
+    if more than one zone was excluded, then the following error was
+    raised:
+
+       ERROR:  'all' is not allowed in a source zone list
+               etc/shorewall/policy (line ...)
+
+5.2.3
+
+1)  To prevent a helper kernel module from being loaded, it was
+    previously necessary to list both its current name and its
+    pre-kernel-2.6.20 name in the DONT_LOAD option in
+    /etc/shorewall[6].conf. For example, to prevent nf_conntrack_sip
+    from being loaded, it was necessary to also list ip_conntrack_sip
+    in DONT_LOAD. That is no longer necessary.
+
+----------------------------------------------------------------------------
+                   N E W  F E A T U R E S  I N  5 . 2 . 2
+----------------------------------------------------------------------------
+1)  New macros have been contributed by Vincas Dargis:
+
+        Bitcoin
+       Tor
+       ONCRPC
+
+    Additionally, Tuomo Soini has contributed a WUDO (Windows Update
+    Delivery Optimization) macro.
+
+2)  The Perl modules have undergone some cleanup/optimization.
+
+3)  Given that recent kernels have dropped ULOG support, use of ULOG in
+    Shorewall is now deprecated and results in a warning message. The
+    warning can be eliminated by switching to NFLOG and ulogd2.
+
+4)  Shorewall can now detect interface default gateways configured by
+    Network Manager.
+
+5)  Inline matches are now supported in the 'conntrack' file.
+
+6)  In the 'accounting' file, Inline matches in an INLINE(...) rule now
+    allow a leading '+' to cause the matches to be evaluated before
+    those generated by the column specifications.
+
+7)  If view of the fact that some modems take an eternity to recover
+    from a power failure, the limit of the 'wait' interface option
+    setting has been increased from 120 seconds (2 minutes) to 300
+    seconds (5 minutes).
+
+----------------------------------------------------------------------------
              P R O B L E M S  C O R R E C T E D  I N  5 . 2 . 2
 ----------------------------------------------------------------------------
 
+5.2.2.1
+
+1)  A typo has been corrected in shorewall-providers(5). The manpage
+    previously referred to RESTORE_DEFAULT_OPTION; that should have
+    been RESTORE_DEFAULT_GATEWAY.
+
 1)  This release includes defect repair through Shorewall 5.2.1.4.
 
 2)  When processing inline matches, the compiler previously inserted
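Review bot: the zone exclusion example in new-feature item 1 of the added 5.2.3 block reads "all!z2,z2,...", which repeats z2; the list should show distinct zones. In 5.2.3.5 item 6 the text says the manpages now refer to https://shorewall.org "rather than http://www.shorewall.org", which reads as if the blanket 'shorewall.net' to 'shorewall.org' replacement was also applied to historical text; check it against the original 5.2.3.5 note. The new 5.2.2.1 block is inserted directly above the unlabelled 5.2.2 list, so "1) This release includes defect repair through Shorewall 5.2.1.4." now reads as part of 5.2.2.1; a "5.2.2" sub-heading would separate them. Typos to fix while here: "documentaton", "converts and existing", "generted", "If view of the fact".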
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-init-5.2.3.7/shorewall-init 
new/shorewall-init-5.2.4/shorewall-init
--- old/shorewall-init-5.2.3.7/shorewall-init   2020-03-06 17:27:18.000000000 
+0100
+++ new/shorewall-init-5.2.4/shorewall-init     2020-03-21 22:37:59.000000000 
+0100
@@ -6,7 +6,7 @@
 #      On most distributions, this file should be called
 #      /etc/init.d/shorewall.
 #
-#      Complete documentation is available at http://shorewall.net
+#      Complete documentation is available at http://shorewall.org
 #
 #      This program is part of Shorewall.
 #
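Review bot: the replacement URL on the changed comment line is still plain http ("http://shorewall.org"). The 5.2.3.5 release note carried in this same update says the manpages were switched to https://shorewall.org, so the script headers should point at the https form too rather than only swapping the domain.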
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-init-5.2.3.7/shorewall-init.spec 
new/shorewall-init-5.2.4/shorewall-init.spec
--- old/shorewall-init-5.2.3.7/shorewall-init.spec      2020-03-06 
17:38:12.000000000 +0100
+++ new/shorewall-init-5.2.4/shorewall-init.spec        2020-03-21 
22:40:33.000000000 +0100
@@ -1,6 +1,6 @@
 %define name shorewall-init
-%define version 5.2.3
-%define release 7
+%define version 5.2.4
+%define release 0base
 
 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
 Name: %{name}
@@ -135,20 +135,12 @@
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Tue Feb 25 2020 Tom Eastep <[email protected]>
-- Updated to 5.2.3-7
-* Sun Feb 16 2020 Tom Eastep <[email protected]>
-- Updated to 5.2.3-6
-* Wed Jan 15 2020 Tom Eastep <[email protected]>
-- Updated to 5.2.3-5
-* Sun Aug 25 2019 Tom Eastep <[email protected]>
-- Updated to 5.2.3-4
-* Thu Apr 11 2019 Tom Eastep [email protected]
-- Updated to 5.2.3-3
-* Sun Mar 17 2019 Tom Eastep [email protected]
-- Updated to 5.2.3-2
-* Tue Feb 26 2019 Tom Eastep [email protected]
-- Updated to 5.2.3-1
+* Tue Mar 17 2020 Tom Eastep <[email protected]>
+- Updated to 5.2.4-0base
+* Sat Mar 14 2020 Tom Eastep <[email protected]>
+- Updated to 5.2.4-0RC1
+* Fri Mar 06 2020 Tom Eastep <[email protected]>
+- Updated to 5.2.4-0Beta1
 * Mon Feb 11 2019 Tom Eastep [email protected]
 - Updated to 5.2.3-0base
 * Wed Feb 06 2019 Tom Eastep [email protected]
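Review bot: the %changelog drops all seven 5.2.3-1 through 5.2.3-7 entries, so the log now jumps from 5.2.4-0Beta1 (Mar 06 2020) straight back to 5.2.3-0base (Feb 11 2019) and no longer records the point releases. Keep those entries below the new 5.2.4 ones unless the removal is intentional, and say so in the commit message if it is. The new entries also wrap the address in angle brackets while the retained 2019 entries do not; pick one form.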
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-init-5.2.3.7/uninstall.sh 
new/shorewall-init-5.2.4/uninstall.sh
--- old/shorewall-init-5.2.3.7/uninstall.sh     2020-03-06 17:38:12.000000000 
+0100
+++ new/shorewall-init-5.2.4/uninstall.sh       2020-03-21 22:40:33.000000000 
+0100
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=5.2.3.7
+VERSION=5.2.4
 PRODUCT=shorewall-init
 Product="Shorewall Init"
 

++++++ shorewall-lite-5.2.3.7.tar.bz2 -> shorewall-lite-5.2.4.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-lite-5.2.3.7/Shorewall-lite-targetname 
new/shorewall-lite-5.2.4/Shorewall-lite-targetname
--- old/shorewall-lite-5.2.3.7/Shorewall-lite-targetname        1970-01-01 
01:00:00.000000000 +0100
+++ new/shorewall-lite-5.2.4/Shorewall-lite-targetname  2020-03-21 
22:37:59.000000000 +0100
@@ -0,0 +1 @@
+5.2.4-Beta1
\ No newline at end of file
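Review bot: the new Shorewall-lite-targetname file contains "5.2.4-Beta1" although it ships in the shorewall-lite-5.2.4 tarball, where the other files in this update set VERSION=5.2.4. This looks like a leftover from the Beta 1 build; update it to the final version or leave it out of the release tarball. The file also has no trailing newline.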
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-lite-5.2.3.7/changelog.txt 
new/shorewall-lite-5.2.4/changelog.txt
--- old/shorewall-lite-5.2.3.7/changelog.txt    2020-03-06 17:38:12.000000000 
+0100
+++ new/shorewall-lite-5.2.4/changelog.txt      2020-03-21 22:40:33.000000000 
+0100
@@ -1,74 +1,32 @@
-Changes in 5.2.3.7
+Changes in 5.2.4 Final
 
-1)  Update release documents
-
-2)  Track DOCKER-ISOLATION and DOCKER-ISOLATION-STAGE-* using
-    separate variables.
-
-3)  Correct detection of OLD_CONNTRACK_MATCH in the compiler.
-
-4)  Correct handling of ORIGDEST inversion when OLD_CONNTRACK_MATCH is
-    available.
-
-5)  Correct logic that detects when 'reload' is required during
-    'enable'.
-
-6)  Add checks for features requiring the mangle table when
-    MANGLE_ENABLED=No.
-
-7)  Eliminate suprious 'Resetting...' message during compilation of
-    'IfEvent(...,reset)' invocations.
-
-Changes in 5.2.3.6
-
-1)  Update release documents
-
-2)  Don't try to save/restore libvirt rules when DOCKER=Yes.
-
-Changes in 5.2.3.5
-
-1)  Correct typo in FTP.xml.
-
-2)  Correct recommended mss with ipcomp.
-
-3)  Correct manpage links in documentation and manpages.
-
-4)  Allow the bypass option in an NFQUEUE policy.
-
-5)  Correct IPv6 Address Range parsing.
+1)  Update release documents.
 
-6)  Correct documentation links.
+2)  Update the IPSets document.
 
-Changes in 5.2.3.4
+Changes in 5.2.4 RC 1
 
 1)  Update release documents.
 
-2)  Correct handling of multi-queue NFQUEUE as a policy.
+2)  Correct QOS Example document's mangle file contents.
 
-3)  Correct handling of multi-queue NFQUEUE as a macro parameter.
+3)  Update the Configuration File basics document.
 
-4)  Make 'AUTOMAKE=No' the update default.
-
-5)  Correct the description of the 'bypass' NFQUEUE option in
-    shorewall-rules(5).
-
-Changes in 5.2.3.3
+Changes in 5.2.4 Beta 1
 
 1)  Update release documents.
 
-2)  Document fix for an ipset in the SPORT column.
+2)  Allow required ICMPv6 packets in stopped state.
 
-Changes in 5.2.3.2
+3)  Add DOCKER_BRIDGE option in shorewall.conf.
 
-1)  Update release documents.
+4)  Retire 'trace', 'debug' and 'nolock'.
 
-2)  Document fix for masq file auto-update.
+5)  Remove 'load' from the output of 'shorewall[6] help'
 
-Changes in 5.2.3.1
-
-1)  Update release documents.
+6)  Update the CompiledPrograms.xml article
 
-2)  Correct issue with policy file zone exclusion.
+7)  Replace 'shorewall.net' with 'shorewall.org'.
 
 Changes in 5.2.3 Final
 
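Review bot: the removed lines drop the whole 5.2.3.1 to 5.2.3.7 history from changelog.txt, including behavioural fixes such as "Add checks for features requiring the mangle table when MANGLE_ENABLED=No" and "Correct IPv6 Address Range parsing", so this file no longer shows that 5.2.4 carries them. Confirm those fixes are present in 5.2.4 and consider keeping the entries between "Changes in 5.2.4 Beta 1" and "Changes in 5.2.3 Final". Items 5 and 6 under Beta 1 are also missing the trailing period the other items have.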
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-lite-5.2.3.7/configure 
new/shorewall-lite-5.2.4/configure
--- old/shorewall-lite-5.2.3.7/configure        2020-03-06 17:38:12.000000000 
+0100
+++ new/shorewall-lite-5.2.4/configure  2020-03-21 22:40:33.000000000 +0100
@@ -4,7 +4,7 @@
 #
 #     (c) 2012,2014,2017 - Tom Eastep ([email protected])
 #
-#      Shorewall documentation is available at http://www.shorewall.net
+#      Shorewall documentation is available at http://www.shorewall.org
 #
 #       This program is part of Shorewall.
 #
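Review bot: the configure header now points at "http://www.shorewall.org", while the init scripts, install.sh and lib.* files in this update use "http://shorewall.org". Use one host form across the tree, preferably the https://shorewall.org form the release notes name for the manpages.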
@@ -28,7 +28,7 @@
 #
 # Build updates this
 #
-VERSION=5.2.3.7
+VERSION=5.2.4
 
 case "$BASH_VERSION" in
     [4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-lite-5.2.3.7/configure.pl 
new/shorewall-lite-5.2.4/configure.pl
--- old/shorewall-lite-5.2.3.7/configure.pl     2020-03-06 17:38:12.000000000 
+0100
+++ new/shorewall-lite-5.2.4/configure.pl       2020-03-21 22:40:33.000000000 
+0100
@@ -4,7 +4,7 @@
 #
 #     (c) 2012, 2014 - Tom Eastep ([email protected])
 #
-#      Shorewall documentation is available at http://www.shorewall.net
+#      Shorewall documentation is available at http://www.shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -31,7 +31,7 @@
 # Build updates this
 #
 use constant {
-    VERSION => '5.2.3.7'
+    VERSION => '5.2.4'
 };
 
 my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-lite-5.2.3.7/init.openwrt.sh 
new/shorewall-lite-5.2.4/init.openwrt.sh
--- old/shorewall-lite-5.2.3.7/init.openwrt.sh  2020-03-06 17:27:18.000000000 
+0100
+++ new/shorewall-lite-5.2.4/init.openwrt.sh    2020-03-21 22:37:59.000000000 
+0100
@@ -7,7 +7,7 @@
 #
 #      On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#      Complete documentation is available at http://shorewall.net
+#      Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-lite-5.2.3.7/init.sh 
new/shorewall-lite-5.2.4/init.sh
--- old/shorewall-lite-5.2.3.7/init.sh  2020-03-06 17:27:18.000000000 +0100
+++ new/shorewall-lite-5.2.4/init.sh    2020-03-21 22:37:59.000000000 +0100
@@ -7,7 +7,7 @@
 #
 #      On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#      Complete documentation is available at http://shorewall.net
+#      Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-lite-5.2.3.7/init.suse.sh 
new/shorewall-lite-5.2.4/init.suse.sh
--- old/shorewall-lite-5.2.3.7/init.suse.sh     2020-03-06 17:27:18.000000000 
+0100
+++ new/shorewall-lite-5.2.4/init.suse.sh       2020-03-21 22:37:59.000000000 
+0100
@@ -8,7 +8,7 @@
 #
 #      On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#      Complete documentation is available at http://shorewall.net
+#      Complete documentation is available at http://shorewall.org
 #
 #      This program is free software; you can redistribute it and/or modify
 #      it under the terms of Version 2 of the GNU General Public License
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-lite-5.2.3.7/install.sh 
new/shorewall-lite-5.2.4/install.sh
--- old/shorewall-lite-5.2.3.7/install.sh       2020-03-06 17:38:12.000000000 
+0100
+++ new/shorewall-lite-5.2.4/install.sh 2020-03-21 22:40:33.000000000 +0100
@@ -4,7 +4,7 @@
 #
 #     (c) 2000-2016 - Tom Eastep ([email protected])
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -22,7 +22,7 @@
 #      along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 
-VERSION=5.2.3.7
+VERSION=5.2.4
 
 usage() # $1 = exit status
 {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-lite-5.2.3.7/lib.base 
new/shorewall-lite-5.2.4/lib.base
--- old/shorewall-lite-5.2.3.7/lib.base 2020-03-06 17:27:18.000000000 +0100
+++ new/shorewall-lite-5.2.4/lib.base   2020-03-21 22:37:59.000000000 +0100
@@ -3,7 +3,7 @@
 #
 #     (c) 2011,2014 - Tom Eastep ([email protected])
 #
-#      Complete documentation is available at http://shorewall.net
+#      Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-lite-5.2.3.7/lib.installer 
new/shorewall-lite-5.2.4/lib.installer
--- old/shorewall-lite-5.2.3.7/lib.installer    2020-03-06 17:38:12.000000000 
+0100
+++ new/shorewall-lite-5.2.4/lib.installer      2020-03-21 22:40:33.000000000 
+0100
@@ -4,7 +4,7 @@
 #     (c) 2017 - Tom Eastep ([email protected])
 #     (c) 2017 - Matt Darfeuille ([email protected])
 #
-#      Complete documentation is available at http://shorewall.net
+#      Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-lite-5.2.3.7/lib.uninstaller 
new/shorewall-lite-5.2.4/lib.uninstaller
--- old/shorewall-lite-5.2.3.7/lib.uninstaller  2020-03-06 17:38:12.000000000 
+0100
+++ new/shorewall-lite-5.2.4/lib.uninstaller    2020-03-21 22:40:33.000000000 
+0100
@@ -4,7 +4,7 @@
 #     (c) 2017 - Tom Eastep ([email protected])
 #     (c) 2017 - Matt Darfeuille ([email protected])
 #
-#      Complete documentation is available at http://shorewall.net
+#      Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/shorewall-lite-5.2.3.7/manpages/shorewall-lite-vardir.5 
new/shorewall-lite-5.2.4/manpages/shorewall-lite-vardir.5
--- old/shorewall-lite-5.2.3.7/manpages/shorewall-lite-vardir.5 2020-01-15 
22:08:03.000000000 +0100
+++ new/shorewall-lite-5.2.4/manpages/shorewall-lite-vardir.5   2020-03-21 
22:42:04.000000000 +0100
@@ -2,12 +2,12 @@
 .\"     Title: shorewall-lite-vardir
 .\"    Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 01/15/2020
+.\"      Date: 03/21/2020
 .\"    Manual: Configuration Files
 .\"    Source: Configuration Files
 .\"  Language: English
 .\"
-.TH "SHOREWALL\-LITE\-VAR" "5" "01/15/2020" "Configuration Files" 
"Configuration Files"
+.TH "SHOREWALL\-LITE\-VAR" "5" "03/21/2020" "Configuration Files" 
"Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
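Review bot: the only change in this regenerated manpage header is the date, and the header still carries the placeholder "Author: [FIXME: author]" plus a .TH name truncated to "SHOREWALL\-LITE\-VAR" against the title shorewall-lite-vardir. Set the author in the DocBook source so the generated pages stop shipping the FIXME, and consider whether generated output needs to be tracked in the tarball diff at all, since each rebuild only churns the date.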
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-lite-5.2.3.7/manpages/shorewall-lite.8 
new/shorewall-lite-5.2.4/manpages/shorewall-lite.8
--- old/shorewall-lite-5.2.3.7/manpages/shorewall-lite.8        2020-01-15 
22:08:03.000000000 +0100
+++ new/shorewall-lite-5.2.4/manpages/shorewall-lite.8  2020-03-21 
22:42:05.000000000 +0100
@@ -2,12 +2,12 @@
 .\"     Title: shorewall-lite
 .\"    Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 01/15/2020
+.\"      Date: 03/21/2020
 .\"    Manual: Administrative Commands
 .\"    Source: Administrative Commands
 .\"  Language: English
 .\"
-.TH "SHOREWALL\-LITE" "8" "01/15/2020" "Administrative Commands" 
"Administrative Commands"
+.TH "SHOREWALL\-LITE" "8" "03/21/2020" "Administrative Commands" 
"Administrative Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/shorewall-lite-5.2.3.7/manpages/shorewall-lite.conf.5 
new/shorewall-lite-5.2.4/manpages/shorewall-lite.conf.5
--- old/shorewall-lite-5.2.3.7/manpages/shorewall-lite.conf.5   2020-01-15 
22:08:02.000000000 +0100
+++ new/shorewall-lite-5.2.4/manpages/shorewall-lite.conf.5     2020-03-21 
22:42:04.000000000 +0100
@@ -2,12 +2,12 @@
 .\"     Title: shorewall-lite.conf
 .\"    Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 01/15/2020
+.\"      Date: 03/21/2020
 .\"    Manual: Configuration Files
 .\"    Source: Configuration Files
 .\"  Language: English
 .\"
-.TH "SHOREWALL\-LITE\&.CO" "5" "01/15/2020" "Configuration Files" 
"Configuration Files"
+.TH "SHOREWALL\-LITE\&.CO" "5" "03/21/2020" "Configuration Files" 
"Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -123,6 +123,6 @@
 /etc/shorewall\-lite/shorewall\&.conf
 .SH "SEE ALSO"
 .PP
-\m[blue]\fBhttp://www\&.shorewall\&.net/Documentation_Index\&.html\fR\m[]
+\m[blue]\fBhttp://www\&.shorewall\&.org/Documentation_Index\&.html\fR\m[]
 .PP
 shorewall\-lite(8), shorewall\-accounting(5), shorewall\-actions(5), 
shorewall\-blacklist(5), shorewall\-hosts(5), shorewall\-interfaces(5), 
shorewall\-ipsec(5), shorewall\-maclist(5), shorewall\-masq(5), 
shorewall\-nat(5), shorewall\-netmap(5), shorewall\-params(5), 
shorewall\-policy(5), shorewall\-providers(5), shorewall\-proxyarp(5), 
shorewall\-route_rules(5), shorewall\-routestopped(5), shorewall\-rules(5), 
shorewall\-tcclasses(5), shorewall\-tcdevices(5), shorewall\-tcrules(5), 
shorewall\-tos(5), shorewall\-tunnels(5), shorewall\-zones(5)
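Review bot: the SEE ALSO list directly below the changed URL still references shorewall-masq(5) and shorewall-tcrules(5), although the release notes in this update state that 5.2 converts 'masq' to 'snat' and that 'mangle' superseded 'tcrules'. While this block is being touched, update the list to the current manpage names so readers are not sent to superseded files. The changed link is also still http rather than https.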
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/shorewall-lite-5.2.3.7/manpages/shorewall-lite.conf.xml 
new/shorewall-lite-5.2.4/manpages/shorewall-lite.conf.xml
--- old/shorewall-lite-5.2.3.7/manpages/shorewall-lite.conf.xml 2020-03-06 
17:27:18.000000000 +0100
+++ new/shorewall-lite-5.2.4/manpages/shorewall-lite.conf.xml   2020-03-21 
22:37:59.000000000 +0100
@@ -183,7 +183,7 @@
     <title>See ALSO</title>
 
     <para><ulink
-    
url="http://www.shorewall.net/Documentation_Index.html";>http://www.shorewall.net/Documentation_Index.html</ulink></para>
+    
url="http://www.shorewall.org/Documentation_Index.html";>http://www.shorewall.org/Documentation_Index.html</ulink></para>
 
     <para>shorewall-lite(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-lite-5.2.3.7/releasenotes.txt 
new/shorewall-lite-5.2.4/releasenotes.txt
--- old/shorewall-lite-5.2.3.7/releasenotes.txt 2020-03-06 17:38:12.000000000 
+0100
+++ new/shorewall-lite-5.2.4/releasenotes.txt   2020-03-21 22:40:33.000000000 
+0100
@@ -1,7 +1,7 @@
 ----------------------------------------------------------------------------
-                    S H O R E W A L L  5 . 2 . 3 . 7
+                       S H O R E W A L L  5 . 2 . 4
                       -------------------------------
-                        M A R C H  0 5 , 2 0 2 0
+                         M A R C H  2 4 ,  2 0 1 9
 ----------------------------------------------------------------------------
 
 I.    PROBLEMS CORRECTED IN THIS RELEASE
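Review bot: the new release date line reads "M A R C H  2 4 ,  2 0 1 9", but the line it replaces was March 05, 2020 and the files in this tarball are stamped 2020-03-21, so the year should be 2020. Correct the year, and confirm the day as well, since the 24th falls after the file timestamps.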
@@ -14,152 +14,27 @@
   I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
 
-5.2.3.7
-
-1)  When DOCKER=Yes, if both the DOCKER-ISOLATE and
-    DOCKER-ISOLATE-STAGE-1 existed then the DOCKER-ISOLATE-STAGE-*
-    chains were not preserved through shorewall state changes.
-    That has been corrected so that both chains are preserved if
-    present.
-
-2)  Previously, the compiler always detected the OLD_CONNTRACK_MATCH
-    capability as being available in IPv6. When OLD_CONNTRACK_MATCH
-    was available, the compiler also mishandled inversion ('!') in the
-    ORIGDEST columns, leading to an assertion failure:
-
-      Shorewall::Config::fatal_error("Internal error in
-        Shorewall::Chains::set_rule_option at /usr/"...) called at
-        /usr/share/shorewall/Shorewall/Config.pm line 1619
-
-    Both the incorrect capability detection and the mishandled
-    inversion have been corrected.
-
-3)  During 'enable' processing, if address variables associated with
-    the interface have values different than those when the firewall
-    was last started/restarted/reloaded, then a 'reload' is performed
-    rather than a simple 'enable'. The logic that checks for those
-    changes was incorrect in some configurations, leading to unneeded
-    reload operations. That has been corrected.
-
-4)  When MANGLE_ENABLED=No in shorewall[6].conf, some features
-    requiring use of the mangle table can be allowed, even though the
-    mangle table is not updated. That has been corrected such that use
-    of such features will raise an error.
-
-5)  When an invocation of the IfEvent(...,reset) action was invoked,
-    the compiler previously emitted a spurious "Resetting..." message.
-    That message has been suppressed.
-
-5.2.3.6
-
-1)  When both Docker containers and Libvirt VMs were in use, 'shorewall
-    start' could fail as follows:
-
-      Running /sbin/iptables-restore --wait 60...
-      iptables-restore v1.8.3 (legacy): Couldn't load target
-      `LIBVIRT_PRT':No such file or directory
-      Error occurred at line: 19
-      Try `iptables-restore -h' or 'iptables-restore --help' for more 
information.
-         ERROR: /sbin/iptables-restore --wait 60 Failed.
-
-    That has been corrected.
-
-5.2.3.5
-
-1)  A typo in the FTP documentation has been corrected.
-
-2)  The recommended mss setting when using IPSec with ipcomp has been
-    corrected.
-
-3)  A number of incorrect links in the manpages have been corrected.
-
-4)  The 'bypass' option is now allowed when specifying an NFQUEUE
-    policy. Previously, specifying that option resulted in an error.
-
-5)  Corrected IPv6 Address Range parsing.
+1)  Previously, when a Shorewall6 firewall was placed into the
+    'stopped' state, ICMP6 packets required by RFC 4890 were not
+    automatically accepted by the generated ruleset.
     
-    Previously, such ranges were required to be of the form [<addr1>-<addr2>]
-    rather than the more standard form [<addr1>]-[<addr2>]. In the snat file
-    (and in nat actions), the latter form was actually flagged as an error
-    while in other contexts, it resulted in a less obvious error being
-    raised.
-
-6)  The manpages have been updated to refer to https://shorewall.org
-    rather than http://www.shorewall.org.
-
-5.2.3.4
-
-1)  If multi-queue NFQUEUE (e.g., NFQUEUE(0:1) ) WAS used as a policy,
-    an error such as the following was previously incorrectly raised.
-
-      ERROR: Invalid policy (NFQUEUE(0) /etc/shorewall/policy (line
-             15)
-    
-    That has been corrected such that no error is raised.
-
-2)  If multi-queue NFQUEUE( e.g., NFQUEUE(0:1,bypass) ) was passed to a
-    macro, an error such as the following was previously incorrectly
-    raised:
-
-      ERROR: Invalid ACTION (PARAM:1c,bypass)))
-             /usr/share/shorewall/macro.BitTorrent (line 12)
-            from /etc/shorewall/rules (line 40)
-
-    Now, the NFQUEUE action is correctly substituted for PARAM in
-    the Macro body.
-
-3)  If shorewall[6].conf didn't set AUTOMAKE, the 'update' command
-    previously produced a new file with 'AUTOMAKE=Yes'. This resulted
-    in an unexpected change of behavior. Now, the new file contains
-    'AUTOMAKE=No', which preserves the pre-update behavior.
-
-4)  Shorewall-rules(5) incorrectly stated that the 'bypass' option to
-    NFQUEUE causes the rule to be silently bypassed if there is no
-    application attached to the queue. The actual behavior is that the
-    rule acts like ACCEPT in that case. Shorewall-rules(5) has been
-    corrected.
-
-5.2.3.3
-
-1)  Previously, if an ipset was specified in an SPORT column, the
-    compiler would raise an error similar to:
-
-      ERROR: Invalid ipset name () /etc/shorewall/rules (line 44)
-
-    That has been corrected.
-
-5.2.3.2
-
-1)  Shorewall 5.2 automatically converts and existing 'masq' file to an
-    equivalent 'snat' file. Regrettably, Shorewall 5.2.3 broke that
-    automatic update, such that the following error message was issued:
-
-       Use of uninitialized value $Shorewall::Nat::raw::currentline in
-       pattern match (m//) at /usr/share/shorewall/Shorewall/Nat.pm
-       line 511, <$currentfile> line nnn.
+    Beginning with this release, those packets are automatically
+    accepted.
 
-    and the generted 'masq' file contains only initial comments.
+2)  Previously, the output of 'shorewall[6] help' displayed the
+    superseded 'load' command. That text has been deleted.
 
-    That has been corrected.
+3)  The QOSExample.html file in the documentation and on the web site
+    previously showed tcrules content for the /etc/shorewall/mangle
+    file (recall that 'mangle' superseded 'tcrules'). That page has
+    been corrected.
+
+4)  The 'Starting and Stopping' and 'Configuration file basics'
+    documents have been updated to align them with the current product
+    behavior.
 
-5.2.3.1
-
-1)  An issue in the implementation of policy file zone exclusion,
-    released in 5.2.3 has been resolved. In the original release,
-    if more than one zone was excluded, then the following error was
-    raised:
-
-       ERROR:  'all' is not allowed in a source zone list
-               etc/shorewall/policy (line ...)
-
-5.2.3
-
-1)  To prevent a helper kernel module from being loaded, it was
-    previously necessary to list both its current name and its
-    pre-kernel-2.6.20 name in the DONT_LOAD option in
-    /etc/shorewall[6].conf. For example, to prevent nf_conntrack_sip
-    from being loaded, it was necessary to also list ip_conntrack_sip
-    in DONT_LOAD. That is no longer necessary.
+5)  The 'ipsets' document has been updated to clarify the use of
+    ipsets in the stoppedrules file.
 
 ----------------------------------------------------------------------------
            I I.  K N O W N   P R O B L E M S   R E M A I N I N G
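Review bot: Item 1 of the new "problems corrected" list changes what a stopped Shorewall6 firewall lets through, but it only says "ICMP6 packets required by RFC 4890" without naming the types or saying how the automatic accept interacts with an existing stoppedrules file. Because the stopped-state ruleset becomes more permissive on upgrade, the entry should list the accepted ICMPv6 types or point to the document that does, so an operator can check the new behaviour against local policy.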
@@ -180,27 +55,60 @@
     uses a "delete..add.." sequence on these routes rather than a
     single "replace" command.
 
+4)  On Debian-derived systems, when DOCKER=Yes, the 'systemctl restart
+    shorewall' command looses Docker rules.
+
+    Workaround (courtesy of J Cliff Armstrong):
+
+    Type (as root):
+
+        `systemctl edit shorewall.service`.
+
+    This will open the default terminal editor to a blank file in
+    which you can paste the following:
+
+    [Service]
+    # reset ExecStop
+    ExecStop=
+    # set ExecStop to "stop" instead of "clear"
+    ExecStop=/sbin/shorewall $OPTIONS stop
+
+    Then type `systemctl daemon-reload` to activate the changes. This
+    change will survive future updates of the shorewall package from apt
+    repositories. The override file itself will be saved to
+    `/etc/systemd/system/shorewall.service.d/`.
+
 ----------------------------------------------------------------------------
       I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
 
-1)  Zone exclusion (e.g., "all!z2,z2,...") is now supported in the
-    policy file.
+1)  Previously, Shorewall's Docker support assumed that the default
+    Docker Bridge (docker0) was being used. Beginning with this
+    release, the DOCKER_BRIDGE option in Shorewall.conf allows an
+    arbitrary name to be assigned to the bridge. In particular, when
+    CNI is being used, DOCKER_BRIDGE=cni0 is the appropriate setting.
+
+2)  The CLI keywords 'debug' and 'trace' have been replaced by -D and
+    -T options respectively (e.g., 'shorewall trace reload' is now
+    'shorewall -T reload'). Like the keywords, only one of these
+    options can be active at a time; if both are entered, only the
+    last one is activated. A similar change has been made to the
+    generated script.
+
+    The -T option (formerly 'trace') now applies only to shell-level
+    tracing in the CLI and generated script. Those commands that
+    invoke the rules compiler now accept a -D command option which
+    causes the compiler to generate debugging information (e.g.,
+    'shorewall check -D').
+
+    The 'nolock' keyword is now deprecated in favor of the -N
+    option (e.g., 'shorewall nolock reload' becomes 'shorewall -N
+    reload').
 
-2)  With the availability of zone exclusion in the rules file, 'all[+]-'
-    and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW'
-    respectively. Beginning with this release, the former are
-    deprecated in favor of the latter and will result in a warning
-    message, if used.
+    See shorewall(8) for details.
 
-3)  Internal documentaton of the undocumented 'test' parameter to
-    compiler.pl has been added (it is used by the regression test
-    library to suppress versions and date/times from the generated
-    script).
-
-4)  The LOAD_HELPERS_ONLY option has been removed from
-    shorewall[6].conf. Hereafter, Shorewall[6] will behave as if
-    LOAD_HELPERS_ONLY=Yes had been specified.
+3)  Within the source code and documentation, 'shorewall.net' has been
+    replaced by 'shorewall.org'.
 
 ----------------------------------------------------------------------------
                   I V.  M I G R A T I O N   I S S U E S
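Review bot: The workaround in known problem 4 swaps the unit's ExecStop from "clear" to "stop", but the only explanation is the comment "# set ExecStop to "stop" instead of "clear"". State what firewall state a plain 'systemctl stop shorewall' leaves behind once the override is in place, since the override changes that as well as the restart case it is meant to fix. Minor points in the same hunk: "looses" should be "loses", the period after `systemctl edit shorewall.service` is easy to paste into the shell along with the command, and new feature 1 writes "Shorewall.conf" where the rest of the file uses shorewall[6].conf.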
@@ -307,7 +215,7 @@
     This issue is not handled by 'shorewall update' and must be
     corrected manually.
 
-4)  The Netfilter team have removed support for the rawpost table, so
+3)  The Netfilter team have removed support for the rawpost table, so
     Shorewall no longer supports features requiring that table
     (stateless netmapping in the netmap file). The good news is that,
     since kernel 3.7, Netfilter supports stateful IPv6 network mapping
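Review bot: Renumbering migration issue 4 to 3 here, and every later item in the hunks that follow, changes the numbers that anyone referring to "migration issue N" from an earlier 5.2 release note will look up. If the dropped item cannot remain as a one-line stub, say in the section header that the items were renumbered in 5.2.4.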
@@ -317,10 +225,10 @@
     This issue is not handled by 'shorewall update' and must be
     corrected manually.
 
-5)  The (undocumented) Makefiles haven't been maintained for many
+4)  The (undocumented) Makefiles haven't been maintained for many
     releases and have been removed.
 
-6)  Beginning with Shorewall 5.1.2, The DROP_DEFAULT, REJECT_DEFAULT,
+5)  Beginning with Shorewall 5.1.2, The DROP_DEFAULT, REJECT_DEFAULT,
     etc. options may now specify a comma-separated list of actions
     rather than just a single action. The actions are invoked in the
     order in which they are listed and each action may optionally be
@@ -338,13 +246,13 @@
     This issue is partially handled by 'shorewall update' - see
     the 5.2 issues below.
 
-7)  Beginning with Shorewall 5.1.2, the allowBcast, dropBcast, and
+6)  Beginning with Shorewall 5.1.2, the allowBcast, dropBcast, and
     Broadcast no longer handle multicast. Multicast is handeled
     separately in actions allowMcast, dropMcast and Multicast. The
     now-deprecated Drop and Reject policy actions have been modified so
     that they continue to silently drop multicast packets.
 
-8)  According to the Netfilter team (see
+7)  According to the Netfilter team (see
     https://patchwork.kernel.org/patch/9198133/), the --nflog-range option
     of the NFLOG target has never worked correctly, and they have
     deprecated that option in favor of the --nflog-size option.
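Review bot: Item 6 is touched only for its number, so the misspelling in its next line ("Multicast is handeled separately") goes out in another release; correct it to "handled" while the paragraph is being edited anyway.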
@@ -369,14 +277,14 @@
     This issue is not handled by 'shorewall update' and must be
     corrected manually.
 
-9)  The MODULE_SUFFIX option in shorewall[6].conf was eliminated in
+8)  The MODULE_SUFFIX option in shorewall[6].conf was eliminated in
     Shorewall 5.1.7. Shorewall now finds modules, independent of their
     filename suffix.
 
     'shorewall [-6] update' will automatically remove any MODULE_SUFFIX
     setting.
 
-10) Beginning with Shorewall 5.1.8, when RESTORE_DEFAULT_ROUTE=Yes the
+9)  Beginning with Shorewall 5.1.8, when RESTORE_DEFAULT_ROUTE=Yes the
     default route is only restored when there are no enabled
     'balance/primary' providers and no enabled fallback providers.
 
@@ -385,7 +293,7 @@
     successfully enabled, the default route(s) are removed from the
     main table.
 
-11) Because restoring default routes to the main routing table can
+10) Because restoring default routes to the main routing table can
     break the ability of Foolsm and other link status monitors to
     properly detect non-functioning provider links, a warning message
     is issued when the 'persistent' provider option is specified and
@@ -399,7 +307,7 @@
     This issue is not handled by 'shorewall update' and must be
     corrected manually.
 
-12) Most interface OPTIONS have always been ignored when the INTERFACE
+11) Most interface OPTIONS have always been ignored when the INTERFACE
     name is '+'. Beginning with the Shorewall 5.1.10 release, a warning
     is issued when an ignored option is specified with interface name '+'.
 
@@ -444,7 +352,7 @@
     This issue is not handled by 'shorewall update' and must be
     corrected manually.
 
-13) INLINE_MATCHES=Yes has been documented as deprecated for some
+12) INLINE_MATCHES=Yes has been documented as deprecated for some
     time, but it has not generated a warning. Beginning with the
     Shorewall 5.1.12 release, a warning is issued:
     
@@ -600,9 +508,220 @@
 ----------------------------------------------------------------------------
          V.  N O T E S  F R O M  O T H E R  5 . 2  R E L E A S E S
 ----------------------------------------------------------------------------
+                   N E W  F E A T U R E S  I N  5 . 2 . 3
+----------------------------------------------------------------------------
+
+1)  Zone exclusion (e.g., "all!z2,z2,...") is now supported in the
+    policy file.
+
+2)  With the availability of zone exclusion in the rules file, 'all[+]-'
+    and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW'
+    respectively. Beginning with this release, the former are
+    deprecated in favor of the latter and will result in a warning
+    message, if used.
+
+3)  Internal documentaton of the undocumented 'test' parameter to
+    compiler.pl has been added (it is used by the regression test
+    library to suppress versions and date/times from the generated
+    script).
+
+4)  The LOAD_HELPERS_ONLY option has been removed from
+    shorewall[6].conf. Hereafter, Shorewall[6] will behave as if
+    LOAD_HELPERS_ONLY=Yes had been specified.
+
+----------------------------------------------------------------------------
+             P R O B L E M S  C O R R E C T E D  I N  5 . 2 . 3
+----------------------------------------------------------------------------
+
+5.2.3.7
+
+1)  When DOCKER=Yes, if both the DOCKER-ISOLATE and
+    DOCKER-ISOLATE-STAGE-1 existed then the DOCKER-ISOLATE-STAGE-*
+    chains were not preserved through shorewall state changes.
+    That has been corrected so that both chains are preserved if
+    present.
+
+2)  Previously, the compiler always detected the OLD_CONNTRACK_MATCH
+    capability as being available in IPv6. When OLD_CONNTRACK_MATCH
+    was available, the compiler also mishandled inversion ('!') in the
+    ORIGDEST columns, leading to an assertion failure:
+
+      Shorewall::Config::fatal_error("Internal error in
+        Shorewall::Chains::set_rule_option at /usr/"...) called at
+        /usr/share/shorewall/Shorewall/Config.pm line 1619
+
+    Both the incorrect capability detection and the mishandled
+    inversion have been corrected.
+
+3)  During 'enable' processing, if address variables associated with
+    the interface have values different than those when the firewall
+    was last started/restarted/reloaded, then a 'reload' is performed
+    rather than a simple 'enable'. The logic that checks for those
+    changes was incorrect in some configurations, leading to unneeded
+    reload operations. That has been corrected.
+
+4)  When MANGLE_ENABLED=No in shorewall[6].conf, some features
+    requiring use of the mangle table can be allowed, even though the
+    mangle table is not updated. That has been corrected such that use
+    of such features will raise an error.
+
+5)  When an invocation of the IfEvent(...,reset) action was invoked,
+    the compiler previously emitted a spurious "Resetting..." message.
+    That message has been suppressed.
+
+5.2.3.6
+
+1)  When both Docker containers and Libvirt VMs were in use, 'shorewall
+    start' could fail as follows:
+
+      Running /sbin/iptables-restore --wait 60...
+      iptables-restore v1.8.3 (legacy): Couldn't load target
+      `LIBVIRT_PRT':No such file or directory
+      Error occurred at line: 19
+      Try `iptables-restore -h' or 'iptables-restore --help' for more 
information.
+         ERROR: /sbin/iptables-restore --wait 60 Failed.
+
+    That has been corrected.
+
+5.2.3.5
+
+1)  A typo in the FTP documentation has been corrected.
+
+2)  The recommended mss setting when using IPSec with ipcomp has been
+    corrected.
+
+3)  A number of incorrect links in the manpages have been corrected.
+
+4)  The 'bypass' option is now allowed when specifying an NFQUEUE
+    policy. Previously, specifying that option resulted in an error.
+
+5)  Corrected IPv6 Address Range parsing.
+    
+    Previously, such ranges were required to be of the form [<addr1>-<addr2>]
+    rather than the more standard form [<addr1>]-[<addr2>]. In the snat file
+    (and in nat actions), the latter form was actually flagged as an error
+    while in other contexts, it resulted in a less obvious error being
+    raised.
+
+6)  The manpages have been updated to refer to https://shorewall.org
+    rather than http://www.shorewall.org.
+
+5.2.3.4
+
+1)  If multi-queue NFQUEUE (e.g., NFQUEUE(0:1) ) WAS used as a policy,
+    an error such as the following was previously incorrectly raised.
+
+      ERROR: Invalid policy (NFQUEUE(0) /etc/shorewall/policy (line
+             15)
+    
+    That has been corrected such that no error is raised.
+
+2)  If multi-queue NFQUEUE( e.g., NFQUEUE(0:1,bypass) ) was passed to a
+    macro, an error such as the following was previously incorrectly
+    raised:
+
+      ERROR: Invalid ACTION (PARAM:1c,bypass)))
+             /usr/share/shorewall/macro.BitTorrent (line 12)
+            from /etc/shorewall/rules (line 40)
+
+    Now, the NFQUEUE action is correctly substituted for PARAM in
+    the Macro body.
+
+3)  If shorewall[6].conf didn't set AUTOMAKE, the 'update' command
+    previously produced a new file with 'AUTOMAKE=Yes'. This resulted
+    in an unexpected change of behavior. Now, the new file contains
+    'AUTOMAKE=No', which preserves the pre-update behavior.
+
+4)  Shorewall-rules(5) incorrectly stated that the 'bypass' option to
+    NFQUEUE causes the rule to be silently bypassed if there is no
+    application attached to the queue. The actual behavior is that the
+    rule acts like ACCEPT in that case. Shorewall-rules(5) has been
+    corrected.
+
+5.2.3.3
+
+1)  Previously, if an ipset was specified in an SPORT column, the
+    compiler would raise an error similar to:
+
+      ERROR: Invalid ipset name () /etc/shorewall/rules (line 44)
+
+    That has been corrected.
+
+5.2.3.2
+
+1)  Shorewall 5.2 automatically converts and existing 'masq' file to an
+    equivalent 'snat' file. Regrettably, Shorewall 5.2.3 broke that
+    automatic update, such that the following error message was issued:
+
+       Use of uninitialized value $Shorewall::Nat::raw::currentline in
+       pattern match (m//) at /usr/share/shorewall/Shorewall/Nat.pm
+       line 511, <$currentfile> line nnn.
+
+    and the generted 'masq' file contains only initial comments.
+
+    That has been corrected.
+
+5.2.3.1
+
+1)  An issue in the implementation of policy file zone exclusion,
+    released in 5.2.3 has been resolved. In the original release,
+    if more than one zone was excluded, then the following error was
+    raised:
+
+       ERROR:  'all' is not allowed in a source zone list
+               etc/shorewall/policy (line ...)
+
+5.2.3
+
+1)  To prevent a helper kernel module from being loaded, it was
+    previously necessary to list both its current name and its
+    pre-kernel-2.6.20 name in the DONT_LOAD option in
+    /etc/shorewall[6].conf. For example, to prevent nf_conntrack_sip
+    from being loaded, it was necessary to also list ip_conntrack_sip
+    in DONT_LOAD. That is no longer necessary.
+
+----------------------------------------------------------------------------
+                   N E W  F E A T U R E S  I N  5 . 2 . 2
+----------------------------------------------------------------------------
+1)  New macros have been contributed by Vincas Dargis:
+
+        Bitcoin
+       Tor
+       ONCRPC
+
+    Additionally, Tuomo Soini has contributed a WUDO (Windows Update
+    Delivery Optimization) macro.
+
+2)  The Perl modules have undergone some cleanup/optimization.
+
+3)  Given that recent kernels have dropped ULOG support, use of ULOG in
+    Shorewall is now deprecated and results in a warning message. The
+    warning can be eliminated by switching to NFLOG and ulogd2.
+
+4)  Shorewall can now detect interface default gateways configured by
+    Network Manager.
+
+5)  Inline matches are now supported in the 'conntrack' file.
+
+6)  In the 'accounting' file, Inline matches in an INLINE(...) rule now
+    allow a leading '+' to cause the matches to be evaluated before
+    those generated by the column specifications.
+
+7)  If view of the fact that some modems take an eternity to recover
+    from a power failure, the limit of the 'wait' interface option
+    setting has been increased from 120 seconds (2 minutes) to 300
+    seconds (5 minutes).
+
+----------------------------------------------------------------------------
              P R O B L E M S  C O R R E C T E D  I N  5 . 2 . 2
 ----------------------------------------------------------------------------
 
+5.2.2.1
+
+1)  A typo has been corrected in shorewall-providers(5). The manpage
+    previously referred to RESTORE_DEFAULT_OPTION; that should have
+    been RESTORE_DEFAULT_GATEWAY.
+
 1)  This release includes defect repair through Shorewall 5.2.1.4.
 
 2)  When processing inline matches, the compiler previously inserted
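Review bot: The new "5.2.2.1" entry at the end of this hunk is inserted directly above the existing list, so the section now has two consecutive items numbered 1) and the original 5.2.2 fixes ("This release includes defect repair through Shorewall 5.2.1.4." onward) read as part of 5.2.2.1; add a "5.2.2" subheading before them, as the 5.2.3 block does. The entry also says the manpage should have named RESTORE_DEFAULT_GATEWAY, while migration issue 9 in this same file spells the option RESTORE_DEFAULT_ROUTE, so one of the two needs checking. The relocated 5.2.3 text carries its old slips along ("all!z2,z2,...", "documentaton", "converts and existing", "generted", "If view of", and "etc/shorewall/policy" without the leading slash); the move is a good moment to fix them.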
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-lite-5.2.3.7/shorewall-lite.conf 
new/shorewall-lite-5.2.4/shorewall-lite.conf
--- old/shorewall-lite-5.2.3.7/shorewall-lite.conf      2020-03-06 
17:27:18.000000000 +0100
+++ new/shorewall-lite-5.2.4/shorewall-lite.conf        2020-03-21 
22:37:59.000000000 +0100
@@ -8,7 +8,7 @@
 #  "man shorewall-lite.conf"
 #
 #  Manpage also online at
-#  http://www.shorewall.net/manpages/shorewall-lite.conf.html
+#  http://www.shorewall.org/manpages/shorewall-lite.conf.html
 ###############################################################################
 #                                   N 0 T E
 ###############################################################################
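Review bot: The replacement URL keeps the http:// scheme and the www host ("http://www.shorewall.org/manpages/shorewall-lite.conf.html"), although the release notes shipped in this same update say the manpages now refer to https://shorewall.org rather than http://www.shorewall.org. Switch the scheme and host here too, so the pointer in the config header matches the documented location and is not fetched over plain HTTP.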
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-lite-5.2.3.7/shorewall-lite.spec 
new/shorewall-lite-5.2.4/shorewall-lite.spec
--- old/shorewall-lite-5.2.3.7/shorewall-lite.spec      2020-03-06 
17:38:12.000000000 +0100
+++ new/shorewall-lite-5.2.4/shorewall-lite.spec        2020-03-21 
22:40:33.000000000 +0100
@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 5.2.3
-%define release 7
+%define version 5.2.4
+%define release 0base
 %define initdir /etc/init.d
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux 
systems.
@@ -114,20 +114,12 @@
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Tue Feb 25 2020 Tom Eastep <[email protected]>
-- Updated to 5.2.3-7
-* Sun Feb 16 2020 Tom Eastep <[email protected]>
-- Updated to 5.2.3-6
-* Wed Jan 15 2020 Tom Eastep <[email protected]>
-- Updated to 5.2.3-5
-* Sun Aug 25 2019 Tom Eastep <[email protected]>
-- Updated to 5.2.3-4
-* Thu Apr 11 2019 Tom Eastep [email protected]
-- Updated to 5.2.3-3
-* Sun Mar 17 2019 Tom Eastep [email protected]
-- Updated to 5.2.3-2
-* Tue Feb 26 2019 Tom Eastep [email protected]
-- Updated to 5.2.3-1
+* Tue Mar 17 2020 Tom Eastep <[email protected]>
+- Updated to 5.2.4-0base
+* Sat Mar 14 2020 Tom Eastep <[email protected]>
+- Updated to 5.2.4-0RC1
+* Fri Mar 06 2020 Tom Eastep <[email protected]>
+- Updated to 5.2.4-0Beta1
 * Mon Feb 11 2019 Tom Eastep [email protected]
 - Updated to 5.2.3-0base
 * Wed Feb 06 2019 Tom Eastep [email protected]
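Review bot: This hunk deletes the seven %changelog entries for 5.2.3-1 through 5.2.3-7 instead of adding the 5.2.4 entries above them, so the spec no longer records any point release between 5.2.3-0base and 5.2.4-0Beta1. Keep the old entries and prepend the new ones. The 2019 entries that remain also lack the angle brackets around the address that the new lines use.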
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/shorewall-lite-5.2.3.7/uninstall.sh 
new/shorewall-lite-5.2.4/uninstall.sh
--- old/shorewall-lite-5.2.3.7/uninstall.sh     2020-03-06 17:38:12.000000000 
+0100
+++ new/shorewall-lite-5.2.4/uninstall.sh       2020-03-21 22:40:33.000000000 
+0100
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=5.2.3.7
+VERSION=5.2.4
 
 usage() # $1 = exit status
 {

++++++ shorewall-5.2.3.7.tar.bz2 -> shorewall6-5.2.4.tar.bz2 ++++++
++++ 122824 lines of diff (skipped)

++++++ shorewall-lite-5.2.3.7.tar.bz2 -> shorewall6-lite-5.2.4.tar.bz2 ++++++
++++ 3715 lines of diff (skipped)

