Hello community,

here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2020-09-28 14:29:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shorewall (Old)
 and      /work/SRC/openSUSE:Factory/.shorewall.new.4249 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall" Mon Sep 28 14:29:18 2020 rev:120 rq:838004 version:5.2.8 Changes: -------- --- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2020-08-24 15:14:22.810723777 +0200 +++ /work/SRC/openSUSE:Factory/.shorewall.new.4249/shorewall.changes 2020-09-28 14:29:37.762177018 +0200 
@@ -1,0 +2,57 @@ +Sat Sep 26 08:23:10 UTC 2020 - Bruno Friedmann <[email protected]> + +- Update to version 5.2.8 (Upgrade your configuration) + https://shorewall.org/pub/shorewall/5.2/shorewall-5.2.8/releasenotes.txt + + Certain restrictions that apply to wildcard interfaces (interface + name ends in '+') were previously not enforced when the logical + interface name did not end in '+' but the physical interface name + did end in '+'. That has been corrected. + + To ensure that error messages appear in the correct place in the + output stream, stderr is now redirected to stdout when the + configured PAGER is used by a command. + + Since Shorewall 5.1.0, the Shorewall uninstall.sh script has + incorrectly removed ${SBINDIR}/shorewall, while the Shorewall-core + uninstall.sh script has failed to remove that file. Both scripts + have been corrected. + + Previously, the Shorewall CLI included a spurious hyphen ('-') + between the product name (e.g., 'Shorewall6') and the version when + printing a command output banner. + + The shorewall-snat(5) manpage previously stated that a + comma-separated list of IP address could be specified for + SNAT. That statement was in error and has been removed. As part of + this change, IPv4 Example 6 has been updated to use the + PROBABILITY column. + - New features + + 'show tc' command now shows the classifiers associated with + each interface (as displayed by the 'show classifiers' + command). This integrated qdisc/filter information is also included + in the output of the 'dump' command. This change deprecates the + 'show classifiers' ('show filters') command, as that command's + output is now included in the 'show tc' output. + + Shorewall6 has traditionally generated rules for IPv6 anycast + addresses. These rules include: + a) Packets with these destination IP addresses are dropped by + REJECT rules. + b) Packets with these source IP addresses are dropped by the + 'nosmurfs' interface option and by the 'dropSmurfs' action. 
+ c) Packets with these destination IP addresses are not logged + during policy enforcement. + d) Packets with these destination IP addresses are processes by + the 'Broadcast' action. + Beginning with this release, individual network interfaces can be + excluded from this treatment through use of the 'omitanycast' + option in /etc/shorewall6/interfaces. + Note: This option was named 'noanycast' in earlier Beta releases. + + Duplicate function names have been eliminated between the + Shorewall-core lib.cli shell library and the Shorewall lib.cli-std + library. + + The 'status' command in Shorewall[6]-lite now precedes the + configuration directory name with the administrative host name + separated with a colon (":"). + + Tuomo Soini has contributed a macro that handles NFS v1.4 (no + dynamic ports). +- Packaging: + + Add buildrequires for pkgconfig (missing) + + Use macro for sbindir + +------------------------------------------------------------------- Old: ---- shorewall-5.2.7.tar.bz2 shorewall-core-5.2.7.tar.bz2 shorewall-docs-html-5.2.7.tar.bz2 shorewall-init-5.2.7.tar.bz2 shorewall-lite-5.2.7.tar.bz2 shorewall6-5.2.7.tar.bz2 shorewall6-lite-5.2.7.tar.bz2 New: ---- shorewall-5.2.8.tar.bz2 shorewall-core-5.2.8.tar.bz2 shorewall-docs-html-5.2.8.tar.bz2 shorewall-init-5.2.8.tar.bz2 shorewall-lite-5.2.8.tar.bz2 shorewall6-5.2.8.tar.bz2 shorewall6-lite-5.2.8.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.WKZUWk/_old 2020-09-28 14:29:39.070178152 +0200 +++ /var/tmp/diff_new_pack.WKZUWk/_new 2020-09-28 14:29:39.074178156 +0200 @@ -18,7 +18,7 @@ %define have_systemd 1 %define dmaj 5.2 -%define dmin 5.2.7 +%define dmin 5.2.8 # Warn users for upgrading configuration but only on major or minor version changes %define conf_need_update 0 #2017+ New fillup location 
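Review bot: the .changes entry is headed "Update to version 5.2.8 (Upgrade your configuration)" while the spec hunk leaves `%define conf_need_update 0`, so users get no post-install reminder to run `shorewall update`; either set conf_need_update to 1 for this release or drop the parenthetical from the entry (the spec comment says the warning is meant for major/minor bumps only, which 5.2.7 -> 5.2.8 is not). Separately, "NFS v1.4 (no dynamic ports)" in the same entry is presumably NFS v4.1, the version that needs no rpcbind and no dynamic ports; it is copied verbatim from the upstream release notes, but it reads as a typo in the package changelog as well.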
@@ -26,7 +26,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: shorewall -Version: 5.2.7 +Version: 5.2.8 Release: 0 Summary: An iptables-based firewall for Linux systems License: GPL-2.0-only @@ -49,6 +49,7 @@ Patch3: shorewall-lite-fillup-install.patch BuildRequires: bash >= 4 BuildRequires: perl-base +BuildRequires: pkgconfig BuildRequires: perl(Digest::SHA) BuildRequires: pkgconfig(systemd) Requires: %{_sbindir}/service @@ -202,7 +203,7 @@ # We don't have /sbin /bin merged on /usr so symlinks can't work. # so we dynamically patch last /sbin calls in lib.cli-std # and make shorewall remote working without hacks -sed -i 's#/sbin/shorewall#/usr/sbin/shorewall#g' %{name}-%{version}/lib.cli-std +sed -i 's#/sbin/shorewall#%{_sbindir}/shorewall#g' %{name}-%{version}/lib.cli-std %build ++++++ shorewall-5.2.7.tar.bz2 -> shorewall-5.2.8.tar.bz2 ++++++ ++++ 1948 lines of diff (skipped) ++++++ shorewall-core-5.2.7.tar.bz2 -> shorewall-core-5.2.8.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.7/changelog.txt new/shorewall-core-5.2.8/changelog.txt --- old/shorewall-core-5.2.7/changelog.txt 2020-07-29 21:53:02.000000000 +0200 +++ new/shorewall-core-5.2.8/changelog.txt 2020-09-25 00:02:15.000000000 +0200 
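Review bot: the pattern in `sed -i 's#/sbin/shorewall#%{_sbindir}/shorewall#g' %{name}-%{version}/lib.cli-std` is unanchored, and `%{_sbindir}` expands to /usr/sbin, so any occurrence that already reads /usr/sbin/shorewall also matches and becomes /usr/usr/sbin/shorewall; the substitution is not idempotent and will silently corrupt the CLI paths if upstream ever ships lib.cli-std with the /usr prefix or if %prep is re-run on a patched tree. Skip lines that already carry the prefix, e.g. `sed -i '/\/usr\/sbin\/shorewall/!s#/sbin/shorewall#%{_sbindir}/shorewall#g' %{name}-%{version}/lib.cli-std`, and add a guard such as `! grep -q 'usr/usr' %{name}-%{version}/lib.cli-std` so a doubled prefix fails the build instead of shipping.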
@@ -1,7 +1,54 @@ -Changes in 5.2.7 Final +Changes in 5.2.8 Final 1) Update release documents +2) Update the %tcdevices documentation at the top of Tc.pm. + +3) Update shorewall-snat(5). + +4) Document NFS macro. + +Changes in 5.2.8 RC 1 + +1) Update release documents + +2) Rename 'noanycast' to 'omitanycast' + +3) Correct use of $physwild. + +4) Ensure that SHOREWALL_SHELL is set. + +5) Redirect stderr to stdout when using $PAGER + +6) Eliminate duplicate function names. + +7) Don't remove ${SBINDIR}/shorewall when removing Shorewall. + +8) Remove bogus New Feature from release notes. + +9) Include hostname in status command when using Lite product. + +10( Display consistent banner from CLI + +Changes in 5.2.8 Beta 2 + +1) Update release documents + +2) Correct code generated for 'noanycast'. + +3) Flesh out IPv6 anycast documentation. + +Changes in 5.2.8 Beta 1 + +1) Update release documents + +2) Show filters in output of 'show tc' + +3) Show policing filter in output of 'show classifiers' and + 'shorewall tc'. + +4) Add 'noanycast' interface option. + Changes in 5.2.7 RC 1 1) Update release documents diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.7/configure new/shorewall-core-5.2.8/configure --- old/shorewall-core-5.2.7/configure 2020-07-29 21:53:02.000000000 +0200 +++ new/shorewall-core-5.2.8/configure 2020-09-25 00:02:15.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.2.7 +VERSION=5.2.8 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.7/configure.pl new/shorewall-core-5.2.8/configure.pl --- old/shorewall-core-5.2.7/configure.pl 2020-07-29 21:53:02.000000000 +0200 +++ new/shorewall-core-5.2.8/configure.pl 2020-09-25 00:02:15.000000000 +0200 
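Review bot: `10( Display consistent banner from CLI` has a stray '(' where every other entry uses ')'. Entry 7, "Don't remove ${SBINDIR}/shorewall when removing Shorewall", also describes only half of the fix that the release notes announce: the other half, shorewall-core's uninstall.sh gaining `remove_file ${SBINDIR}/shorewall`, is the visible change in this tarball and deserves its own line here.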
@@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.2.7' + VERSION => '5.2.8' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.7/install.sh new/shorewall-core-5.2.8/install.sh --- old/shorewall-core-5.2.7/install.sh 2020-07-29 21:53:02.000000000 +0200 +++ new/shorewall-core-5.2.8/install.sh 2020-09-25 00:02:15.000000000 +0200 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=5.2.7 +VERSION=5.2.8 PRODUCT=shorewall-core Product="Shorewall Core" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.7/lib.cli new/shorewall-core-5.2.8/lib.cli --- old/shorewall-core-5.2.7/lib.cli 2020-07-26 18:53:16.000000000 +0200 +++ new/shorewall-core-5.2.8/lib.cli 2020-09-24 23:46:24.000000000 +0200 @@ -247,10 +247,39 @@ # # Show traffic control information # -show_tc1() { +show_one_classifier() { + local class + + qt tc -s filter ls root dev $1 && tc -s filter ls root dev $device | grep -v '^$' + tc filter show dev $1 + tc class show dev $1 | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do + if [ -n "$class" ]; then + echo + echo Node $class + tc filter show dev $device parent $class + fi + done + echo +} +show_classifier1() { + local device + local qdisc + + device=${1%@*} + qdisc=$(tc qdisc list dev $device) + if [ -n "$qdisc" ]; then + echo Device $device: + show_one_classifier $device + fi +} + +show_tc1() { show_one_tc() { local device + local qdisc + local ingress + device=${1%@*} qdisc=$(tc qdisc list dev $device) @@ -260,6 +289,7 @@ echo tc -s -d class show dev $device echo + show_one_classifier $device "$qdisc" fi } @@ -270,7 +300,6 @@ show_one_tc ${interface%:} done fi - } show_tc() { 
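Review bot: `show_one_classifier()` mixes its argument with a caller's variable: the first command is `qt tc -s filter ls root dev $1 && tc -s filter ls root dev $device | grep -v '^$'` and the per-class loop runs `tc filter show dev $device parent $class`, but `device` is neither declared nor assigned in this function. It only works because both callers (`show_classifier1` and `show_one_tc`) happen to hold the same name in a `local device` and sh scoping is dynamic; a future caller passing a bare interface name will query the wrong device or an empty one. Add `local device=$1` at the top and use `$device` throughout (or `$1` throughout). The second argument in `show_one_classifier $device "$qdisc"` is never read and can be dropped, and the new `local ingress` in `show_one_tc` has no use visible in this hunk.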
@@ -291,28 +320,8 @@ # show_classifiers() { - show_one_classifier() { - local device - device=${1%@*} - qdisc=$(tc qdisc list dev $device) - - if [ -n "$qdisc" ]; then - echo Device $device: - qt tc -s filter ls root dev $device && tc -s filter ls root dev $device | grep -v '^$' - tc filter show dev $device - tc class show dev $device | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do - if [ -n "$class" ]; then - echo - echo Node $class - tc filter show dev $device parent $class - fi - done - echo - fi - } - ip -o link list | while read inx interface details; do - show_one_classifier ${interface%:} + show_classifier1 ${interface%:} done } @@ -1017,6 +1026,8 @@ show_classifiers_command() { echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)" echo + echo "Warning: This command is deprecated in favor of the 'show tc' command" + echo show_classifiers } @@ -1904,8 +1915,6 @@ if [ -n "$TC_ENABLED" ]; then heading "Traffic Control" show_tc1 - heading "TC Filters" - show_classifiers fi } @@ -3596,7 +3605,7 @@ [ $# -eq 0 ] || missing_argument - [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo + [ $VERBOSITY -ge 1 ] && echo "${g_product} $SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo show_status [ -n "$interfaces" ] && show_interfaces exit $status @@ -4010,9 +4019,15 @@ # the Standard CLI by loading lib.cli-std ################################################################################ # -# Set the configuration variables from shorewall[6]-lite.conf. +# Set the configuration variables from shorewall[6]-lite.conf. This function +# is replaced by the one in lib.cli-std (Shorewall product) when Shorewall or +# Shorewall6 is being run. +# +# $1 = Yes: read the params file +# $2 = Yes: check for STARTUP_ENABLED +# $3 = Yes: Check for LOGFILE # -get_config() { +lite_get_config() { local config local lib 
@@ -4161,7 +4176,7 @@ [ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable" - g_pager="| $g_pager" + g_pager="2>&1 | $g_pager" fi fi @@ -4174,10 +4189,22 @@ [ -f $lib ] && . $lib } + +# +# get_config() -- calls the appropriate xxx_get_config() +# +get_config() { + if [ -z "$g_lite" ]; then + std_get_config $@ + else + lite_get_config $@ + fi +} + # # Start Command Executor # -start_command() { +lite_start_command() { local finished finished=0 @@ -4265,9 +4292,20 @@ } # +# start_command() -- calls the appropriate xxx_start_command() +# +start_command() { + if [ -z "$g_lite" ]; then + std_start_command $@ + else + lite_start_command $@ + fi +} + +# # Reload/Restart Command Executor # -restart_command() { +lite_restart_command() { local finished finished=0 local rc @@ -4336,6 +4374,17 @@ return $rc } +# +# restart_command() -- calls the appropriate xxx_restart_command() +# +restart_command() { + if [ -z "$g_lite" ]; then + std_restart_command $@ + else + lite_restart_command $@ + fi +} + run_command() { if [ -x $g_firewall ] ; then run_it $g_firewall $@ @@ -4439,12 +4488,11 @@ echo " [ show | list | ls ] arptables" echo " [ show | list | ls ] [ -f ] capabilities" echo " [ show | list | ls ] [ -x ] {bl|blacklists}" - echo " [ show | list | ls ] classifiers" + echo " [ show | list | ls ] {classifiers|filters)" echo " [ show | list | ls ] config" echo " [ show | list | ls ] connections" echo " [ show | list | ls ] event [ <event> ...]" echo " [ show | list | ls ] events" - echo " [ show | list | ls ] filters" echo " [ show | list | ls ] ip" if [ $g_family -eq 4 ]; then @@ -4705,7 +4753,7 @@ exit 1 fi - banner="${g_product}-${SHOREWALL_VERSION} Status at $g_hostname -" + banner="${g_product} ${SHOREWALL_VERSION} Status at $g_hostname -" COMMAND=$1 
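Review bot: the rewritten help line `echo " [ show | list | ls ] {classifiers|filters)"` closes the brace group with ')' instead of '}'; the neighbouring `{bl|blacklists}` shows the intended form. Two smaller points in the same region: the new dispatchers (`std_get_config $@` / `lite_get_config $@` and the `start_command` / `restart_command` twins) forward `$@` unquoted, which re-splits any argument containing whitespace, so use `"$@"`; and now that `g_pager="2>&1 | $g_pager"` carries a redirection as well as a pipe, the variable can only ever be used through `eval`, which is worth a one-line comment next to the assignment so nobody later tries to expand it directly.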
@@ -4795,7 +4843,7 @@ logwatch) only_root get_config Yes Yes Yes - banner="${g_product}-$SHOREWALL_VERSION Logwatch at $g_hostname -" + banner="${g_product} $SHOREWALL_VERSION Logwatch at $g_hostname -" logwatch_command $@ ;; drop) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.7/manpages/shorewall.8 new/shorewall-core-5.2.8/manpages/shorewall.8 --- old/shorewall-core-5.2.7/manpages/shorewall.8 2020-07-29 21:54:41.000000000 +0200 +++ new/shorewall-core-5.2.8/manpages/shorewall.8 2020-09-25 00:06:52.000000000 +0200 @@ -2,12 +2,12 @@ .\" Title: shorewall .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 07/29/2020 +.\" Date: 09/24/2020 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL" "8" "07/29/2020" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL" "8" "09/24/2020" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -240,6 +240,17 @@ . .TE .sp 1 +Note that when Shorewall isn\*(Aqt installed, the \*(Aqshorewall\*(Aq command behaves like shorewall\-lite\&. The same is not true with respect to Shorewall6, "shorewall6" and \*(Aqshorewall6\-lite"\&. You can make \*(Aqshorewall6\*(Aq behave like \*(Aqshorewallt\-lite\*(Aq by adding the following command to root\*(Aqs \&.profile file (or to \&.bashrc, if root\*(Aqs shell is bash): +.sp +.if n \{\ +.RS 4 +.\} +.nf + alias shorewall6=shorewall6\-lite +.fi +.if n \{\ +.RE +.\} .RE .PP \fB\-v\fR[\fIverbosity\fR] 
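Review bot: the paragraph added to shorewall.8 ships two typos into the rendered manpage: `\*(Aqshorewallt\-lite\*(Aq` (extra 't') and the unbalanced quoting in `"shorewall6" and \*(Aqshorewall6\-lite"` (opens with \*(Aq, closes with a double quote). The header says this .8 is generated by DocBook XSL, so fix them in the DocBook source rather than in the generated file or they return on the next regeneration. The sentence "The same is not true with respect to Shorewall6, "shorewall6" and 'shorewall6-lite'" would also read better as "shorewall6 does not fall back to shorewall6-lite in the same way".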
@@ -1543,7 +1554,7 @@ .PP \fBclassifiers|filters\fR .RS 4 -Displays information about the packet classifiers defined on the system as a result of traffic shaping configuration\&. +Displays information about the packet classifiers defined on the system as a result of traffic shaping configuration\&. Beginning with Shorewall 5\&.2\&.8, this command is deprecated, as its output is included in the information displayed by the \*(Aqshow tc\*(Aq command\&. .RE .PP \fBconfig\fR diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.7/releasenotes.txt new/shorewall-core-5.2.8/releasenotes.txt --- old/shorewall-core-5.2.7/releasenotes.txt 2020-07-29 21:53:02.000000000 +0200 +++ new/shorewall-core-5.2.8/releasenotes.txt 2020-09-25 00:02:15.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 2 . 7 + S H O R E W A L L 5 . 2 . 8 ------------------------------- - J U L Y 3 1 , 2 0 2 0 + S E P T E M B E R 2 4 , 2 0 2 0 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,7 +14,35 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) This release contains defect repair up through Shorewall 5.2.6.1. +1) Certain restrictions that apply to wildcard interfaces (interface + name ends in '+') were previously not enforced when the logical + interface name did not end in '+' but the physical interface name + did end in '+'. That has been corrected. + +2) To ensure that error messages appear in the correct place in the + output stream, stderr is now redirected to stdout when the + configured PAGER is used by a command. + +3) Since Shorewall 5.1.0, the Shorewall uninstall.sh script has + incorrectly removed ${SBINDIR}/shorewall, while the Shorewall-core + uninstall.sh script has failed to remove that file. Both scripts + have been corrected. + +4) Previously, the Shorewall CLI included a spurious hyphen ('-') + between the product name (e.g., 'Shorewall6') and the version when + printing a command output banner. + + Example: + + Shorewall6 Lite 5.2.8-RC1 Logwatch at foo8 - Thu 17 Sep 2020 ... + + That has been corrected. + +5) The shorewall-snat(5) manpage previously stated that a + comma-separated list of IP address could be specified for + SNAT. That statement was in error and has been removed. As part of + this change, IPv4 Example 6 has been updated to use the + PROBABILITY column. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
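Review bot: the example under corrected problem 4, `Shorewall6 Lite 5.2.8-RC1 Logwatch at foo8 - Thu 17 Sep 2020 ...`, shows the banner after the fix, not the spurious hyphen between product name and version that the paragraph describes, so the reader cannot see what changed (the only hyphen in it belongs to the version string). Show the old form, `Shorewall6 Lite-5.2.8-RC1 Logwatch ...`, or both forms side by side.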
@@ -58,34 +86,69 @@ repositories. The override file itself will be saved to `/etc/systemd/system/shorewall.service.d/`. +5) RFC 2526 describes IPv6 subnet anycast addresses. The RFC makes a + distinction between subnets with "IPv6 address types required to + have 64-bit interface identifiers in EUI-64 format" and all other + subnets. When generating these anycast addresses, the Shorewall + compiler does not make this distinction and unconditionally + assumes that the last 128 addresses in the subnet are reserved as + anycast addresses. + ---------------------------------------------------------------------------- I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Previously, it was not possible to classify traffic by destination - IP address when using an Intermediate Functional Block (IFB) for - traffic shaping. This is because such classification takes place - before the traffic passes through the mangle PREROUTING chain. +1) The 'show tc' command now shows the classifiers associated with + each interface (as displayed by the 'show classifiers' + command). This integrated qdisc/filter information is also included + in the output of the 'dump' command. This change deprecates the + 'show classifiers' ('show filters') command, as that command's + output is now included in the 'show tc' output. - Such filtering is now possible by setting the 'connmark' option in - the tcdevices file. This option causes the current connection mark - to be copied to the packet mark prior to filtering, thus allowing - the packet mark to be used for classification. +2) Shorewall6 has traditionally generated rules for IPv6 anycast + addresses. These rules include: - This change adds a new CONNMARK_ACTION capability which is - required to be able to specify the 'connmark' option. + a) Packets with these destination IP addresses are dropped by + REJECT rules. 
- Rodrigo Araujo provided the bulk of the code for this enhancement. + b) Packets with these source IP addresses are dropped by the + 'nosmurfs' interface option and by the 'dropSmurfs' action. -2) The tcpri file now supports ?FORMAT 2 which inserts an SPORT - column directly to the right of the PORT column. As part of this - change, the PORT column is renamed to DPORT while allowing both - 'port' and 'dport' to be used in the alternate input format. See - shorewall-tcpri(5) and - http://shorewall.org/simple_traffic_shaping.html for additional - information. + c) Packets with these destination IP addresses are not logged + during policy enforcement. -3) The Simple TC document is now linked to FAQs 97 and 97a. + d) Packets with these destination IP addresses are processes by + the 'Broadcast' action. + + Beginning with this release, individual network interfaces can be + excluded from this treatment through use of the 'omitanycast' + option in /etc/shorewall6/interfaces. + + Note: This option was named 'noanycast' in earlier Beta releases. + +3) Duplicate function names have been eliminated between the + Shorewall-core lib.cli shell library and the Shorewall lib.cli-std + library. + +4) The 'status' command in Shorewall[6]-lite now precedes the + configuration directory name with the administrative host name + separated with a colon (":"). + + Example (Firewall script generated on host 'debianvm'): + + root@gateway:~# shorewall-lite status + Shorewall Lite-5.2.8 Status at gateway - Tue 15 Sep 2020 03:09:15 PM PDT + + Shorewall Lite is running + State:Started Tue 15 Sep 2020 03:08:33 PM PDT from + debianvm:/home/teastep/shorewall/gateway/shorewall/ + (/var/lib/shorewall-lite/firewall compiled Tue 15 Sep 2020 + 03:08:28 PM PDT by Shorewall version 5.2.8) + + root@gateway:~# + +5) Tuomo Soini has contributed a macro that handles NFS v1.4 (no + dynamic ports). ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
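Review bot: new feature 2 lists what Shorewall6 does with anycast addresses (REJECT, nosmurfs/dropSmurfs, no policy logging, the Broadcast action) but not what happens to such packets on an interface marked `omitanycast`; for an option that removes default drops, the release notes and shorewall6-interfaces(5) should state explicitly what handles those packets instead (presumably the interface's ordinary rules and policy) so that an administrator enabling it on an external interface knows the smurf protection is gone there too. Three text fixes in the same hunk: item d) "are processes by" should read "are processed by"; the example under feature 4 still prints `Shorewall Lite-5.2.8 Status at gateway`, i.e. the hyphenated banner that corrected problem 4 of this same release says was removed, so regenerate it from the final build; and "NFS v1.4" in item 5 is presumably NFS v4.1, the version that needs no dynamic ports.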
@@ -485,6 +548,35 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 2 R E L E A S E S ---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 2 . 7 +---------------------------------------------------------------------------- + +1) Previously, it was not possible to classify traffic by destination + IP address when using an Intermediate Functional Block (IFB) for + traffic shaping. This is because such classification takes place + before the traffic passes through the mangle PREROUTING chain. + + Such filtering is now possible by setting the 'connmark' option in + the tcdevices file. This option causes the current connection mark + to be copied to the packet mark prior to filtering, thus allowing + the packet mark to be used for classification. + + This change adds a new CONNMARK_ACTION capability which is + required to be able to specify the 'connmark' option. + + Rodrigo Araujo provided the bulk of the code for this enhancement. + +2) The tcpri file now supports ?FORMAT 2 which inserts an SPORT + column directly to the right of the PORT column. As part of this + change, the PORT column is renamed to DPORT while allowing both + 'port' and 'dport' to be used in the alternate input format. See + shorewall-tcpri(5) and + http://shorewall.org/simple_traffic_shaping.html for additional + information. + +3) The Simple TC document is now linked to FAQs 97 and 97a. + +---------------------------------------------------------------------------- N E W F E A T U R E S I N 5 . 2 . 
6 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.7/shorewall-core.spec new/shorewall-core-5.2.8/shorewall-core.spec --- old/shorewall-core-5.2.7/shorewall-core.spec 2020-07-29 21:53:02.000000000 +0200 +++ new/shorewall-core-5.2.8/shorewall-core.spec 2020-09-25 00:02:15.000000000 +0200 @@ -1,5 +1,5 @@ %define name shorewall-core -%define version 5.2.7 +%define version 5.2.8 %define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. @@ -69,6 +69,14 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt %changelog +* Fri Sep 18 2020 Tom Eastep <[email protected]> +- Updated to 5.2.8-0base +* Thu Sep 10 2020 Tom Eastep <[email protected]> +- Updated to 5.2.8-0RC1 +* Wed Sep 09 2020 Tom Eastep <[email protected]> +- Updated to 5.2.8-0Beta2 +* Sat Aug 01 2020 Tom Eastep <[email protected]> +- Updated to 5.2.8-0Beta1 * Wed Jul 29 2020 Tom Eastep <[email protected]> - Updated to 5.2.7-0base * Sat Jul 25 2020 Tom Eastep <[email protected]> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.7/uninstall.sh new/shorewall-core-5.2.8/uninstall.sh --- old/shorewall-core-5.2.7/uninstall.sh 2020-07-29 21:53:02.000000000 +0200 +++ new/shorewall-core-5.2.8/uninstall.sh 2020-09-25 00:02:15.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.2.7 +VERSION=5.2.8 PRODUCT=shorewall-core Product="Shorewall Core" 
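Review bot: the spec %changelog dates 5.2.8-0base to "Fri Sep 18 2020", while releasenotes.txt in the same tarball is headed "S E P T E M B E R 2 4 , 2 0 2 0" and the files are stamped 2020-09-25; pick one release date so the changelog, release notes and tarball agree.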
@@ -134,6 +134,7 @@ remove_directory ${SHAREDIR}/shorewall remove_file ~/.shorewallrc +remove_file ${SBINDIR}/shorewall # # Report Success ++++++ shorewall-docs-html-5.2.7.tar.bz2 -> shorewall-docs-html-5.2.8.tar.bz2 ++++++ ++++ 1649 lines of diff (skipped) ++++++ shorewall-init-5.2.7.tar.bz2 -> shorewall-init-5.2.8.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.7/changelog.txt new/shorewall-init-5.2.8/changelog.txt --- old/shorewall-init-5.2.7/changelog.txt 2020-07-29 21:53:02.000000000 +0200 +++ new/shorewall-init-5.2.8/changelog.txt 2020-09-25 00:02:16.000000000 +0200 
@@ -1,7 +1,54 @@ -Changes in 5.2.7 Final +Changes in 5.2.8 Final 1) Update release documents +2) Update the %tcdevices documentation at the top of Tc.pm. + +3) Update shorewall-snat(5). + +4) Document NFS macro. + +Changes in 5.2.8 RC 1 + +1) Update release documents + +2) Rename 'noanycast' to 'omitanycast' + +3) Correct use of $physwild. + +4) Ensure that SHOREWALL_SHELL is set. + +5) Redirect stderr to stdout when using $PAGER + +6) Eliminate duplicate function names. + +7) Don't remove ${SBINDIR}/shorewall when removing Shorewall. + +8) Remove bogus New Feature from release notes. + +9) Include hostname in status command when using Lite product. + +10( Display consistent banner from CLI + +Changes in 5.2.8 Beta 2 + +1) Update release documents + +2) Correct code generated for 'noanycast'. + +3) Flesh out IPv6 anycast documentation. + +Changes in 5.2.8 Beta 1 + +1) Update release documents + +2) Show filters in output of 'show tc' + +3) Show policing filter in output of 'show classifiers' and + 'shorewall tc'. + +4) Add 'noanycast' interface option. + Changes in 5.2.7 RC 1 1) Update release documents diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.7/configure new/shorewall-init-5.2.8/configure --- old/shorewall-init-5.2.7/configure 2020-07-29 21:53:02.000000000 +0200 +++ new/shorewall-init-5.2.8/configure 2020-09-25 00:02:16.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.2.7 +VERSION=5.2.8 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.7/configure.pl new/shorewall-init-5.2.8/configure.pl --- old/shorewall-init-5.2.7/configure.pl 2020-07-29 21:53:02.000000000 +0200 +++ new/shorewall-init-5.2.8/configure.pl 2020-09-25 00:02:16.000000000 +0200 
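Review bot: `10( Display consistent banner from CLI` has a stray '(' where the other entries use ')'. This changelog.txt, like the releasenotes.txt further down in the shorewall-init tarball, is a verbatim copy of shorewall-core's, so this typo and the ones in the release notes ("are processes by", the hyphenated `Shorewall Lite-5.2.8 Status` example) have to be fixed in both products; generating the init copies from the core files at release time would stop them drifting apart.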
@@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.2.7' + VERSION => '5.2.8' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.7/install.sh new/shorewall-init-5.2.8/install.sh --- old/shorewall-init-5.2.7/install.sh 2020-07-29 21:53:02.000000000 +0200 +++ new/shorewall-init-5.2.8/install.sh 2020-09-25 00:02:16.000000000 +0200 @@ -27,7 +27,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=5.2.7 +VERSION=5.2.8 PRODUCT=shorewall-init Product="Shorewall Init" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.7/releasenotes.txt new/shorewall-init-5.2.8/releasenotes.txt --- old/shorewall-init-5.2.7/releasenotes.txt 2020-07-29 21:53:02.000000000 +0200 +++ new/shorewall-init-5.2.8/releasenotes.txt 2020-09-25 00:02:16.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 2 . 7 + S H O R E W A L L 5 . 2 . 8 ------------------------------- - J U L Y 3 1 , 2 0 2 0 + S E P T E M B E R 2 4 , 2 0 2 0 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,7 +14,35 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) This release contains defect repair up through Shorewall 5.2.6.1. +1) Certain restrictions that apply to wildcard interfaces (interface + name ends in '+') were previously not enforced when the logical + interface name did not end in '+' but the physical interface name + did end in '+'. That has been corrected. + +2) To ensure that error messages appear in the correct place in the + output stream, stderr is now redirected to stdout when the + configured PAGER is used by a command. + +3) Since Shorewall 5.1.0, the Shorewall uninstall.sh script has + incorrectly removed ${SBINDIR}/shorewall, while the Shorewall-core + uninstall.sh script has failed to remove that file. Both scripts + have been corrected. + +4) Previously, the Shorewall CLI included a spurious hyphen ('-') + between the product name (e.g., 'Shorewall6') and the version when + printing a command output banner. + + Example: + + Shorewall6 Lite 5.2.8-RC1 Logwatch at foo8 - Thu 17 Sep 2020 ... + + That has been corrected. + +5) The shorewall-snat(5) manpage previously stated that a + comma-separated list of IP address could be specified for + SNAT. That statement was in error and has been removed. As part of + this change, IPv4 Example 6 has been updated to use the + PROBABILITY column. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -58,34 +86,69 @@ repositories. The override file itself will be saved to `/etc/systemd/system/shorewall.service.d/`. +5) RFC 2526 describes IPv6 subnet anycast addresses. The RFC makes a + distinction between subnets with "IPv6 address types required to + have 64-bit interface identifiers in EUI-64 format" and all other + subnets. When generating these anycast addresses, the Shorewall + compiler does not make this distinction and unconditionally + assumes that the last 128 addresses in the subnet are reserved as + anycast addresses. + ---------------------------------------------------------------------------- I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Previously, it was not possible to classify traffic by destination - IP address when using an Intermediate Functional Block (IFB) for - traffic shaping. This is because such classification takes place - before the traffic passes through the mangle PREROUTING chain. +1) The 'show tc' command now shows the classifiers associated with + each interface (as displayed by the 'show classifiers' + command). This integrated qdisc/filter information is also included + in the output of the 'dump' command. This change deprecates the + 'show classifiers' ('show filters') command, as that command's + output is now included in the 'show tc' output. - Such filtering is now possible by setting the 'connmark' option in - the tcdevices file. This option causes the current connection mark - to be copied to the packet mark prior to filtering, thus allowing - the packet mark to be used for classification. +2) Shorewall6 has traditionally generated rules for IPv6 anycast + addresses. These rules include: - This change adds a new CONNMARK_ACTION capability which is - required to be able to specify the 'connmark' option. + a) Packets with these destination IP addresses are dropped by + REJECT rules. 
- Rodrigo Araujo provided the bulk of the code for this enhancement. + b) Packets with these source IP addresses are dropped by the + 'nosmurfs' interface option and by the 'dropSmurfs' action. -2) The tcpri file now supports ?FORMAT 2 which inserts an SPORT - column directly to the right of the PORT column. As part of this - change, the PORT column is renamed to DPORT while allowing both - 'port' and 'dport' to be used in the alternate input format. See - shorewall-tcpri(5) and - http://shorewall.org/simple_traffic_shaping.html for additional - information. + c) Packets with these destination IP addresses are not logged + during policy enforcement. -3) The Simple TC document is now linked to FAQs 97 and 97a. + d) Packets with these destination IP addresses are processes by + the 'Broadcast' action. + + Beginning with this release, individual network interfaces can be + excluded from this treatment through use of the 'omitanycast' + option in /etc/shorewall6/interfaces. + + Note: This option was named 'noanycast' in earlier Beta releases. + +3) Duplicate function names have been eliminated between the + Shorewall-core lib.cli shell library and the Shorewall lib.cli-std + library. + +4) The 'status' command in Shorewall[6]-lite now precedes the + configuration directory name with the administrative host name + separated with a colon (":"). + + Example (Firewall script generated on host 'debianvm'): + + root@gateway:~# shorewall-lite status + Shorewall Lite-5.2.8 Status at gateway - Tue 15 Sep 2020 03:09:15 PM PDT + + Shorewall Lite is running + State:Started Tue 15 Sep 2020 03:08:33 PM PDT from + debianvm:/home/teastep/shorewall/gateway/shorewall/ + (/var/lib/shorewall-lite/firewall compiled Tue 15 Sep 2020 + 03:08:28 PM PDT by Shorewall version 5.2.8) + + root@gateway:~# + +5) Tuomo Soini has contributed a macro that handles NFS v1.4 (no + dynamic ports). ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -485,6 +548,35 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 2 R E L E A S E S ---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 2 . 7 +---------------------------------------------------------------------------- + +1) Previously, it was not possible to classify traffic by destination + IP address when using an Intermediate Functional Block (IFB) for + traffic shaping. This is because such classification takes place + before the traffic passes through the mangle PREROUTING chain. + + Such filtering is now possible by setting the 'connmark' option in + the tcdevices file. This option causes the current connection mark + to be copied to the packet mark prior to filtering, thus allowing + the packet mark to be used for classification. + + This change adds a new CONNMARK_ACTION capability which is + required to be able to specify the 'connmark' option. + + Rodrigo Araujo provided the bulk of the code for this enhancement. + +2) The tcpri file now supports ?FORMAT 2 which inserts an SPORT + column directly to the right of the PORT column. As part of this + change, the PORT column is renamed to DPORT while allowing both + 'port' and 'dport' to be used in the alternate input format. See + shorewall-tcpri(5) and + http://shorewall.org/simple_traffic_shaping.html for additional + information. + +3) The Simple TC document is now linked to FAQs 97 and 97a. + +---------------------------------------------------------------------------- N E W F E A T U R E S I N 5 . 2 . 
6 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.7/shorewall-init.spec new/shorewall-init-5.2.8/shorewall-init.spec --- old/shorewall-init-5.2.7/shorewall-init.spec 2020-07-29 21:53:02.000000000 +0200 +++ new/shorewall-init-5.2.8/shorewall-init.spec 2020-09-25 00:02:16.000000000 +0200 @@ -1,5 +1,5 @@ %define name shorewall-init -%define version 5.2.7 +%define version 5.2.8 %define release 0base Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). @@ -135,6 +135,14 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Fri Sep 18 2020 Tom Eastep <[email protected]> +- Updated to 5.2.8-0base +* Thu Sep 10 2020 Tom Eastep <[email protected]> +- Updated to 5.2.8-0RC1 +* Wed Sep 09 2020 Tom Eastep <[email protected]> +- Updated to 5.2.8-0Beta2 +* Sat Aug 01 2020 Tom Eastep <[email protected]> +- Updated to 5.2.8-0Beta1 * Wed Jul 29 2020 Tom Eastep <[email protected]> - Updated to 5.2.7-0base * Sat Jul 25 2020 Tom Eastep <[email protected]> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.7/uninstall.sh new/shorewall-init-5.2.8/uninstall.sh --- old/shorewall-init-5.2.7/uninstall.sh 2020-07-29 21:53:02.000000000 +0200 +++ new/shorewall-init-5.2.8/uninstall.sh 2020-09-25 00:02:16.000000000 +0200 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.2.7 +VERSION=5.2.8 PRODUCT=shorewall-init Product="Shorewall Init" ++++++ shorewall-lite-5.2.7.tar.bz2 -> shorewall-lite-5.2.8.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.7/changelog.txt new/shorewall-lite-5.2.8/changelog.txt --- old/shorewall-lite-5.2.7/changelog.txt 2020-07-29 21:53:02.000000000 +0200 +++ new/shorewall-lite-5.2.8/changelog.txt 2020-09-25 00:02:16.000000000 +0200 
@@ -1,7 +1,54 @@ -Changes in 5.2.7 Final +Changes in 5.2.8 Final 1) Update release documents +2) Update the %tcdevices documentation at the top of Tc.pm. + +3) Update shorewall-snat(5). + +4) Document NFS macro. + +Changes in 5.2.8 RC 1 + +1) Update release documents + +2) Rename 'noanycast' to 'omitanycast' + +3) Correct use of $physwild. + +4) Ensure that SHOREWALL_SHELL is set. + +5) Redirect stderr to stdout when using $PAGER + +6) Eliminate duplicate function names. + +7) Don't remove ${SBINDIR}/shorewall when removing Shorewall. + +8) Remove bogus New Feature from release notes. + +9) Include hostname in status command when using Lite product. + +10( Display consistent banner from CLI + +Changes in 5.2.8 Beta 2 + +1) Update release documents + +2) Correct code generated for 'noanycast'. + +3) Flesh out IPv6 anycast documentation. + +Changes in 5.2.8 Beta 1 + +1) Update release documents + +2) Show filters in output of 'show tc' + +3) Show policing filter in output of 'show classifiers' and + 'shorewall tc'. + +4) Add 'noanycast' interface option. + Changes in 5.2.7 RC 1 1) Update release documents diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.7/configure new/shorewall-lite-5.2.8/configure --- old/shorewall-lite-5.2.7/configure 2020-07-29 21:53:02.000000000 +0200 +++ new/shorewall-lite-5.2.8/configure 2020-09-25 00:02:16.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.2.7 +VERSION=5.2.8 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.7/configure.pl new/shorewall-lite-5.2.8/configure.pl --- old/shorewall-lite-5.2.7/configure.pl 2020-07-29 21:53:02.000000000 +0200 +++ new/shorewall-lite-5.2.8/configure.pl 2020-09-25 00:02:16.000000000 +0200 
@@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.2.7' + VERSION => '5.2.8' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.7/install.sh new/shorewall-lite-5.2.8/install.sh --- old/shorewall-lite-5.2.7/install.sh 2020-07-29 21:53:02.000000000 +0200 +++ new/shorewall-lite-5.2.8/install.sh 2020-09-25 00:02:16.000000000 +0200 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=5.2.7 +VERSION=5.2.8 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.7/manpages/shorewall-lite-vardir.5 new/shorewall-lite-5.2.8/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-5.2.7/manpages/shorewall-lite-vardir.5 2020-07-29 21:54:33.000000000 +0200 +++ new/shorewall-lite-5.2.8/manpages/shorewall-lite-vardir.5 2020-09-25 00:06:25.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 07/29/2020 +.\" Date: 09/24/2020 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "07/29/2020" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\-VAR" "5" "09/24/2020" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.7/manpages/shorewall-lite.8 new/shorewall-lite-5.2.8/manpages/shorewall-lite.8 --- old/shorewall-lite-5.2.7/manpages/shorewall-lite.8 2020-07-29 21:54:33.000000000 +0200 +++ new/shorewall-lite-5.2.8/manpages/shorewall-lite.8 2020-09-25 00:06:27.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 07/29/2020 +.\" Date: 09/24/2020 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "07/29/2020" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL\-LITE" "8" "09/24/2020" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.7/manpages/shorewall-lite.conf.5 new/shorewall-lite-5.2.8/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-5.2.7/manpages/shorewall-lite.conf.5 2020-07-29 21:54:32.000000000 +0200 +++ new/shorewall-lite-5.2.8/manpages/shorewall-lite.conf.5 2020-09-25 00:06:23.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 07/29/2020 +.\" Date: 09/24/2020 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "07/29/2020" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\&.CO" "5" "09/24/2020" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.7/releasenotes.txt new/shorewall-lite-5.2.8/releasenotes.txt --- old/shorewall-lite-5.2.7/releasenotes.txt 2020-07-29 21:53:02.000000000 +0200 +++ new/shorewall-lite-5.2.8/releasenotes.txt 2020-09-25 00:02:16.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 2 . 7 + S H O R E W A L L 5 . 2 . 8 ------------------------------- - J U L Y 3 1 , 2 0 2 0 + S E P T E M B E R 2 4 , 2 0 2 0 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,7 +14,35 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) This release contains defect repair up through Shorewall 5.2.6.1. +1) Certain restrictions that apply to wildcard interfaces (interface + name ends in '+') were previously not enforced when the logical + interface name did not end in '+' but the physical interface name + did end in '+'. That has been corrected. + +2) To ensure that error messages appear in the correct place in the + output stream, stderr is now redirected to stdout when the + configured PAGER is used by a command. + +3) Since Shorewall 5.1.0, the Shorewall uninstall.sh script has + incorrectly removed ${SBINDIR}/shorewall, while the Shorewall-core + uninstall.sh script has failed to remove that file. Both scripts + have been corrected. + +4) Previously, the Shorewall CLI included a spurious hyphen ('-') + between the product name (e.g., 'Shorewall6') and the version when + printing a command output banner. + + Example: + + Shorewall6 Lite 5.2.8-RC1 Logwatch at foo8 - Thu 17 Sep 2020 ... + + That has been corrected. + +5) The shorewall-snat(5) manpage previously stated that a + comma-separated list of IP address could be specified for + SNAT. That statement was in error and has been removed. As part of + this change, IPv4 Example 6 has been updated to use the + PROBABILITY column. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -58,34 +86,69 @@ repositories. The override file itself will be saved to `/etc/systemd/system/shorewall.service.d/`. +5) RFC 2526 describes IPv6 subnet anycast addresses. The RFC makes a + distinction between subnets with "IPv6 address types required to + have 64-bit interface identifiers in EUI-64 format" and all other + subnets. When generating these anycast addresses, the Shorewall + compiler does not make this distinction and unconditionally + assumes that the last 128 addresses in the subnet are reserved as + anycast addresses. + ---------------------------------------------------------------------------- I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Previously, it was not possible to classify traffic by destination - IP address when using an Intermediate Functional Block (IFB) for - traffic shaping. This is because such classification takes place - before the traffic passes through the mangle PREROUTING chain. +1) The 'show tc' command now shows the classifiers associated with + each interface (as displayed by the 'show classifiers' + command). This integrated qdisc/filter information is also included + in the output of the 'dump' command. This change deprecates the + 'show classifiers' ('show filters') command, as that command's + output is now included in the 'show tc' output. - Such filtering is now possible by setting the 'connmark' option in - the tcdevices file. This option causes the current connection mark - to be copied to the packet mark prior to filtering, thus allowing - the packet mark to be used for classification. +2) Shorewall6 has traditionally generated rules for IPv6 anycast + addresses. These rules include: - This change adds a new CONNMARK_ACTION capability which is - required to be able to specify the 'connmark' option. + a) Packets with these destination IP addresses are dropped by + REJECT rules. 
- Rodrigo Araujo provided the bulk of the code for this enhancement. + b) Packets with these source IP addresses are dropped by the + 'nosmurfs' interface option and by the 'dropSmurfs' action. -2) The tcpri file now supports ?FORMAT 2 which inserts an SPORT - column directly to the right of the PORT column. As part of this - change, the PORT column is renamed to DPORT while allowing both - 'port' and 'dport' to be used in the alternate input format. See - shorewall-tcpri(5) and - http://shorewall.org/simple_traffic_shaping.html for additional - information. + c) Packets with these destination IP addresses are not logged + during policy enforcement. -3) The Simple TC document is now linked to FAQs 97 and 97a. + d) Packets with these destination IP addresses are processes by + the 'Broadcast' action. + + Beginning with this release, individual network interfaces can be + excluded from this treatment through use of the 'omitanycast' + option in /etc/shorewall6/interfaces. + + Note: This option was named 'noanycast' in earlier Beta releases. + +3) Duplicate function names have been eliminated between the + Shorewall-core lib.cli shell library and the Shorewall lib.cli-std + library. + +4) The 'status' command in Shorewall[6]-lite now precedes the + configuration directory name with the administrative host name + separated with a colon (":"). + + Example (Firewall script generated on host 'debianvm'): + + root@gateway:~# shorewall-lite status + Shorewall Lite-5.2.8 Status at gateway - Tue 15 Sep 2020 03:09:15 PM PDT + + Shorewall Lite is running + State:Started Tue 15 Sep 2020 03:08:33 PM PDT from + debianvm:/home/teastep/shorewall/gateway/shorewall/ + (/var/lib/shorewall-lite/firewall compiled Tue 15 Sep 2020 + 03:08:28 PM PDT by Shorewall version 5.2.8) + + root@gateway:~# + +5) Tuomo Soini has contributed a macro that handles NFS v1.4 (no + dynamic ports). ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -485,6 +548,35 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 2 R E L E A S E S ---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 2 . 7 +---------------------------------------------------------------------------- + +1) Previously, it was not possible to classify traffic by destination + IP address when using an Intermediate Functional Block (IFB) for + traffic shaping. This is because such classification takes place + before the traffic passes through the mangle PREROUTING chain. + + Such filtering is now possible by setting the 'connmark' option in + the tcdevices file. This option causes the current connection mark + to be copied to the packet mark prior to filtering, thus allowing + the packet mark to be used for classification. + + This change adds a new CONNMARK_ACTION capability which is + required to be able to specify the 'connmark' option. + + Rodrigo Araujo provided the bulk of the code for this enhancement. + +2) The tcpri file now supports ?FORMAT 2 which inserts an SPORT + column directly to the right of the PORT column. As part of this + change, the PORT column is renamed to DPORT while allowing both + 'port' and 'dport' to be used in the alternate input format. See + shorewall-tcpri(5) and + http://shorewall.org/simple_traffic_shaping.html for additional + information. + +3) The Simple TC document is now linked to FAQs 97 and 97a. + +---------------------------------------------------------------------------- N E W F E A T U R E S I N 5 . 2 . 
6 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.7/shorewall-lite.spec new/shorewall-lite-5.2.8/shorewall-lite.spec --- old/shorewall-lite-5.2.7/shorewall-lite.spec 2020-07-29 21:53:02.000000000 +0200 +++ new/shorewall-lite-5.2.8/shorewall-lite.spec 2020-09-25 00:02:16.000000000 +0200 @@ -1,5 +1,5 @@ %define name shorewall-lite -%define version 5.2.7 +%define version 5.2.8 %define release 0base %define initdir /etc/init.d @@ -114,6 +114,14 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Fri Sep 18 2020 Tom Eastep <[email protected]> +- Updated to 5.2.8-0base +* Thu Sep 10 2020 Tom Eastep <[email protected]> +- Updated to 5.2.8-0RC1 +* Wed Sep 09 2020 Tom Eastep <[email protected]> +- Updated to 5.2.8-0Beta2 +* Sat Aug 01 2020 Tom Eastep <[email protected]> +- Updated to 5.2.8-0Beta1 * Wed Jul 29 2020 Tom Eastep <[email protected]> - Updated to 5.2.7-0base * Sat Jul 25 2020 Tom Eastep <[email protected]> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.7/uninstall.sh new/shorewall-lite-5.2.8/uninstall.sh --- old/shorewall-lite-5.2.7/uninstall.sh 2020-07-29 21:53:02.000000000 +0200 +++ new/shorewall-lite-5.2.8/uninstall.sh 2020-09-25 00:02:16.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.2.7 +VERSION=5.2.8 usage() # $1 = exit status { ++++++ shorewall-5.2.7.tar.bz2 -> shorewall6-5.2.8.tar.bz2 ++++++ ++++ 122739 lines of diff (skipped) ++++++ shorewall-lite-5.2.7.tar.bz2 -> shorewall6-lite-5.2.8.tar.bz2 ++++++ ++++ 3245 lines of diff (skipped)
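Review bot: the sample 'status' output under New Feature 4 (both the shorewall-init and the shorewall-lite releasenotes.txt hunks) contradicts Problem Corrected 4 in the same file: the banner line `Shorewall Lite-5.2.8 Status at gateway - Tue 15 Sep 2020 03:09:15 PM PDT` still shows the hyphen between product name and version that item 4 says has been removed, so the capture predates the fix and should be redone with the final build. The example under item 4 itself, `Shorewall6 Lite 5.2.8-RC1 Logwatch at foo8 - Thu 17 Sep 2020 ...`, does not show the spurious hyphen at all, so say whether it is the before or the after form. Two typos in the same hunks: `d) Packets with these destination IP addresses are processes by` should read 'processed', and `comma-separated list of IP address could be specified` should read 'addresses'.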
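Review bot: in the shorewall-lite changelog.txt hunk, `10( Display consistent banner from CLI` has a mis-typed list marker and should be `10)` like the surrounding entries. The RC 1 item `4) Ensure that SHOREWALL_SHELL is set.` has no counterpart in the release notes' Problems Corrected or New Features sections; either add one or note why it is internal-only, since the other RC 1 items (`$physwild`, `$PAGER`, `${SBINDIR}/shorewall`, hostname in status, banner) each map to a release-note entry.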
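Review bot: the new Known Problem 5 (RFC 2526 anycast) states the limitation without its consequence. New Feature 2 in the same hunk lists what the generated anycast addresses feed (REJECT rules, the 'nosmurfs' option and 'dropSmurfs' action, log suppression during policy enforcement, the 'Broadcast' action), and the 'last 128 addresses in the subnet' assumption matches the RFC only for subnets that do not use EUI-64 interface identifiers; spell out that on EUI-64 subnets those rules are generated for the wrong addresses, and cross-reference the per-interface 'omitanycast' option introduced in the same release as the way to suppress the generated rules where that matters.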
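Review bot: the substantive 5.2.8 changes (the wildcard/$physwild restriction fix, the ${SBINDIR}/shorewall uninstall.sh correction, stderr redirection under $PAGER, 'omitanycast', the lib.cli function de-duplication) are all in the two skipped tarball diffs (`122739 lines of diff (skipped)` and `3245 lines of diff (skipped)`), so this log only lets the version bumps, spec %changelog entries, manpage dates and release documents be reviewed. The rename lines also pair `shorewall-5.2.7.tar.bz2 -> shorewall6-5.2.8.tar.bz2` and `shorewall-lite-5.2.7.tar.bz2 -> shorewall6-lite-5.2.8.tar.bz2`, which looks like a mismatched old/new pairing in the comparison; confirm that shorewall and shorewall6 (and their -lite variants) were each compared against their own 5.2.7 tarball.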
