Hello community, here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2015-08-05 06:49:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shorewall (Old) and /work/SRC/openSUSE:Factory/.shorewall.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall" Changes: -------- --- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2015-06-24 21:01:35.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes 2015-08-05 06:49:58.000000000 +0200 
@@ -1,0 +2,31 @@ +Tue Jul 14 09:48:08 UTC 2015 - [email protected] + +- Update to version 4.6.11 For more details see changelog.txt and + releasenotes.txt + + * Previously, when the -c option was given to the 'compile' + command, the progress message "Compiling..." was issued before + it was determined if compilation was necessary. Now, that message + is suppressed when re-compilation is not required. + + * Previously, when the -c option was given to the 'compile' + command, the 'postcompile' extension script was executed even when + there was no (re-)compilation. Now, the 'postcompile' script is + only invoked when a new script is generated. + + * If CONFDIR was other than /etc, then ordinary users would not + receive a clear error message when they attempted to execute + one of the commands that change the firewall state. + + * Previously, IPv4 DHCP client broadcasts were blocked by the + 'rpfilter' interface option. That has been corrected. + + * The 'update' command incorrectly added the INLINE_MATCHES + option to shorewall6.conf with a default value of 'Yes'. This + caused 'start' to fail with invalid ip6tables rules when the alternate + input format using ';' is used. + + Note: This last issue is not documented in the release notes + included with the release. 
+ +------------------------------------------------------------------- Old: ---- shorewall-4.6.10.1.tar.bz2 shorewall-core-4.6.10.1.tar.bz2 shorewall-docs-html-4.6.10.1.tar.bz2 shorewall-init-4.6.10.1.tar.bz2 shorewall-lite-4.6.10.1.tar.bz2 shorewall6-4.6.10.1.tar.bz2 shorewall6-lite-4.6.10.1.tar.bz2 New: ---- shorewall-4.6.11.tar.bz2 shorewall-core-4.6.11.tar.bz2 shorewall-docs-html-4.6.11.tar.bz2 shorewall-init-4.6.11.tar.bz2 shorewall-lite-4.6.11.tar.bz2 shorewall6-4.6.11.tar.bz2 shorewall6-lite-4.6.11.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.0ATd9L/_old 2015-08-05 06:49:59.000000000 +0200 +++ /var/tmp/diff_new_pack.0ATd9L/_new 2015-08-05 06:49:59.000000000 +0200 
@@ -20,19 +20,19 @@ %define have_systemd 1 Name: shorewall -Version: 4.6.10.1 +Version: 4.6.11 Release: 0 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems License: GPL-2.0 Group: Productivity/Networking/Security Url: http://www.shorewall.net/ -Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.10/%{name}-%version.tar.bz2 -Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.10/%{name}-core-%version.tar.bz2 -Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.10/%{name}-lite-%version.tar.bz2 -Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.10/%{name}-init-%version.tar.bz2 -Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.10/%{name}6-lite-%version.tar.bz2 -Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.10/%{name}6-%version.tar.bz2 -Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.10/%{name}-docs-html-%version.tar.bz2 +Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.11/%{name}-%version.tar.bz2 +Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.11/%{name}-core-%version.tar.bz2 +Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.11/%{name}-lite-%version.tar.bz2 +Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.11/%{name}-init-%version.tar.bz2 +Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.11/%{name}6-lite-%version.tar.bz2 +Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.11/%{name}6-%version.tar.bz2 +Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.11/%{name}-docs-html-%version.tar.bz2 Source7: %{name}-4.4.22.rpmlintrc Source8: README.openSUSE # PATCH-FIX-UPSTREAM [email protected] Shorewall-lite init.suse.sh Required Stop ++++++ shorewall-4.6.10.1.tar.bz2 -> shorewall-4.6.11.tar.bz2 ++++++ ++++ 4592 lines of diff (skipped) ++++++ shorewall-core-4.6.10.1.tar.bz2 -> shorewall-core-4.6.11.tar.bz2 ++++++ diff -urN 
'--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.10.1/changelog.txt new/shorewall-core-4.6.11/changelog.txt --- old/shorewall-core-4.6.10.1/changelog.txt 2015-06-10 17:00:52.000000000 +0200 +++ new/shorewall-core-4.6.11/changelog.txt 2015-07-06 23:57:57.000000000 +0200 @@ -1,12 +1,46 @@ -Changes in 4.6.10.1 +Changes in 4.6.11 Final 1) Update release documents. -2) Use consistent indentation in lib.core +2) Clean up PATH fix. -3) Complete Shorewall-init improvements +Changes in 4.6.11 RC 1 -4) Return exit status 6 when startup is disabled +1) Update release documents. + +2) Allow selection in 'show connections' + +3) Ensure that the compiler has a usable PATH + +4) Correctly handle IPv4 DHCP incoming requests with 'rpfilter'. + +Changes in 4.6.11 Beta 3 + +1) Update release documents. + +2) Correct the test for ordinary user accessing the default config. + +3) Eliminated the usage() function in lib.cli-std + +4) Don't get script's version if it was just compiled + +5) Append default PATH to the active PATH in the compiler. + +Changes in 4.6.11 Beta 2 + +1) Update release documents. + +2) Don't invoke 'postcompile' when compilation isn't done. + +Changes in 4.6.11 Beta 1 + +1) Update release documents. + +2) Add WORKAROUNDS option + +3) Merge Tuomo's fixes. + +4) Fix 'compile -c' progress message Changes in 4.6.10 Final diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.10.1/configure new/shorewall-core-4.6.11/configure --- old/shorewall-core-4.6.10.1/configure 2015-06-10 17:00:52.000000000 +0200 +++ new/shorewall-core-4.6.11/configure 2015-07-06 23:57:57.000000000 +0200 
@@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.10.1 +VERSION=4.6.11 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.10.1/configure.pl new/shorewall-core-4.6.11/configure.pl --- old/shorewall-core-4.6.10.1/configure.pl 2015-06-10 17:00:52.000000000 +0200 +++ new/shorewall-core-4.6.11/configure.pl 2015-07-06 23:57:57.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.10.1' + VERSION => '4.6.11' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.10.1/install.sh new/shorewall-core-4.6.11/install.sh --- old/shorewall-core-4.6.10.1/install.sh 2015-06-10 17:00:52.000000000 +0200 +++ new/shorewall-core-4.6.11/install.sh 2015-07-06 23:57:57.000000000 +0200 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=4.6.10.1 +VERSION=4.6.11 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.10.1/lib.cli new/shorewall-core-4.6.11/lib.cli --- old/shorewall-core-4.6.10.1/lib.cli 2015-06-09 20:02:00.000000000 +0200 +++ new/shorewall-core-4.6.11/lib.cli 2015-07-06 23:49:20.000000000 +0200 
@@ -388,16 +388,30 @@ status=0 if [ -f ${VARDIR}/firewall ]; then - if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then - cp -f ${VARDIR}/firewall $g_restorepath - mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables - chmod +x $g_restorepath - echo " Currently-running Configuration Saved to $g_restorepath" - run_user_exit save + if [ -n "$WORKAROUNDS" ]; then + if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then + cp -f ${VARDIR}/firewall $g_restorepath + mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables + chmod +x $g_restorepath + echo " Currently-running Configuration Saved to $g_restorepath" + run_user_exit save + else + rm -f ${VARDIR}/restore-$$ + echo " ERROR: Currently-running Configuration Not Saved" >&2 + status=1 + fi else - rm -f ${VARDIR}/restore-$$ - echo " ERROR: Currently-running Configuration Not Saved" >&2 - status=1 + if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then + cp -f ${VARDIR}/firewall $g_restorepath + mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables + chmod +x $g_restorepath + echo " Currently-running Configuration Saved to $g_restorepath" + run_user_exit save + else + rm -f ${VARDIR}/restore-$$ + echo " ERROR: Currently-running Configuration Not Saved" >&2 + status=1 + fi fi else echo " ERROR: ${VARDIR}/firewall does not exist" >&2 
@@ -409,14 +423,24 @@ resolve_arptables if [ -n "$arptables" ]; then - # - # 'sed' command is a hack to work around broken arptables_jf - # - if ${arptables}-save | sed 's/-p[[:space:]]\+0\([[:digit:]]\)00\/ffff/-p 000\1\/ffff/' > ${VARDIR}/restore-$$; then - if grep -q '^-A' ${VARDIR}/restore-$$; then - mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables - else - rm -f ${VARDIR}/restore-$$ + if [ -n "$WORKAROUNDS" ]; then + # + # 'sed' command is a hack to work around broken arptables_jf + # + if ${arptables}-save | sed 's/-p[[:space:]]\+0\([[:digit:]]\)00\/ffff/-p 000\1\/ffff/' > ${VARDIR}/restore-$$; then + if grep -q '^-A' ${VARDIR}/restore-$$; then + mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables + else + rm -f ${VARDIR}/restore-$$ + fi + fi + else + if ${arptables}-save > ${VARDIR}/restore-$$; then + if grep -q '^-A' ${VARDIR}/restore-$$; then + mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables + else + rm -f ${VARDIR}/restore-$$ + fi fi fi else 
@@ -457,21 +481,28 @@ esac if [ -n "$IPSET" ]; then - if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then - # - # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny - # - hack='| grep -v /31' - else - hack= - fi + if [ -n "$WORKAROUNDS" ]; then + if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then + # + # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny + # + hack='| grep -v /31' + else + hack= + fi - if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then - # - # Don't save an 'empty' file - # - grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets + if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then + # + # Don't save an 'empty' file + # + grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets + fi fi + elif eval $IPSET -S > ${VARDIR}/ipsets.tmp; then + # + # Don't save an 'empty' file + # + grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets fi ;; [Nn]o|ipv4|ipv6) @@ -981,8 +1012,7 @@ case "$1" in connections) - [ $# -gt 1 ] && usage 1 - + show_connections if [ $g_family -eq 4 ]; then if [ -d /proc/sys/net/netfilter/ ]; then local count @@ -997,8 +1027,10 @@ echo if qt mywhich conntrack ; then - conntrack -f ipv${g_family} -L | show_connections_filter + shift + conntrack -f ipv4 -L $@ | show_connections_filter else + [ $# -gt 1 ] && usage 1 if [ -f /proc/net/ip_conntrack ]; then cat /proc/net/ip_conntrack | show_connections_filter else 
@@ -1006,10 +1038,12 @@ fi fi elif qt mywhich conntrack ; then + shift echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)" echo - conntrack -f ipv6 -L | show_connections_filter + conntrack -f ipv6 -L $@ | show_connections_filter else + [ $# -gt 1 ] && usage 1 local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count) local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max) echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)" @@ -1513,7 +1547,9 @@ heading "Conntrack Table" fi - if [ $g_family -eq 4 ]; then + if qt mywhich conntrack; then + conntrack -f ipv${g_family} -L 2> /dev/null + elif [ $g_family -eq 4 ]; then [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack else grep '^ipv6' /proc/net/nf_conntrack @@ -3619,6 +3655,19 @@ IPSET='' fi + if [ -n "$WORKAROUNDS" ]; then + case $WORKAROUNDS in + [Yy]es) + ;; + [Nn]o) + WORKAROUNDS='' + ;; + *) + fatal_error "Invalid setting ($WORKAROUNDS) for WORKAROUNDS" + ;; + esac + fi + TC=tc IP=$(mywhich ip 2> /dev/null) @@ -3819,6 +3868,12 @@ } # +# Echo the parameters if product is Shorewall or Shorewall6 +# +ecko() { + [ -z "$g_lite" ] && echo "$@" +} +# # Give Usage Information # usage() # $1 = exit status @@ -3827,13 +3882,16 @@ echo "where <command> is one of:" echo " add <interface>[:<host-list>] ... <zone>" echo " allow <address> ..." + ecko " [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]" echo " clear" + ecko " [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]" echo " close <source> <dest> [ <protocol> [ <port> ] ]" echo " delete <interface>[:<host-list>] ... <zone>" echo " disable <interface>" echo " drop <address> ..." echo " dump [ -x ] [ -l ] [ -m ]" echo " enable <interface>" + ecko " export [ <directory1> ] [<user>@]<system>[:<directory2>]" echo " forget [ <file name> ]" echo " help" 
@@ -3843,21 +3901,46 @@ echo " iprange <address>-<address>" fi + if [ $g_family -eq 4 ]; then + echo " iptrace <iptables match expression>" + else + echo " iptrace <ip6tables match expression>" + fi + + ecko " load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>" echo " logdrop <address> ..." echo " logreject <address> ..." echo " logwatch [<refresh interval>]" + + if [ $g_family -eq 4 ]; then + echo " noiptrace <iptables match expression>" + else + echo " noiptrace <ip6tables match expression>" + fi + echo " open <source> <dest> [ <protocol> [ <port> ] ]" - echo " reject <address> ..." echo " reenable <interface>" + ecko " refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]" + echo " reject <address> ..." + ecko " reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>" echo " reset [ <chain> ... ]" - echo " restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]" + + if [ -n "$g_lite" ]; then + echo " restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]" + else + echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]" + fi + echo " restore [ -n ] [ -p ] [ -C ] [ <file name> ]" echo " run <command> [ <parameter> ... ]" + ecko " safe-restart [ -t <timeout> ] [ <directory> ]" + ecko " safe-start [ -t <timeout> ] [ <directory> ]" echo " save [ -C ] [ <file name> ]" echo " savesets" echo " [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]" - echo " [ show | list | ls ] [ -f ] capabilities" + ecko " [ show | list | ls ] actions" echo " [ show | list | ls ] arptables" + echo " [ show | list | ls ] [ -f ] capabilities" echo " [ show | list | ls ] [ -x ] {bl|blacklists}" echo " [ show | list | ls ] classifiers" echo " [ show | list | ls ] config" 
@@ -3873,6 +3956,8 @@ echo " [ show | list | ls ] [ -m ] log [<regex>]" echo " [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost" + ecko " [ show | list | ls ] macro <macro>" + ecko " [ show | list | ls ] macros" echo " [ show | list | ls ] nfacct" echo " [ show | list | ls ] opens" echo " [ show | list | ls ] policies" @@ -3880,9 +3965,17 @@ echo " [ show | list | ls ] tc [ device ]" echo " [ show | list | ls ] vardir" echo " [ show | list | ls ] zones" - echo " start [ -f ] [ -p ] [ -C ] [ <directory> ]" - echo " stop" + + if [ -n "$g_lite" ]; then + echo " start [ -f ] [ -p ] [ -C ] [ <directory> ]" + else + echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]" + fi + echo " status [ -i ]" + echo " stop" + ecko " try <directory> [ <timeout> ]" + ecko " update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [-t] [-A] [ <directory> ]" echo " version [ -a ]" echo exit $1 @@ -3934,6 +4027,7 @@ g_tcrules= g_counters= g_loopback= + g_compiled= VERBOSE= VERBOSITY=1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.10.1/lib.common new/shorewall-core-4.6.11/lib.common --- old/shorewall-core-4.6.10.1/lib.common 2015-06-09 20:02:00.000000000 +0200 +++ new/shorewall-core-4.6.11/lib.common 2015-07-06 23:49:20.000000000 +0200 
@@ -98,14 +98,23 @@ local digits local verbosity - verbosity="$VERBOSITY" - VERBOSITY=0 + if [ -z "$WORKAROUNDS" -o "$g_compiled" = "$g_file" ]; then + # + # Unless WORKAROUNDS=No, either this script was just compiled or AUTOMAKE + # determined that re-compilation wasn't needed + # + temp="$SHOREWALL_VERSION" + else + verbosity="$VERBOSITY" + VERBOSITY=0 - temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 | sed 's/-.*//' ) + temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 ) + fi if [ -z "$temp" ]; then version=0 else + temp=${temp%-*} ifs=$IFS IFS=. temp=$(echo $temp) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.10.1/releasenotes.txt new/shorewall-core-4.6.11/releasenotes.txt --- old/shorewall-core-4.6.10.1/releasenotes.txt 2015-06-10 17:00:52.000000000 +0200 +++ new/shorewall-core-4.6.11/releasenotes.txt 2015-07-06 23:57:57.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 1 0 . 1 + S H O R E W A L L 4 . 6 . 1 1 ---------------------------- - J u n e 1 0 , 2 0 1 5 + J u l y 0 7 , 2 0 1 5 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,37 +14,25 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.10.1 +1. This release includes defect repair up to and including Shorewall + 4.6.10.1. -1) Indentation is now consistent in lib.core (Tuomo Soini). +2. Previously, when the -c option was given to the 'compile' command, + the progress message "Compiling..." was issued before it was + determined if compilation was necessary. Now, that message is + suppressed when re-compilation is not required. + +3. Previously, when the -c option was given to the 'compile' command, + the 'postcompile' extension script was executed even when there was + no (re-)compilation. Now, the 'postcompile' script is only invoked + when a new script is generated. + +4. If CONFDIR was other than /etc, then ordinary users would not + receive a clear error message when they attempted to execute one of + the commands that change the firewall state. -2) The first problem corrected in 4.6.10 below was incomplete. It is - now complete (Tuomo Soini). - -3) Similarly, the second fix was also incomplete and is now completed - (Tuomo Soini). - -4.6.10 - -1) On some distributions, Shorewall-init would fail if one of the - configured products had a problem. Now, Shorewall-init goes on to - the next product rather than stopping. - -2) Previously, when startup was disabled (STARTUP_ENABLED=No or no - compiled firewall on a -lite system), exit status 2 was - returned. Now, exit status 6 is returned. - -3) Previously, if SAVE_IPSETS=ipv4 (or ipv6) but the configuration did - not use ipsets, then a superfluous warning message was issued: - - WARNING: Invalid value (ipv4) for SAVE_IPSETS - - That warning is now suppressed. - -4) Previously, the algorithm used to normalize the probabilities - defined in the 'load' provider option was incorrect and could - result in probabilities > 1.0. When this occurred, the firewall - would fail to start. +5. 
Previously, IPv4 DHCP client broadcasts were blocked by the + 'rpfilter' interface option. That has been corrected. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -57,73 +45,44 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Previously, the 'ctevents' and 'expevents' options could only be - specified in the conntrack file if a helper was named. That is no - longer necessary. +1) Over the years, a number of changes have been added to Shorewall + that work around defects in other products. When running a current + distribution, these workarounds are unnecessary and add to the time + required for normal Shorewall operations. - Example: + Beginning in this release, those workarounds may be disabled by + setting WORKAROUNDS=No in shorewall.conf. - #ACTION SOURCE DESTINATION PROTO DEST ... - # PORT(S) ... - # - CT:ctevents:assured,destroy\ - all - - +2) Previously, both lib.cli and lib.cli-std included nearly-identical + usage() functions. Now, only lib.cli includes the function which + produces its output based on which product's CLI is invoking it. -2) Two new options have been added to the NFQUEUE target. +3) To accomodate compiled scripts produced by Shorewall versions + before 4.4.8, Shorewall products from 4.4.8 onward have run scripts + twice. The first time is simply to capture the output of the + 'version' command. Based on the script's version, it is then invoked + to execute the requested command. - - By default, if no userspace program is listening on an NFQUEUE, - then all packets that are to be queued are dropped. When the new - 'bypass' option is used, the NFQUEUE rule is silently bypassed - instead. The packet will move on to the next rule. + Beginning in this release, scripts will only be run once if: - Examples: + - WORKAROUNDS=No, or + - the script was compiled as part of executing the command, or + - AUTOMAKE=Yes and it was determined that re-compilation was not + required. 
- NFQUEUE(bypass) - NFQUEUE(3,bypass) +4) When the 'conntrack' utility program is installed, the 'show + connections' command can now display a subset of the entire + conntrack table by simply following the 'connections' keyword with + one or more conntrack filter parameters. - - Now, a queue range of the form n:m may be specified. Packets are - then balanced across the given queues. This is useful for - multicore systems: start multiple instances of the userspace - program on queues x, x+1, .. x+n and use "x:x+n". Packets - belonging to the same connection are put into the same nfqueue. + For example, to display all http connections: - Examples: - - NFQUEUE(4:6) - NFQUEUE(4:6,bypass) - - Queue ranges are also permitted in an NFQUEUE policy; the - 'bypass' option is not permitted there. - -3) The 'call' command is now documented. It provides a way to call - shell functions in the Shorewall libraries or in the generated - script. + shorewall show connections -p tcp --dport 80 - call <function> [ <parameter> ... ] + See conntrack(8) for a description of the available parameters. - <function> must name a shell function in one of the Shorewall - libraries or in the generated script. The function is first - searched for in lib.base, lib.common, lib.cli and lib.cli-std - (lib.cli-std is not searched by the '-lite' products). If the - function is found, it is called with any supplied <parameter>s. - - If the function is not found in the libraries, the call command - is passed to the generated script for processing. - -4) Several changes have been made to the processing of the 'load' - option in provider files: - - - load values are normalized to 8-digit precision and 10-byte - length. - - a warning is issued if the sum of the loads is not 1.000000. - - if the normalized probability for an interface is >= - 1.000000 then the probability match part of the generated rule is - omitted. - -5) There is now an ipv6 'findgw' skeleton file. 
- -6) The 'disable' and 'enable' commands now succed if the interface is - already disabled or enabled respectively. Tuomo Soini. +5) To ensure that the compiler has an adequate PATH, the default + Shorewall PATH is now appended to the compiler's active PATH. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -418,6 +377,102 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 0 +---------------------------------------------------------------------------- + +1) On some distributions, Shorewall-init would fail if one of the + configured products had a problem. Now, Shorewall-init goes on to + the next product rather than stopping. + +2) Previously, when startup was disabled (STARTUP_ENABLED=No or no + compiled firewall on a -lite system), exit status 2 was + returned. Now, exit status 6 is returned. + +3) Previously, if SAVE_IPSETS=ipv4 (or ipv6) but the configuration did + not use ipsets, then a superfluous warning message was issued: + + WARNING: Invalid value (ipv4) for SAVE_IPSETS + + That warning is now suppressed. + +4) Previously, the algorithm used to normalize the probabilities + defined in the 'load' provider option was incorrect and could + result in probabilities > 1.0. When this occurred, the firewall + would fail to start. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 1 0 +---------------------------------------------------------------------------- + +1) Previously, the 'ctevents' and 'expevents' options could only be + specified in the conntrack file if a helper was named. That is no + longer necessary. + + Example: + + #ACTION SOURCE DESTINATION PROTO DEST ... + # PORT(S) ... + # + CT:ctevents:assured,destroy\ + all - - + +2) Two new options have been added to the NFQUEUE target. + + - By default, if no userspace program is listening on an NFQUEUE, + then all packets that are to be queued are dropped. When the new + 'bypass' option is used, the NFQUEUE rule is silently bypassed + instead. The packet will move on to the next rule. 
+ + Examples: + + NFQUEUE(bypass) + NFQUEUE(3,bypass) + + - Now, a queue range of the form n:m may be specified. Packets are + then balanced across the given queues. This is useful for + multicore systems: start multiple instances of the userspace + program on queues x, x+1, .. x+n and use "x:x+n". Packets + belonging to the same connection are put into the same nfqueue. + + Examples: + + NFQUEUE(4:6) + NFQUEUE(4:6,bypass) + + Queue ranges are also permitted in an NFQUEUE policy; the + 'bypass' option is not permitted there. + +3) The 'call' command is now documented. It provides a way to call + shell functions in the Shorewall libraries or in the generated + script. + + call <function> [ <parameter> ... ] + + <function> must name a shell function in one of the Shorewall + libraries or in the generated script. The function is first + searched for in lib.base, lib.common, lib.cli and lib.cli-std + (lib.cli-std is not searched by the '-lite' products). If the + function is found, it is called with any supplied <parameter>s. + + If the function is not found in the libraries, the call command + is passed to the generated script for processing. + +4) Several changes have been made to the processing of the 'load' + option in provider files: + + - load values are normalized to 8-digit precision and 10-byte + length. + - a warning is issued if the sum of the loads is not 1.000000. + - if the normalized probability for an interface is >= + 1.000000 then the probability match part of the generated rule is + omitted. + +5) There is now an ipv6 'findgw' skeleton file. + +6) The 'disable' and 'enable' commands now succed if the interface is + already disabled or enabled respectively. Tuomo Soini. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 9 ---------------------------------------------------------------------------- 
@@ -441,7 +496,7 @@ commands rather than just start, restart and restore. ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 89 + N E W F E A T U R E S I N 4 . 6 . 9 ---------------------------------------------------------------------------- 1) There is now a TCPMSS Target (TCPMSS_TARGET) capability. Your diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.10.1/shorewall-core.spec new/shorewall-core-4.6.11/shorewall-core.spec --- old/shorewall-core-4.6.10.1/shorewall-core.spec 2015-06-10 17:00:52.000000000 +0200 +++ new/shorewall-core-4.6.11/shorewall-core.spec 2015-07-06 23:57:57.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-core -%define version 4.6.10 -%define release 1 +%define version 4.6.11 +%define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} @@ -63,8 +63,16 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt %changelog -* Tue Jun 09 2015 Tom Eastep [email protected] -- Updated to 4.6.10-1 +* Fri Jul 03 2015 Tom Eastep [email protected] +- Updated to 4.6.11-0base +* Mon Jun 29 2015 Tom Eastep [email protected] +- Updated to 4.6.11-0RC1 +* Fri Jun 26 2015 Tom Eastep [email protected] +- Updated to 4.6.11-0Beta3 +* Mon Jun 22 2015 Tom Eastep [email protected] +- Updated to 4.6.11-0Beta2 +* Sun May 31 2015 Tom Eastep [email protected] +- Updated to 4.6.11-0Beta1 * Fri May 29 2015 Tom Eastep [email protected] - Updated to 4.6.10-0base * Mon May 25 2015 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.10.1/uninstall.sh new/shorewall-core-4.6.11/uninstall.sh --- old/shorewall-core-4.6.10.1/uninstall.sh 2015-06-10 17:00:52.000000000 +0200 +++ new/shorewall-core-4.6.11/uninstall.sh 2015-07-06 23:57:57.000000000 +0200 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.10.1 +VERSION=4.6.11 usage() # $1 = exit status { ++++++ shorewall-docs-html-4.6.10.1.tar.bz2 -> shorewall-docs-html-4.6.11.tar.bz2 ++++++ ++++ 21255 lines of diff (skipped) ++++++ shorewall-init-4.6.10.1.tar.bz2 -> shorewall-init-4.6.11.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.10.1/changelog.txt new/shorewall-init-4.6.11/changelog.txt --- old/shorewall-init-4.6.10.1/changelog.txt 2015-06-10 17:00:53.000000000 +0200 +++ new/shorewall-init-4.6.11/changelog.txt 2015-07-06 23:57:57.000000000 +0200 
@@ -1,12 +1,46 @@ -Changes in 4.6.10.1 +Changes in 4.6.11 Final 1) Update release documents. -2) Use consistent indentation in lib.core +2) Clean up PATH fix. -3) Complete Shorewall-init improvements +Changes in 4.6.11 RC 1 -4) Return exit status 6 when startup is disabled +1) Update release documents. + +2) Allow selection in 'show connections' + +3) Ensure that the compiler has a usable PATH + +4) Correctly handle IPv4 DHCP incoming requests with 'rpfilter'. + +Changes in 4.6.11 Beta 3 + +1) Update release documents. + +2) Correct the test for ordinary user accessing the default config. + +3) Eliminated the usage() function in lib.cli-std + +4) Don't get script's version if it was just compiled + +5) Append default PATH to the active PATH in the compiler. + +Changes in 4.6.11 Beta 2 + +1) Update release documents. + +2) Don't invoke 'postcompile' when compilation isn't done. + +Changes in 4.6.11 Beta 1 + +1) Update release documents. + +2) Add WORKAROUNDS option + +3) Merge Tuomo's fixes. + +4) Fix 'compile -c' progress message Changes in 4.6.10 Final diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.10.1/configure new/shorewall-init-4.6.11/configure --- old/shorewall-init-4.6.10.1/configure 2015-06-10 17:00:53.000000000 +0200 +++ new/shorewall-init-4.6.11/configure 2015-07-06 23:57:57.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.10.1 +VERSION=4.6.11 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.10.1/configure.pl new/shorewall-init-4.6.11/configure.pl --- old/shorewall-init-4.6.10.1/configure.pl 2015-06-10 17:00:53.000000000 +0200 +++ new/shorewall-init-4.6.11/configure.pl 2015-07-06 23:57:57.000000000 +0200 
@@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.10.1' + VERSION => '4.6.11' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.10.1/install.sh new/shorewall-init-4.6.11/install.sh --- old/shorewall-init-4.6.10.1/install.sh 2015-06-10 17:00:53.000000000 +0200 +++ new/shorewall-init-4.6.11/install.sh 2015-07-06 23:57:57.000000000 +0200 @@ -27,7 +27,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.6.10.1 +VERSION=4.6.11 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.10.1/releasenotes.txt new/shorewall-init-4.6.11/releasenotes.txt --- old/shorewall-init-4.6.10.1/releasenotes.txt 2015-06-10 17:00:53.000000000 +0200 +++ new/shorewall-init-4.6.11/releasenotes.txt 2015-07-06 23:57:57.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 1 0 . 1 + S H O R E W A L L 4 . 6 . 1 1 ---------------------------- - J u n e 1 0 , 2 0 1 5 + J u l y 0 7 , 2 0 1 5 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,37 +14,25 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.10.1 +1. This release includes defect repair up to and including Shorewall + 4.6.10.1. -1) Indentation is now consistent in lib.core (Tuomo Soini). +2. Previously, when the -c option was given to the 'compile' command, + the progress message "Compiling..." was issued before it was + determined if compilation was necessary. Now, that message is + suppressed when re-compilation is not required. + +3. Previously, when the -c option was given to the 'compile' command, + the 'postcompile' extension script was executed even when there was + no (re-)compilation. Now, the 'postcompile' script is only invoked + when a new script is generated. + +4. If CONFDIR was other than /etc, then ordinary users would not + receive a clear error message when they attempted to execute one of + the commands that change the firewall state. -2) The first problem corrected in 4.6.10 below was incomplete. It is - now complete (Tuomo Soini). - -3) Similarly, the second fix was also incomplete and is now completed - (Tuomo Soini). - -4.6.10 - -1) On some distributions, Shorewall-init would fail if one of the - configured products had a problem. Now, Shorewall-init goes on to - the next product rather than stopping. - -2) Previously, when startup was disabled (STARTUP_ENABLED=No or no - compiled firewall on a -lite system), exit status 2 was - returned. Now, exit status 6 is returned. - -3) Previously, if SAVE_IPSETS=ipv4 (or ipv6) but the configuration did - not use ipsets, then a superfluous warning message was issued: - - WARNING: Invalid value (ipv4) for SAVE_IPSETS - - That warning is now suppressed. - -4) Previously, the algorithm used to normalize the probabilities - defined in the 'load' provider option was incorrect and could - result in probabilities > 1.0. When this occurred, the firewall - would fail to start. +5. 
Previously, IPv4 DHCP client broadcasts were blocked by the + 'rpfilter' interface option. That has been corrected. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -57,73 +45,44 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Previously, the 'ctevents' and 'expevents' options could only be - specified in the conntrack file if a helper was named. That is no - longer necessary. +1) Over the years, a number of changes have been added to Shorewall + that work around defects in other products. When running a current + distribution, these workarounds are unnecessary and add to the time + required for normal Shorewall operations. - Example: + Beginning in this release, those workarounds may be disabled by + setting WORKAROUNDS=No in shorewall.conf. - #ACTION SOURCE DESTINATION PROTO DEST ... - # PORT(S) ... - # - CT:ctevents:assured,destroy\ - all - - +2) Previously, both lib.cli and lib.cli-std included nearly-identical + usage() functions. Now, only lib.cli includes the function which + produces its output based on which product's CLI is invoking it. -2) Two new options have been added to the NFQUEUE target. +3) To accomodate compiled scripts produced by Shorewall versions + before 4.4.8, Shorewall products from 4.4.8 onward have run scripts + twice. The first time is simply to capture the output of the + 'version' command. Based on the script's version, it is then invoked + to execute the requested command. - - By default, if no userspace program is listening on an NFQUEUE, - then all packets that are to be queued are dropped. When the new - 'bypass' option is used, the NFQUEUE rule is silently bypassed - instead. The packet will move on to the next rule. + Beginning in this release, scripts will only be run once if: - Examples: + - WORKAROUNDS=No, or + - the script was compiled as part of executing the command, or + - AUTOMAKE=Yes and it was determined that re-compilation was not + required. 
- NFQUEUE(bypass) - NFQUEUE(3,bypass) +4) When the 'conntrack' utility program is installed, the 'show + connections' command can now display a subset of the entire + conntrack table by simply following the 'connections' keyword with + one or more conntrack filter parameters. - - Now, a queue range of the form n:m may be specified. Packets are - then balanced across the given queues. This is useful for - multicore systems: start multiple instances of the userspace - program on queues x, x+1, .. x+n and use "x:x+n". Packets - belonging to the same connection are put into the same nfqueue. + For example, to display all http connections: - Examples: - - NFQUEUE(4:6) - NFQUEUE(4:6,bypass) - - Queue ranges are also permitted in an NFQUEUE policy; the - 'bypass' option is not permitted there. - -3) The 'call' command is now documented. It provides a way to call - shell functions in the Shorewall libraries or in the generated - script. + shorewall show connections -p tcp --dport 80 - call <function> [ <parameter> ... ] + See conntrack(8) for a description of the available parameters. - <function> must name a shell function in one of the Shorewall - libraries or in the generated script. The function is first - searched for in lib.base, lib.common, lib.cli and lib.cli-std - (lib.cli-std is not searched by the '-lite' products). If the - function is found, it is called with any supplied <parameter>s. - - If the function is not found in the libraries, the call command - is passed to the generated script for processing. - -4) Several changes have been made to the processing of the 'load' - option in provider files: - - - load values are normalized to 8-digit precision and 10-byte - length. - - a warning is issued if the sum of the loads is not 1.000000. - - if the normalized probability for an interface is >= - 1.000000 then the probability match part of the generated rule is - omitted. - -5) There is now an ipv6 'findgw' skeleton file. 
- -6) The 'disable' and 'enable' commands now succed if the interface is - already disabled or enabled respectively. Tuomo Soini. +5) To ensure that the compiler has an adequate PATH, the default + Shorewall PATH is now appended to the compiler's active PATH. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -418,6 +377,102 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 0 +---------------------------------------------------------------------------- + +1) On some distributions, Shorewall-init would fail if one of the + configured products had a problem. Now, Shorewall-init goes on to + the next product rather than stopping. + +2) Previously, when startup was disabled (STARTUP_ENABLED=No or no + compiled firewall on a -lite system), exit status 2 was + returned. Now, exit status 6 is returned. + +3) Previously, if SAVE_IPSETS=ipv4 (or ipv6) but the configuration did + not use ipsets, then a superfluous warning message was issued: + + WARNING: Invalid value (ipv4) for SAVE_IPSETS + + That warning is now suppressed. + +4) Previously, the algorithm used to normalize the probabilities + defined in the 'load' provider option was incorrect and could + result in probabilities > 1.0. When this occurred, the firewall + would fail to start. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 1 0 +---------------------------------------------------------------------------- + +1) Previously, the 'ctevents' and 'expevents' options could only be + specified in the conntrack file if a helper was named. That is no + longer necessary. + + Example: + + #ACTION SOURCE DESTINATION PROTO DEST ... + # PORT(S) ... + # + CT:ctevents:assured,destroy\ + all - - + +2) Two new options have been added to the NFQUEUE target. + + - By default, if no userspace program is listening on an NFQUEUE, + then all packets that are to be queued are dropped. When the new + 'bypass' option is used, the NFQUEUE rule is silently bypassed + instead. The packet will move on to the next rule. 
+ + Examples: + + NFQUEUE(bypass) + NFQUEUE(3,bypass) + + - Now, a queue range of the form n:m may be specified. Packets are + then balanced across the given queues. This is useful for + multicore systems: start multiple instances of the userspace + program on queues x, x+1, .. x+n and use "x:x+n". Packets + belonging to the same connection are put into the same nfqueue. + + Examples: + + NFQUEUE(4:6) + NFQUEUE(4:6,bypass) + + Queue ranges are also permitted in an NFQUEUE policy; the + 'bypass' option is not permitted there. + +3) The 'call' command is now documented. It provides a way to call + shell functions in the Shorewall libraries or in the generated + script. + + call <function> [ <parameter> ... ] + + <function> must name a shell function in one of the Shorewall + libraries or in the generated script. The function is first + searched for in lib.base, lib.common, lib.cli and lib.cli-std + (lib.cli-std is not searched by the '-lite' products). If the + function is found, it is called with any supplied <parameter>s. + + If the function is not found in the libraries, the call command + is passed to the generated script for processing. + +4) Several changes have been made to the processing of the 'load' + option in provider files: + + - load values are normalized to 8-digit precision and 10-byte + length. + - a warning is issued if the sum of the loads is not 1.000000. + - if the normalized probability for an interface is >= + 1.000000 then the probability match part of the generated rule is + omitted. + +5) There is now an ipv6 'findgw' skeleton file. + +6) The 'disable' and 'enable' commands now succed if the interface is + already disabled or enabled respectively. Tuomo Soini. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 9 ---------------------------------------------------------------------------- 
@@ -441,7 +496,7 @@ commands rather than just start, restart and restore. ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 89 + N E W F E A T U R E S I N 4 . 6 . 9 ---------------------------------------------------------------------------- 1) There is now a TCPMSS Target (TCPMSS_TARGET) capability. Your diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.10.1/shorewall-init.spec new/shorewall-init-4.6.11/shorewall-init.spec --- old/shorewall-init-4.6.10.1/shorewall-init.spec 2015-06-10 17:00:53.000000000 +0200 +++ new/shorewall-init-4.6.11/shorewall-init.spec 2015-07-06 23:57:57.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-init -%define version 4.6.10 -%define release 1 +%define version 4.6.11 +%define release 0base Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} @@ -126,8 +126,16 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Tue Jun 09 2015 Tom Eastep [email protected] -- Updated to 4.6.10-1 +* Fri Jul 03 2015 Tom Eastep [email protected] +- Updated to 4.6.11-0base +* Mon Jun 29 2015 Tom Eastep [email protected] +- Updated to 4.6.11-0RC1 +* Fri Jun 26 2015 Tom Eastep [email protected] +- Updated to 4.6.11-0Beta3 +* Mon Jun 22 2015 Tom Eastep [email protected] +- Updated to 4.6.11-0Beta2 +* Sun May 31 2015 Tom Eastep [email protected] +- Updated to 4.6.11-0Beta1 * Fri May 29 2015 Tom Eastep [email protected] - Updated to 4.6.10-0base * Mon May 25 2015 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.10.1/uninstall.sh new/shorewall-init-4.6.11/uninstall.sh --- old/shorewall-init-4.6.10.1/uninstall.sh 2015-06-10 17:00:53.000000000 +0200 +++ new/shorewall-init-4.6.11/uninstall.sh 2015-07-06 23:57:57.000000000 +0200 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.10.1 +VERSION=4.6.11 usage() # $1 = exit status { ++++++ shorewall-lite-4.6.10.1.tar.bz2 -> shorewall-lite-4.6.11.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.10.1/changelog.txt new/shorewall-lite-4.6.11/changelog.txt --- old/shorewall-lite-4.6.10.1/changelog.txt 2015-06-10 17:00:53.000000000 +0200 +++ new/shorewall-lite-4.6.11/changelog.txt 2015-07-06 23:57:58.000000000 +0200 
@@ -1,12 +1,46 @@ -Changes in 4.6.10.1 +Changes in 4.6.11 Final 1) Update release documents. -2) Use consistent indentation in lib.core +2) Clean up PATH fix. -3) Complete Shorewall-init improvements +Changes in 4.6.11 RC 1 -4) Return exit status 6 when startup is disabled +1) Update release documents. + +2) Allow selection in 'show connections' + +3) Ensure that the compiler has a usable PATH + +4) Correctly handle IPv4 DHCP incoming requests with 'rpfilter'. + +Changes in 4.6.11 Beta 3 + +1) Update release documents. + +2) Correct the test for ordinary user accessing the default config. + +3) Eliminated the usage() function in lib.cli-std + +4) Don't get script's version if it was just compiled + +5) Append default PATH to the active PATH in the compiler. + +Changes in 4.6.11 Beta 2 + +1) Update release documents. + +2) Don't invoke 'postcompile' when compilation isn't done. + +Changes in 4.6.11 Beta 1 + +1) Update release documents. + +2) Add WORKAROUNDS option + +3) Merge Tuomo's fixes. + +4) Fix 'compile -c' progress message Changes in 4.6.10 Final diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.10.1/configure new/shorewall-lite-4.6.11/configure --- old/shorewall-lite-4.6.10.1/configure 2015-06-10 17:00:53.000000000 +0200 +++ new/shorewall-lite-4.6.11/configure 2015-07-06 23:57:58.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.10.1 +VERSION=4.6.11 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.10.1/configure.pl new/shorewall-lite-4.6.11/configure.pl --- old/shorewall-lite-4.6.10.1/configure.pl 2015-06-10 17:00:53.000000000 +0200 +++ new/shorewall-lite-4.6.11/configure.pl 2015-07-06 23:57:58.000000000 +0200 
@@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.10.1' + VERSION => '4.6.11' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.10.1/install.sh new/shorewall-lite-4.6.11/install.sh --- old/shorewall-lite-4.6.10.1/install.sh 2015-06-10 17:00:53.000000000 +0200 +++ new/shorewall-lite-4.6.11/install.sh 2015-07-06 23:57:57.000000000 +0200 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=4.6.10.1 +VERSION=4.6.11 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.10.1/manpages/shorewall-lite-vardir.5 new/shorewall-lite-4.6.11/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-4.6.10.1/manpages/shorewall-lite-vardir.5 2015-06-10 17:04:14.000000000 +0200 +++ new/shorewall-lite-4.6.11/manpages/shorewall-lite-vardir.5 2015-07-07 00:00:44.000000000 +0200 
@@ -1,13 +1,13 @@ '\" t .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] -.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 06/10/2015 +.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> +.\" Date: 07/06/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "06/10/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\-VAR" "5" "07/06/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.10.1/manpages/shorewall-lite.8 new/shorewall-lite-4.6.11/manpages/shorewall-lite.8 --- old/shorewall-lite-4.6.10.1/manpages/shorewall-lite.8 2015-06-10 17:04:16.000000000 +0200 +++ new/shorewall-lite-4.6.11/manpages/shorewall-lite.8 2015-07-07 00:00:45.000000000 +0200 @@ -1,13 +1,13 @@ '\" t .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] -.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 06/10/2015 +.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> +.\" Date: 07/06/2015 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "06/10/2015" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL\-LITE" "8" "07/06/2015" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- 
@@ -131,8 +131,7 @@ prevents the command from attempting to acquire the Shorewall\-lite lockfile\&. It is useful if you need to include \fBshorewall\fR commands in the -started -\m[blue]\fBextension script\fR\m[]\&\s-2\u[1]\d\s+2\&. +started\m[blue]\fBextension script\fR\m[]\&\s-2\u[1]\d\s+2\&. .PP The \fIoptions\fR @@ -611,9 +610,7 @@ The rules in each \fIchain\fR are displayed using the -\fBiptables \-L\fR -\fIchain\fR -\fB\-n \-v\fR +\fBiptables \-L\fR\fIchain\fR\fB\-n \-v\fR command\&. If no \fIchain\fR is given, all of the chains in the filter table are displayed\&. The @@ -649,9 +646,13 @@ Displays distribution\-specific defaults\&. .RE .PP -\fBconnections\fR +\fBconnections [\fR\fB\fIfilter_parameter\fR\fR\fB \&.\&.\&.]\fR .RS 4 Displays the IP connections currently being tracked by the firewall\&. +.sp +If the +\fBconntrack\fR +utility is installed, beginning with Shorewall 4\&.6\&.11 the set of connections displayed can be limited by including conntrack filter parameters (\-p , \-s, \-\-dport, etc)\&. See conntrack(8) for details\&. .RE .PP \fBevent\fR\fI event\fR diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.10.1/manpages/shorewall-lite.conf.5 new/shorewall-lite-4.6.11/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-4.6.10.1/manpages/shorewall-lite.conf.5 2015-06-10 17:04:13.000000000 +0200 +++ new/shorewall-lite-4.6.11/manpages/shorewall-lite.conf.5 2015-07-07 00:00:43.000000000 +0200 
@@ -1,13 +1,13 @@ '\" t .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] -.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 06/10/2015 +.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> +.\" Date: 07/06/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "06/10/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\&.CO" "5" "07/06/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.10.1/manpages/shorewall-lite.xml new/shorewall-lite-4.6.11/manpages/shorewall-lite.xml --- old/shorewall-lite-4.6.10.1/manpages/shorewall-lite.xml 2015-06-10 17:04:16.000000000 +0200 +++ new/shorewall-lite-4.6.11/manpages/shorewall-lite.xml 2015-07-07 00:00:46.000000000 +0200 
@@ -1243,11 +1243,19 @@ </varlistentry> <varlistentry> - <term><emphasis role="bold">connections</emphasis></term> + <term><emphasis role="bold">connections + [<replaceable>filter_parameter</replaceable> + ...]</emphasis></term> <listitem> <para>Displays the IP connections currently being tracked by the firewall.</para> + + <para>If the <command>conntrack</command> utility is + installed, beginning with Shorewall 4.6.11 the set of + connections displayed can be limited by including conntrack + filter parameters (-p , -s, --dport, etc). See conntrack(8) + for details.</para> </listitem> </varlistentry> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.10.1/releasenotes.txt new/shorewall-lite-4.6.11/releasenotes.txt --- old/shorewall-lite-4.6.10.1/releasenotes.txt 2015-06-10 17:00:53.000000000 +0200 +++ new/shorewall-lite-4.6.11/releasenotes.txt 2015-07-06 23:57:58.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 1 0 . 1 + S H O R E W A L L 4 . 6 . 1 1 ---------------------------- - J u n e 1 0 , 2 0 1 5 + J u l y 0 7 , 2 0 1 5 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,37 +14,25 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.10.1 +1. This release includes defect repair up to and including Shorewall + 4.6.10.1. -1) Indentation is now consistent in lib.core (Tuomo Soini). +2. Previously, when the -c option was given to the 'compile' command, + the progress message "Compiling..." was issued before it was + determined if compilation was necessary. Now, that message is + suppressed when re-compilation is not required. + +3. Previously, when the -c option was given to the 'compile' command, + the 'postcompile' extension script was executed even when there was + no (re-)compilation. Now, the 'postcompile' script is only invoked + when a new script is generated. + +4. If CONFDIR was other than /etc, then ordinary users would not + receive a clear error message when they attempted to execute one of + the commands that change the firewall state. -2) The first problem corrected in 4.6.10 below was incomplete. It is - now complete (Tuomo Soini). - -3) Similarly, the second fix was also incomplete and is now completed - (Tuomo Soini). - -4.6.10 - -1) On some distributions, Shorewall-init would fail if one of the - configured products had a problem. Now, Shorewall-init goes on to - the next product rather than stopping. - -2) Previously, when startup was disabled (STARTUP_ENABLED=No or no - compiled firewall on a -lite system), exit status 2 was - returned. Now, exit status 6 is returned. - -3) Previously, if SAVE_IPSETS=ipv4 (or ipv6) but the configuration did - not use ipsets, then a superfluous warning message was issued: - - WARNING: Invalid value (ipv4) for SAVE_IPSETS - - That warning is now suppressed. - -4) Previously, the algorithm used to normalize the probabilities - defined in the 'load' provider option was incorrect and could - result in probabilities > 1.0. When this occurred, the firewall - would fail to start. +5. 
Previously, IPv4 DHCP client broadcasts were blocked by the + 'rpfilter' interface option. That has been corrected. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -57,73 +45,44 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Previously, the 'ctevents' and 'expevents' options could only be - specified in the conntrack file if a helper was named. That is no - longer necessary. +1) Over the years, a number of changes have been added to Shorewall + that work around defects in other products. When running a current + distribution, these workarounds are unnecessary and add to the time + required for normal Shorewall operations. - Example: + Beginning in this release, those workarounds may be disabled by + setting WORKAROUNDS=No in shorewall.conf. - #ACTION SOURCE DESTINATION PROTO DEST ... - # PORT(S) ... - # - CT:ctevents:assured,destroy\ - all - - +2) Previously, both lib.cli and lib.cli-std included nearly-identical + usage() functions. Now, only lib.cli includes the function which + produces its output based on which product's CLI is invoking it. -2) Two new options have been added to the NFQUEUE target. +3) To accomodate compiled scripts produced by Shorewall versions + before 4.4.8, Shorewall products from 4.4.8 onward have run scripts + twice. The first time is simply to capture the output of the + 'version' command. Based on the script's version, it is then invoked + to execute the requested command. - - By default, if no userspace program is listening on an NFQUEUE, - then all packets that are to be queued are dropped. When the new - 'bypass' option is used, the NFQUEUE rule is silently bypassed - instead. The packet will move on to the next rule. + Beginning in this release, scripts will only be run once if: - Examples: + - WORKAROUNDS=No, or + - the script was compiled as part of executing the command, or + - AUTOMAKE=Yes and it was determined that re-compilation was not + required. 
- NFQUEUE(bypass) - NFQUEUE(3,bypass) +4) When the 'conntrack' utility program is installed, the 'show + connections' command can now display a subset of the entire + conntrack table by simply following the 'connections' keyword with + one or more conntrack filter parameters. - - Now, a queue range of the form n:m may be specified. Packets are - then balanced across the given queues. This is useful for - multicore systems: start multiple instances of the userspace - program on queues x, x+1, .. x+n and use "x:x+n". Packets - belonging to the same connection are put into the same nfqueue. + For example, to display all http connections: - Examples: - - NFQUEUE(4:6) - NFQUEUE(4:6,bypass) - - Queue ranges are also permitted in an NFQUEUE policy; the - 'bypass' option is not permitted there. - -3) The 'call' command is now documented. It provides a way to call - shell functions in the Shorewall libraries or in the generated - script. + shorewall show connections -p tcp --dport 80 - call <function> [ <parameter> ... ] + See conntrack(8) for a description of the available parameters. - <function> must name a shell function in one of the Shorewall - libraries or in the generated script. The function is first - searched for in lib.base, lib.common, lib.cli and lib.cli-std - (lib.cli-std is not searched by the '-lite' products). If the - function is found, it is called with any supplied <parameter>s. - - If the function is not found in the libraries, the call command - is passed to the generated script for processing. - -4) Several changes have been made to the processing of the 'load' - option in provider files: - - - load values are normalized to 8-digit precision and 10-byte - length. - - a warning is issued if the sum of the loads is not 1.000000. - - if the normalized probability for an interface is >= - 1.000000 then the probability match part of the generated rule is - omitted. - -5) There is now an ipv6 'findgw' skeleton file. 
- -6) The 'disable' and 'enable' commands now succed if the interface is - already disabled or enabled respectively. Tuomo Soini. +5) To ensure that the compiler has an adequate PATH, the default + Shorewall PATH is now appended to the compiler's active PATH. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -418,6 +377,102 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 0 +---------------------------------------------------------------------------- + +1) On some distributions, Shorewall-init would fail if one of the + configured products had a problem. Now, Shorewall-init goes on to + the next product rather than stopping. + +2) Previously, when startup was disabled (STARTUP_ENABLED=No or no + compiled firewall on a -lite system), exit status 2 was + returned. Now, exit status 6 is returned. + +3) Previously, if SAVE_IPSETS=ipv4 (or ipv6) but the configuration did + not use ipsets, then a superfluous warning message was issued: + + WARNING: Invalid value (ipv4) for SAVE_IPSETS + + That warning is now suppressed. + +4) Previously, the algorithm used to normalize the probabilities + defined in the 'load' provider option was incorrect and could + result in probabilities > 1.0. When this occurred, the firewall + would fail to start. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 1 0 +---------------------------------------------------------------------------- + +1) Previously, the 'ctevents' and 'expevents' options could only be + specified in the conntrack file if a helper was named. That is no + longer necessary. + + Example: + + #ACTION SOURCE DESTINATION PROTO DEST ... + # PORT(S) ... + # + CT:ctevents:assured,destroy\ + all - - + +2) Two new options have been added to the NFQUEUE target. + + - By default, if no userspace program is listening on an NFQUEUE, + then all packets that are to be queued are dropped. When the new + 'bypass' option is used, the NFQUEUE rule is silently bypassed + instead. The packet will move on to the next rule. 
+ + Examples: + + NFQUEUE(bypass) + NFQUEUE(3,bypass) + + - Now, a queue range of the form n:m may be specified. Packets are + then balanced across the given queues. This is useful for + multicore systems: start multiple instances of the userspace + program on queues x, x+1, .. x+n and use "x:x+n". Packets + belonging to the same connection are put into the same nfqueue. + + Examples: + + NFQUEUE(4:6) + NFQUEUE(4:6,bypass) + + Queue ranges are also permitted in an NFQUEUE policy; the + 'bypass' option is not permitted there. + +3) The 'call' command is now documented. It provides a way to call + shell functions in the Shorewall libraries or in the generated + script. + + call <function> [ <parameter> ... ] + + <function> must name a shell function in one of the Shorewall + libraries or in the generated script. The function is first + searched for in lib.base, lib.common, lib.cli and lib.cli-std + (lib.cli-std is not searched by the '-lite' products). If the + function is found, it is called with any supplied <parameter>s. + + If the function is not found in the libraries, the call command + is passed to the generated script for processing. + +4) Several changes have been made to the processing of the 'load' + option in provider files: + + - load values are normalized to 8-digit precision and 10-byte + length. + - a warning is issued if the sum of the loads is not 1.000000. + - if the normalized probability for an interface is >= + 1.000000 then the probability match part of the generated rule is + omitted. + +5) There is now an ipv6 'findgw' skeleton file. + +6) The 'disable' and 'enable' commands now succed if the interface is + already disabled or enabled respectively. Tuomo Soini. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 9 ---------------------------------------------------------------------------- 
@@ -441,7 +496,7 @@ commands rather than just start, restart and restore. ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 89 + N E W F E A T U R E S I N 4 . 6 . 9 ---------------------------------------------------------------------------- 1) There is now a TCPMSS Target (TCPMSS_TARGET) capability. Your diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.10.1/shorewall-lite.spec new/shorewall-lite-4.6.11/shorewall-lite.spec --- old/shorewall-lite-4.6.10.1/shorewall-lite.spec 2015-06-10 17:00:53.000000000 +0200 +++ new/shorewall-lite-4.6.11/shorewall-lite.spec 2015-07-06 23:57:58.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-lite -%define version 4.6.10 -%define release 1 +%define version 4.6.11 +%define release 0base %define initdir /etc/init.d Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. @@ -106,8 +106,16 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Tue Jun 09 2015 Tom Eastep [email protected] -- Updated to 4.6.10-1 +* Fri Jul 03 2015 Tom Eastep [email protected] +- Updated to 4.6.11-0base +* Mon Jun 29 2015 Tom Eastep [email protected] +- Updated to 4.6.11-0RC1 +* Fri Jun 26 2015 Tom Eastep [email protected] +- Updated to 4.6.11-0Beta3 +* Mon Jun 22 2015 Tom Eastep [email protected] +- Updated to 4.6.11-0Beta2 +* Sun May 31 2015 Tom Eastep [email protected] +- Updated to 4.6.11-0Beta1 * Fri May 29 2015 Tom Eastep [email protected] - Updated to 4.6.10-0base * Mon May 25 2015 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.10.1/uninstall.sh new/shorewall-lite-4.6.11/uninstall.sh --- old/shorewall-lite-4.6.10.1/uninstall.sh 2015-06-10 17:00:53.000000000 +0200 +++ new/shorewall-lite-4.6.11/uninstall.sh 2015-07-06 23:57:58.000000000 +0200 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.10.1 +VERSION=4.6.11 PRODUCT=shorewall-lite usage() # $1 = exit status ++++++ shorewall-4.6.10.1.tar.bz2 -> shorewall6-4.6.11.tar.bz2 ++++++ ++++ 129894 lines of diff (skipped) ++++++ shorewall-lite-4.6.10.1.tar.bz2 -> shorewall6-lite-4.6.11.tar.bz2 ++++++ ++++ 9155 lines of diff (skipped)
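Review bot: In the releasenotes.txt hunk (@@ -418,6 +377,102 @@), item 2 of NEW FEATURES IN 4.6.10 should state plainly that 'bypass' makes an NFQUEUE rule fail open: the text says packets are dropped when no userspace program is listening and that with 'bypass' they instead "move on to the next rule", so a listener that is not running stops enforcing whatever it was meant to do, silently. Suggest adding a sentence such as "Use bypass only when the rules that follow provide acceptable handling for unqueued traffic." In the same hunk, PROBLEMS CORRECTED item 2 changes the exit status for disabled startup from 2 to 6 without saying why; wrappers and init integrations that test for 2 will break, so the note should call this out as a behaviour change. Finally, NEW FEATURES item 6 has a typo: 'succed' should read 'succeed'.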
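Review bot: The skipped tarball comparisons are mismatched: shorewall-4.6.10.1.tar.bz2 is diffed against shorewall6-4.6.11.tar.bz2 and shorewall-lite-4.6.10.1.tar.bz2 against shorewall6-lite-4.6.11.tar.bz2, i.e. the IPv4 product's old tarball against the IPv6 product's new tarball, so the 129894- and 9155-line diffs compare different products and cannot be used to review the 4.6.10.1 to 4.6.11 source changes. Please regenerate the comparison with matching pairs (shorewall against shorewall, shorewall6 against shorewall6, and likewise for the -lite variants) before accepting; the only per-file changes actually visible here are the version bumps in shorewall-lite.spec and uninstall.sh.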
