Hello community,

here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2020-07-05 01:14:07
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shorewall (Old)
 and      /work/SRC/openSUSE:Factory/.shorewall.new.3060 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall" Sun Jul 5 01:14:07 2020 rev:117 rq:818356 version:5.2.5.2 Changes: -------- --- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2020-06-03 20:35:10.305670851 +0200 +++ /work/SRC/openSUSE:Factory/.shorewall.new.3060/shorewall.changes 2020-07-05 01:15:17.744444694 +0200 
@@ -1,0 +2,50 @@ +Thu Jul 2 13:24:45 UTC 2020 - Bruno Friedmann <[email protected]> + +- Update to version 5.2.5.2 + https://shorewall.org/pub/shorewall/5.2/shorewall-5.2.5/releasenotes.txt + + 5.2.5.2 + Previously, ";;+" was mishandled in the snat file; the generated + rule incorrectly included the leading "+". That has been corrected + so that the generated rule is now correct. + Example (SNAT OpenVPN server traffic leaving on eth0): + SNAT(192.2.0.4) - eth0 ;;+ -p udp --sport 1194 + + 5.2.5.1 + - The change in 5.2.5 base which changed the 'user' facility to the + 'daemon' facility in Shorewall syslog messages did not change the + messages with severity 'err'. That has been corrected such that + all syslog messages now use the 'daemon' facility. + - The actions.std file contains "?IF...?ELSE...?ENDIF" sequences + that provide different action options depending on the availabilty + of certain capabilities. This has resulted in the Broadcast and + Multicast options being listed twice in the output of + "shorewall[6] show actions". Beginning with this release, this + duplication is eliminated. Note, however, that the options shown + will be incomplete if they were continued onto another line, and + may be incorrect for Broadcast and Multicast. + - A typo in shorewall-providers(5) has been corrected. + + 5.2.5 Base + - Previously, Shorewall-init installed a 'shorewall' script in + /etc/network/if-down.d on Debian and derivatives. This script was + unnecessary and required Debian-specific code in the generated + firewall script. The Shorewall-init script is no longer installed + and the generated firewall script is now free of + distribution-specific code. + - Also on Debian and derivatives, Shorewall-init installed + /etc//NetworkManager/dispatcher.d/01-shorewall which was also + unnecessary. Beginning with this release, that file is no longer + installed. 
+ - Previously, if the dynamic-blacklisting default timeout was set in + a variable in the params file and the variable was used in setting + DYNAMIC_BLACKLIST, then the 'allow' command would fail with + the message: + ERROR: Invalid value (ipset-only,disconnect,timeout=) for + DYNAMIC_BLACKLIST + That has been corrected. + - When EXPAND_POLICIES=No in shorewall[6].conf, policies in complex + rulesets are enforced in chains such as 'net-all' and + 'all-all'. Previously, these chains included redundant + state-oriented rules. In addition to being redundant. these rules + could actually break complex IPv6 configurations. The extra rules are + now omitted. + +------------------------------------------------------------------- Old: ---- shorewall-5.2.4.5.tar.bz2 shorewall-core-5.2.4.5.tar.bz2 shorewall-docs-html-5.2.4.5.tar.bz2 shorewall-init-5.2.4.5.tar.bz2 shorewall-lite-5.2.4.5.tar.bz2 shorewall6-5.2.4.5.tar.bz2 shorewall6-lite-5.2.4.5.tar.bz2 New: ---- shorewall-5.2.5.2.tar.bz2 shorewall-core-5.2.5.2.tar.bz2 shorewall-docs-html-5.2.5.2.tar.bz2 shorewall-init-5.2.5.2.tar.bz2 shorewall-lite-5.2.5.2.tar.bz2 shorewall6-5.2.5.2.tar.bz2 shorewall6-lite-5.2.5.2.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.ZIZOFw/_old 2020-07-05 01:15:29.064480769 +0200 +++ /var/tmp/diff_new_pack.ZIZOFw/_new 2020-07-05 01:15:29.068480781 +0200 @@ -18,7 +18,7 @@ %define have_systemd 1 %define dmaj 5.2 -%define dmin 5.2.4 +%define dmin 5.2.5 # Warn users for upgrading configuration but only on major or minor version changes %define conf_need_update 0 #2017+ New fillup location 
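Review bot: the new shorewall.changes entry copies only section I (problems corrected) of the upstream notes and leaves out the user-visible behaviour changes of the 5.2.4.5 -> 5.2.5.2 jump that appear later in this diff: the dynamic-blacklist ipset is now created with 'timeout 0' and an existing set only converts after 'shorewall restart' (with RESTART=restart) or 'shorewall stop && shorewall start'; state-change messages moved from the 'user' to the 'daemon' syslog facility, so log filters keyed on the facility need updating; and 'blacklist!' plus the 'log' and 'noupdate' DYNAMIC_BLACKLIST options were added. Please add at least the ipset conversion step and the facility change to the entry. Also, the example address 192.2.0.4 is copied from upstream and is not in a documentation range; 192.0.2.4 (TEST-NET-1, the range the manpage example 192.0.2.22 uses) is presumably intended.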
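Review bot: %dmin moves from 5.2.4 to 5.2.5 while conf_need_update stays 0, although the comment directly below says users are warned about upgrading their configuration "on major or minor version changes". If %dmin is what that comment keys on, this bump should set conf_need_update to 1; if the intent is to warn only when 'shorewall update' is actually required, say so in the comment (and note that 5.2.5 needs a stop/start to rebuild the blacklist ipset, per the release notes) so the next packager does not have to re-derive it.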
@@ -26,7 +26,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: shorewall -Version: 5.2.4.5 +Version: 5.2.5.2 Release: 0 Summary: An iptables-based firewall for Linux systems License: GPL-2.0-only ++++++ shorewall-5.2.4.5.tar.bz2 -> shorewall-5.2.5.2.tar.bz2 ++++++ ++++ 2262 lines of diff (skipped) ++++++ shorewall-core-5.2.4.5.tar.bz2 -> shorewall-core-5.2.5.2.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.4.5/Shorewall-core-targetname new/shorewall-core-5.2.5.2/Shorewall-core-targetname --- old/shorewall-core-5.2.4.5/Shorewall-core-targetname 2020-05-14 18:22:44.000000000 +0200 +++ new/shorewall-core-5.2.5.2/Shorewall-core-targetname 1970-01-01 01:00:00.000000000 +0100 @@ -1 +0,0 @@ -5.2.4.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.4.5/changelog.txt new/shorewall-core-5.2.5.2/changelog.txt --- old/shorewall-core-5.2.4.5/changelog.txt 2020-05-14 18:36:02.000000000 +0200 +++ new/shorewall-core-5.2.5.2/changelog.txt 2020-06-28 20:27:29.000000000 +0200 
@@ -1,3 +1,55 @@ +Changes in 5.2.5.2 + +1) Update release documents + +2) Correct handling of ";;+" in the snat file. + +Changes in 5.2.5.1 + +1) Update release documents + +2) Replace 'kern.err' sith 'daemon.err'. + +3) Remove duplicates from the output of 'show actions'. + +4) Correct a typo in shorewall-providers(5). + +Changes in 5.2.5 Final + +1) Update release documents + +2) Zone name too long error message added. + +Changes in 5.2.5 RC 1 + +1) Update release documents + +2) Update module versions + +3) Omit STATE-oriented rules from wildcard policy chains. + +Changes in 5.2.5 Beta 2 + +1) Update release documents + +2) Read the params file during 'allow' processing. + +3) Store exported config params in a named array. + +4) Add the 'log' option to the DYNAMIC_BLACKLIST setting. + +5) Add the 'blacklist!' command. + +6) Add the 'noupdate' DYNAMIC_BLACKLIST option. + +Changes in 5.2.5 Beta 1 + +1) Update release documents + +2) Don't install /etc/network/if-down.d/shorewall on Debian. + +3) Create DBL ipset with 'timeout 0' + Changes in 5.2.4.5 1) Update release documents diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.4.5/configure new/shorewall-core-5.2.5.2/configure --- old/shorewall-core-5.2.4.5/configure 2020-05-14 18:36:01.000000000 +0200 +++ new/shorewall-core-5.2.5.2/configure 2020-06-28 20:27:28.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.2.4.5 +VERSION=5.2.5.2 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.4.5/configure.pl new/shorewall-core-5.2.5.2/configure.pl --- old/shorewall-core-5.2.4.5/configure.pl 2020-05-14 18:36:01.000000000 +0200 +++ new/shorewall-core-5.2.5.2/configure.pl 2020-06-28 20:27:28.000000000 +0200 
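Review bot: typo in the 5.2.5.1 changelog entry: "Replace 'kern.err' sith 'daemon.err'" should read "with". Note that this entry is the only place in the diff that records the old facility of the 'err' messages correctly as 'kern'; the releasenotes.txt hunk further down describes the same fix as a 'user' -> 'daemon' change, and the two should agree.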
@@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.2.4.5' + VERSION => '5.2.5.2' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.4.5/install.sh new/shorewall-core-5.2.5.2/install.sh --- old/shorewall-core-5.2.4.5/install.sh 2020-05-14 18:36:01.000000000 +0200 +++ new/shorewall-core-5.2.5.2/install.sh 2020-06-28 20:27:28.000000000 +0200 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=5.2.4.5 +VERSION=5.2.5.2 PRODUCT=shorewall-core Product="Shorewall Core" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.4.5/known_problems.txt new/shorewall-core-5.2.5.2/known_problems.txt --- old/shorewall-core-5.2.4.5/known_problems.txt 2020-05-14 18:36:02.000000000 +0200 +++ new/shorewall-core-5.2.5.2/known_problems.txt 2020-06-28 20:27:29.000000000 +0200 
@@ -36,65 +36,23 @@ repositories. The override file itself will be saved to `/etc/systemd/system/shorewall.service.d/`. -5) OpenSuSE users running systemd complain that the firewalls are - stopped after a Shorewall product upgrade. +5) When ';;+" appears in the snat file, the '+' incorrectly appears + in the generated ip[6]tables rule. - Corrected in 5.2.4.1. + Corrected in Shorewall 5.2.5.2. -6) On Redhat-based systems and on OpenSuSE, the Shorewall-init log - contains spurious log messages regarding invalid commands. These - messages are harmless. +6) When compiling for export, the compiler generates a firewall.conf + file which is later installed on the remote firewall system as + ${VARDIR}/firewall.conf. Currently, the CLI on that firewall is + not processing the file, resulting in some features not being + available: - Corrected in 5.2.4.1. + - Default values for VERBOSITY, LOGFILE, LOGFORMAT, PATH, + SHOREWALL_SHELL, SUBSYSLOCK, RESTOREFILE, RESTART, + DYNAMIC_BLACKLIST and PAGER are not supplied. -7) There are two problems associated with Debian Shorewall-init when - IFUPDOWN=1 in the Shorewall-init configuration file - (/etc/default/shorewall-init). + - scfilter file supplied at compile time. - a) Down events are ignored when Network Manager is being used. + - dumpfilter file supplied at compile time. - b) Up events are processed twice on dual-stack interfaces. - - Corrected in 5.2.4.2. - -8) When interfaces are managed by Network Manager and IFUPDOWN=1 is - specified in the Shorewall-init configuration file, when an optional - interface is brought up, enabling the interface in - Shorewall6[-lite] may fail. - - Corrected in 5.2.4.3. - -9) When DYNAMIC_BLACKLIST="ipset...." in shorewall[6].conf, and - additional ipsets are used in the configuration, specifying - SAVE_IPSETS in the Shorewall-init configuration file does not work - correctly. Shorewall-init restores the ipsets but the generated - firewall deletes them. 
It is necessary to specify SAVE_IPSETS=Yes - in shorewall[6].conf to work around this problem. - - Corrected in 5.2.4.3. - -10) The 'shorewall-init start' command restores ipsets after it has - stopped the firewall, precluding using ipsets in the stoppedrules - file. - - Corrected in 5.2.4.3. - -11) Setting OPTIMIZE to a value > 15 (or 'all') may cause compilation - to be extreamly slow on large configurations. - - Corrected in 5.2.4.3. - -12) When 5.2.4.3 is installed, two issues have been observed: - - a) When DYNAMIC_BLACKLIST=ipset... or when SAVE_IPSETS=Yes in - shorewall[6].conf, 'shorewall[6] start' can hang. - - b) 'shorewall[6] start' does not automatically create dynamic - blacklisting ipsets. - - Corrected in 5.2.4.4. - -13) The AUTOMAKE option doesn't work correctly when /etc/shorewall[6] - is a symbolic link. - - Corrected in 5.2.4.5. + Corrected in 5.2.6 Beta 1. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.4.5/lib.cli new/shorewall-core-5.2.5.2/lib.cli --- old/shorewall-core-5.2.4.5/lib.cli 2020-05-14 18:22:44.000000000 +0200 +++ new/shorewall-core-5.2.5.2/lib.cli 2020-06-28 20:05:00.000000000 +0200 @@ -1109,7 +1109,7 @@ } show_actions_sorted() { - show_actions | sort + show_actions | sort -u -k 1,1 } show_macros() { @@ -2651,6 +2651,7 @@ if [ -n "$g_blacklistipset" ]; then if qt $IPSET -D $g_blacklistipset $1; then allowed=Yes + [ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Allowed" fi fi @@ -2667,6 +2668,7 @@ *) if [ -n "$g_blacklistipset" ]; then if qt $IPSET -D $g_blacklistipset $1; then + [ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Allowed" allowed=Yes fi fi @@ -3622,6 +3624,7 @@ blacklist_command() { local family + local timeout [ $# -gt 0 ] || fatal_error "Missing address" 
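Review bot: mismatched quotes in the new known_problems item 5: ';;+" opens with a single quote and closes with a double one; use ";;+" as the other files do. Item 6 (compile-for-export: firewall.conf defaults, scfilter and dumpfilter not honoured on the remote firewall, "Corrected in 5.2.6 Beta 1") is a functional defect for every shorewall-lite / shorewall6-lite deployment built with this package set, so it deserves a line in the package .changes as a known problem rather than being discoverable only in this file.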
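Review bot: 'sort -u -k 1,1' in show_actions_sorted() removes the duplicate Broadcast/Multicast lines by keeping one line per action name, but which of the two ?IF/?ELSE variants survives depends on their order in actions.std, not on which capability branch applies on this host, so the options column can be wrong, as the release notes in this diff concede. A more robust fix is for show_actions to evaluate (or at least tag) the ?IF...?ELSE...?ENDIF branches before printing instead of deduplicating the output; at minimum the 'show actions' help text should carry the same caveat as the release notes.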
@@ -3639,10 +3642,17 @@ ;; esac - if $IPSET -A $g_blacklistipset $@ -exist; then + if [ $COMMAND = 'blacklist!' ]; then + timeout='timeout 0' + else + echo "$@" | fgrep -q ' timeout ' || timeout="timeout $g_dbltimeout" + fi + + if $IPSET -A $g_blacklistipset $@ $timeout -exist; then local message progress_message2 "$1 Blacklisted" + [ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Blacklisted" if [ -n "$g_disconnect" ]; then message="$(conntrack -D -s $1 2>&1)" @@ -3897,7 +3907,7 @@ case $DYNAMIC_BLACKLIST in ipset*,src-dst*) # - # This utility doesn't need to know about 'src-dst' + # Capture 'src-dst' # DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,src-dst//') @@ -3906,10 +3916,48 @@ esac case $DYNAMIC_BLACKLIST in + ipset*,log*) + # + # Capture 'log' + # + DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,log//') + + g_dbllog=Yes + ;; + esac + + case $DYNAMIC_BLACKLIST in + ipset*,noupdate*) + # + # This utility doesn't use this option + # + DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,noupdate//') + ;; + esac + + case $DYNAMIC_BLACKLIST in ipset*,timeout*) # - # This utility doesn't need to know about 'timeout=nnn' + # Capture timeout # + local ifs + local f + + ifs=$IFS + IFS=',' + + for f in $DYNAMIC_BLACKLIST; do + case $f in + timeout=*) + g_dbltimeout=${f#timeout=} + g_dbltimeout=${g_dbltimeout%%:*} + break + ;; + esac + done + + IFS=$ifs + DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed -r 's/,timeout=[[:digit:]]+//') ;; esac @@ -4127,7 +4175,7 @@ rc=$? else error_message "$g_firewall is missing or is not executable" - mylogger kern.err "ERROR:$g_product start failed" + mylogger daemon.err "ERROR:$g_product start failed" rc=6 fi @@ -4260,7 +4308,7 @@ rc=$? else error_message "$g_firewall is missing or is not executable" - mylogger kern.err "ERROR:$g_product $COMMAND failed" + mylogger daemon.err "ERROR:$g_product $COMMAND failed" rc=6 fi 
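Review bot: when DYNAMIC_BLACKLIST carries no timeout= option, g_dbltimeout is empty (it is initialised empty in the @@ -4458 hunk and only assigned in the timeout capture below), so the else branch in blacklist_command sets timeout='timeout ' and the command becomes '$IPSET -A $g_blacklistipset <addr> timeout -exist', which ipset cannot parse. Guard the assignment: '[ -n "$g_dbltimeout" ] && timeout="timeout $g_dbltimeout"'. Two smaller points in the same hunk: 'blacklist!' forces 'timeout 0' without the fgrep check, so 'blacklist! <addr> timeout 300' hands 'timeout 300 timeout 0' to ipset; either reject a user-supplied timeout with 'blacklist!' or let it win, and document which in shorewall(8). And 'echo "$@" | fgrep -q " timeout "' matches the substring anywhere in the argument string rather than the keyword position, which is harmless today but fragile.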
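Review bot: in the DYNAMIC_BLACKLIST parsing hunk the timeout capture strips a ':'-suffixed value ('${g_dbltimeout%%:*}'), but the sed that removes the option afterwards only deletes ',timeout=' followed by digits, so a value of the form timeout=nnn:xxx leaves ':xxx' glued to the preceding option (e.g. 'ipset,disconnect:xxx'). If that colon form is not valid in DYNAMIC_BLACKLIST the %%:* is dead code and should go; if it is valid, the sed pattern has to consume it as well. Since the 'src-dst', 'log' and 'noupdate' cases all use prefix-style patterns ('ipset*,log*'), parsing all four options in the one IFS=',' loop already introduced for timeout would be cleaner and would avoid the repeated sed invocations.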
@@ -4458,6 +4506,8 @@ g_disconnect= g_havemutex= g_trace= + g_dbltimeout= + g_dbllog= VERBOSE= VERBOSITY=1 @@ -4679,7 +4729,7 @@ fatal_error "$g_product is not running" fi ;; - blacklist) + blacklist|blacklist!) only_root get_config Yes shift @@ -4757,7 +4807,7 @@ ;; allow) only_root - get_config + get_config Yes allow_command $@ ;; add) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.4.5/lib.common new/shorewall-core-5.2.5.2/lib.common --- old/shorewall-core-5.2.4.5/lib.common 2020-05-14 18:22:44.000000000 +0200 +++ new/shorewall-core-5.2.5.2/lib.common 2020-06-28 20:05:00.000000000 +0200 @@ -55,13 +55,13 @@ case $COMMAND in start) - mylogger kern.err "ERROR:$g_product start failed:Firewall state not changed" + mylogger daemon.err "ERROR:$g_product start failed:Firewall state not changed" ;; restart) - mylogger kern.err "ERROR:$g_product restart failed:Firewall state not changed" + mylogger daemon.err "ERROR:$g_product restart failed:Firewall state not changed" ;; restore) - mylogger kern.err "ERROR:$g_product restore failed:Firewall state not changed" + mylogger daemon.err "ERROR:$g_product restore failed:Firewall state not changed" ;; esac diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.4.5/manpages/shorewall.8 new/shorewall-core-5.2.5.2/manpages/shorewall.8 --- old/shorewall-core-5.2.4.5/manpages/shorewall.8 2020-04-29 22:37:00.000000000 +0200 +++ new/shorewall-core-5.2.5.2/manpages/shorewall.8 2020-06-13 22:10:45.000000000 +0200 
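Review bot: switching the start/restart/restore failure messages in lib.common from kern.err to daemon.err is the right fix: a user-space script logging with the kern facility is misleading and, on hosts whose syslog or journald filters route kernel-facility messages separately, these 'Firewall state not changed' errors could land in the wrong log. The equivalent messages emitted by the generated firewall script live in the compiler, which is in the shorewall-5.2.5.2 tarball diff skipped above (2262 lines), so this diff cannot confirm that those were changed too; a grep for 'kern.err' there is worth doing before accepting the release-note claim that all syslog messages now use the daemon facility. In the @@ -4757 hunk, 'get_config Yes' for 'allow' brings it in line with the 'blacklist' path and is what makes a params-file variable used in DYNAMIC_BLACKLIST resolvable (the "Invalid value (ipset-only,disconnect,timeout=)" failure described in the release notes).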
@@ -2,12 +2,12 @@ .\" Title: shorewall .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 04/29/2020 +.\" Date: 06/13/2020 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL" "8" "04/29/2020" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL" "8" "06/13/2020" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -35,7 +35,7 @@ .HP \w'\fBshorewall[6][\-lite]\fR\ 'u \fBshorewall[6][\-lite]\fR [options] \fBallow\fR \fIaddress\fR .HP \w'\fBshorewall[6][\-lite]\fR\ 'u -\fBshorewall[6][\-lite]\fR [options] \fBblacklist\fR \fIaddress\fR\ [\fIoption\fR\ \&.\&.\&.] +\fBshorewall[6][\-lite]\fR [options] \fBblacklist[!]\fR \fIaddress\fR\ [\fIoption\fR\ \&.\&.\&.] .HP \w'\fBshorewall[6][\-lite]\fR\ 'u \fBshorewall[6][\-lite]\fR [options] \fBcall\fR \fIfunction\fR\ [\fIparameter\fR\ \&.\&.\&.] .HP \w'\fBshorewall[6]\fR\ 'u @@ -398,7 +398,7 @@ command\&. .RE .PP -\fBblacklist\fR \fIaddress\fR [ \fIoption\fR \&.\&.\&. ] +\fBblacklist[!]\fR \fIaddress\fR [ \fIoption\fR \&.\&.\&. ] .RS 4 Added in Shorewall 5\&.0\&.8 and requires DYNAMIC_BLACKLIST=ipset\&.\&. in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. Causes packets from the given host or network 
@@ -409,7 +409,33 @@ along with any \fIoption\fRs are passed to the \fBipset add\fR -command\&. +command\&. Probably the most useful +\fIoption\fR +is the +\fBtimeout\fR +option\&. For example, to permanently blacklist 192\&.0\&.2\&.22, the command would be: +.sp +.if n \{\ +.RS 4 +.\} +.nf + shorewall blacklist 192\&.0\&.2\&.22 timeout 0 +.fi +.if n \{\ +.RE +.\} +.sp +Beginning with Shorewall 5\&.2\&.5, the above command can be shortened to: +.sp +.if n \{\ +.RS 4 +.\} +.nf + shorewall blacklist! 192\&.0\&.2\&.22 +.fi +.if n \{\ +.RE +.\} .sp If the \fBdisconnect\fR @@ -1756,21 +1782,13 @@ .RE .RE .PP -\fBstop\fR [\-\fBf\fR] +\fBstop\fR .RS 4 Stops the firewall\&. All existing connections, except those listed in -\m[blue]\fBshorewall\-routestopped\fR\m[]\&\s-2\u[8]\d\s+2(5) or permitted by the ADMINISABSENTMINDED option in -\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5), are taken down\&. The only new traffic permitted through the firewall is from systems listed in -\m[blue]\fBshorewall\-routestopped\fR\m[]\&\s-2\u[8]\d\s+2(5) or by ADMINISABSENTMINDED\&. -.sp -If -\fB\-f\fR -is given, the command will be processed by the compiled script that executed the last successful -\fBstart\fR, -\fBrestart\fR -or -\fBreload\fR -command if that script exists\&. +\m[blue]\fBshorewall\-stoppedrules\fR\m[]\&\s-2\u[8]\d\s+2(5) or permitted by the ADMINISABSENTMINDED option in +\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2 +The only new traffic permitted through the firewall is from systems listed in +\m[blue]\fBshorewall\-stoppedrules\fR\m[]\&\s-2\u[8]\d\s+2(5) or by ADMINISABSENTMINDED\&. .RE .PP \fBstatus\fR [\-\fBi\fR] 
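Review bot: the rewritten 'stop' paragraph lost the end of its first sentence: the old text read "... option in shorewall.conf(5), are taken down." and the new text runs from "shorewall.conf" (without the "(5)\&." page reference and the verb) straight into "The only new traffic ...", so the sentence now has no main verb. Restore "(5), are taken down\&." after the shorewall.conf reference in the DocBook source, not in the generated .8 file. Separately, the '-f' option is dropped from the 'stop' synopsis and description here, but nothing in this diff removes it from lib.cli; if the CLI still accepts 'stop -f', the page should keep documenting it (or mark it deprecated) rather than silently drop it.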
@@ -2146,9 +2164,9 @@ \%https://shorewall.org/manpages//manpages/shorewall-accounting.html .RE .IP " 8." 4 -shorewall-routestopped +shorewall-stoppedrules .RS 4 -\%https://shorewall.org/manpages//manpages/shorewall-routestopped.html +\%https://shorewall.org/manpages//manpages/shorewall-stoppedrules.html .RE .IP " 9." 4 https://shorewall.org/starting_and_stopping_shorewall.htm diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.4.5/releasenotes.txt new/shorewall-core-5.2.5.2/releasenotes.txt --- old/shorewall-core-5.2.4.5/releasenotes.txt 2020-05-14 18:36:02.000000000 +0200 +++ new/shorewall-core-5.2.5.2/releasenotes.txt 2020-06-28 20:27:29.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 2 . 4 . 5 - -------------------------------- - M A Y 1 4 , 2 0 1 9 + S H O R E W A L L 5 . 2 . 5 . 2 + ------------------------------- + J U N E 2 8 , 2 0 2 0 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -13,127 +13,65 @@ ---------------------------------------------------------------------------- I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -5.2.4.5 -1) The description of the 'optional' option has been expanded in - shorewall-interfaces(5). +5.2.5.2 -2) Previously, the AUTOMAKE option did not work properly when - /etc/shorewall[6] was a symbolic link. That has been corrected. - -5.2.4.4 - -1) When DYNAMIC_BLACKLIST=ipset... or when SAVE_IPSETS=Yes in - shorewall[6].conf, 'shorewall[6] start' could hang when 5.2.4.3 - was installed. That has been corrected. - -2) When 5.2.4.3 was installed, 'shorewall[6] start' would not - automatically create dynamic blacklisting ipsets. That has been - corrected. - -5.2.4.3 - -1) When interfaces was managed by Network Manager and IFUPDOWN=1 was - specified in the Shorewall-init configuration file, when an optional - interface was brought up, enabling the interface in - Shorewall6[-lite] could fail. - - Correcting this issue involves corrected code in this release of - Shorewall, but also may require a configuration change in - /etc/shorewall6/interfaces. The change in Shorewall makes the - generated script honor the 'wait=<seconds>' specification in - /etc/shorewall6/interfaces when executing the 'enable' command. - If there are optional interfaces that do not specify 'wait=...', - then the interfaces file must be altered to include such - specifications. - -2) An unnecessary test during command initialization in the generated - script has been eliminated. - -3) Previously, 'shorewall[6] stop' or 'shorewall[6] clear' would - create the dynamic blacklist ipset if it did not exist. Creation - of the ipset is now defered until the next 'start'. - -4) Previously, 'shorewall[6] start' would delete all corresponding - ipsets before restoring. 
It now deletes only those sets that will - be restored, thus allowing SAVE_IPSETS to be specified in the - Shorewall-init configuration when ipset-based dynamic blacklisting - is also enabled. Previously, if any additional ipsets were used, - it was necessary to set SAVE_IPSETS=Yes in shorewall[6].conf as - well. - -5) Previously, 'Shorewall-init start' restored ipsets after stopping - the firewalls, precluding use of ipsets in the stoppedrules file. - Shorewall-init now restores the ipsets before stopping the - firewalls. - -6) Optimize level 16 has been speeded up by an order of magnitude. - Tests using a large user-supplied configuration showed compilation - time with OPTIMIZE=all was reduced from 22min 40 seconds to 21.5 - seconds. - -5.2.4.2 - -1) This release corrects two problems associated with Debian - Shorewall-init when IFUPDOWN=1 in the Shorewall-init - configuration file (/etc/default/shorewall-init): - - a) Down events were ignored when Network Manager was being used. - - b) Up events were processed twice when a dual-stack interface - was brought up. - - Both problems have been corrected. To make the fixes effective, - it is necessary to recompile the firewall script (shorewall[6] - compile, start, restart or reload). - -5.2.4.1 - -1) The web site and documentation have been improved to correct some - invalid links in the manpages (including the manpages released - in Shorewall components) and to link directly to the current - website at https://shorewall.org. (Tuomo Soini) - -2) Cautions regarding SAVE_IPSETS have been added to the ipsets - article. - -3) OpenSuSE users running systemd have complained that the firewalls - are stopped after a Shorewall product upgrade. The problem is that - OpenSuSE restarts all running products that have been - upgraded. Recall that 'systemctl restart' is equivalent to - 'systemctl stop && systemctl start'. 
But starting Shorewall-init - results in the firewall products specified in the Shorewall-init - config file to be stopped. To address this issue, Shorewall-init - will now ignore 'start' and 'stop' commands, for running firewalls - (Tuomo Soini). - -4) On Redhat-based system and on OpenSuSE, extraneous Shorewall-init - log messages regarding invalid commands were being issued. These - harmless messages are now suppressed (Tuomo Soini). - -5.2.4 Final - -1) Previously, when a Shorewall6 firewall was placed into the - 'stopped' state, ICMP6 packets required by RFC 4890 were not - automatically accepted by the generated ruleset. - - Beginning with this release, those packets are automatically - accepted. - -2) Previously, the output of 'shorewall[6] help' displayed the - superseded 'load' command. That text has been deleted. - -3) The QOSExample.html file in the documentation and on the web site - previously showed tcrules content for the /etc/shorewall/mangle - file (recall that 'mangle' superseded 'tcrules'). That page has - been corrected. - -4) The 'Starting and Stopping' and 'Configuration file basics' - documents have been updated to align them with the current product - behavior. - -5) The 'ipsets' document has been updated to clarify the use of - ipsets in the stoppedrules file. +1) Previously, ";;+" was mishandled in the snat file; the generated + rule incorrectly included the leading "+". That has been corrected + so that the generated rule is now correct. + + Example (SNAT OpenVPN server traffic leaving on eth0): + + SNAT(192.2.0.4) - eth0 ;;+ -p udp --sport 1194 + +5.2.5.1 + +1) The change in 5.2.5 base which changed the 'user' facility to the + 'daemon' facility in Shorewall syslog messages did not change the + messages with severity 'err'. That has been corrected such that + all syslog messages now use the 'daemon' facility. 
+ +2) The actions.std file contains "?IF...?ELSE...?ENDIF" sequences + that provide different action options depending on the availabilty + of certain capabilities. This has resulted in the Broadcast and + Multicast options being listed twice in the output of + "shorewall[6] show actions". Beginning with this release, this + duplication is eliminated. Note, however, that the options shown + will be incomplete if they were continued onto another line, and + may be incorrect for Broadcast and Multicast. + +3) A typo in shorewall-providers(5) has been corrected. + +5.2.5 Base + +1) Previously, Shorewall-init installed a 'shorewall' script in + /etc/network/if-down.d on Debian and derivatives. This script was + unnecessary and required Debian-specific code in the generated + firewall script. The Shorewall-init script is no longer installed + and the generated firewall script is now free of + distribution-specific code. + +2) Also on Debian and derivatives, Shorewall-init installed + /etc//NetworkManager/dispatcher.d/01-shorewall which was also + unnecessary. Beginning with this release, that file is no longer + installed. + +3) Previously, if the dynamic-blacklisting default timeout was set in + a variable in the params file and the variable was used in setting + DYNAMIC_BLACKLIST, then the 'allow' command would fail with + the message: + + ERROR: Invalid value (ipset-only,disconnect,timeout=) for + DYNAMIC_BLACKLIST + + That has been corrected. + +4) When EXPAND_POLICIES=No in shorewall[6].conf, policies in complex + rulesets are enforced in chains such as 'net-all' and + 'all-all'. Previously, these chains included redundant + state-oriented rules. In addition to being redundant. these rules + could actually break complex IPv6 configurations. The extra rules are + now omitted. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
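Review bot: item 5.2.5.1(1) says the 'err' messages still used the 'user' facility, but the lib.cli and lib.common hunks above show them as 'kern.err', and changelog.txt records the change as kern.err -> daemon.err; say 'kern' here, since administrators who filtered on the kern facility are the ones who have to adjust. Two typos in the same hunk: "availabilty" (5.2.5.1 item 2) and "redundant. these rules" should be "redundant, these rules" (5.2.5 Base item 4). The snat example address 192.2.0.4 is presumably 192.0.2.4 (TEST-NET-1).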
@@ -181,33 +119,79 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Previously, Shorewall's Docker support assumed that the default - Docker Bridge (docker0) was being used. Beginning with this - release, the DOCKER_BRIDGE option in Shorewall.conf allows an - arbitrary name to be assigned to the bridge. In particular, when - CNI is being used, DOCKER_BRIDGE=cni0 is the appropriate setting. +1) Prior to this release, when a 'timeout' value was specified in the + DYNAMIC_BLACKLIST setting, the dynamic-blacklisting ipset was + created with this default timeout. This had the unfortunate + disadvantage that it was not possible to add permanent entries + into the ipset. Even if 'timeout 0' was specified in a 'blacklist' + command, the entry would still age out of the ipset after the + default timeout had elapsed. + + Beginning with this release, the dynamic-blacklisting ipset is + created with 'timeout 0'. When an address is added to the set, + either by BLACKLIST policy enforcement, by the BLACKLIST action, + or by the CLI 'blacklist' command (where no 'timeout' is + specified), the default timeout is applied to the new entry. + + Once you have upgraded to this version of Shorewall, you can + convert your existing dynamic-blacklisting ipset (with a non-zero + default timeout) to have a default timeout of zero as follows: + + a) If RESTART=restart in shorewall[6].conf, then simply + 'shorewall[6] restart'. + + b) Otherwise, 'shorewall[6] stop && shorewall[6] start'. + +2) Previously, when an ADD or DEL rule specified logging, the entire + action (e.g. 'ADD(+NET_BL:src:7200)') was included in the log + message. This could easily lead to a "Log prefix shortened..." + warning during compilation. 
+ + Beginning with this release, such log messages will contain only + the basic action ('ADD' or 'DEL') and the set name (e.g., + 'ADD(NET_BL)') to reduce the liklihood of producing the warning. + +3) Traditionally, Shorewall has logged state change messages using + the 'user' syslog facility. Beginning with this release, these + messages will be logged using the 'daemon' facility to more + accurately reflect that these messages relate to a service. + +4) The DYNAMIC_BLACKLIST setting now allows a 'log' option to be + specified for ipset-based blacklisting. When this option is given, + successful 'blacklist' and 'allow' commands generate a 'daemon.info' + log message. + +5) When ipset-based dynamic blacklisting is enabled, the generated + ruleset has traditionally refreshed the 'timeout' of an ipset + entry when a packet from blacklisted host is received. This has + the unfortunate side effect that it can change a permanent entry + (timeout 0) to a temporary (one with non-zero timeout). Beginning + with this release, this timeout refresh can be avoided by + specifying the 'noupdate' option in the DYNAMIC_BLACKLIST + setting. -2) The CLI keywords 'debug' and 'trace' have been replaced by -D and - -T options respectively (e.g., 'shorewall trace reload' is now - 'shorewall -T reload'). Like the keywords, only one of these - options can be active at a time; if both are entered, only the - last one is activated. A similar change has been made to the - generated script. +6) To allow Shorewall's ipset-based blacklisting to play nicely with + fail2ban, the 'blacklist!' CLI command has been added. - The -T option (formerly 'trace') now applies only to shell-level - tracing in the CLI and generated script. Those commands that - invoke the rules compiler now accept a -D command option which - causes the compiler to generate debugging information (e.g., - 'shorewall check -D'). 
+ The command - The 'nolock' keyword is now deprecated in favor of the -N - option (e.g., 'shorewall nolock reload' becomes 'shorewall -N - reload'). + blacklist! <ip> - See shorewall(8) for details. + is equivalent to -3) Within the source code and documentation, 'shorewall.net' has been - replaced by 'shorewall.org'. + blacklist <ip> timeout 0 + + thus allowing 'blacklist!' to be specified as the 'blocktype' in + /etc/fail2ban/actions.d/shorewall.conf. + + See https://shorewall.org/blacklisting_support.htm#fail2ban for + further information about using Shorewall dynamic blacklisting + with fail2ban. + +7) Previously, when a zone name was too long, the resulting error + message was "Invalid zone name (<name>)". To make the cause of + the failur4e clearer, the message is now "Zone name (<name>) too + long". ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S @@ -314,7 +298,7 @@ This issue is not handled by 'shorewall update' and must be corrected manually. -3) The Netfilter team have removed support for the rawpost table, so +4) The Netfilter team have removed support for the rawpost table, so Shorewall no longer supports features requiring that table (stateless netmapping in the netmap file). The good news is that, since kernel 3.7, Netfilter supports stateful IPv6 network mapping @@ -324,10 +308,10 @@ This issue is not handled by 'shorewall update' and must be corrected manually. -4) The (undocumented) Makefiles haven't been maintained for many +5) The (undocumented) Makefiles haven't been maintained for many releases and have been removed. -5) Beginning with Shorewall 5.1.2, The DROP_DEFAULT, REJECT_DEFAULT, +6) Beginning with Shorewall 5.1.2, The DROP_DEFAULT, REJECT_DEFAULT, etc. options may now specify a comma-separated list of actions rather than just a single action. The actions are invoked in the order in which they are listed and each action may optionally be 
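Review bot: typos in the new-features hunk: "liklihood" (item 2) and "failur4e" (item 7). On substance, item 6 presents 'blacklist! <ip>' as a permanent ban suitable for fail2ban, but item 5 in the same hunk explains that the generated ruleset refreshes an entry's timeout on each packet from the host and can turn a 'timeout 0' entry into a temporary one unless 'noupdate' is set in DYNAMIC_BLACKLIST; item 6 should cross-reference that, otherwise a fail2ban user will assume the ban is permanent when it is not. The equivalence "blacklist! <ip>" == "blacklist <ip> timeout 0" also only holds when no timeout option is passed, per the blacklist_command hunk.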
@@ -345,13 +329,13 @@ This issue is partially handled by 'shorewall update' - see the 5.2 issues below. -6) Beginning with Shorewall 5.1.2, the allowBcast, dropBcast, and +7) Beginning with Shorewall 5.1.2, the allowBcast, dropBcast, and Broadcast no longer handle multicast. Multicast is handeled separately in actions allowMcast, dropMcast and Multicast. The now-deprecated Drop and Reject policy actions have been modified so that they continue to silently drop multicast packets. -7) According to the Netfilter team (see +8) According to the Netfilter team (see https://patchwork.kernel.org/patch/9198133/), the --nflog-range option of the NFLOG target has never worked correctly, and they have deprecated that option in favor of the --nflog-size option. @@ -376,14 +360,14 @@ This issue is not handled by 'shorewall update' and must be corrected manually. -8) The MODULE_SUFFIX option in shorewall[6].conf was eliminated in +9) The MODULE_SUFFIX option in shorewall[6].conf was eliminated in Shorewall 5.1.7. Shorewall now finds modules, independent of their filename suffix. 'shorewall [-6] update' will automatically remove any MODULE_SUFFIX setting. -9) Beginning with Shorewall 5.1.8, when RESTORE_DEFAULT_ROUTE=Yes the +10) Beginning with Shorewall 5.1.8, when RESTORE_DEFAULT_ROUTE=Yes the default route is only restored when there are no enabled 'balance/primary' providers and no enabled fallback providers. @@ -392,7 +376,7 @@ successfully enabled, the default route(s) are removed from the main table. -10) Because restoring default routes to the main routing table can +11) Because restoring default routes to the main routing table can break the ability of Foolsm and other link status monitors to properly detect non-functioning provider links, a warning message is issued when the 'persistent' provider option is specified and 
@@ -406,7 +390,7 @@ This issue is not handled by 'shorewall update' and must be corrected manually. -11) Most interface OPTIONS have always been ignored when the INTERFACE +12) Most interface OPTIONS have always been ignored when the INTERFACE name is '+'. Beginning with the Shorewall 5.1.10 release, a warning is issued when an ignored option is specified with interface name '+'. @@ -451,7 +435,7 @@ This issue is not handled by 'shorewall update' and must be corrected manually. -12) INLINE_MATCHES=Yes has been documented as deprecated for some +13) INLINE_MATCHES=Yes has been documented as deprecated for some time, but it has not generated a warning. Beginning with the Shorewall 5.1.12 release, a warning is issued: 
@@ -607,7 +591,39 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 2 R E L E A S E S ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 5 . 2 . 3 + N E W F E A T U R E S I N 5 . 2 . 4 +---------------------------------------------------------------------------- + +1) Previously, Shorewall's Docker support assumed that the default + Docker Bridge (docker0) was being used. Beginning with this + release, the DOCKER_BRIDGE option in Shorewall.conf allows an + arbitrary name to be assigned to the bridge. In particular, when + CNI is being used, DOCKER_BRIDGE=cni0 is the appropriate setting. + +2) The CLI keywords 'debug' and 'trace' have been replaced by -D and + -T options respectively (e.g., 'shorewall trace reload' is now + 'shorewall -T reload'). Like the keywords, only one of these + options can be active at a time; if both are entered, only the + last one is activated. A similar change has been made to the + generated script. + + The -T option (formerly 'trace') now applies only to shell-level + tracing in the CLI and generated script. Those commands that + invoke the rules compiler now accept a -D command option which + causes the compiler to generate debugging information (e.g., + 'shorewall check -D'). + + The 'nolock' keyword is now deprecated in favor of the -N + option (e.g., 'shorewall nolock reload' becomes 'shorewall -N + reload'). + + See shorewall(8) for details. + +3) Within the source code and documentation, 'shorewall.net' has been + replaced by 'shorewall.org'. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 2 . 4 ---------------------------------------------------------------------------- 1) Zone exclusion (e.g., "all!z2,z2,...") is now supported in the 
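Review bot: the heading added at the end of this hunk reads "N E W   F E A T U R E S   I N   5 . 2 . 4", the same as the heading the hunk changed from 5.2.3 to 5.2.4 at its start, so the block that follows it ("1) Zone exclusion ...", the 5.2.3 feature list) is now labelled as 5.2.4 as well. The trailing heading should keep "5 . 2 . 3". The same hunk recurs in the shorewall-init releasenotes.txt diff below.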
@@ -629,6 +645,124 @@ LOAD_HELPERS_ONLY=Yes had been specified. ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 2 . 4 +---------------------------------------------------------------------------- + +5.2.4.4 + +1) When DYNAMIC_BLACKLIST=ipset... or when SAVE_IPSETS=Yes in + shorewall[6].conf, 'shorewall[6] start' could hang when 5.2.4.3 + was installed. That has been corrected. + +2) When 5.2.4.3 was installed, 'shorewall[6] start' would not + automatically create dynamic blacklisting ipsets. That has been + corrected. + +5.2.4.3 + +1) When interfaces was managed by Network Manager and IFUPDOWN=1 was + specified in the Shorewall-init configuration file, when an optional + interface was brought up, enabling the interface in + Shorewall6[-lite] could fail. + + Correcting this issue involves corrected code in this release of + Shorewall, but also may require a configuration change in + /etc/shorewall6/interfaces. The change in Shorewall makes the + generated script honor the 'wait=<seconds>' specification in + /etc/shorewall6/interfaces when executing the 'enable' command. + If there are optional interfaces that do not specify 'wait=...', + then the interfaces file must be altered to include such + specifications. + +2) An unnecessary test during command initialization in the generated + script has been eliminated. + +3) Previously, 'shorewall[6] stop' or 'shorewall[6] clear' would + create the dynamic blacklist ipset if it did not exist. Creation + of the ipset is now defered until the next 'start'. + +4) Previously, 'shorewall[6] start' would delete all corresponding + ipsets before restoring. It now deletes only those sets that will + be restored, thus allowing SAVE_IPSETS to be specified in the + Shorewall-init configuration when ipset-based dynamic blacklisting + is also enabled. 
Previously, if any additional ipsets were used, + it was necessary to set SAVE_IPSETS=Yes in shorewall[6].conf as + well. + +5) Previously, 'Shorewall-init start' restored ipsets after stopping + the firewalls, precluding use of ipsets in the stoppedrules file. + Shorewall-init now restores the ipsets before stopping the + firewalls. + +6) Optimize level 16 has been speeded up by an order of magnitude. + Tests using a large user-supplied configuration showed compilation + time with OPTIMIZE=all was reduced from 22min 40 seconds to 21.5 + seconds. + +5.2.4.2 + +1) This release corrects two problems associated with Debian + Shorewall-init when IFUPDOWN=1 in the Shorewall-init + configuration file (/etc/default/shorewall-init): + + a) Down events were ignored when Network Manager was being used. + + b) Up events were processed twice when a dual-stack interface + was brought up. + + Both problems have been corrected. To make the fixes effective, + it is necessary to recompile the firewall script (shorewall[6] + compile, start, restart or reload). + +5.2.4.1 + +1) The web site and documentation have been improved to correct some + invalid links in the manpages (including the manpages released + in Shorewall components) and to link directly to the current + website at https://shorewall.org. (Tuomo Soini) + +2) Cautions regarding SAVE_IPSETS have been added to the ipsets + article. + +3) OpenSuSE users running systemd have complained that the firewalls + are stopped after a Shorewall product upgrade. The problem is that + OpenSuSE restarts all running products that have been + upgraded. Recall that 'systemctl restart' is equivalent to + 'systemctl stop && systemctl start'. But starting Shorewall-init + results in the firewall products specified in the Shorewall-init + config file to be stopped. To address this issue, Shorewall-init + will now ignore 'start' and 'stop' commands, for running firewalls + (Tuomo Soini). 
+ +4) On Redhat-based system and on OpenSuSE, extraneous Shorewall-init + log messages regarding invalid commands were being issued. These + harmless messages are now suppressed (Tuomo Soini). + +5.2.4 Final + +1) Previously, when a Shorewall6 firewall was placed into the + 'stopped' state, ICMP6 packets required by RFC 4890 were not + automatically accepted by the generated ruleset. + + Beginning with this release, those packets are automatically + accepted. + +2) Previously, the output of 'shorewall[6] help' displayed the + superseded 'load' command. That text has been deleted. + +3) The QOSExample.html file in the documentation and on the web site + previously showed tcrules content for the /etc/shorewall/mangle + file (recall that 'mangle' superseded 'tcrules'). That page has + been corrected. + +4) The 'Starting and Stopping' and 'Configuration file basics' + documents have been updated to align them with the current product + behavior. + +5) The 'ipsets' document has been updated to clarify the use of + ipsets in the stoppedrules file. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 2 . 3 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.4.5/shorewall-core.spec new/shorewall-core-5.2.5.2/shorewall-core.spec --- old/shorewall-core-5.2.4.5/shorewall-core.spec 2020-05-14 18:36:02.000000000 +0200 +++ new/shorewall-core-5.2.5.2/shorewall-core.spec 2020-06-28 20:27:29.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-core -%define version 5.2.4 -%define release 5 +%define version 5.2.5 +%define release 2 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} 
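Review bot: the text moved into the new "PROBLEMS CORRECTED IN 5.2.4" block carries two slips over from the original section: 5.2.4.3 item 1 "When interfaces was managed by Network Manager" (should be "were managed") and 5.2.4.3 item 3 "is now defered until the next 'start'" (should be "deferred"). Since the block is being rewritten in this hunk anyway, correct them here.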
@@ -69,18 +69,18 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt %changelog -* Sun May 10 2020 Tom Eastep <[email protected]> -- Updated to 5.2.4-5 -* Wed Apr 29 2020 Tom Eastep <[email protected]> -- Updated to 5.2.4-4 +* Wed Jun 24 2020 Tom Eastep <[email protected]> +- Updated to 5.2.5-2 +* Sat Jun 13 2020 Tom Eastep <[email protected]> +- Updated to 5.2.5-1 +* Wed Jun 10 2020 Tom Eastep <[email protected]> +- Updated to 5.2.5-0base +* Sat Jun 06 2020 Tom Eastep <[email protected]> +- Updated to 5.2.5-0RC1 +* Wed Jun 03 2020 Tom Eastep <[email protected]> +- Updated to 5.2.5-0Beta2 * Sun Apr 19 2020 Tom Eastep <[email protected]> -- Updated to 5.2.4-3 -* Sat Apr 18 2020 Tom Eastep <[email protected]> -- Updated to 5.2.4-2 -* Fri Mar 27 2020 Tom Eastep <[email protected]> -- Updated to 5.2.4-1 -* Tue Mar 17 2020 Tom Eastep <[email protected]> -- Updated to 5.2.4-0base +- Updated to 5.2.5-0Beta1 * Sat Mar 14 2020 Tom Eastep <[email protected]> - Updated to 5.2.4-0RC1 * Fri Mar 06 2020 Tom Eastep <[email protected]> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.4.5/uninstall.sh new/shorewall-core-5.2.5.2/uninstall.sh --- old/shorewall-core-5.2.4.5/uninstall.sh 2020-05-14 18:36:01.000000000 +0200 +++ new/shorewall-core-5.2.5.2/uninstall.sh 2020-06-28 20:27:28.000000000 +0200 
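Review bot: the %changelog hunk deletes the entries "Updated to 5.2.4-0base" through "Updated to 5.2.4-5" while adding the 5.2.5 ones, so the history of the released 5.2.4.x builds disappears from the spec; an RPM %changelog should only ever grow. Keep the removed lines (from "* Tue Mar 17 2020 ... Updated to 5.2.4-0base" up to "* Sun May 10 2020 ... Updated to 5.2.4-5") above the new 5.2.5 entries. The last surviving entry being 5.2.4-0RC1 suggests the 5.2.5 spec was branched at that point and never rebased.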
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.2.4.5 +VERSION=5.2.5.2 PRODUCT=shorewall-core Product="Shorewall Core" ++++++ shorewall-docs-html-5.2.4.5.tar.bz2 -> shorewall-docs-html-5.2.5.2.tar.bz2 ++++++ ++++ 2822 lines of diff (skipped) ++++++ shorewall-init-5.2.4.5.tar.bz2 -> shorewall-init-5.2.5.2.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.4.5/changelog.txt new/shorewall-init-5.2.5.2/changelog.txt --- old/shorewall-init-5.2.4.5/changelog.txt 2020-05-14 18:36:02.000000000 +0200 +++ new/shorewall-init-5.2.5.2/changelog.txt 2020-06-28 20:27:29.000000000 +0200 
@@ -1,3 +1,55 @@ +Changes in 5.2.5.2 + +1) Update release documents + +2) Correct handling of ";;+" in the snat file. + +Changes in 5.2.5.1 + +1) Update release documents + +2) Replace 'kern.err' sith 'daemon.err'. + +3) Remove duplicates from the output of 'show actions'. + +4) Correct a typo in shorewall-providers(5). + +Changes in 5.2.5 Final + +1) Update release documents + +2) Zone name too long error message added. + +Changes in 5.2.5 RC 1 + +1) Update release documents + +2) Update module versions + +3) Omit STATE-oriented rules from wildcard policy chains. + +Changes in 5.2.5 Beta 2 + +1) Update release documents + +2) Read the params file during 'allow' processing. + +3) Store exported config params in a named array. + +4) Add the 'log' option to the DYNAMIC_BLACKLIST setting. + +5) Add the 'blacklist!' command. + +6) Add the 'noupdate' DYNAMIC_BLACKLIST option. + +Changes in 5.2.5 Beta 1 + +1) Update release documents + +2) Don't install /etc/network/if-down.d/shorewall on Debian. + +3) Create DBL ipset with 'timeout 0' + Changes in 5.2.4.5 1) Update release documents diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.4.5/configure new/shorewall-init-5.2.5.2/configure --- old/shorewall-init-5.2.4.5/configure 2020-05-14 18:36:02.000000000 +0200 +++ new/shorewall-init-5.2.5.2/configure 2020-06-28 20:27:29.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.2.4.5 +VERSION=5.2.5.2 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.4.5/configure.pl new/shorewall-init-5.2.5.2/configure.pl --- old/shorewall-init-5.2.4.5/configure.pl 2020-05-14 18:36:02.000000000 +0200 +++ new/shorewall-init-5.2.5.2/configure.pl 2020-06-28 20:27:29.000000000 +0200 
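Review bot: in the changelog.txt hunk, "Replace 'kern.err' sith 'daemon.err'" should read "with". More importantly, the changelog says the replaced facility was 'kern', while the 5.2.5.1 release note for the same fix (item 1 under 5.2.5.1 in releasenotes.txt) says the 'err' messages had been left on the 'user' facility; one of the two records is wrong and they should agree on which facility was replaced.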
@@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.2.4.5' + VERSION => '5.2.5.2' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.4.5/install.sh new/shorewall-init-5.2.5.2/install.sh --- old/shorewall-init-5.2.4.5/install.sh 2020-05-14 18:36:02.000000000 +0200 +++ new/shorewall-init-5.2.5.2/install.sh 2020-06-28 20:27:29.000000000 +0200 @@ -27,7 +27,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=5.2.4.5 +VERSION=5.2.5.2 PRODUCT=shorewall-init Product="Shorewall Init" @@ -169,7 +169,7 @@ ;; *) if [ -f /etc/os-release ]; then - eval $(cat /etc/os-release | grep ^ID=) + ID=$(grep '^ID=' /etc/os-release | sed 's/ID=//; s/"//g;') case $ID in fedora|rhel|centos|foobar) @@ -357,12 +357,11 @@ if [ $HOST = debian ]; then if [ -n "${DESTDIR}" ]; then make_parent_directory ${DESTDIR}${ETC}/network/if-up.d 0755 - make_parent_directory ${DESTDIR}${ETC}/network/if-down.d 0755 make_parent_directory ${DESTDIR}${ETC}/network/if-post-down.d 0755 elif [ $configure -eq 0 ]; then - make_parent_directory ${DESTDIR}${CONFDIR}/network/if-up.d 0755 - make_parent_directory ${DESTDIR}${CONFDIR}/network/if-down.d 0755 - make_parent_directory ${DESTDIR}${CONFDIR}/network/if-post-down.d 0755 + make_parent_directory ${CONFDIR}/network/if-up.d 0755 + make_parent_directory ${CONFDIR}/network/if-post-down.d 0755 + rm -f ${CONFDIR}/network/if-down.d/shorewall fi if [ ! -f ${DESTDIR}${CONFDIR}/default/$PRODUCT ]; then @@ -388,7 +387,7 @@ elif [ $HOST = openwrt ]; then # Not implemented on OpenWRT /bin/true - else + elif [ "$HOST" != debian ]; then make_parent_directory ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d 0755 fi fi 
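Review bot: in the "@@ -169,7 +169,7 @@" hunk of install.sh, replacing "eval $(cat /etc/os-release | grep ^ID=)" with a plain assignment is the right fix (eval ran whatever shell text the ID= line of /etc/os-release happened to contain), but the new sed strips only double quotes, while os-release(5) allows values to be single-quoted as well; a distribution writing ID='foo' would leave the quotes in $ID and fall through the "case $ID in" below. Suggest anchoring the prefix removal and stripping both quote kinds:

    ID=$(grep '^ID=' /etc/os-release | sed -e 's/^ID=//' -e "s/[\"']//g")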
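Review bot: in the "@@ -357,12 +357,11 @@" hunk of install.sh, the "elif [ $configure -eq 0 ]" branch now removes the obsolete if-down.d/shorewall script with "rm -f", but the staged-install branch ("if [ -n "${DESTDIR}" ]") above it does not, so a package built from a DESTDIR install depends on the packaging to drop the old file on upgrade; say so in a comment. Dropping the ${DESTDIR} prefix in the configure=0 branch is behaviour-preserving, since that branch is only reached when DESTDIR is empty, but the asymmetry with the first branch deserves a comment as well so it does not look accidental.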
@@ -417,19 +416,22 @@ fi if [ -d ${DESTDIR}/etc/NetworkManager ]; then - [ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755 - install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544 + if [ "$HOST" = debian ]; then + rm -f ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall + else + [ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755 + install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544 + fi fi case $HOST in debian) if [ $configure -eq 1 ]; then install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544 - install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544 install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544 + rm -f ${DESTDIR}/etc/network/if-down.d/shorewall else install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-up.d/shorewall 0544 - install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-down.d/shorewall 0544 install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-post-down.d/shorewall 0544 fi ;; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.4.5/releasenotes.txt new/shorewall-init-5.2.5.2/releasenotes.txt --- old/shorewall-init-5.2.4.5/releasenotes.txt 2020-05-14 18:36:02.000000000 +0200 +++ new/shorewall-init-5.2.5.2/releasenotes.txt 2020-06-28 20:27:29.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 2 . 4 . 5 - -------------------------------- - M A Y 1 4 , 2 0 1 9 + S H O R E W A L L 5 . 2 . 5 . 2 + ------------------------------- + J U N E 2 8 , 2 0 2 0 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
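Review bot: in the "@@ -417,19 +416,22 @@" hunk of install.sh, the enclosing test hard-codes "${DESTDIR}/etc/NetworkManager", the new "rm -f" and the existing install_file use "${DESTDIR}${ETC}/NetworkManager/dispatcher.d", and the make_parent_directory call uses "${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d"; whenever ETC or CONFDIR differs from /etc, the directory test, the directory creation and the file being installed or removed refer to different trees. Use one variable for all four paths.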
@@ -13,127 +13,65 @@ ---------------------------------------------------------------------------- I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -5.2.4.5 -1) The description of the 'optional' option has been expanded in - shorewall-interfaces(5). +5.2.5.2 -2) Previously, the AUTOMAKE option did not work properly when - /etc/shorewall[6] was a symbolic link. That has been corrected. - -5.2.4.4 - -1) When DYNAMIC_BLACKLIST=ipset... or when SAVE_IPSETS=Yes in - shorewall[6].conf, 'shorewall[6] start' could hang when 5.2.4.3 - was installed. That has been corrected. - -2) When 5.2.4.3 was installed, 'shorewall[6] start' would not - automatically create dynamic blacklisting ipsets. That has been - corrected. - -5.2.4.3 - -1) When interfaces was managed by Network Manager and IFUPDOWN=1 was - specified in the Shorewall-init configuration file, when an optional - interface was brought up, enabling the interface in - Shorewall6[-lite] could fail. - - Correcting this issue involves corrected code in this release of - Shorewall, but also may require a configuration change in - /etc/shorewall6/interfaces. The change in Shorewall makes the - generated script honor the 'wait=<seconds>' specification in - /etc/shorewall6/interfaces when executing the 'enable' command. - If there are optional interfaces that do not specify 'wait=...', - then the interfaces file must be altered to include such - specifications. - -2) An unnecessary test during command initialization in the generated - script has been eliminated. - -3) Previously, 'shorewall[6] stop' or 'shorewall[6] clear' would - create the dynamic blacklist ipset if it did not exist. Creation - of the ipset is now defered until the next 'start'. - -4) Previously, 'shorewall[6] start' would delete all corresponding - ipsets before restoring. 
It now deletes only those sets that will - be restored, thus allowing SAVE_IPSETS to be specified in the - Shorewall-init configuration when ipset-based dynamic blacklisting - is also enabled. Previously, if any additional ipsets were used, - it was necessary to set SAVE_IPSETS=Yes in shorewall[6].conf as - well. - -5) Previously, 'Shorewall-init start' restored ipsets after stopping - the firewalls, precluding use of ipsets in the stoppedrules file. - Shorewall-init now restores the ipsets before stopping the - firewalls. - -6) Optimize level 16 has been speeded up by an order of magnitude. - Tests using a large user-supplied configuration showed compilation - time with OPTIMIZE=all was reduced from 22min 40 seconds to 21.5 - seconds. - -5.2.4.2 - -1) This release corrects two problems associated with Debian - Shorewall-init when IFUPDOWN=1 in the Shorewall-init - configuration file (/etc/default/shorewall-init): - - a) Down events were ignored when Network Manager was being used. - - b) Up events were processed twice when a dual-stack interface - was brought up. - - Both problems have been corrected. To make the fixes effective, - it is necessary to recompile the firewall script (shorewall[6] - compile, start, restart or reload). - -5.2.4.1 - -1) The web site and documentation have been improved to correct some - invalid links in the manpages (including the manpages released - in Shorewall components) and to link directly to the current - website at https://shorewall.org. (Tuomo Soini) - -2) Cautions regarding SAVE_IPSETS have been added to the ipsets - article. - -3) OpenSuSE users running systemd have complained that the firewalls - are stopped after a Shorewall product upgrade. The problem is that - OpenSuSE restarts all running products that have been - upgraded. Recall that 'systemctl restart' is equivalent to - 'systemctl stop && systemctl start'. 
But starting Shorewall-init - results in the firewall products specified in the Shorewall-init - config file to be stopped. To address this issue, Shorewall-init - will now ignore 'start' and 'stop' commands, for running firewalls - (Tuomo Soini). - -4) On Redhat-based system and on OpenSuSE, extraneous Shorewall-init - log messages regarding invalid commands were being issued. These - harmless messages are now suppressed (Tuomo Soini). - -5.2.4 Final - -1) Previously, when a Shorewall6 firewall was placed into the - 'stopped' state, ICMP6 packets required by RFC 4890 were not - automatically accepted by the generated ruleset. - - Beginning with this release, those packets are automatically - accepted. - -2) Previously, the output of 'shorewall[6] help' displayed the - superseded 'load' command. That text has been deleted. - -3) The QOSExample.html file in the documentation and on the web site - previously showed tcrules content for the /etc/shorewall/mangle - file (recall that 'mangle' superseded 'tcrules'). That page has - been corrected. - -4) The 'Starting and Stopping' and 'Configuration file basics' - documents have been updated to align them with the current product - behavior. - -5) The 'ipsets' document has been updated to clarify the use of - ipsets in the stoppedrules file. +1) Previously, ";;+" was mishandled in the snat file; the generated + rule incorrectly included the leading "+". That has been corrected + so that the generated rule is now correct. + + Example (SNAT OpenVPN server traffic leaving on eth0): + + SNAT(192.2.0.4) - eth0 ;;+ -p udp --sport 1194 + +5.2.5.1 + +1) The change in 5.2.5 base which changed the 'user' facility to the + 'daemon' facility in Shorewall syslog messages did not change the + messages with severity 'err'. That has been corrected such that + all syslog messages now use the 'daemon' facility. 
+ +2) The actions.std file contains "?IF...?ELSE...?ENDIF" sequences + that provide different action options depending on the availabilty + of certain capabilities. This has resulted in the Broadcast and + Multicast options being listed twice in the output of + "shorewall[6] show actions". Beginning with this release, this + duplication is eliminated. Note, however, that the options shown + will be incomplete if they were continued onto another line, and + may be incorrect for Broadcast and Multicast. + +3) A typo in shorewall-providers(5) has been corrected. + +5.2.5 Base + +1) Previously, Shorewall-init installed a 'shorewall' script in + /etc/network/if-down.d on Debian and derivatives. This script was + unnecessary and required Debian-specific code in the generated + firewall script. The Shorewall-init script is no longer installed + and the generated firewall script is now free of + distribution-specific code. + +2) Also on Debian and derivatives, Shorewall-init installed + /etc//NetworkManager/dispatcher.d/01-shorewall which was also + unnecessary. Beginning with this release, that file is no longer + installed. + +3) Previously, if the dynamic-blacklisting default timeout was set in + a variable in the params file and the variable was used in setting + DYNAMIC_BLACKLIST, then the 'allow' command would fail with + the message: + + ERROR: Invalid value (ipset-only,disconnect,timeout=) for + DYNAMIC_BLACKLIST + + That has been corrected. + +4) When EXPAND_POLICIES=No in shorewall[6].conf, policies in complex + rulesets are enforced in chains such as 'net-all' and + 'all-all'. Previously, these chains included redundant + state-oriented rules. In addition to being redundant. these rules + could actually break complex IPv6 configurations. The extra rules are + now omitted. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
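Review bot: new text in this hunk: 5.2.5.1 item 2 "availabilty" should be "availability"; 5.2.5 Base item 2 names "/etc//NetworkManager/dispatcher.d/01-shorewall" with a doubled slash; 5.2.5 Base item 4 "In addition to being redundant. these rules" needs a comma in place of the full stop.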
@@ -181,33 +119,79 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Previously, Shorewall's Docker support assumed that the default - Docker Bridge (docker0) was being used. Beginning with this - release, the DOCKER_BRIDGE option in Shorewall.conf allows an - arbitrary name to be assigned to the bridge. In particular, when - CNI is being used, DOCKER_BRIDGE=cni0 is the appropriate setting. +1) Prior to this release, when a 'timeout' value was specified in the + DYNAMIC_BLACKLIST setting, the dynamic-blacklisting ipset was + created with this default timeout. This had the unfortunate + disadvantage that it was not possible to add permanent entries + into the ipset. Even if 'timeout 0' was specified in a 'blacklist' + command, the entry would still age out of the ipset after the + default timeout had elapsed. + + Beginning with this release, the dynamic-blacklisting ipset is + created with 'timeout 0'. When an address is added to the set, + either by BLACKLIST policy enforcement, by the BLACKLIST action, + or by the CLI 'blacklist' command (where no 'timeout' is + specified), the default timeout is applied to the new entry. + + Once you have upgraded to this version of Shorewall, you can + convert your existing dynamic-blacklisting ipset (with a non-zero + default timeout) to have a default timeout of zero as follows: + + a) If RESTART=restart in shorewall[6].conf, then simply + 'shorewall[6] restart'. + + b) Otherwise, 'shorewall[6] stop && shorewall[6] start'. + +2) Previously, when an ADD or DEL rule specified logging, the entire + action (e.g. 'ADD(+NET_BL:src:7200)') was included in the log + message. This could easily lead to a "Log prefix shortened..." + warning during compilation. 
+ + Beginning with this release, such log messages will contain only + the basic action ('ADD' or 'DEL') and the set name (e.g., + 'ADD(NET_BL)') to reduce the liklihood of producing the warning. + +3) Traditionally, Shorewall has logged state change messages using + the 'user' syslog facility. Beginning with this release, these + messages will be logged using the 'daemon' facility to more + accurately reflect that these messages relate to a service. + +4) The DYNAMIC_BLACKLIST setting now allows a 'log' option to be + specified for ipset-based blacklisting. When this option is given, + successful 'blacklist' and 'allow' commands generate a 'daemon.info' + log message. + +5) When ipset-based dynamic blacklisting is enabled, the generated + ruleset has traditionally refreshed the 'timeout' of an ipset + entry when a packet from blacklisted host is received. This has + the unfortunate side effect that it can change a permanent entry + (timeout 0) to a temporary (one with non-zero timeout). Beginning + with this release, this timeout refresh can be avoided by + specifying the 'noupdate' option in the DYNAMIC_BLACKLIST + setting. -2) The CLI keywords 'debug' and 'trace' have been replaced by -D and - -T options respectively (e.g., 'shorewall trace reload' is now - 'shorewall -T reload'). Like the keywords, only one of these - options can be active at a time; if both are entered, only the - last one is activated. A similar change has been made to the - generated script. +6) To allow Shorewall's ipset-based blacklisting to play nicely with + fail2ban, the 'blacklist!' CLI command has been added. - The -T option (formerly 'trace') now applies only to shell-level - tracing in the CLI and generated script. Those commands that - invoke the rules compiler now accept a -D command option which - causes the compiler to generate debugging information (e.g., - 'shorewall check -D'). 
+ The command - The 'nolock' keyword is now deprecated in favor of the -N - option (e.g., 'shorewall nolock reload' becomes 'shorewall -N - reload'). + blacklist! <ip> - See shorewall(8) for details. + is equivalent to -3) Within the source code and documentation, 'shorewall.net' has been - replaced by 'shorewall.org'. + blacklist <ip> timeout 0 + + thus allowing 'blacklist!' to be specified as the 'blocktype' in + /etc/fail2ban/actions.d/shorewall.conf. + + See https://shorewall.org/blacklisting_support.htm#fail2ban for + further information about using Shorewall dynamic blacklisting + with fail2ban. + +7) Previously, when a zone name was too long, the resulting error + message was "Invalid zone name (<name>)". To make the cause of + the failur4e clearer, the message is now "Zone name (<name>) too + long". ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S @@ -314,7 +298,7 @@ This issue is not handled by 'shorewall update' and must be corrected manually. -3) The Netfilter team have removed support for the rawpost table, so +4) The Netfilter team have removed support for the rawpost table, so Shorewall no longer supports features requiring that table (stateless netmapping in the netmap file). The good news is that, since kernel 3.7, Netfilter supports stateful IPv6 network mapping @@ -324,10 +308,10 @@ This issue is not handled by 'shorewall update' and must be corrected manually. -4) The (undocumented) Makefiles haven't been maintained for many +5) The (undocumented) Makefiles haven't been maintained for many releases and have been removed. -5) Beginning with Shorewall 5.1.2, The DROP_DEFAULT, REJECT_DEFAULT, +6) Beginning with Shorewall 5.1.2, The DROP_DEFAULT, REJECT_DEFAULT, etc. options may now specify a comma-separated list of actions rather than just a single action. The actions are invoked in the order in which they are listed and each action may optionally be 
@@ -345,13 +329,13 @@ This issue is partially handled by 'shorewall update' - see the 5.2 issues below. -6) Beginning with Shorewall 5.1.2, the allowBcast, dropBcast, and +7) Beginning with Shorewall 5.1.2, the allowBcast, dropBcast, and Broadcast no longer handle multicast. Multicast is handeled separately in actions allowMcast, dropMcast and Multicast. The now-deprecated Drop and Reject policy actions have been modified so that they continue to silently drop multicast packets. -7) According to the Netfilter team (see +8) According to the Netfilter team (see https://patchwork.kernel.org/patch/9198133/), the --nflog-range option of the NFLOG target has never worked correctly, and they have deprecated that option in favor of the --nflog-size option. @@ -376,14 +360,14 @@ This issue is not handled by 'shorewall update' and must be corrected manually. -8) The MODULE_SUFFIX option in shorewall[6].conf was eliminated in +9) The MODULE_SUFFIX option in shorewall[6].conf was eliminated in Shorewall 5.1.7. Shorewall now finds modules, independent of their filename suffix. 'shorewall [-6] update' will automatically remove any MODULE_SUFFIX setting. -9) Beginning with Shorewall 5.1.8, when RESTORE_DEFAULT_ROUTE=Yes the +10) Beginning with Shorewall 5.1.8, when RESTORE_DEFAULT_ROUTE=Yes the default route is only restored when there are no enabled 'balance/primary' providers and no enabled fallback providers. @@ -392,7 +376,7 @@ successfully enabled, the default route(s) are removed from the main table. -10) Because restoring default routes to the main routing table can +11) Because restoring default routes to the main routing table can break the ability of Foolsm and other link status monitors to properly detect non-functioning provider links, a warning message is issued when the 'persistent' provider option is specified and 
@@ -406,7 +390,7 @@ This issue is not handled by 'shorewall update' and must be corrected manually. -11) Most interface OPTIONS have always been ignored when the INTERFACE +12) Most interface OPTIONS have always been ignored when the INTERFACE name is '+'. Beginning with the Shorewall 5.1.10 release, a warning is issued when an ignored option is specified with interface name '+'. @@ -451,7 +435,7 @@ This issue is not handled by 'shorewall update' and must be corrected manually. -12) INLINE_MATCHES=Yes has been documented as deprecated for some +13) INLINE_MATCHES=Yes has been documented as deprecated for some time, but it has not generated a warning. Beginning with the Shorewall 5.1.12 release, a warning is issued: 
@@ -607,7 +591,39 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 2 R E L E A S E S ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 5 . 2 . 3 + N E W F E A T U R E S I N 5 . 2 . 4 +---------------------------------------------------------------------------- + +1) Previously, Shorewall's Docker support assumed that the default + Docker Bridge (docker0) was being used. Beginning with this + release, the DOCKER_BRIDGE option in Shorewall.conf allows an + arbitrary name to be assigned to the bridge. In particular, when + CNI is being used, DOCKER_BRIDGE=cni0 is the appropriate setting. + +2) The CLI keywords 'debug' and 'trace' have been replaced by -D and + -T options respectively (e.g., 'shorewall trace reload' is now + 'shorewall -T reload'). Like the keywords, only one of these + options can be active at a time; if both are entered, only the + last one is activated. A similar change has been made to the + generated script. + + The -T option (formerly 'trace') now applies only to shell-level + tracing in the CLI and generated script. Those commands that + invoke the rules compiler now accept a -D command option which + causes the compiler to generate debugging information (e.g., + 'shorewall check -D'). + + The 'nolock' keyword is now deprecated in favor of the -N + option (e.g., 'shorewall nolock reload' becomes 'shorewall -N + reload'). + + See shorewall(8) for details. + +3) Within the source code and documentation, 'shorewall.net' has been + replaced by 'shorewall.org'. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 2 . 4 ---------------------------------------------------------------------------- 1) Zone exclusion (e.g., "all!z2,z2,...") is now supported in the 
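Review bot: the second added header in this hunk, the one placed directly above the retained "1) Zone exclusion (e.g., "all!z2,z2,...")" item, repeats 'N E W F E A T U R E S I N 5 . 2 . 4'. Those retained items sat under the 5.2.3 header that the first change in this hunk renamed to 5.2.4, so this second header should read 5 . 2 . 3; as written, section V labels the 5.2.3 features as a second 5.2.4 block.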
@@ -629,6 +645,124 @@ LOAD_HELPERS_ONLY=Yes had been specified. ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 2 . 4 +---------------------------------------------------------------------------- + +5.2.4.4 + +1) When DYNAMIC_BLACKLIST=ipset... or when SAVE_IPSETS=Yes in + shorewall[6].conf, 'shorewall[6] start' could hang when 5.2.4.3 + was installed. That has been corrected. + +2) When 5.2.4.3 was installed, 'shorewall[6] start' would not + automatically create dynamic blacklisting ipsets. That has been + corrected. + +5.2.4.3 + +1) When interfaces was managed by Network Manager and IFUPDOWN=1 was + specified in the Shorewall-init configuration file, when an optional + interface was brought up, enabling the interface in + Shorewall6[-lite] could fail. + + Correcting this issue involves corrected code in this release of + Shorewall, but also may require a configuration change in + /etc/shorewall6/interfaces. The change in Shorewall makes the + generated script honor the 'wait=<seconds>' specification in + /etc/shorewall6/interfaces when executing the 'enable' command. + If there are optional interfaces that do not specify 'wait=...', + then the interfaces file must be altered to include such + specifications. + +2) An unnecessary test during command initialization in the generated + script has been eliminated. + +3) Previously, 'shorewall[6] stop' or 'shorewall[6] clear' would + create the dynamic blacklist ipset if it did not exist. Creation + of the ipset is now defered until the next 'start'. + +4) Previously, 'shorewall[6] start' would delete all corresponding + ipsets before restoring. It now deletes only those sets that will + be restored, thus allowing SAVE_IPSETS to be specified in the + Shorewall-init configuration when ipset-based dynamic blacklisting + is also enabled. 
Previously, if any additional ipsets were used, + it was necessary to set SAVE_IPSETS=Yes in shorewall[6].conf as + well. + +5) Previously, 'Shorewall-init start' restored ipsets after stopping + the firewalls, precluding use of ipsets in the stoppedrules file. + Shorewall-init now restores the ipsets before stopping the + firewalls. + +6) Optimize level 16 has been speeded up by an order of magnitude. + Tests using a large user-supplied configuration showed compilation + time with OPTIMIZE=all was reduced from 22min 40 seconds to 21.5 + seconds. + +5.2.4.2 + +1) This release corrects two problems associated with Debian + Shorewall-init when IFUPDOWN=1 in the Shorewall-init + configuration file (/etc/default/shorewall-init): + + a) Down events were ignored when Network Manager was being used. + + b) Up events were processed twice when a dual-stack interface + was brought up. + + Both problems have been corrected. To make the fixes effective, + it is necessary to recompile the firewall script (shorewall[6] + compile, start, restart or reload). + +5.2.4.1 + +1) The web site and documentation have been improved to correct some + invalid links in the manpages (including the manpages released + in Shorewall components) and to link directly to the current + website at https://shorewall.org. (Tuomo Soini) + +2) Cautions regarding SAVE_IPSETS have been added to the ipsets + article. + +3) OpenSuSE users running systemd have complained that the firewalls + are stopped after a Shorewall product upgrade. The problem is that + OpenSuSE restarts all running products that have been + upgraded. Recall that 'systemctl restart' is equivalent to + 'systemctl stop && systemctl start'. But starting Shorewall-init + results in the firewall products specified in the Shorewall-init + config file to be stopped. To address this issue, Shorewall-init + will now ignore 'start' and 'stop' commands, for running firewalls + (Tuomo Soini). 
+ +4) On Redhat-based system and on OpenSuSE, extraneous Shorewall-init + log messages regarding invalid commands were being issued. These + harmless messages are now suppressed (Tuomo Soini). + +5.2.4 Final + +1) Previously, when a Shorewall6 firewall was placed into the + 'stopped' state, ICMP6 packets required by RFC 4890 were not + automatically accepted by the generated ruleset. + + Beginning with this release, those packets are automatically + accepted. + +2) Previously, the output of 'shorewall[6] help' displayed the + superseded 'load' command. That text has been deleted. + +3) The QOSExample.html file in the documentation and on the web site + previously showed tcrules content for the /etc/shorewall/mangle + file (recall that 'mangle' superseded 'tcrules'). That page has + been corrected. + +4) The 'Starting and Stopping' and 'Configuration file basics' + documents have been updated to align them with the current product + behavior. + +5) The 'ipsets' document has been updated to clarify the use of + ipsets in the stoppedrules file. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 2 . 3 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.4.5/shorewall-init new/shorewall-init-5.2.5.2/shorewall-init --- old/shorewall-init-5.2.4.5/shorewall-init 2020-05-14 18:22:44.000000000 +0200 +++ new/shorewall-init-5.2.5.2/shorewall-init 2020-06-28 20:05:00.000000000 +0200 
@@ -43,23 +43,6 @@ fi } -# -# This is modified by the installer when ${SHAREDIR} <> /usr/share -# -. /usr/share/shorewall/shorewallrc - -# check if shorewall-init is configured or not -if [ -f "$SYSCONFDIR/shorewall-init" ]; then - . $SYSCONFDIR/shorewall-init - if [ -z "$PRODUCTS" ]; then - echo "ERROR: No products configured" >&2 - exit 1 - fi -else - echo "ERROR: ${SYSCONFDIR}/shorewall-init not found" >&2 - exit 1 -fi - # Initialize the firewalls shorewall_init_start () { @@ -121,6 +104,23 @@ return 0 } +# +# This is modified by the installer when ${SHAREDIR} <> /usr/share +# +. /usr/share/shorewall/shorewallrc + +# check if shorewall-init is configured or not +if [ -f "$SYSCONFDIR/shorewall-init" ]; then + . $SYSCONFDIR/shorewall-init + if [ -z "$PRODUCTS" ]; then + echo "ERROR: No products configured" >&2 + exit 1 + fi +else + echo "ERROR: ${SYSCONFDIR}/shorewall-init not found" >&2 + exit 1 +fi + case "$1" in start) shorewall_init_start diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.4.5/shorewall-init.spec new/shorewall-init-5.2.5.2/shorewall-init.spec --- old/shorewall-init-5.2.4.5/shorewall-init.spec 2020-05-14 18:36:02.000000000 +0200 +++ new/shorewall-init-5.2.5.2/shorewall-init.spec 2020-06-28 20:27:29.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-init -%define version 5.2.4 -%define release 5 +%define version 5.2.5 +%define release 2 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} 
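Review bot: in the relocated block, `. $SYSCONFDIR/shorewall-init` sources the file unquoted while the test just above it quotes `"$SYSCONFDIR/shorewall-init"`; use `. "$SYSCONFDIR/shorewall-init"` so both lines treat a SYSCONFDIR containing whitespace the same way. The move itself preserves behaviour: shorewall_init_start and the other functions defined above only read $PRODUCTS when invoked from the `case "$1"` dispatch, which still runs after the configuration has been sourced and validated, and both error exits are unchanged. The motivation for the reordering is not stated in the hunk, and the 5.2.5 changelog entries shown on this page do not mention it; a one-line changelog entry would help anyone bisecting shorewall-init startup behaviour later.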
@@ -135,18 +135,18 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Sun May 10 2020 Tom Eastep <[email protected]> -- Updated to 5.2.4-5 -* Wed Apr 29 2020 Tom Eastep <[email protected]> -- Updated to 5.2.4-4 +* Wed Jun 24 2020 Tom Eastep <[email protected]> +- Updated to 5.2.5-2 +* Sat Jun 13 2020 Tom Eastep <[email protected]> +- Updated to 5.2.5-1 +* Wed Jun 10 2020 Tom Eastep <[email protected]> +- Updated to 5.2.5-0base +* Sat Jun 06 2020 Tom Eastep <[email protected]> +- Updated to 5.2.5-0RC1 +* Wed Jun 03 2020 Tom Eastep <[email protected]> +- Updated to 5.2.5-0Beta2 * Sun Apr 19 2020 Tom Eastep <[email protected]> -- Updated to 5.2.4-3 -* Sat Apr 18 2020 Tom Eastep <[email protected]> -- Updated to 5.2.4-2 -* Fri Mar 27 2020 Tom Eastep <[email protected]> -- Updated to 5.2.4-1 -* Tue Mar 17 2020 Tom Eastep <[email protected]> -- Updated to 5.2.4-0base +- Updated to 5.2.5-0Beta1 * Sat Mar 14 2020 Tom Eastep <[email protected]> - Updated to 5.2.4-0RC1 * Fri Mar 06 2020 Tom Eastep <[email protected]> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.4.5/uninstall.sh new/shorewall-init-5.2.5.2/uninstall.sh --- old/shorewall-init-5.2.4.5/uninstall.sh 2020-05-14 18:36:02.000000000 +0200 +++ new/shorewall-init-5.2.5.2/uninstall.sh 2020-06-28 20:27:29.000000000 +0200 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.2.4.5 +VERSION=5.2.5.2 PRODUCT=shorewall-init Product="Shorewall Init" ++++++ shorewall-lite-5.2.4.5.tar.bz2 -> shorewall-lite-5.2.5.2.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.4.5/Shorewall-lite-targetname new/shorewall-lite-5.2.5.2/Shorewall-lite-targetname --- old/shorewall-lite-5.2.4.5/Shorewall-lite-targetname 2020-05-14 18:22:44.000000000 +0200 +++ new/shorewall-lite-5.2.5.2/Shorewall-lite-targetname 1970-01-01 01:00:00.000000000 +0100 @@ -1 +0,0 @@ -5.2.4.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.4.5/changelog.txt new/shorewall-lite-5.2.5.2/changelog.txt --- old/shorewall-lite-5.2.4.5/changelog.txt 2020-05-14 18:36:02.000000000 +0200 +++ new/shorewall-lite-5.2.5.2/changelog.txt 2020-06-28 20:27:29.000000000 +0200 
@@ -1,3 +1,55 @@ +Changes in 5.2.5.2 + +1) Update release documents + +2) Correct handling of ";;+" in the snat file. + +Changes in 5.2.5.1 + +1) Update release documents + +2) Replace 'kern.err' sith 'daemon.err'. + +3) Remove duplicates from the output of 'show actions'. + +4) Correct a typo in shorewall-providers(5). + +Changes in 5.2.5 Final + +1) Update release documents + +2) Zone name too long error message added. + +Changes in 5.2.5 RC 1 + +1) Update release documents + +2) Update module versions + +3) Omit STATE-oriented rules from wildcard policy chains. + +Changes in 5.2.5 Beta 2 + +1) Update release documents + +2) Read the params file during 'allow' processing. + +3) Store exported config params in a named array. + +4) Add the 'log' option to the DYNAMIC_BLACKLIST setting. + +5) Add the 'blacklist!' command. + +6) Add the 'noupdate' DYNAMIC_BLACKLIST option. + +Changes in 5.2.5 Beta 1 + +1) Update release documents + +2) Don't install /etc/network/if-down.d/shorewall on Debian. + +3) Create DBL ipset with 'timeout 0' + Changes in 5.2.4.5 1) Update release documents diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.4.5/configure new/shorewall-lite-5.2.5.2/configure --- old/shorewall-lite-5.2.4.5/configure 2020-05-14 18:36:02.000000000 +0200 +++ new/shorewall-lite-5.2.5.2/configure 2020-06-28 20:27:29.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.2.4.5 +VERSION=5.2.5.2 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.4.5/configure.pl new/shorewall-lite-5.2.5.2/configure.pl --- old/shorewall-lite-5.2.4.5/configure.pl 2020-05-14 18:36:02.000000000 +0200 +++ new/shorewall-lite-5.2.5.2/configure.pl 2020-06-28 20:27:29.000000000 +0200 
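Review bot: typo in the added 'Changes in 5.2.5.1' item 2, 'sith' should be 'with'.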
@@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.2.4.5' + VERSION => '5.2.5.2' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.4.5/install.sh new/shorewall-lite-5.2.5.2/install.sh --- old/shorewall-lite-5.2.4.5/install.sh 2020-05-14 18:36:02.000000000 +0200 +++ new/shorewall-lite-5.2.5.2/install.sh 2020-06-28 20:27:29.000000000 +0200 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=5.2.4.5 +VERSION=5.2.5.2 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.4.5/manpages/shorewall-lite-vardir.5 new/shorewall-lite-5.2.5.2/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-5.2.4.5/manpages/shorewall-lite-vardir.5 2020-04-29 22:36:52.000000000 +0200 +++ new/shorewall-lite-5.2.5.2/manpages/shorewall-lite-vardir.5 2020-06-13 22:10:37.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 04/29/2020 +.\" Date: 06/13/2020 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "04/29/2020" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\-VAR" "5" "06/13/2020" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.4.5/manpages/shorewall-lite.8 new/shorewall-lite-5.2.5.2/manpages/shorewall-lite.8 --- old/shorewall-lite-5.2.4.5/manpages/shorewall-lite.8 2020-04-29 22:36:53.000000000 +0200 +++ new/shorewall-lite-5.2.5.2/manpages/shorewall-lite.8 2020-06-13 22:10:37.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 04/29/2020 +.\" Date: 06/13/2020 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "04/29/2020" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL\-LITE" "8" "06/13/2020" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.4.5/manpages/shorewall-lite.conf.5 new/shorewall-lite-5.2.5.2/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-5.2.4.5/manpages/shorewall-lite.conf.5 2020-04-29 22:36:51.000000000 +0200 +++ new/shorewall-lite-5.2.5.2/manpages/shorewall-lite.conf.5 2020-06-13 22:10:36.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 04/29/2020 +.\" Date: 06/13/2020 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "04/29/2020" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\&.CO" "5" "06/13/2020" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.4.5/releasenotes.txt new/shorewall-lite-5.2.5.2/releasenotes.txt --- old/shorewall-lite-5.2.4.5/releasenotes.txt 2020-05-14 18:36:02.000000000 +0200 +++ new/shorewall-lite-5.2.5.2/releasenotes.txt 2020-06-28 20:27:29.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 2 . 4 . 5 - -------------------------------- - M A Y 1 4 , 2 0 1 9 + S H O R E W A L L 5 . 2 . 5 . 2 + ------------------------------- + J U N E 2 8 , 2 0 2 0 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -13,127 +13,65 @@ ---------------------------------------------------------------------------- I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -5.2.4.5 -1) The description of the 'optional' option has been expanded in - shorewall-interfaces(5). +5.2.5.2 -2) Previously, the AUTOMAKE option did not work properly when - /etc/shorewall[6] was a symbolic link. That has been corrected. - -5.2.4.4 - -1) When DYNAMIC_BLACKLIST=ipset... or when SAVE_IPSETS=Yes in - shorewall[6].conf, 'shorewall[6] start' could hang when 5.2.4.3 - was installed. That has been corrected. - -2) When 5.2.4.3 was installed, 'shorewall[6] start' would not - automatically create dynamic blacklisting ipsets. That has been - corrected. - -5.2.4.3 - -1) When interfaces was managed by Network Manager and IFUPDOWN=1 was - specified in the Shorewall-init configuration file, when an optional - interface was brought up, enabling the interface in - Shorewall6[-lite] could fail. - - Correcting this issue involves corrected code in this release of - Shorewall, but also may require a configuration change in - /etc/shorewall6/interfaces. The change in Shorewall makes the - generated script honor the 'wait=<seconds>' specification in - /etc/shorewall6/interfaces when executing the 'enable' command. - If there are optional interfaces that do not specify 'wait=...', - then the interfaces file must be altered to include such - specifications. - -2) An unnecessary test during command initialization in the generated - script has been eliminated. - -3) Previously, 'shorewall[6] stop' or 'shorewall[6] clear' would - create the dynamic blacklist ipset if it did not exist. Creation - of the ipset is now defered until the next 'start'. - -4) Previously, 'shorewall[6] start' would delete all corresponding - ipsets before restoring. 
It now deletes only those sets that will - be restored, thus allowing SAVE_IPSETS to be specified in the - Shorewall-init configuration when ipset-based dynamic blacklisting - is also enabled. Previously, if any additional ipsets were used, - it was necessary to set SAVE_IPSETS=Yes in shorewall[6].conf as - well. - -5) Previously, 'Shorewall-init start' restored ipsets after stopping - the firewalls, precluding use of ipsets in the stoppedrules file. - Shorewall-init now restores the ipsets before stopping the - firewalls. - -6) Optimize level 16 has been speeded up by an order of magnitude. - Tests using a large user-supplied configuration showed compilation - time with OPTIMIZE=all was reduced from 22min 40 seconds to 21.5 - seconds. - -5.2.4.2 - -1) This release corrects two problems associated with Debian - Shorewall-init when IFUPDOWN=1 in the Shorewall-init - configuration file (/etc/default/shorewall-init): - - a) Down events were ignored when Network Manager was being used. - - b) Up events were processed twice when a dual-stack interface - was brought up. - - Both problems have been corrected. To make the fixes effective, - it is necessary to recompile the firewall script (shorewall[6] - compile, start, restart or reload). - -5.2.4.1 - -1) The web site and documentation have been improved to correct some - invalid links in the manpages (including the manpages released - in Shorewall components) and to link directly to the current - website at https://shorewall.org. (Tuomo Soini) - -2) Cautions regarding SAVE_IPSETS have been added to the ipsets - article. - -3) OpenSuSE users running systemd have complained that the firewalls - are stopped after a Shorewall product upgrade. The problem is that - OpenSuSE restarts all running products that have been - upgraded. Recall that 'systemctl restart' is equivalent to - 'systemctl stop && systemctl start'. 
But starting Shorewall-init - results in the firewall products specified in the Shorewall-init - config file to be stopped. To address this issue, Shorewall-init - will now ignore 'start' and 'stop' commands, for running firewalls - (Tuomo Soini). - -4) On Redhat-based system and on OpenSuSE, extraneous Shorewall-init - log messages regarding invalid commands were being issued. These - harmless messages are now suppressed (Tuomo Soini). - -5.2.4 Final - -1) Previously, when a Shorewall6 firewall was placed into the - 'stopped' state, ICMP6 packets required by RFC 4890 were not - automatically accepted by the generated ruleset. - - Beginning with this release, those packets are automatically - accepted. - -2) Previously, the output of 'shorewall[6] help' displayed the - superseded 'load' command. That text has been deleted. - -3) The QOSExample.html file in the documentation and on the web site - previously showed tcrules content for the /etc/shorewall/mangle - file (recall that 'mangle' superseded 'tcrules'). That page has - been corrected. - -4) The 'Starting and Stopping' and 'Configuration file basics' - documents have been updated to align them with the current product - behavior. - -5) The 'ipsets' document has been updated to clarify the use of - ipsets in the stoppedrules file. +1) Previously, ";;+" was mishandled in the snat file; the generated + rule incorrectly included the leading "+". That has been corrected + so that the generated rule is now correct. + + Example (SNAT OpenVPN server traffic leaving on eth0): + + SNAT(192.2.0.4) - eth0 ;;+ -p udp --sport 1194 + +5.2.5.1 + +1) The change in 5.2.5 base which changed the 'user' facility to the + 'daemon' facility in Shorewall syslog messages did not change the + messages with severity 'err'. That has been corrected such that + all syslog messages now use the 'daemon' facility. 
+ +2) The actions.std file contains "?IF...?ELSE...?ENDIF" sequences + that provide different action options depending on the availabilty + of certain capabilities. This has resulted in the Broadcast and + Multicast options being listed twice in the output of + "shorewall[6] show actions". Beginning with this release, this + duplication is eliminated. Note, however, that the options shown + will be incomplete if they were continued onto another line, and + may be incorrect for Broadcast and Multicast. + +3) A typo in shorewall-providers(5) has been corrected. + +5.2.5 Base + +1) Previously, Shorewall-init installed a 'shorewall' script in + /etc/network/if-down.d on Debian and derivatives. This script was + unnecessary and required Debian-specific code in the generated + firewall script. The Shorewall-init script is no longer installed + and the generated firewall script is now free of + distribution-specific code. + +2) Also on Debian and derivatives, Shorewall-init installed + /etc//NetworkManager/dispatcher.d/01-shorewall which was also + unnecessary. Beginning with this release, that file is no longer + installed. + +3) Previously, if the dynamic-blacklisting default timeout was set in + a variable in the params file and the variable was used in setting + DYNAMIC_BLACKLIST, then the 'allow' command would fail with + the message: + + ERROR: Invalid value (ipset-only,disconnect,timeout=) for + DYNAMIC_BLACKLIST + + That has been corrected. + +4) When EXPAND_POLICIES=No in shorewall[6].conf, policies in complex + rulesets are enforced in chains such as 'net-all' and + 'all-all'. Previously, these chains included redundant + state-oriented rules. In addition to being redundant. these rules + could actually break complex IPv6 configurations. The extra rules are + now omitted. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
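Review bot: several defects in the added text of this problems-corrected hunk. The 5.2.5.2 example address 192.2.0.4 is an ordinary routable address and looks like a transposition of 192.0.2.4 from the RFC 5737 documentation range; item 2 under 5.2.5.1 has 'availabilty' (availability); item 2 under 5.2.5 Base has a doubled slash in '/etc//NetworkManager/dispatcher.d/01-shorewall'; and item 4 under 5.2.5 Base reads 'In addition to being redundant. these rules', where the period should be a comma.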
@@ -181,33 +119,79 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Previously, Shorewall's Docker support assumed that the default - Docker Bridge (docker0) was being used. Beginning with this - release, the DOCKER_BRIDGE option in Shorewall.conf allows an - arbitrary name to be assigned to the bridge. In particular, when - CNI is being used, DOCKER_BRIDGE=cni0 is the appropriate setting. +1) Prior to this release, when a 'timeout' value was specified in the + DYNAMIC_BLACKLIST setting, the dynamic-blacklisting ipset was + created with this default timeout. This had the unfortunate + disadvantage that it was not possible to add permanent entries + into the ipset. Even if 'timeout 0' was specified in a 'blacklist' + command, the entry would still age out of the ipset after the + default timeout had elapsed. + + Beginning with this release, the dynamic-blacklisting ipset is + created with 'timeout 0'. When an address is added to the set, + either by BLACKLIST policy enforcement, by the BLACKLIST action, + or by the CLI 'blacklist' command (where no 'timeout' is + specified), the default timeout is applied to the new entry. + + Once you have upgraded to this version of Shorewall, you can + convert your existing dynamic-blacklisting ipset (with a non-zero + default timeout) to have a default timeout of zero as follows: + + a) If RESTART=restart in shorewall[6].conf, then simply + 'shorewall[6] restart'. + + b) Otherwise, 'shorewall[6] stop && shorewall[6] start'. + +2) Previously, when an ADD or DEL rule specified logging, the entire + action (e.g. 'ADD(+NET_BL:src:7200)') was included in the log + message. This could easily lead to a "Log prefix shortened..." + warning during compilation. 
+ + Beginning with this release, such log messages will contain only + the basic action ('ADD' or 'DEL') and the set name (e.g., + 'ADD(NET_BL)') to reduce the liklihood of producing the warning. + +3) Traditionally, Shorewall has logged state change messages using + the 'user' syslog facility. Beginning with this release, these + messages will be logged using the 'daemon' facility to more + accurately reflect that these messages relate to a service. + +4) The DYNAMIC_BLACKLIST setting now allows a 'log' option to be + specified for ipset-based blacklisting. When this option is given, + successful 'blacklist' and 'allow' commands generate a 'daemon.info' + log message. + +5) When ipset-based dynamic blacklisting is enabled, the generated + ruleset has traditionally refreshed the 'timeout' of an ipset + entry when a packet from blacklisted host is received. This has + the unfortunate side effect that it can change a permanent entry + (timeout 0) to a temporary (one with non-zero timeout). Beginning + with this release, this timeout refresh can be avoided by + specifying the 'noupdate' option in the DYNAMIC_BLACKLIST + setting. -2) The CLI keywords 'debug' and 'trace' have been replaced by -D and - -T options respectively (e.g., 'shorewall trace reload' is now - 'shorewall -T reload'). Like the keywords, only one of these - options can be active at a time; if both are entered, only the - last one is activated. A similar change has been made to the - generated script. +6) To allow Shorewall's ipset-based blacklisting to play nicely with + fail2ban, the 'blacklist!' CLI command has been added. - The -T option (formerly 'trace') now applies only to shell-level - tracing in the CLI and generated script. Those commands that - invoke the rules compiler now accept a -D command option which - causes the compiler to generate debugging information (e.g., - 'shorewall check -D'). 
+ The command - The 'nolock' keyword is now deprecated in favor of the -N - option (e.g., 'shorewall nolock reload' becomes 'shorewall -N - reload'). + blacklist! <ip> - See shorewall(8) for details. + is equivalent to -3) Within the source code and documentation, 'shorewall.net' has been - replaced by 'shorewall.org'. + blacklist <ip> timeout 0 + + thus allowing 'blacklist!' to be specified as the 'blocktype' in + /etc/fail2ban/actions.d/shorewall.conf. + + See https://shorewall.org/blacklisting_support.htm#fail2ban for + further information about using Shorewall dynamic blacklisting + with fail2ban. + +7) Previously, when a zone name was too long, the resulting error + message was "Invalid zone name (<name>)". To make the cause of + the failur4e clearer, the message is now "Zone name (<name>) too + long". ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S @@ -314,7 +298,7 @@ This issue is not handled by 'shorewall update' and must be corrected manually. -3) The Netfilter team have removed support for the rawpost table, so +4) The Netfilter team have removed support for the rawpost table, so Shorewall no longer supports features requiring that table (stateless netmapping in the netmap file). The good news is that, since kernel 3.7, Netfilter supports stateful IPv6 network mapping @@ -324,10 +308,10 @@ This issue is not handled by 'shorewall update' and must be corrected manually. -4) The (undocumented) Makefiles haven't been maintained for many +5) The (undocumented) Makefiles haven't been maintained for many releases and have been removed. -5) Beginning with Shorewall 5.1.2, The DROP_DEFAULT, REJECT_DEFAULT, +6) Beginning with Shorewall 5.1.2, The DROP_DEFAULT, REJECT_DEFAULT, etc. options may now specify a comma-separated list of actions rather than just a single action. The actions are invoked in the order in which they are listed and each action may optionally be 
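Review bot: typos in the added text of the new-features hunk (@@ -181,33 +119,79 @@): item 2 has 'liklihood' (likelihood) and item 7 has 'failur4e' (failure). The renumbering hunks that follow in section IV are consistent with one another (3 through 12 shift to 4 through 13), but the hunk that inserts the new item 3 they make room for is not among those shown here, so its presence should be confirmed in the full diff.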
@@ -345,13 +329,13 @@ This issue is partially handled by 'shorewall update' - see the 5.2 issues below. -6) Beginning with Shorewall 5.1.2, the allowBcast, dropBcast, and +7) Beginning with Shorewall 5.1.2, the allowBcast, dropBcast, and Broadcast no longer handle multicast. Multicast is handeled separately in actions allowMcast, dropMcast and Multicast. The now-deprecated Drop and Reject policy actions have been modified so that they continue to silently drop multicast packets. -7) According to the Netfilter team (see +8) According to the Netfilter team (see https://patchwork.kernel.org/patch/9198133/), the --nflog-range option of the NFLOG target has never worked correctly, and they have deprecated that option in favor of the --nflog-size option. @@ -376,14 +360,14 @@ This issue is not handled by 'shorewall update' and must be corrected manually. -8) The MODULE_SUFFIX option in shorewall[6].conf was eliminated in +9) The MODULE_SUFFIX option in shorewall[6].conf was eliminated in Shorewall 5.1.7. Shorewall now finds modules, independent of their filename suffix. 'shorewall [-6] update' will automatically remove any MODULE_SUFFIX setting. -9) Beginning with Shorewall 5.1.8, when RESTORE_DEFAULT_ROUTE=Yes the +10) Beginning with Shorewall 5.1.8, when RESTORE_DEFAULT_ROUTE=Yes the default route is only restored when there are no enabled 'balance/primary' providers and no enabled fallback providers. @@ -392,7 +376,7 @@ successfully enabled, the default route(s) are removed from the main table. -10) Because restoring default routes to the main routing table can +11) Because restoring default routes to the main routing table can break the ability of Foolsm and other link status monitors to properly detect non-functioning provider links, a warning message is issued when the 'persistent' provider option is specified and 
@@ -406,7 +390,7 @@ This issue is not handled by 'shorewall update' and must be corrected manually. -11) Most interface OPTIONS have always been ignored when the INTERFACE +12) Most interface OPTIONS have always been ignored when the INTERFACE name is '+'. Beginning with the Shorewall 5.1.10 release, a warning is issued when an ignored option is specified with interface name '+'. @@ -451,7 +435,7 @@ This issue is not handled by 'shorewall update' and must be corrected manually. -12) INLINE_MATCHES=Yes has been documented as deprecated for some +13) INLINE_MATCHES=Yes has been documented as deprecated for some time, but it has not generated a warning. Beginning with the Shorewall 5.1.12 release, a warning is issued: 
@@ -607,7 +591,39 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 2 R E L E A S E S ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 5 . 2 . 3 + N E W F E A T U R E S I N 5 . 2 . 4 +---------------------------------------------------------------------------- + +1) Previously, Shorewall's Docker support assumed that the default + Docker Bridge (docker0) was being used. Beginning with this + release, the DOCKER_BRIDGE option in Shorewall.conf allows an + arbitrary name to be assigned to the bridge. In particular, when + CNI is being used, DOCKER_BRIDGE=cni0 is the appropriate setting. + +2) The CLI keywords 'debug' and 'trace' have been replaced by -D and + -T options respectively (e.g., 'shorewall trace reload' is now + 'shorewall -T reload'). Like the keywords, only one of these + options can be active at a time; if both are entered, only the + last one is activated. A similar change has been made to the + generated script. + + The -T option (formerly 'trace') now applies only to shell-level + tracing in the CLI and generated script. Those commands that + invoke the rules compiler now accept a -D command option which + causes the compiler to generate debugging information (e.g., + 'shorewall check -D'). + + The 'nolock' keyword is now deprecated in favor of the -N + option (e.g., 'shorewall nolock reload' becomes 'shorewall -N + reload'). + + See shorewall(8) for details. + +3) Within the source code and documentation, 'shorewall.net' has been + replaced by 'shorewall.org'. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 2 . 4 ---------------------------------------------------------------------------- 1) Zone exclusion (e.g., "all!z2,z2,...") is now supported in the 
@@ -629,6 +645,124 @@ LOAD_HELPERS_ONLY=Yes had been specified. ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 2 . 4 +---------------------------------------------------------------------------- + +5.2.4.4 + +1) When DYNAMIC_BLACKLIST=ipset... or when SAVE_IPSETS=Yes in + shorewall[6].conf, 'shorewall[6] start' could hang when 5.2.4.3 + was installed. That has been corrected. + +2) When 5.2.4.3 was installed, 'shorewall[6] start' would not + automatically create dynamic blacklisting ipsets. That has been + corrected. + +5.2.4.3 + +1) When interfaces was managed by Network Manager and IFUPDOWN=1 was + specified in the Shorewall-init configuration file, when an optional + interface was brought up, enabling the interface in + Shorewall6[-lite] could fail. + + Correcting this issue involves corrected code in this release of + Shorewall, but also may require a configuration change in + /etc/shorewall6/interfaces. The change in Shorewall makes the + generated script honor the 'wait=<seconds>' specification in + /etc/shorewall6/interfaces when executing the 'enable' command. + If there are optional interfaces that do not specify 'wait=...', + then the interfaces file must be altered to include such + specifications. + +2) An unnecessary test during command initialization in the generated + script has been eliminated. + +3) Previously, 'shorewall[6] stop' or 'shorewall[6] clear' would + create the dynamic blacklist ipset if it did not exist. Creation + of the ipset is now defered until the next 'start'. + +4) Previously, 'shorewall[6] start' would delete all corresponding + ipsets before restoring. It now deletes only those sets that will + be restored, thus allowing SAVE_IPSETS to be specified in the + Shorewall-init configuration when ipset-based dynamic blacklisting + is also enabled. 
Previously, if any additional ipsets were used, + it was necessary to set SAVE_IPSETS=Yes in shorewall[6].conf as + well. + +5) Previously, 'Shorewall-init start' restored ipsets after stopping + the firewalls, precluding use of ipsets in the stoppedrules file. + Shorewall-init now restores the ipsets before stopping the + firewalls. + +6) Optimize level 16 has been speeded up by an order of magnitude. + Tests using a large user-supplied configuration showed compilation + time with OPTIMIZE=all was reduced from 22min 40 seconds to 21.5 + seconds. + +5.2.4.2 + +1) This release corrects two problems associated with Debian + Shorewall-init when IFUPDOWN=1 in the Shorewall-init + configuration file (/etc/default/shorewall-init): + + a) Down events were ignored when Network Manager was being used. + + b) Up events were processed twice when a dual-stack interface + was brought up. + + Both problems have been corrected. To make the fixes effective, + it is necessary to recompile the firewall script (shorewall[6] + compile, start, restart or reload). + +5.2.4.1 + +1) The web site and documentation have been improved to correct some + invalid links in the manpages (including the manpages released + in Shorewall components) and to link directly to the current + website at https://shorewall.org. (Tuomo Soini) + +2) Cautions regarding SAVE_IPSETS have been added to the ipsets + article. + +3) OpenSuSE users running systemd have complained that the firewalls + are stopped after a Shorewall product upgrade. The problem is that + OpenSuSE restarts all running products that have been + upgraded. Recall that 'systemctl restart' is equivalent to + 'systemctl stop && systemctl start'. But starting Shorewall-init + results in the firewall products specified in the Shorewall-init + config file to be stopped. To address this issue, Shorewall-init + will now ignore 'start' and 'stop' commands, for running firewalls + (Tuomo Soini). 
+ +4) On Redhat-based system and on OpenSuSE, extraneous Shorewall-init + log messages regarding invalid commands were being issued. These + harmless messages are now suppressed (Tuomo Soini). + +5.2.4 Final + +1) Previously, when a Shorewall6 firewall was placed into the + 'stopped' state, ICMP6 packets required by RFC 4890 were not + automatically accepted by the generated ruleset. + + Beginning with this release, those packets are automatically + accepted. + +2) Previously, the output of 'shorewall[6] help' displayed the + superseded 'load' command. That text has been deleted. + +3) The QOSExample.html file in the documentation and on the web site + previously showed tcrules content for the /etc/shorewall/mangle + file (recall that 'mangle' superseded 'tcrules'). That page has + been corrected. + +4) The 'Starting and Stopping' and 'Configuration file basics' + documents have been updated to align them with the current product + behavior. + +5) The 'ipsets' document has been updated to clarify the use of + ipsets in the stoppedrules file. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 2 . 3 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.4.5/shorewall-lite.spec new/shorewall-lite-5.2.5.2/shorewall-lite.spec --- old/shorewall-lite-5.2.4.5/shorewall-lite.spec 2020-05-14 18:36:02.000000000 +0200 +++ new/shorewall-lite-5.2.5.2/shorewall-lite.spec 2020-06-28 20:27:29.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-lite -%define version 5.2.4 -%define release 5 +%define version 5.2.5 +%define release 2 %define initdir /etc/init.d Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. 
@@ -114,18 +114,18 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Sun May 10 2020 Tom Eastep <[email protected]> -- Updated to 5.2.4-5 -* Wed Apr 29 2020 Tom Eastep <[email protected]> -- Updated to 5.2.4-4 +* Wed Jun 24 2020 Tom Eastep <[email protected]> +- Updated to 5.2.5-2 +* Sat Jun 13 2020 Tom Eastep <[email protected]> +- Updated to 5.2.5-1 +* Wed Jun 10 2020 Tom Eastep <[email protected]> +- Updated to 5.2.5-0base +* Sat Jun 06 2020 Tom Eastep <[email protected]> +- Updated to 5.2.5-0RC1 +* Wed Jun 03 2020 Tom Eastep <[email protected]> +- Updated to 5.2.5-0Beta2 * Sun Apr 19 2020 Tom Eastep <[email protected]> -- Updated to 5.2.4-3 -* Sat Apr 18 2020 Tom Eastep <[email protected]> -- Updated to 5.2.4-2 -* Fri Mar 27 2020 Tom Eastep <[email protected]> -- Updated to 5.2.4-1 -* Tue Mar 17 2020 Tom Eastep <[email protected]> -- Updated to 5.2.4-0base +- Updated to 5.2.5-0Beta1 * Sat Mar 14 2020 Tom Eastep <[email protected]> - Updated to 5.2.4-0RC1 * Fri Mar 06 2020 Tom Eastep <[email protected]> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.4.5/uninstall.sh new/shorewall-lite-5.2.5.2/uninstall.sh --- old/shorewall-lite-5.2.4.5/uninstall.sh 2020-05-14 18:36:02.000000000 +0200 +++ new/shorewall-lite-5.2.5.2/uninstall.sh 2020-06-28 20:27:29.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.2.4.5 +VERSION=5.2.5.2 usage() # $1 = exit status { ++++++ shorewall-5.2.4.5.tar.bz2 -> shorewall6-5.2.5.2.tar.bz2 ++++++ ++++ 122573 lines of diff (skipped) ++++++ shorewall-lite-5.2.4.5.tar.bz2 -> shorewall6-lite-5.2.5.2.tar.bz2 ++++++ ++++ 3600 lines of diff (skipped)
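Review bot: typo in the added item 7 of the first releasenotes.txt hunk in this section ("To make the cause of the failur4e clearer"): "failur4e" should be "failure". In the same hunk, the new fail2ban item states that 'blacklist! <ip>' is equivalent to 'blacklist <ip> timeout 0' and recommends it as the 'blocktype' in /etc/fail2ban/actions.d/shorewall.conf; one sentence on what a zero timeout means for the lifetime of the entry would spare readers a trip to the linked article before they adopt it.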
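Review bot: pre-existing typo in the unchanged context of the @@ -345,13 +329,13 @@ hunk ("Multicast is handeled separately"): "handeled" should be "handled". Since the surrounding items are being renumbered in this change anyway, fix it here rather than in a follow-up.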
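Review bot: duplicate heading in the @@ -607,7 +591,39 @@ hunk of releasenotes.txt. The hunk adds "N E W F E A T U R E S I N 5 . 2 . 4" twice: the first copy replaces the old "N E W F E A T U R E S I N 5 . 2 . 3" heading and introduces the three new 5.2.4 items, but the second copy sits directly above the unchanged "1) Zone exclusion (e.g., "all!z2,z2,...") is now supported" item that previously lived under the 5.2.3 heading. The second added heading should therefore read "N E W F E A T U R E S I N 5 . 2 . 3".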
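Review bot: the behaviour change recorded in item 1 under "5.2.4 Final" of the @@ -629,6 +645,124 @@ hunk (a Shorewall6 firewall in the 'stopped' state now automatically accepts the ICMP6 packets required by RFC 4890, where previously it did not) widens what the stopped state admits and so deserves a cross-reference from the Migration Issues section, or at least a sentence here telling administrators who depended on the previous stopped-state behaviour to review their stoppedrules. Wording fixes for the added text in the same hunk: "When interfaces was managed by Network Manager" should be "When interfaces are managed by Network Manager"; "defered" should be "deferred"; "speeded up" should be "sped up"; "results in the firewall products specified in the Shorewall-init config file to be stopped" should be "results in the firewall products specified in the Shorewall-init config file being stopped"; "On Redhat-based system and on OpenSuSE" should be "On Redhat-based systems and on OpenSuSE".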
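Review bot: history rewrite in the %changelog of the @@ -114,18 +114,18 @@ hunk of shorewall-lite.spec. The hunk drops the existing entries for 5.2.4-0base, 5.2.4-1, 5.2.4-2, 5.2.4-3, 5.2.4-4 and 5.2.4-5 and reuses the "Sun Apr 19 2020" entry, formerly "- Updated to 5.2.4-3", for "- Updated to 5.2.5-0Beta1". An RPM %changelog should only ever be prepended to: keep the 5.2.4 entries as they were and add the 5.2.5-0Beta1 entry with its own date above them, so that the changelog still explains which release each shipped tarball corresponds to.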
