Hello community, here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2020-07-08 19:17:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shorewall (Old) and /work/SRC/openSUSE:Factory/.shorewall.new.3060 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall" Wed Jul 8 19:17:24 2020 rev:118 rq:819361 version:5.2.6 Changes: -------- --- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2020-07-05 01:15:17.744444694 +0200 +++ /work/SRC/openSUSE:Factory/.shorewall.new.3060/shorewall.changes 2020-07-08 19:17:56.092058400 +0200 
@@ -1,0 +2,36 @@ +Tue Jul 7 11:31:48 UTC 2020 - Bruno Friedmann <[email protected]> + +- Update to version 5.2.6 + + **Upgrade your configuration** + https://shorewall.org/pub/shorewall/5.2/shorewall-5.2.6/releasenotes.txt + + When compiling for export, the compiler generates a firewall.conf + file which is later installed on the remote firewall system as + ${VARDIR}/firewall.conf. Previously, the CLI on that firewall was + not processing the file, resulting in some features not being + available: + - Default values for VERBOSITY, LOGFILE, LOGFORMAT, PATH, + SHOREWALL_SHELL, SUBSYSLOCK, RESTOREFILE, RESTART, + DYNAMIC_BLACKLIST and PAGER are not supplied. + - scfilter file supplied at compile time. + - dumpfilter file supplied at compile time. + That has been corrected. + + A bug in iptables (see + https://git.netfilter.org/iptables/commit/?id=d1555a0906e35ba8d170613d5a43da64e527dbe1) + prevents the '--queue-cpu-fanout' option from being applied unless + that option is the last one specified. Unfortunately, Shorewall + places the '--queue-bypass' option last if that option is also + specified. + This release works around this issue by ensuring that the + '--queue-cpu-fanout' option appears last. + + The -D 'compile', 'check', 'reload' and 'Restart' option was + previously omitted from the output of 'shorewall help'. It is now + included. As part of this change, an incorrect and conflicting + description of the -D option was removed from the 'remote-restart' + section of shorewall(8). + + Previously, when EXPAND_POLICIES=No, chains that enforced ACCEPT + policies were not completely optimized by optimize level 2 (ACCEPT + rules preceding the final unconditional ACCEPT were not + deleted). That has been corrected such that these rules are now + optimized. 
+ +------------------------------------------------------------------- Old: ---- shorewall-5.2.5.2.tar.bz2 shorewall-core-5.2.5.2.tar.bz2 shorewall-docs-html-5.2.5.2.tar.bz2 shorewall-init-5.2.5.2.tar.bz2 shorewall-lite-5.2.5.2.tar.bz2 shorewall6-5.2.5.2.tar.bz2 shorewall6-lite-5.2.5.2.tar.bz2 New: ---- shorewall-5.2.6.tar.bz2 shorewall-core-5.2.6.tar.bz2 shorewall-docs-html-5.2.6.tar.bz2 shorewall-init-5.2.6.tar.bz2 shorewall-lite-5.2.6.tar.bz2 shorewall6-5.2.6.tar.bz2 shorewall6-lite-5.2.6.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.WlboAl/_old 2020-07-08 19:17:58.432058106 +0200 +++ /var/tmp/diff_new_pack.WlboAl/_new 2020-07-08 19:17:58.432058106 +0200 @@ -18,7 +18,7 @@ %define have_systemd 1 %define dmaj 5.2 -%define dmin 5.2.5 +%define dmin 5.2.6 # Warn users for upgrading configuration but only on major or minor version changes %define conf_need_update 0 #2017+ New fillup location @@ -26,7 +26,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: shorewall -Version: 5.2.5.2 +Version: 5.2.6 Release: 0 Summary: An iptables-based firewall for Linux systems License: GPL-2.0-only ++++++ shorewall-5.2.5.2.tar.bz2 -> shorewall-5.2.6.tar.bz2 ++++++ ++++ 2192 lines of diff (skipped) ++++++ shorewall-core-5.2.5.2.tar.bz2 -> shorewall-core-5.2.6.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.5.2/changelog.txt new/shorewall-core-5.2.6/changelog.txt --- old/shorewall-core-5.2.5.2/changelog.txt 2020-06-28 20:27:29.000000000 +0200 +++ new/shorewall-core-5.2.6/changelog.txt 2020-07-04 19:40:53.000000000 +0200 
@@ -1,18 +1,32 @@ -Changes in 5.2.5.2 +Changes in 5.2.6 Final 1) Update release documents -2) Correct handling of ";;+" in the snat file. +2) Add the compiler -D option to usage output. -Changes in 5.2.5.1 +3) Fix policy chain optimization when EXPAND_POLICIES=No. + +Changes in 5.2.6 RC 1 + +1) Update release documents + +2) Rename snat PORTS column + +3) Add ?FORMAT 2 support for the snat file. + +4) Merge from 5.2.5.2 + +5) Work around iptables --queue-cpu-fanout bug. + +Changes in 5.2.6 Beta 1 1) Update release documents -2) Replace 'kern.err' sith 'daemon.err'. +2) Implement 'dport' action option -3) Remove duplicates from the output of 'show actions'. +2) Make 'show actions' more robust -4) Correct a typo in shorewall-providers(5). +3) Process the firewall.conf file on Shorewall-lite Changes in 5.2.5 Final diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.5.2/configure new/shorewall-core-5.2.6/configure --- old/shorewall-core-5.2.5.2/configure 2020-06-28 20:27:28.000000000 +0200 +++ new/shorewall-core-5.2.6/configure 2020-07-04 19:40:53.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.2.5.2 +VERSION=5.2.6 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.5.2/configure.pl new/shorewall-core-5.2.6/configure.pl --- old/shorewall-core-5.2.5.2/configure.pl 2020-06-28 20:27:28.000000000 +0200 +++ new/shorewall-core-5.2.6/configure.pl 2020-07-04 19:40:53.000000000 +0200 
@@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.2.5.2' + VERSION => '5.2.6' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.5.2/install.sh new/shorewall-core-5.2.6/install.sh --- old/shorewall-core-5.2.5.2/install.sh 2020-06-28 20:27:28.000000000 +0200 +++ new/shorewall-core-5.2.6/install.sh 2020-07-04 19:40:53.000000000 +0200 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=5.2.5.2 +VERSION=5.2.6 PRODUCT=shorewall-core Product="Shorewall Core" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.5.2/known_problems.txt new/shorewall-core-5.2.6/known_problems.txt --- old/shorewall-core-5.2.5.2/known_problems.txt 2020-06-28 20:27:29.000000000 +0200 +++ new/shorewall-core-5.2.6/known_problems.txt 2020-07-04 19:40:53.000000000 +0200 
@@ -35,24 +35,3 @@ change will survive future updates of the shorewall package from apt repositories. The override file itself will be saved to `/etc/systemd/system/shorewall.service.d/`. - -5) When ';;+" appears in the snat file, the '+' incorrectly appears - in the generated ip[6]tables rule. - - Corrected in Shorewall 5.2.5.2. - -6) When compiling for export, the compiler generates a firewall.conf - file which is later installed on the remote firewall system as - ${VARDIR}/firewall.conf. Currently, the CLI on that firewall is - not processing the file, resulting in some features not being - available: - - - Default values for VERBOSITY, LOGFILE, LOGFORMAT, PATH, - SHOREWALL_SHELL, SUBSYSLOCK, RESTOREFILE, RESTART, - DYNAMIC_BLACKLIST and PAGER are not supplied. - - - scfilter file supplied at compile time. - - - dumpfilter file supplied at compile time. - - Corrected in 5.2.6 Beta 1. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.5.2/lib.cli new/shorewall-core-5.2.6/lib.cli --- old/shorewall-core-5.2.5.2/lib.cli 2020-06-28 20:05:00.000000000 +0200 +++ new/shorewall-core-5.2.6/lib.cli 2020-07-04 19:40:43.000000000 +0200 
@@ -937,11 +937,28 @@ fi } +sort_actions() { + local sep #separates sort keys from the action[.std] record + sep="##" + + awk -v sep="$sep" \ + 'BEGIN { action = ""; ifrec = ""; nr = 0; };\ + /^#/ { next; };\ + /^\?(if|IF|If)/ { ifrec = $0; nr = NR; next; };\ + /^( |\t|\?)/ { if ( action != "" ) print action, NR, sep $0; next; };\ + { action = $1; };\ + nr != 0 { print action , nr, sep ifrec; nr = 0; };\ + { print action , NR, sep $0; }' | sort -k 1,2 | sed "s/^.*${sep}//" +} + show_actions() { - if [ -f ${g_confdir}/actions ]; then - cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^[#?[:space:]]|^$' + local actions + actions=$(find_file actions) + + if [ -f ${actions} ]; then + cat ${actions} ${g_sharedir}/actions.std | sort_actions else - grep -Ev '^[#?[:space:]]|^$' ${g_sharedir}/actions.std + sort_actions < ${g_sharedir}/actions.std fi } @@ -1108,10 +1125,6 @@ show_bl; } -show_actions_sorted() { - show_actions | sort -u -k 1,1 -} - show_macros() { for directory in $(split $CONFIG_PATH); do temp= @@ -1543,7 +1556,7 @@ ;; actions) [ $# -gt 1 ] && too_many_arguments $2 - eval show_actions_sorted $g_pager + eval show_actions $g_pager return ;; macro) @@ -4012,7 +4025,7 @@ ensure_config_path - [ -f $g_firewall.conf ] && . ${VARDIR}/firewall.conf + [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin 
@@ -4346,9 +4359,9 @@ echo " add <interface>[:<host-list>] ... <zone>" echo " allow <address> ..." echo " blacklist <address> [ <option> ... ]" - ecko " [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]" + ecko " [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ -D ] [ <directory> ]" echo " clear" - ecko " [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]" + ecko " [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ -D ] [ <directory name> ] [ <path name> ]" echo " close <source> <dest> [ <protocol> [ <port> ] ]" echo " delete <interface>[:<host-list>] ... <zone>" echo " disable <interface>" @@ -4388,7 +4401,7 @@ if [ -n "$g_lite" ]; then echo " reload [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]" else - echo " reload [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]" + echo " reload [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ -D ] [ <directory> ]" fi if [ -z "$g_lite" ]; then @@ -4404,7 +4417,7 @@ if [ -n "$g_lite" ]; then echo " restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]" else - echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]" + echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ -D ] [ <directory> ]" fi echo " restore [ -n ] [ -p ] [ -C ] [ <file name> ]" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.5.2/manpages/shorewall.8 new/shorewall-core-5.2.6/manpages/shorewall.8 --- old/shorewall-core-5.2.5.2/manpages/shorewall.8 2020-06-13 22:10:45.000000000 +0200 +++ new/shorewall-core-5.2.6/manpages/shorewall.8 2020-07-04 19:42:30.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 06/13/2020 +.\" Date: 07/04/2020 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL" "8" "06/13/2020" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL" "8" "07/04/2020" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -1231,9 +1231,6 @@ \fB\-i\fR option was added in Shorewall 4\&.6\&.0 and causes a warning message to be issued if the current line contains alternative input specifications following a semicolon (";")\&. Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5) (\m[blue]\fBshorewall6\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. -.sp -The -\fB\-D \fRoption was added in Shoewall 5\&.2\&.4 and causes the compiler to write a large amount of debugging information to standard output\&. .RE .PP \fBreset [\fR\fB\fIchain\fR\fR\fB, \&.\&.\&.]\fR diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.5.2/releasenotes.txt new/shorewall-core-5.2.6/releasenotes.txt --- old/shorewall-core-5.2.5.2/releasenotes.txt 2020-06-28 20:27:29.000000000 +0200 +++ new/shorewall-core-5.2.6/releasenotes.txt 2020-07-04 19:40:53.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 2 . 5 . 2 + S H O R E W A L L 5 . 2 . 6 ------------------------------- - J U N E 2 8 , 2 0 2 0 + J U L Y 0 4 , 2 0 2 0 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,64 +14,46 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -5.2.5.2 +1) This release includes defect repair up through Shorewall version + 5.2.5.2. -1) Previously, ";;+" was mishandled in the snat file; the generated - rule incorrectly included the leading "+". That has been corrected - so that the generated rule is now correct. +2) When compiling for export, the compiler generates a firewall.conf + file which is later installed on the remote firewall system as + ${VARDIR}/firewall.conf. Previously, the CLI on that firewall was + not processing the file, resulting in some features not being + available: + + - Default values for VERBOSITY, LOGFILE, LOGFORMAT, PATH, + SHOREWALL_SHELL, SUBSYSLOCK, RESTOREFILE, RESTART, + DYNAMIC_BLACKLIST and PAGER are not supplied. - Example (SNAT OpenVPN server traffic leaving on eth0): + - scfilter file supplied at compile time. - SNAT(192.2.0.4) - eth0 ;;+ -p udp --sport 1194 - -5.2.5.1 - -1) The change in 5.2.5 base which changed the 'user' facility to the - 'daemon' facility in Shorewall syslog messages did not change the - messages with severity 'err'. That has been corrected such that - all syslog messages now use the 'daemon' facility. - -2) The actions.std file contains "?IF...?ELSE...?ENDIF" sequences - that provide different action options depending on the availabilty - of certain capabilities. This has resulted in the Broadcast and - Multicast options being listed twice in the output of - "shorewall[6] show actions". Beginning with this release, this - duplication is eliminated. Note, however, that the options shown - will be incomplete if they were continued onto another line, and - may be incorrect for Broadcast and Multicast. - -3) A typo in shorewall-providers(5) has been corrected. - -5.2.5 Base - -1) Previously, Shorewall-init installed a 'shorewall' script in - /etc/network/if-down.d on Debian and derivatives. 
This script was - unnecessary and required Debian-specific code in the generated - firewall script. The Shorewall-init script is no longer installed - and the generated firewall script is now free of - distribution-specific code. - -2) Also on Debian and derivatives, Shorewall-init installed - /etc//NetworkManager/dispatcher.d/01-shorewall which was also - unnecessary. Beginning with this release, that file is no longer - installed. - -3) Previously, if the dynamic-blacklisting default timeout was set in - a variable in the params file and the variable was used in setting - DYNAMIC_BLACKLIST, then the 'allow' command would fail with - the message: - - ERROR: Invalid value (ipset-only,disconnect,timeout=) for - DYNAMIC_BLACKLIST + - dumpfilter file supplied at compile time. That has been corrected. -4) When EXPAND_POLICIES=No in shorewall[6].conf, policies in complex - rulesets are enforced in chains such as 'net-all' and - 'all-all'. Previously, these chains included redundant - state-oriented rules. In addition to being redundant. these rules - could actually break complex IPv6 configurations. The extra rules are - now omitted. +3) A bug in iptables (see + https://git.netfilter.org/iptables/commit/?id=d1555a0906e35ba8d170613d5a43da64e527dbe1) + prevents the '--queue-cpu-fanout' option from being applied unless + that option is the last one specified. Unfortunately, Shorewall + places the '--queue-bypass' option last if that option is also + specified. + + This release works around this issue by ensuring that the + '--queue-cpu-fanout' option appears last. + +4) The -D 'compile', 'check', 'reload' and 'Restart' option was + previously omitted from the output of 'shorewall help'. It is now + included. As part of this change, an incorrect and conflicting + description of the -D option was removed from the 'remote-restart' + section of shorewall(8). 
+ +5) Previously, when EXPAND_POLICIES=No, chains that enforced ACCEPT + policies were not completely optimized by optimize level 2 (ACCEPT + rules preceding the final unconditional ACCEPT were not + deleted). That has been corrected such that these rules are now + optimized. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -119,79 +101,45 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Prior to this release, when a 'timeout' value was specified in the - DYNAMIC_BLACKLIST setting, the dynamic-blacklisting ipset was - created with this default timeout. This had the unfortunate - disadvantage that it was not possible to add permanent entries - into the ipset. Even if 'timeout 0' was specified in a 'blacklist' - command, the entry would still age out of the ipset after the - default timeout had elapsed. +1) The 'actions' file now supports a 'dport' option to go along with + the 'proto' option. Using these two options can now restrict an + action to a particular service. See shorewall-actions(5) for + details. - Beginning with this release, the dynamic-blacklisting ipset is - created with 'timeout 0'. When an address is added to the set, - either by BLACKLIST policy enforcement, by the BLACKLIST action, - or by the CLI 'blacklist' command (where no 'timeout' is - specified), the default timeout is applied to the new entry. + Example limiting net->all SSH connections to 3/min per source IP: - Once you have upgraded to this version of Shorewall, you can - convert your existing dynamic-blacklisting ipset (with a non-zero - default timeout) to have a default timeout of zero as follows: + /etc/shorewall/actions: - a) If RESTART=restart in shorewall[6].conf, then simply - 'shorewall[6] restart'. + SSHLIMIT proto=tcp,\ # Blacklist overzealous SSHers + dport=ssh - b) Otherwise, 'shorewall[6] stop && shorewall[6] start'. + /etc/shorewall/action.SSLHIMIT -2) Previously, when an ADD or DEL rule specified logging, the entire - action (e.g. 'ADD(+NET_BL:src:7200)') was included in the log - message. This could easily lead to a "Log prefix shortened..." - warning during compilation. 
+ ACCEPT { RATE=s:3/min:3 } + BLACKLIST:$LOG_LEVEL:net_SSHLIMIT - Beginning with this release, such log messages will contain only - the basic action ('ADD' or 'DEL') and the set name (e.g., - 'ADD(NET_BL)') to reduce the liklihood of producing the warning. + /etc/shorewall/rules: -3) Traditionally, Shorewall has logged state change messages using - the 'user' syslog facility. Beginning with this release, these - messages will be logged using the 'daemon' facility to more - accurately reflect that these messages relate to a service. + SSHLIMIT net all -4) The DYNAMIC_BLACKLIST setting now allows a 'log' option to be - specified for ipset-based blacklisting. When this option is given, - successful 'blacklist' and 'allow' commands generate a 'daemon.info' - log message. +2) The change to 'show actions' implemented in 5.2.5.1 (see below) + has been further extended. -5) When ipset-based dynamic blacklisting is enabled, the generated - ruleset has traditionally refreshed the 'timeout' of an ipset - entry when a packet from blacklisted host is received. This has - the unfortunate side effect that it can change a permanent entry - (timeout 0) to a temporary (one with non-zero timeout). Beginning - with this release, this timeout refresh can be avoided by - specifying the 'noupdate' option in the DYNAMIC_BLACKLIST - setting. + - "?IF...?ELSE...?ENDIF" sequences are now shown in the output + - Continuation lines are now shown in the output so that all + action options are now displayed + - If an action appears in both /usr/share/shorewall[6]/actions.std + and in /etc/shorewall[6]/actions, then the entry in the actions + file is shown followed by the entry in the actions.std file. -6) To allow Shorewall's ipset-based blacklisting to play nicely with - fail2ban, the 'blacklist!' CLI command has been added. +3) To emphasize that it specifies destination ports, the PORT column + in the snat file has been renamed DPORT. 
Beginning with this + release, both 'port' and 'dport' are accepted in the alternative + input format. - The command - - blacklist! <ip> - - is equivalent to - - blacklist <ip> timeout 0 - - thus allowing 'blacklist!' to be specified as the 'blocktype' in - /etc/fail2ban/actions.d/shorewall.conf. - - See https://shorewall.org/blacklisting_support.htm#fail2ban for - further information about using Shorewall dynamic blacklisting - with fail2ban. - -7) Previously, when a zone name was too long, the resulting error - message was "Invalid zone name (<name>)". To make the cause of - the failur4e clearer, the message is now "Zone name (<name>) too - long". +4) The snat file now supports ?FORMAT 2, which adds an SPORT (source + port) column immediately to the right of the DPORT (destination + port) column. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S @@ -303,7 +251,7 @@ (stateless netmapping in the netmap file). The good news is that, since kernel 3.7, Netfilter supports stateful IPv6 network mapping which is now also supported in Shorewall6 (see - shorewall6-netmap(5)). + shorewall-netmap(5)). This issue is not handled by 'shorewall update' and must be corrected manually. 
@@ -591,6 +539,137 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 2 R E L E A S E S ---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 2 . 5 +---------------------------------------------------------------------------- + +1) Prior to this release, when a 'timeout' value was specified in the + DYNAMIC_BLACKLIST setting, the dynamic-blacklisting ipset was + created with this default timeout. This had the unfortunate + disadvantage that it was not possible to add permanent entries + into the ipset. Even if 'timeout 0' was specified in a 'blacklist' + command, the entry would still age out of the ipset after the + default timeout had elapsed. + + Beginning with this release, the dynamic-blacklisting ipset is + created with 'timeout 0'. When an address is added to the set, + either by BLACKLIST policy enforcement, by the BLACKLIST action, + or by the CLI 'blacklist' command (where no 'timeout' is + specified), the default timeout is applied to the new entry. + + Once you have upgraded to this version of Shorewall, you can + convert your existing dynamic-blacklisting ipset (with a non-zero + default timeout) to have a default timeout of zero as follows: + + a) If RESTART=restart in shorewall[6].conf, then simply + 'shorewall[6] restart'. + + b) Otherwise, 'shorewall[6] stop && shorewall[6] start'. + +2) Previously, when an ADD or DEL rule specified logging, the entire + action (e.g. 'ADD(+NET_BL:src:7200)') was included in the log + message. This could easily lead to a "Log prefix shortened..." + warning during compilation. + + Beginning with this release, such log messages will contain only + the basic action ('ADD' or 'DEL') and the set name (e.g., + 'ADD(NET_BL)') to reduce the liklihood of producing the warning. + +3) Traditionally, Shorewall has logged state change messages using + the 'user' syslog facility. 
Beginning with this release, these + messages will be logged using the 'daemon' facility to more + accurately reflect that these messages relate to a service. + +4) The DYNAMIC_BLACKLIST setting now allows a 'log' option to be + specified for ipset-based blacklisting. When this option is given, + successful 'blacklist' and 'allow' commands generate a 'daemon.info' + log message. + +5) When ipset-based dynamic blacklisting is enabled, the generated + ruleset has traditionally refreshed the 'timeout' of an ipset + entry when a packet from blacklisted host is received. This has + the unfortunate side effect that it can change a permanent entry + (timeout 0) to a temporary (one with non-zero timeout). Beginning + with this release, this timeout refresh can be avoided by + specifying the 'noupdate' option in the DYNAMIC_BLACKLIST + setting. + +6) To allow Shorewall's ipset-based blacklisting to play nicely with + fail2ban, the 'blacklist!' CLI command has been added. + + The command + + blacklist! <ip> + + is equivalent to + + blacklist <ip> timeout 0 + + thus allowing 'blacklist!' to be specified as the 'blocktype' in + /etc/fail2ban/actions.d/shorewall.conf. + + See https://shorewall.org/blacklisting_support.htm#fail2ban for + further information about using Shorewall dynamic blacklisting + with fail2ban. + +7) Previously, when a zone name was too long, the resulting error + message was "Invalid zone name (<name>)". To make the cause of + the failure clearer, the message is now "Zone name (<name>) too + long". + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 2 . 5 +---------------------------------------------------------------------------- + +5.2.5.1 + +1) The change in 5.2.5 base which changed the 'user' facility to the + 'daemon' facility in Shorewall syslog messages did not change the + messages with severity 'err'. 
That has been corrected such that + all syslog messages now use the 'daemon' facility. + +2) The actions.std file contains "?IF...?ELSE...?ENDIF" sequences + that provide different action options depending on the availabilty + of certain capabilities. This has resulted in the Broadcast and + Multicast options being listed twice in the output of + "shorewall[6] show actions". Beginning with this release, this + duplication is eliminated. Note, however, that the options shown + will be incomplete if they were continued onto another line, and + may be incorrect for Broadcast and Multicast. + +3) A typo in shorewall-providers(5) has been corrected. + +5.2.5 Base + +1) Previously, Shorewall-init installed a 'shorewall' script in + /etc/network/if-down.d on Debian and derivatives. This script was + unnecessary and required Debian-specific code in the generated + firewall script. The Shorewall-init script is no longer installed + and the generated firewall script is now free of + distribution-specific code. + +2) Also on Debian and derivatives, Shorewall-init installed + /etc//NetworkManager/dispatcher.d/01-shorewall which was also + unnecessary. Beginning with this release, that file is no longer + installed. + +3) Previously, if the dynamic-blacklisting default timeout was set in + a variable in the params file and the variable was used in setting + DYNAMIC_BLACKLIST, then the 'allow' command would fail with + the message: + + ERROR: Invalid value (ipset-only,disconnect,timeout=) for + DYNAMIC_BLACKLIST + + That has been corrected. + +4) When EXPAND_POLICIES=No in shorewall[6].conf, policies in complex + rulesets are enforced in chains such as 'net-all' and + 'all-all'. Previously, these chains included redundant + state-oriented rules. In addition to being redundant. these rules + could actually break complex IPv6 configurations. The extra rules are + now omitted. 
+ +---------------------------------------------------------------------------- N E W F E A T U R E S I N 5 . 2 . 4 ---------------------------------------------------------------------------- @@ -623,28 +702,6 @@ replaced by 'shorewall.org'. ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 5 . 2 . 4 ----------------------------------------------------------------------------- - -1) Zone exclusion (e.g., "all!z2,z2,...") is now supported in the - policy file. - -2) With the availability of zone exclusion in the rules file, 'all[+]-' - and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW' - respectively. Beginning with this release, the former are - deprecated in favor of the latter and will result in a warning - message, if used. - -3) Internal documentaton of the undocumented 'test' parameter to - compiler.pl has been added (it is used by the regression test - library to suppress versions and date/times from the generated - script). - -4) The LOAD_HELPERS_ONLY option has been removed from - shorewall[6].conf. Hereafter, Shorewall[6] will behave as if - LOAD_HELPERS_ONLY=Yes had been specified. - ----------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 2 . 4 ---------------------------------------------------------------------------- 
@@ -763,6 +820,28 @@ ipsets in the stoppedrules file. ---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 2 . 3 +---------------------------------------------------------------------------- + +1) Zone exclusion (e.g., "all!z2,z2,...") is now supported in the + policy file. + +2) With the availability of zone exclusion in the rules file, 'all[+]-' + and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW' + respectively. Beginning with this release, the former are + deprecated in favor of the latter and will result in a warning + message, if used. + +3) Internal documentaton of the undocumented 'test' parameter to + compiler.pl has been added (it is used by the regression test + library to suppress versions and date/times from the generated + script). + +4) The LOAD_HELPERS_ONLY option has been removed from + shorewall[6].conf. Hereafter, Shorewall[6] will behave as if + LOAD_HELPERS_ONLY=Yes had been specified. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 2 . 3 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.5.2/shorewall-core.spec new/shorewall-core-5.2.6/shorewall-core.spec --- old/shorewall-core-5.2.5.2/shorewall-core.spec 2020-06-28 20:27:29.000000000 +0200 +++ new/shorewall-core-5.2.6/shorewall-core.spec 2020-07-04 19:40:53.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-core -%define version 5.2.5 -%define release 2 +%define version 5.2.6 +%define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} 
@@ -69,10 +69,12 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt %changelog -* Wed Jun 24 2020 Tom Eastep <[email protected]> -- Updated to 5.2.5-2 -* Sat Jun 13 2020 Tom Eastep <[email protected]> -- Updated to 5.2.5-1 +* Mon Jun 29 2020 Tom Eastep <[email protected]> +- Updated to 5.2.6-0base +* Sat Jun 27 2020 Tom Eastep <[email protected]> +- Updated to 5.2.6-0RC1 +* Sun Jun 14 2020 Tom Eastep <[email protected]> +- Updated to 5.2.6-0Beta1 * Wed Jun 10 2020 Tom Eastep <[email protected]> - Updated to 5.2.5-0base * Sat Jun 06 2020 Tom Eastep <[email protected]> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.5.2/uninstall.sh new/shorewall-core-5.2.6/uninstall.sh --- old/shorewall-core-5.2.5.2/uninstall.sh 2020-06-28 20:27:28.000000000 +0200 +++ new/shorewall-core-5.2.6/uninstall.sh 2020-07-04 19:40:53.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.2.5.2 +VERSION=5.2.6 PRODUCT=shorewall-core Product="Shorewall Core" ++++++ shorewall-docs-html-5.2.5.2.tar.bz2 -> shorewall-docs-html-5.2.6.tar.bz2 ++++++ ++++ 1651 lines of diff (skipped) ++++++ shorewall-init-5.2.5.2.tar.bz2 -> shorewall-init-5.2.6.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.5.2/changelog.txt new/shorewall-init-5.2.6/changelog.txt --- old/shorewall-init-5.2.5.2/changelog.txt 2020-06-28 20:27:29.000000000 +0200 +++ new/shorewall-init-5.2.6/changelog.txt 2020-07-04 19:40:53.000000000 +0200 
@@ -1,18 +1,32 @@ -Changes in 5.2.5.2 +Changes in 5.2.6 Final 1) Update release documents -2) Correct handling of ";;+" in the snat file. +2) Add the compiler -D option to usage output. -Changes in 5.2.5.1 +3) Fix policy chain optimization when EXPAND_POLICIES=No. + +Changes in 5.2.6 RC 1 + +1) Update release documents + +2) Rename snat PORTS column + +3) Add ?FORMAT 2 support for the snat file. + +4) Merge from 5.2.5.2 + +5) Work around iptables --queue-cpu-fanout bug. + +Changes in 5.2.6 Beta 1 1) Update release documents -2) Replace 'kern.err' sith 'daemon.err'. +2) Implement 'dport' action option -3) Remove duplicates from the output of 'show actions'. +2) Make 'show actions' more robust -4) Correct a typo in shorewall-providers(5). +3) Process the firewall.conf file on Shorewall-lite Changes in 5.2.5 Final diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.5.2/configure new/shorewall-init-5.2.6/configure --- old/shorewall-init-5.2.5.2/configure 2020-06-28 20:27:29.000000000 +0200 +++ new/shorewall-init-5.2.6/configure 2020-07-04 19:40:53.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.2.5.2 +VERSION=5.2.6 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.5.2/configure.pl new/shorewall-init-5.2.6/configure.pl --- old/shorewall-init-5.2.5.2/configure.pl 2020-06-28 20:27:29.000000000 +0200 +++ new/shorewall-init-5.2.6/configure.pl 2020-07-04 19:40:53.000000000 +0200 
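Review bot: the "Changes in 5.2.6 Beta 1" list in changelog.txt numbers two consecutive items 2), "2) Implement 'dport' action option" and "2) Make 'show actions' more robust", so the firewall.conf item ends up as 3) instead of 4). Renumber to 2), 3), 4). The identical list appears again below in shorewall-lite's changelog.txt and needs the same fix.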
@@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.2.5.2' + VERSION => '5.2.6' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.5.2/install.sh new/shorewall-init-5.2.6/install.sh --- old/shorewall-init-5.2.5.2/install.sh 2020-06-28 20:27:29.000000000 +0200 +++ new/shorewall-init-5.2.6/install.sh 2020-07-04 19:40:53.000000000 +0200 @@ -27,7 +27,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=5.2.5.2 +VERSION=5.2.6 PRODUCT=shorewall-init Product="Shorewall Init" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.5.2/releasenotes.txt new/shorewall-init-5.2.6/releasenotes.txt --- old/shorewall-init-5.2.5.2/releasenotes.txt 2020-06-28 20:27:29.000000000 +0200 +++ new/shorewall-init-5.2.6/releasenotes.txt 2020-07-04 19:40:53.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 2 . 5 . 2 + S H O R E W A L L 5 . 2 . 6 ------------------------------- - J U N E 2 8 , 2 0 2 0 + J U L Y 0 4 , 2 0 2 0 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,64 +14,46 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -5.2.5.2 +1) This release includes defect repair up through Shorewall version + 5.2.5.2. -1) Previously, ";;+" was mishandled in the snat file; the generated - rule incorrectly included the leading "+". That has been corrected - so that the generated rule is now correct. +2) When compiling for export, the compiler generates a firewall.conf + file which is later installed on the remote firewall system as + ${VARDIR}/firewall.conf. Previously, the CLI on that firewall was + not processing the file, resulting in some features not being + available: + + - Default values for VERBOSITY, LOGFILE, LOGFORMAT, PATH, + SHOREWALL_SHELL, SUBSYSLOCK, RESTOREFILE, RESTART, + DYNAMIC_BLACKLIST and PAGER are not supplied. - Example (SNAT OpenVPN server traffic leaving on eth0): + - scfilter file supplied at compile time. - SNAT(192.2.0.4) - eth0 ;;+ -p udp --sport 1194 - -5.2.5.1 - -1) The change in 5.2.5 base which changed the 'user' facility to the - 'daemon' facility in Shorewall syslog messages did not change the - messages with severity 'err'. That has been corrected such that - all syslog messages now use the 'daemon' facility. - -2) The actions.std file contains "?IF...?ELSE...?ENDIF" sequences - that provide different action options depending on the availabilty - of certain capabilities. This has resulted in the Broadcast and - Multicast options being listed twice in the output of - "shorewall[6] show actions". Beginning with this release, this - duplication is eliminated. Note, however, that the options shown - will be incomplete if they were continued onto another line, and - may be incorrect for Broadcast and Multicast. - -3) A typo in shorewall-providers(5) has been corrected. - -5.2.5 Base - -1) Previously, Shorewall-init installed a 'shorewall' script in - /etc/network/if-down.d on Debian and derivatives. 
This script was - unnecessary and required Debian-specific code in the generated - firewall script. The Shorewall-init script is no longer installed - and the generated firewall script is now free of - distribution-specific code. - -2) Also on Debian and derivatives, Shorewall-init installed - /etc//NetworkManager/dispatcher.d/01-shorewall which was also - unnecessary. Beginning with this release, that file is no longer - installed. - -3) Previously, if the dynamic-blacklisting default timeout was set in - a variable in the params file and the variable was used in setting - DYNAMIC_BLACKLIST, then the 'allow' command would fail with - the message: - - ERROR: Invalid value (ipset-only,disconnect,timeout=) for - DYNAMIC_BLACKLIST + - dumpfilter file supplied at compile time. That has been corrected. -4) When EXPAND_POLICIES=No in shorewall[6].conf, policies in complex - rulesets are enforced in chains such as 'net-all' and - 'all-all'. Previously, these chains included redundant - state-oriented rules. In addition to being redundant. these rules - could actually break complex IPv6 configurations. The extra rules are - now omitted. +3) A bug in iptables (see + https://git.netfilter.org/iptables/commit/?id=d1555a0906e35ba8d170613d5a43da64e527dbe1) + prevents the '--queue-cpu-fanout' option from being applied unless + that option is the last one specified. Unfortunately, Shorewall + places the '--queue-bypass' option last if that option is also + specified. + + This release works around this issue by ensuring that the + '--queue-cpu-fanout' option appears last. + +4) The -D 'compile', 'check', 'reload' and 'Restart' option was + previously omitted from the output of 'shorewall help'. It is now + included. As part of this change, an incorrect and conflicting + description of the -D option was removed from the 'remote-restart' + section of shorewall(8). 
+ +5) Previously, when EXPAND_POLICIES=No, chains that enforced ACCEPT + policies were not completely optimized by optimize level 2 (ACCEPT + rules preceding the final unconditional ACCEPT were not + deleted). That has been corrected such that these rules are now + optimized. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
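Review bot: in the @@ -14,64 +14,46 @@ hunk, item 2) switches tense mid-description: the lead-in says the CLI "was not processing the file", but the first bullet reads "Default values for VERBOSITY, ... are not supplied", which describes the old behaviour in the present tense and can be read as a still-open problem; "were not supplied" matches the closing "That has been corrected." Item 4) reads awkwardly as "The -D 'compile', 'check', 'reload' and 'Restart' option" and capitalizes 'Restart' while its sibling commands are lower-case; "The -D option of the 'compile', 'check', 'reload' and 'restart' commands" is clearer. Item 3) would also be more useful to administrators if it named the iptables versions that carry the linked --queue-cpu-fanout bug: with an affected iptables the option is accepted on the command line but not applied, so the version information is the only way a reader can tell whether the ordering workaround matters on their system.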
@@ -119,79 +101,45 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Prior to this release, when a 'timeout' value was specified in the - DYNAMIC_BLACKLIST setting, the dynamic-blacklisting ipset was - created with this default timeout. This had the unfortunate - disadvantage that it was not possible to add permanent entries - into the ipset. Even if 'timeout 0' was specified in a 'blacklist' - command, the entry would still age out of the ipset after the - default timeout had elapsed. +1) The 'actions' file now supports a 'dport' option to go along with + the 'proto' option. Using these two options can now restrict an + action to a particular service. See shorewall-actions(5) for + details. - Beginning with this release, the dynamic-blacklisting ipset is - created with 'timeout 0'. When an address is added to the set, - either by BLACKLIST policy enforcement, by the BLACKLIST action, - or by the CLI 'blacklist' command (where no 'timeout' is - specified), the default timeout is applied to the new entry. + Example limiting net->all SSH connections to 3/min per source IP: - Once you have upgraded to this version of Shorewall, you can - convert your existing dynamic-blacklisting ipset (with a non-zero - default timeout) to have a default timeout of zero as follows: + /etc/shorewall/actions: - a) If RESTART=restart in shorewall[6].conf, then simply - 'shorewall[6] restart'. + SSHLIMIT proto=tcp,\ # Blacklist overzealous SSHers + dport=ssh - b) Otherwise, 'shorewall[6] stop && shorewall[6] start'. + /etc/shorewall/action.SSLHIMIT -2) Previously, when an ADD or DEL rule specified logging, the entire - action (e.g. 'ADD(+NET_BL:src:7200)') was included in the log - message. This could easily lead to a "Log prefix shortened..." - warning during compilation. 
+ ACCEPT { RATE=s:3/min:3 } + BLACKLIST:$LOG_LEVEL:net_SSHLIMIT - Beginning with this release, such log messages will contain only - the basic action ('ADD' or 'DEL') and the set name (e.g., - 'ADD(NET_BL)') to reduce the liklihood of producing the warning. + /etc/shorewall/rules: -3) Traditionally, Shorewall has logged state change messages using - the 'user' syslog facility. Beginning with this release, these - messages will be logged using the 'daemon' facility to more - accurately reflect that these messages relate to a service. + SSHLIMIT net all -4) The DYNAMIC_BLACKLIST setting now allows a 'log' option to be - specified for ipset-based blacklisting. When this option is given, - successful 'blacklist' and 'allow' commands generate a 'daemon.info' - log message. +2) The change to 'show actions' implemented in 5.2.5.1 (see below) + has been further extended. -5) When ipset-based dynamic blacklisting is enabled, the generated - ruleset has traditionally refreshed the 'timeout' of an ipset - entry when a packet from blacklisted host is received. This has - the unfortunate side effect that it can change a permanent entry - (timeout 0) to a temporary (one with non-zero timeout). Beginning - with this release, this timeout refresh can be avoided by - specifying the 'noupdate' option in the DYNAMIC_BLACKLIST - setting. + - "?IF...?ELSE...?ENDIF" sequences are now shown in the output + - Continuation lines are now shown in the output so that all + action options are now displayed + - If an action appears in both /usr/share/shorewall[6]/actions.std + and in /etc/shorewall[6]/actions, then the entry in the actions + file is shown followed by the entry in the actions.std file. -6) To allow Shorewall's ipset-based blacklisting to play nicely with - fail2ban, the 'blacklist!' CLI command has been added. +3) To emphasize that it specifies destination ports, the PORT column + in the snat file has been renamed DPORT. 
Beginning with this + release, both 'port' and 'dport' are accepted in the alternative + input format. - The command - - blacklist! <ip> - - is equivalent to - - blacklist <ip> timeout 0 - - thus allowing 'blacklist!' to be specified as the 'blocktype' in - /etc/fail2ban/actions.d/shorewall.conf. - - See https://shorewall.org/blacklisting_support.htm#fail2ban for - further information about using Shorewall dynamic blacklisting - with fail2ban. - -7) Previously, when a zone name was too long, the resulting error - message was "Invalid zone name (<name>)". To make the cause of - the failur4e clearer, the message is now "Zone name (<name>) too - long". +4) The snat file now supports ?FORMAT 2, which adds an SPORT (source + port) column immediately to the right of the DPORT (destination + port) column. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S @@ -303,7 +251,7 @@ (stateless netmapping in the netmap file). The good news is that, since kernel 3.7, Netfilter supports stateful IPv6 network mapping which is now also supported in Shorewall6 (see - shorewall6-netmap(5)). + shorewall-netmap(5)). This issue is not handled by 'shorewall update' and must be corrected manually. 
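Review bot: in the @@ -119,79 +101,45 @@ hunk, the example for the new 'dport' action option defines the action as SSHLIMIT in /etc/shorewall/actions and in the rules file but names the action body file "/etc/shorewall/action.SSLHIMIT"; that must be action.SSHLIMIT, since Shorewall looks the body up by the name given in the actions file, and a reader who copies the example verbatim will not get the rate limit or the blacklisting. In the same example it is worth confirming that a trailing comment after the continuation backslash ("proto=tcp,\ # Blacklist overzealous SSHers") is accepted by the actions file reader; if not, move the comment onto its own line above the entry. The sentence "Using these two options can now restrict an action to a particular service" also reads better as "Using both options, an action can now be restricted to a particular service." The same example is repeated later in this patch for shorewall-lite's releasenotes.txt, so fix both copies.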
@@ -591,6 +539,137 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 2 R E L E A S E S ---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 2 . 5 +---------------------------------------------------------------------------- + +1) Prior to this release, when a 'timeout' value was specified in the + DYNAMIC_BLACKLIST setting, the dynamic-blacklisting ipset was + created with this default timeout. This had the unfortunate + disadvantage that it was not possible to add permanent entries + into the ipset. Even if 'timeout 0' was specified in a 'blacklist' + command, the entry would still age out of the ipset after the + default timeout had elapsed. + + Beginning with this release, the dynamic-blacklisting ipset is + created with 'timeout 0'. When an address is added to the set, + either by BLACKLIST policy enforcement, by the BLACKLIST action, + or by the CLI 'blacklist' command (where no 'timeout' is + specified), the default timeout is applied to the new entry. + + Once you have upgraded to this version of Shorewall, you can + convert your existing dynamic-blacklisting ipset (with a non-zero + default timeout) to have a default timeout of zero as follows: + + a) If RESTART=restart in shorewall[6].conf, then simply + 'shorewall[6] restart'. + + b) Otherwise, 'shorewall[6] stop && shorewall[6] start'. + +2) Previously, when an ADD or DEL rule specified logging, the entire + action (e.g. 'ADD(+NET_BL:src:7200)') was included in the log + message. This could easily lead to a "Log prefix shortened..." + warning during compilation. + + Beginning with this release, such log messages will contain only + the basic action ('ADD' or 'DEL') and the set name (e.g., + 'ADD(NET_BL)') to reduce the liklihood of producing the warning. + +3) Traditionally, Shorewall has logged state change messages using + the 'user' syslog facility. 
Beginning with this release, these + messages will be logged using the 'daemon' facility to more + accurately reflect that these messages relate to a service. + +4) The DYNAMIC_BLACKLIST setting now allows a 'log' option to be + specified for ipset-based blacklisting. When this option is given, + successful 'blacklist' and 'allow' commands generate a 'daemon.info' + log message. + +5) When ipset-based dynamic blacklisting is enabled, the generated + ruleset has traditionally refreshed the 'timeout' of an ipset + entry when a packet from blacklisted host is received. This has + the unfortunate side effect that it can change a permanent entry + (timeout 0) to a temporary (one with non-zero timeout). Beginning + with this release, this timeout refresh can be avoided by + specifying the 'noupdate' option in the DYNAMIC_BLACKLIST + setting. + +6) To allow Shorewall's ipset-based blacklisting to play nicely with + fail2ban, the 'blacklist!' CLI command has been added. + + The command + + blacklist! <ip> + + is equivalent to + + blacklist <ip> timeout 0 + + thus allowing 'blacklist!' to be specified as the 'blocktype' in + /etc/fail2ban/actions.d/shorewall.conf. + + See https://shorewall.org/blacklisting_support.htm#fail2ban for + further information about using Shorewall dynamic blacklisting + with fail2ban. + +7) Previously, when a zone name was too long, the resulting error + message was "Invalid zone name (<name>)". To make the cause of + the failure clearer, the message is now "Zone name (<name>) too + long". + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 2 . 5 +---------------------------------------------------------------------------- + +5.2.5.1 + +1) The change in 5.2.5 base which changed the 'user' facility to the + 'daemon' facility in Shorewall syslog messages did not change the + messages with severity 'err'. 
That has been corrected such that + all syslog messages now use the 'daemon' facility. + +2) The actions.std file contains "?IF...?ELSE...?ENDIF" sequences + that provide different action options depending on the availabilty + of certain capabilities. This has resulted in the Broadcast and + Multicast options being listed twice in the output of + "shorewall[6] show actions". Beginning with this release, this + duplication is eliminated. Note, however, that the options shown + will be incomplete if they were continued onto another line, and + may be incorrect for Broadcast and Multicast. + +3) A typo in shorewall-providers(5) has been corrected. + +5.2.5 Base + +1) Previously, Shorewall-init installed a 'shorewall' script in + /etc/network/if-down.d on Debian and derivatives. This script was + unnecessary and required Debian-specific code in the generated + firewall script. The Shorewall-init script is no longer installed + and the generated firewall script is now free of + distribution-specific code. + +2) Also on Debian and derivatives, Shorewall-init installed + /etc//NetworkManager/dispatcher.d/01-shorewall which was also + unnecessary. Beginning with this release, that file is no longer + installed. + +3) Previously, if the dynamic-blacklisting default timeout was set in + a variable in the params file and the variable was used in setting + DYNAMIC_BLACKLIST, then the 'allow' command would fail with + the message: + + ERROR: Invalid value (ipset-only,disconnect,timeout=) for + DYNAMIC_BLACKLIST + + That has been corrected. + +4) When EXPAND_POLICIES=No in shorewall[6].conf, policies in complex + rulesets are enforced in chains such as 'net-all' and + 'all-all'. Previously, these chains included redundant + state-oriented rules. In addition to being redundant. these rules + could actually break complex IPv6 configurations. The extra rules are + now omitted. 
+ +---------------------------------------------------------------------------- N E W F E A T U R E S I N 5 . 2 . 4 ---------------------------------------------------------------------------- @@ -623,28 +702,6 @@ replaced by 'shorewall.org'. ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 5 . 2 . 4 ----------------------------------------------------------------------------- - -1) Zone exclusion (e.g., "all!z2,z2,...") is now supported in the - policy file. - -2) With the availability of zone exclusion in the rules file, 'all[+]-' - and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW' - respectively. Beginning with this release, the former are - deprecated in favor of the latter and will result in a warning - message, if used. - -3) Internal documentaton of the undocumented 'test' parameter to - compiler.pl has been added (it is used by the regression test - library to suppress versions and date/times from the generated - script). - -4) The LOAD_HELPERS_ONLY option has been removed from - shorewall[6].conf. Hereafter, Shorewall[6] will behave as if - LOAD_HELPERS_ONLY=Yes had been specified. - ----------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 2 . 4 ---------------------------------------------------------------------------- 
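Review bot: the @@ -591,6 +539,137 @@ hunk relocates the 5.2.5.1 and 5.2.5 Base fixes into "PROBLEMS CORRECTED IN 5.2.5", but the 5.2.5.2 fix for ";;+" in the snat file (removed from section I earlier in this patch, together with its OpenVPN SNAT example) is not carried over anywhere, even though section I now claims "defect repair up through Shorewall version 5.2.5.2" and the changelog lists "Merge from 5.2.5.2". Add a "5.2.5.2" heading with that item above "5.2.5.1" so the notes remain a complete record. Since these lines are being rewritten anyway, the relocated text still carries "liklihood" (5.2.5 features item 2), "availabilty" (5.2.5.1 item 2), the stray period in "In addition to being redundant. these rules" (5.2.5 Base item 4) and the doubled slash in "/etc//NetworkManager/dispatcher.d/01-shorewall" (5.2.5 Base item 2); "failur4e" was corrected in the move, the others were not.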
@@ -763,6 +820,28 @@ ipsets in the stoppedrules file. ---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 2 . 3 +---------------------------------------------------------------------------- + +1) Zone exclusion (e.g., "all!z2,z2,...") is now supported in the + policy file. + +2) With the availability of zone exclusion in the rules file, 'all[+]-' + and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW' + respectively. Beginning with this release, the former are + deprecated in favor of the latter and will result in a warning + message, if used. + +3) Internal documentaton of the undocumented 'test' parameter to + compiler.pl has been added (it is used by the regression test + library to suppress versions and date/times from the generated + script). + +4) The LOAD_HELPERS_ONLY option has been removed from + shorewall[6].conf. Hereafter, Shorewall[6] will behave as if + LOAD_HELPERS_ONLY=Yes had been specified. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 2 . 3 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.5.2/shorewall-init.spec new/shorewall-init-5.2.6/shorewall-init.spec --- old/shorewall-init-5.2.5.2/shorewall-init.spec 2020-06-28 20:27:29.000000000 +0200 +++ new/shorewall-init-5.2.6/shorewall-init.spec 2020-07-04 19:40:53.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-init -%define version 5.2.5 -%define release 2 +%define version 5.2.6 +%define release 0base Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} 
@@ -135,10 +135,12 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Wed Jun 24 2020 Tom Eastep <[email protected]> -- Updated to 5.2.5-2 -* Sat Jun 13 2020 Tom Eastep <[email protected]> -- Updated to 5.2.5-1 +* Mon Jun 29 2020 Tom Eastep <[email protected]> +- Updated to 5.2.6-0base +* Sat Jun 27 2020 Tom Eastep <[email protected]> +- Updated to 5.2.6-0RC1 +* Sun Jun 14 2020 Tom Eastep <[email protected]> +- Updated to 5.2.6-0Beta1 * Wed Jun 10 2020 Tom Eastep <[email protected]> - Updated to 5.2.5-0base * Sat Jun 06 2020 Tom Eastep <[email protected]> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.5.2/uninstall.sh new/shorewall-init-5.2.6/uninstall.sh --- old/shorewall-init-5.2.5.2/uninstall.sh 2020-06-28 20:27:29.000000000 +0200 +++ new/shorewall-init-5.2.6/uninstall.sh 2020-07-04 19:40:53.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.2.5.2 +VERSION=5.2.6 PRODUCT=shorewall-init Product="Shorewall Init" ++++++ shorewall-lite-5.2.5.2.tar.bz2 -> shorewall-lite-5.2.6.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.5.2/changelog.txt new/shorewall-lite-5.2.6/changelog.txt --- old/shorewall-lite-5.2.5.2/changelog.txt 2020-06-28 20:27:29.000000000 +0200 +++ new/shorewall-lite-5.2.6/changelog.txt 2020-07-04 19:40:53.000000000 +0200 
@@ -1,18 +1,32 @@ -Changes in 5.2.5.2 +Changes in 5.2.6 Final 1) Update release documents -2) Correct handling of ";;+" in the snat file. +2) Add the compiler -D option to usage output. -Changes in 5.2.5.1 +3) Fix policy chain optimization when EXPAND_POLICIES=No. + +Changes in 5.2.6 RC 1 + +1) Update release documents + +2) Rename snat PORTS column + +3) Add ?FORMAT 2 support for the snat file. + +4) Merge from 5.2.5.2 + +5) Work around iptables --queue-cpu-fanout bug. + +Changes in 5.2.6 Beta 1 1) Update release documents -2) Replace 'kern.err' sith 'daemon.err'. +2) Implement 'dport' action option -3) Remove duplicates from the output of 'show actions'. +2) Make 'show actions' more robust -4) Correct a typo in shorewall-providers(5). +3) Process the firewall.conf file on Shorewall-lite Changes in 5.2.5 Final diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.5.2/configure new/shorewall-lite-5.2.6/configure --- old/shorewall-lite-5.2.5.2/configure 2020-06-28 20:27:29.000000000 +0200 +++ new/shorewall-lite-5.2.6/configure 2020-07-04 19:40:53.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.2.5.2 +VERSION=5.2.6 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.5.2/configure.pl new/shorewall-lite-5.2.6/configure.pl --- old/shorewall-lite-5.2.5.2/configure.pl 2020-06-28 20:27:29.000000000 +0200 +++ new/shorewall-lite-5.2.6/configure.pl 2020-07-04 19:40:53.000000000 +0200 
@@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.2.5.2' + VERSION => '5.2.6' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.5.2/install.sh new/shorewall-lite-5.2.6/install.sh --- old/shorewall-lite-5.2.5.2/install.sh 2020-06-28 20:27:29.000000000 +0200 +++ new/shorewall-lite-5.2.6/install.sh 2020-07-04 19:40:53.000000000 +0200 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=5.2.5.2 +VERSION=5.2.6 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.5.2/manpages/shorewall-lite-vardir.5 new/shorewall-lite-5.2.6/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-5.2.5.2/manpages/shorewall-lite-vardir.5 2020-06-13 22:10:37.000000000 +0200 +++ new/shorewall-lite-5.2.6/manpages/shorewall-lite-vardir.5 2020-07-04 19:42:22.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 06/13/2020 +.\" Date: 07/04/2020 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "06/13/2020" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\-VAR" "5" "07/04/2020" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.5.2/manpages/shorewall-lite.8 new/shorewall-lite-5.2.6/manpages/shorewall-lite.8 --- old/shorewall-lite-5.2.5.2/manpages/shorewall-lite.8 2020-06-13 22:10:37.000000000 +0200 +++ new/shorewall-lite-5.2.6/manpages/shorewall-lite.8 2020-07-04 19:42:23.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 06/13/2020 +.\" Date: 07/04/2020 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "06/13/2020" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL\-LITE" "8" "07/04/2020" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.5.2/manpages/shorewall-lite.conf.5 new/shorewall-lite-5.2.6/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-5.2.5.2/manpages/shorewall-lite.conf.5 2020-06-13 22:10:36.000000000 +0200 +++ new/shorewall-lite-5.2.6/manpages/shorewall-lite.conf.5 2020-07-04 19:42:22.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 06/13/2020 +.\" Date: 07/04/2020 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "06/13/2020" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\&.CO" "5" "07/04/2020" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.5.2/releasenotes.txt new/shorewall-lite-5.2.6/releasenotes.txt --- old/shorewall-lite-5.2.5.2/releasenotes.txt 2020-06-28 20:27:29.000000000 +0200 +++ new/shorewall-lite-5.2.6/releasenotes.txt 2020-07-04 19:40:53.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 2 . 5 . 2 + S H O R E W A L L 5 . 2 . 6 ------------------------------- - J U N E 2 8 , 2 0 2 0 + J U L Y 0 4 , 2 0 2 0 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,64 +14,46 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -5.2.5.2 +1) This release includes defect repair up through Shorewall version + 5.2.5.2. -1) Previously, ";;+" was mishandled in the snat file; the generated - rule incorrectly included the leading "+". That has been corrected - so that the generated rule is now correct. +2) When compiling for export, the compiler generates a firewall.conf + file which is later installed on the remote firewall system as + ${VARDIR}/firewall.conf. Previously, the CLI on that firewall was + not processing the file, resulting in some features not being + available: + + - Default values for VERBOSITY, LOGFILE, LOGFORMAT, PATH, + SHOREWALL_SHELL, SUBSYSLOCK, RESTOREFILE, RESTART, + DYNAMIC_BLACKLIST and PAGER are not supplied. - Example (SNAT OpenVPN server traffic leaving on eth0): + - scfilter file supplied at compile time. - SNAT(192.2.0.4) - eth0 ;;+ -p udp --sport 1194 - -5.2.5.1 - -1) The change in 5.2.5 base which changed the 'user' facility to the - 'daemon' facility in Shorewall syslog messages did not change the - messages with severity 'err'. That has been corrected such that - all syslog messages now use the 'daemon' facility. - -2) The actions.std file contains "?IF...?ELSE...?ENDIF" sequences - that provide different action options depending on the availabilty - of certain capabilities. This has resulted in the Broadcast and - Multicast options being listed twice in the output of - "shorewall[6] show actions". Beginning with this release, this - duplication is eliminated. Note, however, that the options shown - will be incomplete if they were continued onto another line, and - may be incorrect for Broadcast and Multicast. - -3) A typo in shorewall-providers(5) has been corrected. - -5.2.5 Base - -1) Previously, Shorewall-init installed a 'shorewall' script in - /etc/network/if-down.d on Debian and derivatives. 
This script was - unnecessary and required Debian-specific code in the generated - firewall script. The Shorewall-init script is no longer installed - and the generated firewall script is now free of - distribution-specific code. - -2) Also on Debian and derivatives, Shorewall-init installed - /etc//NetworkManager/dispatcher.d/01-shorewall which was also - unnecessary. Beginning with this release, that file is no longer - installed. - -3) Previously, if the dynamic-blacklisting default timeout was set in - a variable in the params file and the variable was used in setting - DYNAMIC_BLACKLIST, then the 'allow' command would fail with - the message: - - ERROR: Invalid value (ipset-only,disconnect,timeout=) for - DYNAMIC_BLACKLIST + - dumpfilter file supplied at compile time. That has been corrected. -4) When EXPAND_POLICIES=No in shorewall[6].conf, policies in complex - rulesets are enforced in chains such as 'net-all' and - 'all-all'. Previously, these chains included redundant - state-oriented rules. In addition to being redundant. these rules - could actually break complex IPv6 configurations. The extra rules are - now omitted. +3) A bug in iptables (see + https://git.netfilter.org/iptables/commit/?id=d1555a0906e35ba8d170613d5a43da64e527dbe1) + prevents the '--queue-cpu-fanout' option from being applied unless + that option is the last one specified. Unfortunately, Shorewall + places the '--queue-bypass' option last if that option is also + specified. + + This release works around this issue by ensuring that the + '--queue-cpu-fanout' option appears last. + +4) The -D 'compile', 'check', 'reload' and 'Restart' option was + previously omitted from the output of 'shorewall help'. It is now + included. As part of this change, an incorrect and conflicting + description of the -D option was removed from the 'remote-restart' + section of shorewall(8). 
+ +5) Previously, when EXPAND_POLICIES=No, chains that enforced ACCEPT + policies were not completely optimized by optimize level 2 (ACCEPT + rules preceding the final unconditional ACCEPT were not + deleted). That has been corrected such that these rules are now + optimized. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -119,79 +101,45 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Prior to this release, when a 'timeout' value was specified in the - DYNAMIC_BLACKLIST setting, the dynamic-blacklisting ipset was - created with this default timeout. This had the unfortunate - disadvantage that it was not possible to add permanent entries - into the ipset. Even if 'timeout 0' was specified in a 'blacklist' - command, the entry would still age out of the ipset after the - default timeout had elapsed. +1) The 'actions' file now supports a 'dport' option to go along with + the 'proto' option. Using these two options can now restrict an + action to a particular service. See shorewall-actions(5) for + details. - Beginning with this release, the dynamic-blacklisting ipset is - created with 'timeout 0'. When an address is added to the set, - either by BLACKLIST policy enforcement, by the BLACKLIST action, - or by the CLI 'blacklist' command (where no 'timeout' is - specified), the default timeout is applied to the new entry. + Example limiting net->all SSH connections to 3/min per source IP: - Once you have upgraded to this version of Shorewall, you can - convert your existing dynamic-blacklisting ipset (with a non-zero - default timeout) to have a default timeout of zero as follows: + /etc/shorewall/actions: - a) If RESTART=restart in shorewall[6].conf, then simply - 'shorewall[6] restart'. + SSHLIMIT proto=tcp,\ # Blacklist overzealous SSHers + dport=ssh - b) Otherwise, 'shorewall[6] stop && shorewall[6] start'. + /etc/shorewall/action.SSLHIMIT -2) Previously, when an ADD or DEL rule specified logging, the entire - action (e.g. 'ADD(+NET_BL:src:7200)') was included in the log - message. This could easily lead to a "Log prefix shortened..." - warning during compilation. 
+ ACCEPT { RATE=s:3/min:3 } + BLACKLIST:$LOG_LEVEL:net_SSHLIMIT - Beginning with this release, such log messages will contain only - the basic action ('ADD' or 'DEL') and the set name (e.g., - 'ADD(NET_BL)') to reduce the liklihood of producing the warning. + /etc/shorewall/rules: -3) Traditionally, Shorewall has logged state change messages using - the 'user' syslog facility. Beginning with this release, these - messages will be logged using the 'daemon' facility to more - accurately reflect that these messages relate to a service. + SSHLIMIT net all -4) The DYNAMIC_BLACKLIST setting now allows a 'log' option to be - specified for ipset-based blacklisting. When this option is given, - successful 'blacklist' and 'allow' commands generate a 'daemon.info' - log message. +2) The change to 'show actions' implemented in 5.2.5.1 (see below) + has been further extended. -5) When ipset-based dynamic blacklisting is enabled, the generated - ruleset has traditionally refreshed the 'timeout' of an ipset - entry when a packet from blacklisted host is received. This has - the unfortunate side effect that it can change a permanent entry - (timeout 0) to a temporary (one with non-zero timeout). Beginning - with this release, this timeout refresh can be avoided by - specifying the 'noupdate' option in the DYNAMIC_BLACKLIST - setting. + - "?IF...?ELSE...?ENDIF" sequences are now shown in the output + - Continuation lines are now shown in the output so that all + action options are now displayed + - If an action appears in both /usr/share/shorewall[6]/actions.std + and in /etc/shorewall[6]/actions, then the entry in the actions + file is shown followed by the entry in the actions.std file. -6) To allow Shorewall's ipset-based blacklisting to play nicely with - fail2ban, the 'blacklist!' CLI command has been added. +3) To emphasize that it specifies destination ports, the PORT column + in the snat file has been renamed DPORT. 
Beginning with this + release, both 'port' and 'dport' are accepted in the alternative + input format. - The command - - blacklist! <ip> - - is equivalent to - - blacklist <ip> timeout 0 - - thus allowing 'blacklist!' to be specified as the 'blocktype' in - /etc/fail2ban/actions.d/shorewall.conf. - - See https://shorewall.org/blacklisting_support.htm#fail2ban for - further information about using Shorewall dynamic blacklisting - with fail2ban. - -7) Previously, when a zone name was too long, the resulting error - message was "Invalid zone name (<name>)". To make the cause of - the failur4e clearer, the message is now "Zone name (<name>) too - long". +4) The snat file now supports ?FORMAT 2, which adds an SPORT (source + port) column immediately to the right of the DPORT (destination + port) column. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S @@ -303,7 +251,7 @@ (stateless netmapping in the netmap file). The good news is that, since kernel 3.7, Netfilter supports stateful IPv6 network mapping which is now also supported in Shorewall6 (see - shorewall6-netmap(5)). + shorewall-netmap(5)). This issue is not handled by 'shorewall update' and must be corrected manually. 
@@ -591,6 +539,137 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 2 R E L E A S E S ---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 2 . 5 +---------------------------------------------------------------------------- + +1) Prior to this release, when a 'timeout' value was specified in the + DYNAMIC_BLACKLIST setting, the dynamic-blacklisting ipset was + created with this default timeout. This had the unfortunate + disadvantage that it was not possible to add permanent entries + into the ipset. Even if 'timeout 0' was specified in a 'blacklist' + command, the entry would still age out of the ipset after the + default timeout had elapsed. + + Beginning with this release, the dynamic-blacklisting ipset is + created with 'timeout 0'. When an address is added to the set, + either by BLACKLIST policy enforcement, by the BLACKLIST action, + or by the CLI 'blacklist' command (where no 'timeout' is + specified), the default timeout is applied to the new entry. + + Once you have upgraded to this version of Shorewall, you can + convert your existing dynamic-blacklisting ipset (with a non-zero + default timeout) to have a default timeout of zero as follows: + + a) If RESTART=restart in shorewall[6].conf, then simply + 'shorewall[6] restart'. + + b) Otherwise, 'shorewall[6] stop && shorewall[6] start'. + +2) Previously, when an ADD or DEL rule specified logging, the entire + action (e.g. 'ADD(+NET_BL:src:7200)') was included in the log + message. This could easily lead to a "Log prefix shortened..." + warning during compilation. + + Beginning with this release, such log messages will contain only + the basic action ('ADD' or 'DEL') and the set name (e.g., + 'ADD(NET_BL)') to reduce the liklihood of producing the warning. + +3) Traditionally, Shorewall has logged state change messages using + the 'user' syslog facility. 
Beginning with this release, these + messages will be logged using the 'daemon' facility to more + accurately reflect that these messages relate to a service. + +4) The DYNAMIC_BLACKLIST setting now allows a 'log' option to be + specified for ipset-based blacklisting. When this option is given, + successful 'blacklist' and 'allow' commands generate a 'daemon.info' + log message. + +5) When ipset-based dynamic blacklisting is enabled, the generated + ruleset has traditionally refreshed the 'timeout' of an ipset + entry when a packet from blacklisted host is received. This has + the unfortunate side effect that it can change a permanent entry + (timeout 0) to a temporary (one with non-zero timeout). Beginning + with this release, this timeout refresh can be avoided by + specifying the 'noupdate' option in the DYNAMIC_BLACKLIST + setting. + +6) To allow Shorewall's ipset-based blacklisting to play nicely with + fail2ban, the 'blacklist!' CLI command has been added. + + The command + + blacklist! <ip> + + is equivalent to + + blacklist <ip> timeout 0 + + thus allowing 'blacklist!' to be specified as the 'blocktype' in + /etc/fail2ban/actions.d/shorewall.conf. + + See https://shorewall.org/blacklisting_support.htm#fail2ban for + further information about using Shorewall dynamic blacklisting + with fail2ban. + +7) Previously, when a zone name was too long, the resulting error + message was "Invalid zone name (<name>)". To make the cause of + the failure clearer, the message is now "Zone name (<name>) too + long". + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 2 . 5 +---------------------------------------------------------------------------- + +5.2.5.1 + +1) The change in 5.2.5 base which changed the 'user' facility to the + 'daemon' facility in Shorewall syslog messages did not change the + messages with severity 'err'. 
That has been corrected such that + all syslog messages now use the 'daemon' facility. + +2) The actions.std file contains "?IF...?ELSE...?ENDIF" sequences + that provide different action options depending on the availabilty + of certain capabilities. This has resulted in the Broadcast and + Multicast options being listed twice in the output of + "shorewall[6] show actions". Beginning with this release, this + duplication is eliminated. Note, however, that the options shown + will be incomplete if they were continued onto another line, and + may be incorrect for Broadcast and Multicast. + +3) A typo in shorewall-providers(5) has been corrected. + +5.2.5 Base + +1) Previously, Shorewall-init installed a 'shorewall' script in + /etc/network/if-down.d on Debian and derivatives. This script was + unnecessary and required Debian-specific code in the generated + firewall script. The Shorewall-init script is no longer installed + and the generated firewall script is now free of + distribution-specific code. + +2) Also on Debian and derivatives, Shorewall-init installed + /etc//NetworkManager/dispatcher.d/01-shorewall which was also + unnecessary. Beginning with this release, that file is no longer + installed. + +3) Previously, if the dynamic-blacklisting default timeout was set in + a variable in the params file and the variable was used in setting + DYNAMIC_BLACKLIST, then the 'allow' command would fail with + the message: + + ERROR: Invalid value (ipset-only,disconnect,timeout=) for + DYNAMIC_BLACKLIST + + That has been corrected. + +4) When EXPAND_POLICIES=No in shorewall[6].conf, policies in complex + rulesets are enforced in chains such as 'net-all' and + 'all-all'. Previously, these chains included redundant + state-oriented rules. In addition to being redundant. these rules + could actually break complex IPv6 configurations. The extra rules are + now omitted. 
+ +---------------------------------------------------------------------------- N E W F E A T U R E S I N 5 . 2 . 4 ---------------------------------------------------------------------------- @@ -623,28 +702,6 @@ replaced by 'shorewall.org'. ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 5 . 2 . 4 ----------------------------------------------------------------------------- - -1) Zone exclusion (e.g., "all!z2,z2,...") is now supported in the - policy file. - -2) With the availability of zone exclusion in the rules file, 'all[+]-' - and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW' - respectively. Beginning with this release, the former are - deprecated in favor of the latter and will result in a warning - message, if used. - -3) Internal documentaton of the undocumented 'test' parameter to - compiler.pl has been added (it is used by the regression test - library to suppress versions and date/times from the generated - script). - -4) The LOAD_HELPERS_ONLY option has been removed from - shorewall[6].conf. Hereafter, Shorewall[6] will behave as if - LOAD_HELPERS_ONLY=Yes had been specified. - ----------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 2 . 4 ---------------------------------------------------------------------------- 
@@ -763,6 +820,28 @@ ipsets in the stoppedrules file. ---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 2 . 3 +---------------------------------------------------------------------------- + +1) Zone exclusion (e.g., "all!z2,z2,...") is now supported in the + policy file. + +2) With the availability of zone exclusion in the rules file, 'all[+]-' + and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW' + respectively. Beginning with this release, the former are + deprecated in favor of the latter and will result in a warning + message, if used. + +3) Internal documentaton of the undocumented 'test' parameter to + compiler.pl has been added (it is used by the regression test + library to suppress versions and date/times from the generated + script). + +4) The LOAD_HELPERS_ONLY option has been removed from + shorewall[6].conf. Hereafter, Shorewall[6] will behave as if + LOAD_HELPERS_ONLY=Yes had been specified. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 2 . 3 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.5.2/shorewall-lite.spec new/shorewall-lite-5.2.6/shorewall-lite.spec --- old/shorewall-lite-5.2.5.2/shorewall-lite.spec 2020-06-28 20:27:29.000000000 +0200 +++ new/shorewall-lite-5.2.6/shorewall-lite.spec 2020-07-04 19:40:53.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-lite -%define version 5.2.5 -%define release 2 +%define version 5.2.6 +%define release 0base %define initdir /etc/init.d Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. 
@@ -114,10 +114,12 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Wed Jun 24 2020 Tom Eastep <[email protected]> -- Updated to 5.2.5-2 -* Sat Jun 13 2020 Tom Eastep <[email protected]> -- Updated to 5.2.5-1 +* Mon Jun 29 2020 Tom Eastep <[email protected]> +- Updated to 5.2.6-0base +* Sat Jun 27 2020 Tom Eastep <[email protected]> +- Updated to 5.2.6-0RC1 +* Sun Jun 14 2020 Tom Eastep <[email protected]> +- Updated to 5.2.6-0Beta1 * Wed Jun 10 2020 Tom Eastep <[email protected]> - Updated to 5.2.5-0base * Sat Jun 06 2020 Tom Eastep <[email protected]> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.5.2/uninstall.sh new/shorewall-lite-5.2.6/uninstall.sh --- old/shorewall-lite-5.2.5.2/uninstall.sh 2020-06-28 20:27:29.000000000 +0200 +++ new/shorewall-lite-5.2.6/uninstall.sh 2020-07-04 19:40:53.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.2.5.2 +VERSION=5.2.6 usage() # $1 = exit status { ++++++ shorewall-5.2.5.2.tar.bz2 -> shorewall6-5.2.6.tar.bz2 ++++++ ++++ 122577 lines of diff (skipped) ++++++ shorewall-lite-5.2.5.2.tar.bz2 -> shorewall6-lite-5.2.6.tar.bz2 ++++++ ++++ 3456 lines of diff (skipped)
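Review bot: in the first releasenotes hunk (@@ -14,64 +14,46 @@), item 4) names the commands as 'compile', 'check', 'reload' and 'Restart'; the capital R does not match the lowercase command names around it (the same notes write 'shorewall[6] restart' elsewhere), so this should read 'restart'. In item 2) of the same hunk the sub-bullets describe the old behaviour in the present tense ("Default values ... are not supplied") although the sentence introducing them is in the past ("Previously, the CLI ... was not processing the file"); "were not supplied" would keep the tense consistent.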
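Review bot: in the NEW FEATURES hunk (@@ -119,79 +101,45 @@), the example's action file is given as '/etc/shorewall/action.SSLHIMIT', but the action declared in the actions file and invoked from the rules file is 'SSHLIMIT'. A user who copies the example as written creates a file Shorewall never reads and the compile fails to find the action body; the path should be '/etc/shorewall/action.SSHLIMIT'.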
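Review bot: the hunk that moves the 5.2.5 notes into section V (@@ -591,6 +539,137 @@) fixes 'failur4e' to 'failure' in the moved text but carries forward three other defects from the removed copy: 'liklihood' (should be 'likelihood'), 'availabilty' (should be 'availability') and the stray period in "In addition to being redundant. these rules" (should be a comma). Since the block is being re-added anyway, correct them in the new copy.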
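Review bot: the hunk @@ -623,28 +702,6 @@ deletes the four items under 'N E W F E A T U R E S I N 5 . 2 . 4' (zone exclusion in the policy file, the 'all[+]-'/'any[+]-' deprecation, the 'test' parameter documentation and the removal of LOAD_HELPERS_ONLY) and the hunk @@ -763,6 +820,28 @@ re-adds them verbatim under 'N E W F E A T U R E S I N 5 . 2 . 3'. Nothing in the diff says which heading is correct; confirm against the 5.2.3 and 5.2.4 release notes before accepting the relabel, and 'documentaton' in item 3) should be 'documentation' while the text is being moved.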
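Review bot: in the shorewall-lite.spec %changelog hunk (@@ -114,10 +114,12 @@), the entries "Updated to 5.2.5-2" and "Updated to 5.2.5-1" are removed rather than kept below the new 5.2.6 entries, so the spec changelog no longer records that those two builds existed; RPM changelogs are conventionally append-only, and the 5.2.6-0Beta1/0RC1/0base entries should simply be added above the retained 5.2.5 lines.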
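Review bot: the skipped-tarball summaries at the end pair 'shorewall-5.2.5.2.tar.bz2' with 'shorewall6-5.2.6.tar.bz2' and 'shorewall-lite-5.2.5.2.tar.bz2' with 'shorewall6-lite-5.2.6.tar.bz2', which appear to be matched by name order rather than by package. The 122577 and 3456 skipped lines therefore compare the shorewall tree against the shorewall6 tree and should not be read as the size of the 5.2.6 change; to review the real source delta, diff shorewall-5.2.5.2 against shorewall-5.2.6 (and the lite tarballs likewise).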
