Hello community,

here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2015-09-17 09:21:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shorewall (Old)
 and      /work/SRC/openSUSE:Factory/.shorewall.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall" Changes: -------- --- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2015-08-05 06:49:58.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes 2015-09-17 09:21:04.000000000 +0200 
@@ -1,0 +2,40 @@ +Tue Sep 15 09:22:51 UTC 2015 - [email protected] + +- Update to version 4.6.13 For more details see changelog.txt and + realeasenotes.txt + + * The 'rules' file manpages have been corrected regarding the + packets that are processed by rules in the NEW section. + + * Parsing of IPv6 address ranges has been corrected. Previously, + use of ranges resulted in 'Invalid IPv6 Address' errors. + + * The shorewall6-hosts man page has been corrected to show the + proper contents of the HOST(S) column. + + * Previously, INLINE statements in the mangle file were not + recognized if a chain designator (:F, :P, etc.) followingowed + INLINE(...). As a consequence, additional matches following + a semicolon were interpreted as column/value pairs unless + INLINE_MATCHES=Yes, resulting in compilation failure. + + * Inline matches on IP[6]TABLE rules could be ignored if + INLINE_MATCHES=No. They are now recognized. + + * Specifying an action with a logging level in one of the + _DEFAULT options in shorewall[6].conf + (e.g., REJECT_DEFAULT=Reject:info) produced a compilation error: + + ERROR: Invalid value (:info) for first Reject parameter + /usr/share/shorewall/action.Rejectect (line 52) + + That has been corrected. Note, however, that specifying logging + with a default action tends to defeat one of the main purposes + of default actions which is to suppress logging. + + * Previously, it was necessary to set TC_EXPERT=Yes to have full + access to the user mark in fw marks. That has been corrected so + that any place that a mark or mask can be specified, both the + TC mark and the User mark are accessible. 
+ +------------------------------------------------------------------- Old: ---- shorewall-4.6.11.tar.bz2 shorewall-core-4.6.11.tar.bz2 shorewall-docs-html-4.6.11.tar.bz2 shorewall-init-4.6.11.tar.bz2 shorewall-lite-4.6.11.tar.bz2 shorewall6-4.6.11.tar.bz2 shorewall6-lite-4.6.11.tar.bz2 New: ---- shorewall-4.6.13.tar.bz2 shorewall-core-4.6.13.tar.bz2 shorewall-docs-html-4.6.13.tar.bz2 shorewall-init-4.6.13.tar.bz2 shorewall-lite-4.6.13.tar.bz2 shorewall6-4.6.13.tar.bz2 shorewall6-lite-4.6.13.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.pk5nzQ/_old 2015-09-17 09:21:06.000000000 +0200 +++ /var/tmp/diff_new_pack.pk5nzQ/_new 2015-09-17 09:21:06.000000000 +0200 
@@ -20,19 +20,19 @@ %define have_systemd 1 Name: shorewall -Version: 4.6.11 +Version: 4.6.13 Release: 0 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems License: GPL-2.0 Group: Productivity/Networking/Security Url: http://www.shorewall.net/ -Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.11/%{name}-%version.tar.bz2 -Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.11/%{name}-core-%version.tar.bz2 -Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.11/%{name}-lite-%version.tar.bz2 -Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.11/%{name}-init-%version.tar.bz2 -Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.11/%{name}6-lite-%version.tar.bz2 -Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.11/%{name}6-%version.tar.bz2 -Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.11/%{name}-docs-html-%version.tar.bz2 +Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.13/%{name}-%version.tar.bz2 +Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.13/%{name}-core-%version.tar.bz2 +Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.13/%{name}-lite-%version.tar.bz2 +Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.13/%{name}-init-%version.tar.bz2 +Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.13/%{name}6-lite-%version.tar.bz2 +Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.13/%{name}6-%version.tar.bz2 +Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.13/%{name}-docs-html-%version.tar.bz2 Source7: %{name}-4.4.22.rpmlintrc Source8: README.openSUSE # PATCH-FIX-UPSTREAM [email protected] Shorewall-lite init.suse.sh Required Stop ++++++ shorewall-4.6.11.tar.bz2 -> shorewall-4.6.13.tar.bz2 ++++++ ++++ 4182 lines of diff (skipped) ++++++ shorewall-core-4.6.11.tar.bz2 -> shorewall-core-4.6.13.tar.bz2 ++++++ diff -urN 
'--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.11/changelog.txt new/shorewall-core-4.6.13/changelog.txt --- old/shorewall-core-4.6.11/changelog.txt 2015-07-06 23:57:57.000000000 +0200 +++ new/shorewall-core-4.6.13/changelog.txt 2015-09-08 20:10:31.000000000 +0200 
@@ -1,9 +1,93 @@ +Changes in 4.6.13 Final + +1) Allow non-expoerts access to the user bits in the fw mark. + +Changes in 4.6.13 RC 1 + +1) Update release documents. + +2) Unconditionally get inline matches. + +Changes in 4.6.13 Beta 2 + +1) Update release documents. + +2) Restore tcrules conversion. + +3) Place a header on a newly-created mangle file. + +Changes in 4.6.13 Beta 1 + +1) Update release documents. + +2) Correct 'rules' man pages. + +3) Correct parsing of IPv6 ranges + +4) Correct the shorewall6-hosts(5) manpage. + +6) Improve update + +7) Allow 'second' and 'minute' in LOGLIMIT specifications + +8) Update -t also converts the TOS file + +9) Fix INLINE(...):... + +Changes in 4.6.12.1 + +1) Update release documents. + +2) Correct a warning message. + +3) Attempt a 'restore' after a fatal error during start/restart. + +Changes in 4.6.12 Final + +1) Update release documents. + +2) Correct an error message. + +3) Use NYTProf as the profiler + +Changes in 4.6.12 RC 3 + +1) Fully activate the new update options. + +Changes in 4.6.12 RC 2 + +1) Update release documents. + +2) Update module versions. + +3) Allow =0 on multi-zone interfaces + +4) Port 'update' improvements from 5.0.0. + +Changes in 4.6.12 RC 1 + +1) Update release documents. + +2) Add Debian-specific .service files + +3) Create dual shorewallrc files for Debian + +Changes in 4.6.12 Beta 1 + +1) Update release documents. + +2) Enhance compiler() progress message. + +3) Make script generations repeatable. + Changes in 4.6.11 Final 1) Update release documents. 2) Clean up PATH fix. +3) Change shorewall6.conf to specify INLINE_MATCHES=No. + Changes in 4.6.11 RC 1 1) Update release documents. 
@@ -696,5 +780,3 @@ 6) Implement INLINE_MATCHES 7) Implement IP[6]TABLES actions in several files. - - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.11/configure new/shorewall-core-4.6.13/configure --- old/shorewall-core-4.6.11/configure 2015-07-06 23:57:57.000000000 +0200 +++ new/shorewall-core-4.6.13/configure 2015-09-08 20:10:31.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.11 +VERSION=4.6.13 case "$BASH_VERSION" in [4-9].*) @@ -102,7 +102,7 @@ vendor=redhat ;; debian|ubuntu) - vendor=debian + ls -l /sbin/init |fgrep -q systemd | vendor=debian.systemd | vendor=debian.sysvinit ;; opensuse) vendor=suse @@ -130,7 +130,7 @@ *) if [ -f /etc/debian_version ]; then params[HOST]=debian - rcfile=shorewallrc.debian + rcfile=shorewallrc.debian.sysvinit elif [ -f /etc/redhat-release ]; then params[HOST]=redhat rcfile=shorewallrc.redhat diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.11/configure.pl new/shorewall-core-4.6.13/configure.pl --- old/shorewall-core-4.6.11/configure.pl 2015-07-06 23:57:57.000000000 +0200 +++ new/shorewall-core-4.6.13/configure.pl 2015-09-08 20:10:31.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.11' + VERSION => '4.6.13' }; my %params; @@ -68,14 +68,16 @@ $vendor = 'redhat'; } elsif ( $id eq 'opensuse' ) { $vendor = 'suse'; - } elsif ( $id eq 'ubuntu' ) { - $vendor = 'debian'; + } elsif ( $id eq 'ubuntu' || $id eq 'debian' ) { + my $init = `ls -l /sbin/init`; + $vendor = $init =~ /systemd/ ? 'debian.systemd' : 'debian.sysvinit'; } else { $vendor = $id; } } $params{HOST} = $vendor; + $params{HOST} =~ s/\..*//; } if ( defined $vendor ) { 
@@ -84,7 +86,7 @@ } else { if ( -f '/etc/debian_version' ) { $vendor = 'debian'; - $rcfilename = 'shorewallrc.debian'; + $rcfilename = 'shorewallrc.debian.sysvinit'; } elsif ( -f '/etc/redhat-release' ){ $vendor = 'redhat'; $rcfilename = 'shorewallrc.redhat'; @@ -117,7 +119,7 @@ if ( $vendor eq 'linux' ) { printf "INFO: Creating a generic Linux installation - %s %2d %04d %02d:%02d:%02d\n\n", $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];; } else { - printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $vendor, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];; + printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $params{HOST}, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];; } open $rcfile, '<', $rcfilename or die "Unable to open $rcfilename for input: $!"; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.11/install.sh new/shorewall-core-4.6.13/install.sh --- old/shorewall-core-4.6.11/install.sh 2015-07-06 23:57:57.000000000 +0200 +++ new/shorewall-core-4.6.13/install.sh 2015-09-08 20:10:31.000000000 +0200 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=4.6.11 +VERSION=4.6.13 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.11/lib.base new/shorewall-core-4.6.13/lib.base --- old/shorewall-core-4.6.11/lib.base 2015-07-06 23:49:20.000000000 +0200 +++ new/shorewall-core-4.6.13/lib.base 2015-09-07 20:35:47.000000000 +0200 
@@ -76,6 +76,24 @@ fi # +# Fatal Error +# +fatal_error() # $@ = Message +{ + echo " ERROR: $@" >&2 + exit 2 +} + +# +# Not configured Error +# +not_configured_error() # $@ = Message +{ + echo " ERROR: $@" >&2 + exit 6 +} + +# # Conditionally produce message # progress_message() # $* = Message diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.11/lib.cli new/shorewall-core-4.6.13/lib.cli --- old/shorewall-core-4.6.11/lib.cli 2015-07-06 23:49:20.000000000 +0200 +++ new/shorewall-core-4.6.13/lib.cli 2015-09-07 20:35:47.000000000 +0200 @@ -1012,7 +1012,6 @@ case "$1" in connections) - show_connections if [ $g_family -eq 4 ]; then if [ -d /proc/sys/net/netfilter/ ]; then local count @@ -3975,7 +3974,7 @@ echo " status [ -i ]" echo " stop" ecko " try <directory> [ <timeout> ]" - ecko " update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [-t] [-A] [ <directory> ]" + ecko " update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [-t] [-s] [-n] [-A] [ <directory> ]" echo " version [ -a ]" echo exit $1 @@ -4028,6 +4027,8 @@ g_counters= g_loopback= g_compiled= + g_routestopped= + g_notrack= VERBOSE= VERBOSITY=1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.11/lib.common new/shorewall-core-4.6.13/lib.common --- old/shorewall-core-4.6.11/lib.common 2015-07-06 23:49:20.000000000 +0200 +++ new/shorewall-core-4.6.13/lib.common 2015-09-07 20:35:47.000000000 +0200 
@@ -71,24 +71,6 @@ } # -# Fatal Error -# -fatal_error() # $@ = Message -{ - echo " ERROR: $@" >&2 - exit 2 -} - -# -# Not configured Error -# -not_configured_error() # $@ = Message -{ - echo " ERROR: $@" >&2 - exit 6 -} - -# # Get the Shorewall version of the passed script # get_script_version() { # $1 = script diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.11/releasenotes.txt new/shorewall-core-4.6.13/releasenotes.txt --- old/shorewall-core-4.6.11/releasenotes.txt 2015-07-06 23:57:57.000000000 +0200 +++ new/shorewall-core-4.6.13/releasenotes.txt 2015-09-08 20:10:31.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 1 1 - ---------------------------- - J u l y 0 7 , 2 0 1 5 + S H O R E W A L L 4 . 6 . 1 3 + ------------------------------ + S e p t e m b e r 0 9 , 2 0 1 5 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -11,28 +11,50 @@ V. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES ---------------------------------------------------------------------------- + N O T I C E + +Shorewall 4.6.13 is scheduled to be the last 4.6 release. In +the fall of 2015, Shorewall 5.0.0 will be available. Please see +http://www.shorewall.org/Shorewall-5.html for information about +preparing to migrate to Shorewall 5. + +---------------------------------------------------------------------------- I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1. This release includes defect repair up to and including Shorewall - 4.6.10.1. - -2. Previously, when the -c option was given to the 'compile' command, - the progress message "Compiling..." was issued before it was - determined if compilation was necessary. Now, that message is - suppressed when re-compilation is not required. +1) The 'rules' file manpages have been corrected regarding the packets + that are processed by rules in the NEW section. -3. Previously, when the -c option was given to the 'compile' command, - the 'postcompile' extension script was executed even when there was - no (re-)compilation. Now, the 'postcompile' script is only invoked - when a new script is generated. +2) Parsing of IPv6 address ranges has been corrected. Previously, use + of ranges resulted in 'Invalid IPv6 Address' errors. -4. If CONFDIR was other than /etc, then ordinary users would not - receive a clear error message when they attempted to execute one of - the commands that change the firewall state. +3) The shorewall6-hosts man page has been corrected to show the + proper contents of the HOST(S) column. -5. Previously, IPv4 DHCP client broadcasts were blocked by the - 'rpfilter' interface option. That has been corrected. +4) Previously, INLINE statements in the mangle file were not + recognized if a chain designator (:F, :P, etc.) followed + INLINE(...). 
As a consequence, additional matches following a + semicolon were interpreted as column/value pairs unless + INLINE_MATCHES=Yes, resulting in compilation failure. + +5) Inline matches on IP[6]TABLE rules could be ignored if + INLINE_MATCHES=No. They are now recognized. + +6) Specifying an action with a logging level in one of the _DEFAULT + options in shorewall[6].conf (e.g., REJECT_DEFAULT=Reject:info) + produced a compilation error: + + ERROR: Invalid value (:info) for first Reject parameter + /usr/share/shorewall/action.Reject (line 52) + + That has been corrected. Note, however, that specifying logging + with a default action tends to defeat one of the main purposes of + default actions which is to suppress logging. + +7) Previously, it was necessary to set TC_EXPERT=Yes to have full + access to the user mark in fw marks. That has been corrected so + that any place that a mark or mask can be specified, both the TC + mark and the User mark are accessible. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -45,44 +67,40 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Over the years, a number of changes have been added to Shorewall - that work around defects in other products. When running a current - distribution, these workarounds are unnecessary and add to the time - required for normal Shorewall operations. +1) 'update -t' now converts both the tcrules and tos files. - Beginning in this release, those workarounds may be disabled by - setting WORKAROUNDS=No in shorewall.conf. - -2) Previously, both lib.cli and lib.cli-std included nearly-identical - usage() functions. Now, only lib.cli includes the function which - produces its output based on which product's CLI is invoking it. +2) 'second' and 'minute' are now allowed in the LOGLIMIT + specification in place of 'sec' and 'min' respectively. -3) To accomodate compiled scripts produced by Shorewall versions - before 4.4.8, Shorewall products from 4.4.8 onward have run scripts - twice. The first time is simply to capture the output of the - 'version' command. Based on the script's version, it is then invoked - to execute the requested command. +3) The 'update' command now converts additional deprecated option + settings: - Beginning in this release, scripts will only be run once if: + - LOGRATE/LOGBURST are converted to the equivalent LOGLIMIT + setting. - - WORKAROUNDS=No, or - - the script was compiled as part of executing the command, or - - AUTOMAKE=Yes and it was determined that re-compilation was not - required. + - BLACKLISTNEWONLY is now converted to the equivalent BLACKLIST + setting. -4) When the 'conntrack' utility program is installed, the 'show - connections' command can now display a subset of the entire - conntrack table by simply following the 'connections' keyword with - one or more conntrack filter parameters. 
+4) Two settings now have more reasonable defaults if they don't appear + in the .conf file being updated: - For example, to display all http connections: + - USE_DEFAULT_RT now defaults to No + - EXPORTMODULES now defaults to No. - shorewall show connections -p tcp --dport 80 +5) When the 'update' command is converting a deprecated file, it now + makes additional checks when it finds a target file (mangle, + stoppedrules or blrules) to append the converted rules to: - See conntrack(8) for a description of the available parameters. + - If the file is in the directory $SHAREDIR/$product/configfiles/, + the file is not opened. + - If the file is in the directory + $SHAREDIR/doc/$product/default-config/, the file is not opened. + - If the file is not writable, the file is not opened. -5) To ensure that the compiler has an adequate PATH, the default - Shorewall PATH is now appended to the compiler's active PATH. + When the file isn't opened because of one of these checks, an + attempt is made to create a new file in either the directory + specified on the command line (if any) or in the first directory + listed in the CONFIG_PATH setting. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -375,7 +393,158 @@ See shorewall[6].conf(5) for additional details. ---------------------------------------------------------------------------- - V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S + V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 2 +---------------------------------------------------------------------------- + +4.6.12.1 + +1) Beginning with Shorewall 4.6.10, a fatal error during a start or + restart operation can leave the firewall in an indeterminent state. + That problem has been corrected so that the intended action takes + place: + + - If there is a current executable RESTOREFILE, then the firewall + is restored using that file. + + - Otherwise, the firewall is placed in the stopped state. + +2) Previously, if 'none' were passed as the log level argument to the + AutoBL action, compilation failed silently. Now, the intended + behavior (no logging) is produced. + +4.6.12 + +1) This release includes defect repair up through Shorewall 4.6.11.1. + +2) Previously, when Perl 5.18.0 or later was used with Shorewall, + multiple compilations of an unchanging configuration could produce + different but equivalent script files. Now, the script files + produced will be identical (except for dates and times) for any + given Shorewall version. + +3) Previously, if a binary interface option (those that have a value + of zero or 1) was specified with a value of zero on such an + interface, compilation failed. + + For example, this interface definition: + + - eth2 arp_filter=0,routeback=0,tcpflags=0,proxyarp=0 + + would generate the following error message: + + ERROR: The "routeback" option may not be specified on a + multi-zone interface + + Now, the option is allowed. + +4) Several issues with 'update -b' have been corrected. 
+ +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 1 2 +---------------------------------------------------------------------------- + +1) The initial 'Compiling...', 'Checking...' and 'Updating..." + progress messages now include the Product name and version. + +2) Debian-specific .service files have been added. + +3) There are now two shorewallrc files for Debian - one for sysvinit + and one for systemd. The configure and configure.pl scrips + determine which to use by examining /sbin/init. + +4) Two new options are available for the 'update' command: + + -r converts a routestopped file to an equivalent stoppedrules file. + + -n converts a notrack file to an equivalent conntrack file. If + there is already an existing conntrack file, the converted rules + are appended to the existing file. + + WARNING: If you include /usr/share/shorewall/configfiles (or + wherever your distro places empty files) in your CONFIG_FILE + setting and there is no new file in your config directory (such as + /etc/shorewall), then the 'update' command will update the copy of + the file in /usr/share/shorewall/configfiles. This is probably not + what you want, since files in that directory (or your distro's + corresponding directory) will be overwritten by the next upgrade. + +5) Shorewall now uses NYTProf as its profiler rather than the + deprecated DProf. + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 1 +---------------------------------------------------------------------------- + +1. This release includes defect repair up to and including Shorewall + 4.6.10.1. + +2. Previously, when the -c option was given to the 'compile' command, + the progress message "Compiling..." was issued before it was + determined if compilation was necessary. Now, that message is + suppressed when re-compilation is not required. + +3. 
Previously, when the -c option was given to the 'compile' command, + the 'postcompile' extension script was executed even when there was + no (re-)compilation. Now, the 'postcompile' script is only invoked + when a new script is generated. + +4. If CONFDIR was other than /etc, then ordinary users would not + receive a clear error message when they attempted to execute one of + the commands that change the firewall state. + +5. Previously, IPv4 DHCP client broadcasts were blocked by the + 'rpfilter' interface option. That has been corrected. + +6) The 'update' command incorrectly added the INLINE_MATCHES option + to shorewall6.conf with a default value of 'Yes'. This caused + 'start' to fail with invalid ip6tables rules when the alternate + input format using ';' is used. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 1 1 +---------------------------------------------------------------------------- + +1) Over the years, a number of changes have been added to Shorewall + that work around defects in other products. When running a current + distribution, these workarounds are unnecessary and add to the time + required for normal Shorewall operations. + + Beginning in this release, those workarounds may be disabled by + setting WORKAROUNDS=No in shorewall.conf. + +2) Previously, both lib.cli and lib.cli-std included nearly-identical + usage() functions. Now, only lib.cli includes the function which + produces its output based on which product's CLI is invoking it. + +3) To accomodate compiled scripts produced by Shorewall versions + before 4.4.8, Shorewall products from 4.4.8 onward have run scripts + twice. The first time is simply to capture the output of the + 'version' command. Based on the script's version, it is then invoked + to execute the requested command. 
+ + Beginning in this release, scripts will only be run once if: + + - WORKAROUNDS=No, or + - the script was compiled as part of executing the command, or + - AUTOMAKE=Yes and it was determined that re-compilation was not + required. + +4) When the 'conntrack' utility program is installed, the 'show + connections' command can now display a subset of the entire + conntrack table by simply following the 'connections' keyword with + one or more conntrack filter parameters. + + For example, to display all http connections: + + shorewall show connections -p tcp --dport 80 + + See conntrack(8) for a description of the available parameters. + +5) To ensure that the compiler has an adequate PATH, the default + Shorewall PATH is now appended to the compiler's active PATH. + ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 0 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.11/shorewall-core.spec new/shorewall-core-4.6.13/shorewall-core.spec --- old/shorewall-core-4.6.11/shorewall-core.spec 2015-07-06 23:57:57.000000000 +0200 +++ new/shorewall-core-4.6.13/shorewall-core.spec 2015-09-08 20:10:31.000000000 +0200 @@ -1,5 +1,5 @@ %define name shorewall-core -%define version 4.6.11 +%define version 4.6.13 %define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. 
@@ -63,6 +63,30 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt %changelog +* Mon Sep 07 2015 Tom Eastep [email protected] +- Updated to 4.6.13-0base +* Sun Aug 30 2015 Tom Eastep [email protected] +- Updated to 4.6.13-0RC1 +* Fri Aug 28 2015 Tom Eastep [email protected] +- Updated to 4.6.13-0Beta2 +* Thu Aug 27 2015 Tom Eastep [email protected] +- Updated to 4.6.13-0Beta1 +* Sat Aug 22 2015 Tom Eastep [email protected] +- Updated to 4.6.12-2 +* Fri Aug 21 2015 Tom Eastep [email protected] +- Updated to 4.6.12-1 +* Mon Aug 17 2015 Tom Eastep [email protected] +- Updated to 4.6.12-0base +* Sun Aug 16 2015 Tom Eastep [email protected] +- Updated to 4.6.12-0RC3 +* Thu Aug 13 2015 Tom Eastep [email protected] +- Updated to 4.6.12-0RC2 +* Thu Jul 30 2015 Tom Eastep [email protected] +- Updated to 4.6.12-0RC1 +* Mon Jul 13 2015 Tom Eastep [email protected] +- Updated to 4.6.12-0Beta2 +* Wed Jul 08 2015 Tom Eastep [email protected] +- Updated to 4.6.12-0Beta1 * Fri Jul 03 2015 Tom Eastep [email protected] - Updated to 4.6.11-0base * Mon Jun 29 2015 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.11/shorewallrc.debian new/shorewall-core-4.6.13/shorewallrc.debian --- old/shorewall-core-4.6.11/shorewallrc.debian 2015-07-06 23:49:20.000000000 +0200 +++ new/shorewall-core-4.6.13/shorewallrc.debian 1970-01-01 01:00:00.000000000 +0100 
@@ -1,23 +0,0 @@ -# -# Debian Shorewall 4.5 rc file -# -BUILD= #Default is to detect the build system -HOST=debian -PREFIX=/usr #Top-level directory for shared files, libraries, etc. -SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. -LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. -PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory -CONFDIR=/etc #Directory where subsystem configurations are installed -SBINDIR=/sbin #Directory where system administration programs are installed -MANDIR=${PREFIX}/share/man #Directory where manpages are installed. -INITDIR=/etc/init.d #Directory where SysV init scripts are installed. -INITFILE=$PRODUCT #Name of the product's installed SysV init script -INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script -ANNOTATED= #If non-zero, annotated configuration files are installed -SYSCONFFILE=default.debian #Name of the distributed file to be installed in $SYSCONFDIR -SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service -SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed -SERVICEDIR= #Directory where .service files are installed (systems running systemd only) -SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR -VARLIB=/var/lib #Directory where product variable data is stored. -VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.11/shorewallrc.debian.systemd new/shorewall-core-4.6.13/shorewallrc.debian.systemd --- old/shorewall-core-4.6.11/shorewallrc.debian.systemd 1970-01-01 01:00:00.000000000 +0100 +++ new/shorewall-core-4.6.13/shorewallrc.debian.systemd 2015-09-07 20:35:47.000000000 +0200 
@@ -0,0 +1,23 @@ +# +# Debian Shorewall 4.5 rc file +# +BUILD= #Default is to detect the build system +HOST=debian +PREFIX=/usr #Top-level directory for shared files, libraries, etc. +SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. +LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. +PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory +CONFDIR=/etc #Directory where subsystem configurations are installed +SBINDIR=/sbin #Directory where system administration programs are installed +MANDIR=${PREFIX}/share/man #Directory where manpages are installed. +INITDIR= #Directory where SysV init scripts are installed. +INITFILE= #Name of the product's installed SysV init script +INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script +ANNOTATED= #If non-zero, annotated configuration files are installed +SYSCONFFILE=default.debian #Name of the distributed file to be installed in $SYSCONFDIR +SERVICEFILE=$PRODUCT.service.debian #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service +SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed +SERVICEDIR=/lib/systemd/system #Directory where .service files are installed (systems running systemd only) +SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR +VARLIB=/var/lib #Directory where product variable data is stored. +VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.11/shorewallrc.debian.sysvinit new/shorewall-core-4.6.13/shorewallrc.debian.sysvinit --- old/shorewall-core-4.6.11/shorewallrc.debian.sysvinit 1970-01-01 01:00:00.000000000 +0100 +++ new/shorewall-core-4.6.13/shorewallrc.debian.sysvinit 2015-09-07 20:35:47.000000000 +0200 
@@ -0,0 +1,23 @@ +# +# Debian Shorewall 4.5 rc file +# +BUILD= #Default is to detect the build system +HOST=debian +PREFIX=/usr #Top-level directory for shared files, libraries, etc. +SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. +LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. +PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory +CONFDIR=/etc #Directory where subsystem configurations are installed +SBINDIR=/sbin #Directory where system administration programs are installed +MANDIR=${PREFIX}/share/man #Directory where manpages are installed. +INITDIR=/etc/init.d #Directory where SysV init scripts are installed. +INITFILE=$PRODUCT #Name of the product's installed SysV init script +INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script +ANNOTATED= #If non-zero, annotated configuration files are installed +SYSCONFFILE=default.debian #Name of the distributed file to be installed in $SYSCONFDIR +SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service +SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed +SERVICEDIR= #Directory where .service files are installed (systems running systemd only) +SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR +VARLIB=/var/lib #Directory where product variable data is stored. +VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.11/uninstall.sh new/shorewall-core-4.6.13/uninstall.sh --- old/shorewall-core-4.6.11/uninstall.sh 2015-07-06 23:57:57.000000000 +0200 +++ new/shorewall-core-4.6.13/uninstall.sh 2015-09-08 20:10:31.000000000 +0200 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.11 +VERSION=4.6.13 usage() # $1 = exit status { ++++++ shorewall-docs-html-4.6.11.tar.bz2 -> shorewall-docs-html-4.6.13.tar.bz2 ++++++ ++++ 8296 lines of diff (skipped) ++++++ shorewall-init-4.6.11.tar.bz2 -> shorewall-init-4.6.13.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.11/changelog.txt new/shorewall-init-4.6.13/changelog.txt --- old/shorewall-init-4.6.11/changelog.txt 2015-07-06 23:57:57.000000000 +0200 +++ new/shorewall-init-4.6.13/changelog.txt 2015-09-08 20:10:32.000000000 +0200 
@@ -1,9 +1,93 @@ +Changes in 4.6.13 Final + +1) Allow non-expoerts access to the user bits in the fw mark. + +Changes in 4.6.13 RC 1 + +1) Update release documents. + +2) Unconditionally get inline matches. + +Changes in 4.6.13 Beta 2 + +1) Update release documents. + +2) Restore tcrules conversion. + +3) Place a header on a newly-created mangle file. + +Changes in 4.6.13 Beta 1 + +1) Update release documents. + +2) Correct 'rules' man pages. + +3) Correct parsing of IPv6 ranges + +4) Correct the shorewall6-hosts(5) manpage. + +6) Improve update + +7) Allow 'second' and 'minute' in LOGLIMIT specifications + +8) Update -t also converts the TOS file + +9) Fix INLINE(...):... + +Changes in 4.6.12.1 + +1) Update release documents. + +2) Correct a warning message. + +3) Attempt a 'restore' after a fatal error during start/restart. + +Changes in 4.6.12 Final + +1) Update release documents. + +2) Correct an error message. + +3) Use NYTProf as the profiler + +Changes in 4.6.12 RC 3 + +1) Fully activate the new update options. + +Changes in 4.6.12 RC 2 + +1) Update release documents. + +2) Update module versions. + +3) Allow =0 on multi-zone interfaces + +4) Port 'update' improvements from 5.0.0. + +Changes in 4.6.12 RC 1 + +1) Update release documents. + +2) Add Debian-specific .service files + +3) Create dual shorewallrc files for Debian + +Changes in 4.6.12 Beta 1 + +1) Update release documents. + +2) Enhance compiler() progress message. + +3) Make script generations repeatable. + Changes in 4.6.11 Final 1) Update release documents. 2) Clean up PATH fix. +3) Change shorewall6.conf to specify INLINE_MATCHES=No. + Changes in 4.6.11 RC 1 1) Update release documents. 
@@ -696,5 +780,3 @@ 6) Implement INLINE_MATCHES 7) Implement IP[6]TABLES actions in several files. - - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.11/configure new/shorewall-init-4.6.13/configure --- old/shorewall-init-4.6.11/configure 2015-07-06 23:57:57.000000000 +0200 +++ new/shorewall-init-4.6.13/configure 2015-09-08 20:10:32.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.11 +VERSION=4.6.13 case "$BASH_VERSION" in [4-9].*) @@ -102,7 +102,7 @@ vendor=redhat ;; debian|ubuntu) - vendor=debian + ls -l /sbin/init |fgrep -q systemd | vendor=debian.systemd | vendor=debian.sysvinit ;; opensuse) vendor=suse @@ -130,7 +130,7 @@ *) if [ -f /etc/debian_version ]; then params[HOST]=debian - rcfile=shorewallrc.debian + rcfile=shorewallrc.debian.sysvinit elif [ -f /etc/redhat-release ]; then params[HOST]=redhat rcfile=shorewallrc.redhat diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.11/configure.pl new/shorewall-init-4.6.13/configure.pl --- old/shorewall-init-4.6.11/configure.pl 2015-07-06 23:57:57.000000000 +0200 +++ new/shorewall-init-4.6.13/configure.pl 2015-09-08 20:10:32.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.11' + VERSION => '4.6.13' }; my %params; @@ -68,14 +68,16 @@ $vendor = 'redhat'; } elsif ( $id eq 'opensuse' ) { $vendor = 'suse'; - } elsif ( $id eq 'ubuntu' ) { - $vendor = 'debian'; + } elsif ( $id eq 'ubuntu' || $id eq 'debian' ) { + my $init = `ls -l /sbin/init`; + $vendor = $init =~ /systemd/ ? 'debian.systemd' : 'debian.sysvinit'; } else { $vendor = $id; } } $params{HOST} = $vendor; + $params{HOST} =~ s/\..*//; } if ( defined $vendor ) { 
@@ -84,7 +86,7 @@ } else { if ( -f '/etc/debian_version' ) { $vendor = 'debian'; - $rcfilename = 'shorewallrc.debian'; + $rcfilename = 'shorewallrc.debian.sysvinit'; } elsif ( -f '/etc/redhat-release' ){ $vendor = 'redhat'; $rcfilename = 'shorewallrc.redhat'; @@ -117,7 +119,7 @@ if ( $vendor eq 'linux' ) { printf "INFO: Creating a generic Linux installation - %s %2d %04d %02d:%02d:%02d\n\n", $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];; } else { - printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $vendor, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];; + printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $params{HOST}, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];; } open $rcfile, '<', $rcfilename or die "Unable to open $rcfilename for input: $!"; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.11/install.sh new/shorewall-init-4.6.13/install.sh --- old/shorewall-init-4.6.11/install.sh 2015-07-06 23:57:57.000000000 +0200 +++ new/shorewall-init-4.6.13/install.sh 2015-09-08 20:10:32.000000000 +0200 @@ -27,7 +27,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.6.11 +VERSION=4.6.13 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.11/releasenotes.txt new/shorewall-init-4.6.13/releasenotes.txt --- old/shorewall-init-4.6.11/releasenotes.txt 2015-07-06 23:57:57.000000000 +0200 +++ new/shorewall-init-4.6.13/releasenotes.txt 2015-09-08 20:10:32.000000000 +0200 
@@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 1 1 - ---------------------------- - J u l y 0 7 , 2 0 1 5 + S H O R E W A L L 4 . 6 . 1 3 + ------------------------------ + S e p t e m b e r 0 9 , 2 0 1 5 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -11,28 +11,50 @@ V. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES ---------------------------------------------------------------------------- + N O T I C E + +Shorewall 4.6.13 is scheduled to be the last 4.6 release. In +the fall of 2015, Shorewall 5.0.0 will be available. Please see +http://www.shorewall.org/Shorewall-5.html for information about +preparing to migrate to Shorewall 5. + +---------------------------------------------------------------------------- I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1. This release includes defect repair up to and including Shorewall - 4.6.10.1. - -2. Previously, when the -c option was given to the 'compile' command, - the progress message "Compiling..." was issued before it was - determined if compilation was necessary. Now, that message is - suppressed when re-compilation is not required. +1) The 'rules' file manpages have been corrected regarding the packets + that are processed by rules in the NEW section. -3. Previously, when the -c option was given to the 'compile' command, - the 'postcompile' extension script was executed even when there was - no (re-)compilation. Now, the 'postcompile' script is only invoked - when a new script is generated. +2) Parsing of IPv6 address ranges has been corrected. Previously, use + of ranges resulted in 'Invalid IPv6 Address' errors. -4. If CONFDIR was other than /etc, then ordinary users would not - receive a clear error message when they attempted to execute one of - the commands that change the firewall state. +3) The shorewall6-hosts man page has been corrected to show the + proper contents of the HOST(S) column. -5. Previously, IPv4 DHCP client broadcasts were blocked by the - 'rpfilter' interface option. That has been corrected. +4) Previously, INLINE statements in the mangle file were not + recognized if a chain designator (:F, :P, etc.) followed + INLINE(...). 
As a consequence, additional matches following a + semicolon were interpreted as column/value pairs unless + INLINE_MATCHES=Yes, resulting in compilation failure. + +5) Inline matches on IP[6]TABLE rules could be ignored if + INLINE_MATCHES=No. They are now recognized. + +6) Specifying an action with a logging level in one of the _DEFAULT + options in shorewall[6].conf (e.g., REJECT_DEFAULT=Reject:info) + produced a compilation error: + + ERROR: Invalid value (:info) for first Reject parameter + /usr/share/shorewall/action.Reject (line 52) + + That has been corrected. Note, however, that specifying logging + with a default action tends to defeat one of the main purposes of + default actions which is to suppress logging. + +7) Previously, it was necessary to set TC_EXPERT=Yes to have full + access to the user mark in fw marks. That has been corrected so + that any place that a mark or mask can be specified, both the TC + mark and the User mark are accessible. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -45,44 +67,40 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Over the years, a number of changes have been added to Shorewall - that work around defects in other products. When running a current - distribution, these workarounds are unnecessary and add to the time - required for normal Shorewall operations. +1) 'update -t' now converts both the tcrules and tos files. - Beginning in this release, those workarounds may be disabled by - setting WORKAROUNDS=No in shorewall.conf. - -2) Previously, both lib.cli and lib.cli-std included nearly-identical - usage() functions. Now, only lib.cli includes the function which - produces its output based on which product's CLI is invoking it. +2) 'second' and 'minute' are now allowed in the LOGLIMIT + specification in place of 'sec' and 'min' respectively. -3) To accomodate compiled scripts produced by Shorewall versions - before 4.4.8, Shorewall products from 4.4.8 onward have run scripts - twice. The first time is simply to capture the output of the - 'version' command. Based on the script's version, it is then invoked - to execute the requested command. +3) The 'update' command now converts additional deprecated option + settings: - Beginning in this release, scripts will only be run once if: + - LOGRATE/LOGBURST are converted to the equivalent LOGLIMIT + setting. - - WORKAROUNDS=No, or - - the script was compiled as part of executing the command, or - - AUTOMAKE=Yes and it was determined that re-compilation was not - required. + - BLACKLISTNEWONLY is now converted to the equivalent BLACKLIST + setting. -4) When the 'conntrack' utility program is installed, the 'show - connections' command can now display a subset of the entire - conntrack table by simply following the 'connections' keyword with - one or more conntrack filter parameters. 
+4) Two settings now have more reasonable defaults if they don't appear + in the .conf file being updated: - For example, to display all http connections: + - USE_DEFAULT_RT now defaults to No + - EXPORTMODULES now defaults to No. - shorewall show connections -p tcp --dport 80 +5) When the 'update' command is converting a deprecated file, it now + makes additional checks when it finds a target file (mangle, + stoppedrules or blrules) to append the converted rules to: - See conntrack(8) for a description of the available parameters. + - If the file is in the directory $SHAREDIR/$product/configfiles/, + the file is not opened. + - If the file is in the directory + $SHAREDIR/doc/$product/default-config/, the file is not opened. + - If the file is not writable, the file is not opened. -5) To ensure that the compiler has an adequate PATH, the default - Shorewall PATH is now appended to the compiler's active PATH. + When the file isn't opened because of one of these checks, an + attempt is made to create a new file in either the directory + specified on the command line (if any) or in the first directory + listed in the CONFIG_PATH setting. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -375,7 +393,158 @@ See shorewall[6].conf(5) for additional details. ---------------------------------------------------------------------------- - V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S + V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 2 +---------------------------------------------------------------------------- + +4.6.12.1 + +1) Beginning with Shorewall 4.6.10, a fatal error during a start or + restart operation can leave the firewall in an indeterminent state. + That problem has been corrected so that the intended action takes + place: + + - If there is a current executable RESTOREFILE, then the firewall + is restored using that file. + + - Otherwise, the firewall is placed in the stopped state. + +2) Previously, if 'none' were passed as the log level argument to the + AutoBL action, compilation failed silently. Now, the intended + behavior (no logging) is produced. + +4.6.12 + +1) This release includes defect repair up through Shorewall 4.6.11.1. + +2) Previously, when Perl 5.18.0 or later was used with Shorewall, + multiple compilations of an unchanging configuration could produce + different but equivalent script files. Now, the script files + produced will be identical (except for dates and times) for any + given Shorewall version. + +3) Previously, if a binary interface option (those that have a value + of zero or 1) was specified with a value of zero on such an + interface, compilation failed. + + For example, this interface definition: + + - eth2 arp_filter=0,routeback=0,tcpflags=0,proxyarp=0 + + would generate the following error message: + + ERROR: The "routeback" option may not be specified on a + multi-zone interface + + Now, the option is allowed. + +4) Several issues with 'update -b' have been corrected. 
+ +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 1 2 +---------------------------------------------------------------------------- + +1) The initial 'Compiling...', 'Checking...' and 'Updating..." + progress messages now include the Product name and version. + +2) Debian-specific .service files have been added. + +3) There are now two shorewallrc files for Debian - one for sysvinit + and one for systemd. The configure and configure.pl scrips + determine which to use by examining /sbin/init. + +4) Two new options are available for the 'update' command: + + -r converts a routestopped file to an equivalent stoppedrules file. + + -n converts a notrack file to an equivalent conntrack file. If + there is already an existing conntrack file, the converted rules + are appended to the existing file. + + WARNING: If you include /usr/share/shorewall/configfiles (or + wherever your distro places empty files) in your CONFIG_FILE + setting and there is no new file in your config directory (such as + /etc/shorewall), then the 'update' command will update the copy of + the file in /usr/share/shorewall/configfiles. This is probably not + what you want, since files in that directory (or your distro's + corresponding directory) will be overwritten by the next upgrade. + +5) Shorewall now uses NYTProf as its profiler rather than the + deprecated DProf. + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 1 +---------------------------------------------------------------------------- + +1. This release includes defect repair up to and including Shorewall + 4.6.10.1. + +2. Previously, when the -c option was given to the 'compile' command, + the progress message "Compiling..." was issued before it was + determined if compilation was necessary. Now, that message is + suppressed when re-compilation is not required. + +3. 
Previously, when the -c option was given to the 'compile' command, + the 'postcompile' extension script was executed even when there was + no (re-)compilation. Now, the 'postcompile' script is only invoked + when a new script is generated. + +4. If CONFDIR was other than /etc, then ordinary users would not + receive a clear error message when they attempted to execute one of + the commands that change the firewall state. + +5. Previously, IPv4 DHCP client broadcasts were blocked by the + 'rpfilter' interface option. That has been corrected. + +6) The 'update' command incorrectly added the INLINE_MATCHES option + to shorewall6.conf with a default value of 'Yes'. This caused + 'start' to fail with invalid ip6tables rules when the alternate + input format using ';' is used. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 1 1 +---------------------------------------------------------------------------- + +1) Over the years, a number of changes have been added to Shorewall + that work around defects in other products. When running a current + distribution, these workarounds are unnecessary and add to the time + required for normal Shorewall operations. + + Beginning in this release, those workarounds may be disabled by + setting WORKAROUNDS=No in shorewall.conf. + +2) Previously, both lib.cli and lib.cli-std included nearly-identical + usage() functions. Now, only lib.cli includes the function which + produces its output based on which product's CLI is invoking it. + +3) To accomodate compiled scripts produced by Shorewall versions + before 4.4.8, Shorewall products from 4.4.8 onward have run scripts + twice. The first time is simply to capture the output of the + 'version' command. Based on the script's version, it is then invoked + to execute the requested command. 
+ + Beginning in this release, scripts will only be run once if: + + - WORKAROUNDS=No, or + - the script was compiled as part of executing the command, or + - AUTOMAKE=Yes and it was determined that re-compilation was not + required. + +4) When the 'conntrack' utility program is installed, the 'show + connections' command can now display a subset of the entire + conntrack table by simply following the 'connections' keyword with + one or more conntrack filter parameters. + + For example, to display all http connections: + + shorewall show connections -p tcp --dport 80 + + See conntrack(8) for a description of the available parameters. + +5) To ensure that the compiler has an adequate PATH, the default + Shorewall PATH is now appended to the compiler's active PATH. + ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 0 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.11/shorewall-init.service new/shorewall-init-4.6.13/shorewall-init.service --- old/shorewall-init-4.6.11/shorewall-init.service 2015-07-06 23:49:20.000000000 +0200 +++ new/shorewall-init-4.6.13/shorewall-init.service 2015-09-07 20:35:47.000000000 +0200 @@ -6,7 +6,6 @@ [Unit] Description=Shorewall firewall (bootup security) Before=network.target -Conflicts=iptables.service ip6tables.service firewalld.service [Service] Type=oneshot diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.11/shorewall-init.service.214 new/shorewall-init-4.6.13/shorewall-init.service.214 --- old/shorewall-init-4.6.11/shorewall-init.service.214 2015-07-06 23:49:20.000000000 +0200 +++ new/shorewall-init-4.6.13/shorewall-init.service.214 2015-09-07 20:35:47.000000000 +0200 
@@ -7,7 +7,6 @@ Description=Shorewall firewall (bootup security) Before=network-pre.target Wants=network-pre.target -Conflicts=iptables.service firewalld.service [Service] Type=oneshot diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.11/shorewall-init.service.214.debian new/shorewall-init-4.6.13/shorewall-init.service.214.debian --- old/shorewall-init-4.6.11/shorewall-init.service.214.debian 1970-01-01 01:00:00.000000000 +0100 +++ new/shorewall-init-4.6.13/shorewall-init.service.214.debian 2015-09-07 20:35:47.000000000 +0200 @@ -0,0 +1,21 @@ +# +# The Shoreline Firewall (Shorewall) Packet Filtering Firewall +# +# Copyright 2011 Jonathan Underwood <[email protected]> +# Copyright 2015 Tom Eastep <[email protected]> +# +[Unit] +Description=Shorewall firewall (bootup security) +Before=network-pre.target +Wants=network-pre.target + +[Service] +Type=oneshot +RemainAfterExit=yes +EnvironmentFile=-/etc/default/shorewall-init +StandardOutput=syslog +ExecStart=/sbin/shorewall-init start +ExecStop=/sbin/shorewall-init stop + +[Install] +WantedBy=basic.target diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.11/shorewall-init.service.debian new/shorewall-init-4.6.13/shorewall-init.service.debian --- old/shorewall-init-4.6.11/shorewall-init.service.debian 1970-01-01 01:00:00.000000000 +0100 +++ new/shorewall-init-4.6.13/shorewall-init.service.debian 2015-09-07 20:35:47.000000000 +0200 
@@ -0,0 +1,21 @@ +# +# The Shoreline Firewall (Shorewall) Packet Filtering Firewall +# +# Copyright 2011 Jonathan Underwood <[email protected]> +# Copyright 2015 Tom Eastep <[email protected]> +# +[Unit] +Description=Shorewall firewall (bootup security) +Wants=network.target +Before=network.target + +[Service] +Type=oneshot +RemainAfterExit=yes +EnvironmentFile=-/etc/default/shorewall-init +StandardOutput=syslog +ExecStart=/sbin/shorewall-init start +ExecStop=/sbin/shorewall-init stop + +[Install] +WantedBy=basic.target diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.11/shorewall-init.spec new/shorewall-init-4.6.13/shorewall-init.spec --- old/shorewall-init-4.6.11/shorewall-init.spec 2015-07-06 23:57:57.000000000 +0200 +++ new/shorewall-init-4.6.13/shorewall-init.spec 2015-09-08 20:10:32.000000000 +0200 @@ -1,5 +1,5 @@ %define name shorewall-init -%define version 4.6.11 +%define version 4.6.13 %define release 0base Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). 
@@ -126,6 +126,30 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Mon Sep 07 2015 Tom Eastep [email protected] +- Updated to 4.6.13-0base +* Sun Aug 30 2015 Tom Eastep [email protected] +- Updated to 4.6.13-0RC1 +* Fri Aug 28 2015 Tom Eastep [email protected] +- Updated to 4.6.13-0Beta2 +* Thu Aug 27 2015 Tom Eastep [email protected] +- Updated to 4.6.13-0Beta1 +* Sat Aug 22 2015 Tom Eastep [email protected] +- Updated to 4.6.12-2 +* Fri Aug 21 2015 Tom Eastep [email protected] +- Updated to 4.6.12-1 +* Mon Aug 17 2015 Tom Eastep [email protected] +- Updated to 4.6.12-0base +* Sun Aug 16 2015 Tom Eastep [email protected] +- Updated to 4.6.12-0RC3 +* Thu Aug 13 2015 Tom Eastep [email protected] +- Updated to 4.6.12-0RC2 +* Thu Jul 30 2015 Tom Eastep [email protected] +- Updated to 4.6.12-0RC1 +* Mon Jul 13 2015 Tom Eastep [email protected] +- Updated to 4.6.12-0Beta2 +* Wed Jul 08 2015 Tom Eastep [email protected] +- Updated to 4.6.12-0Beta1 * Fri Jul 03 2015 Tom Eastep [email protected] - Updated to 4.6.11-0base * Mon Jun 29 2015 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.11/shorewallrc.debian new/shorewall-init-4.6.13/shorewallrc.debian --- old/shorewall-init-4.6.11/shorewallrc.debian 2015-07-06 23:57:57.000000000 +0200 +++ new/shorewall-init-4.6.13/shorewallrc.debian 1970-01-01 01:00:00.000000000 +0100 
@@ -1,23 +0,0 @@ -# -# Debian Shorewall 4.5 rc file -# -BUILD= #Default is to detect the build system -HOST=debian -PREFIX=/usr #Top-level directory for shared files, libraries, etc. -SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. -LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. -PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory -CONFDIR=/etc #Directory where subsystem configurations are installed -SBINDIR=/sbin #Directory where system administration programs are installed -MANDIR=${PREFIX}/share/man #Directory where manpages are installed. -INITDIR=/etc/init.d #Directory where SysV init scripts are installed. -INITFILE=$PRODUCT #Name of the product's installed SysV init script -INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script -ANNOTATED= #If non-zero, annotated configuration files are installed -SYSCONFFILE=default.debian #Name of the distributed file to be installed in $SYSCONFDIR -SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service -SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed -SERVICEDIR= #Directory where .service files are installed (systems running systemd only) -SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR -VARLIB=/var/lib #Directory where product variable data is stored. -VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.11/shorewallrc.debian.systemd new/shorewall-init-4.6.13/shorewallrc.debian.systemd --- old/shorewall-init-4.6.11/shorewallrc.debian.systemd 1970-01-01 01:00:00.000000000 +0100 +++ new/shorewall-init-4.6.13/shorewallrc.debian.systemd 2015-09-08 20:10:32.000000000 +0200 
@@ -0,0 +1,23 @@ +# +# Debian Shorewall 4.5 rc file +# +BUILD= #Default is to detect the build system +HOST=debian +PREFIX=/usr #Top-level directory for shared files, libraries, etc. +SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. +LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. +PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory +CONFDIR=/etc #Directory where subsystem configurations are installed +SBINDIR=/sbin #Directory where system administration programs are installed +MANDIR=${PREFIX}/share/man #Directory where manpages are installed. +INITDIR= #Directory where SysV init scripts are installed. +INITFILE= #Name of the product's installed SysV init script +INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script +ANNOTATED= #If non-zero, annotated configuration files are installed +SYSCONFFILE=default.debian #Name of the distributed file to be installed in $SYSCONFDIR +SERVICEFILE=$PRODUCT.service.debian #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service +SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed +SERVICEDIR=/lib/systemd/system #Directory where .service files are installed (systems running systemd only) +SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR +VARLIB=/var/lib #Directory where product variable data is stored. +VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.11/shorewallrc.debian.sysvinit new/shorewall-init-4.6.13/shorewallrc.debian.sysvinit --- old/shorewall-init-4.6.11/shorewallrc.debian.sysvinit 1970-01-01 01:00:00.000000000 +0100 +++ new/shorewall-init-4.6.13/shorewallrc.debian.sysvinit 2015-09-08 20:10:32.000000000 +0200 
@@ -0,0 +1,23 @@ +# +# Debian Shorewall 4.5 rc file +# +BUILD= #Default is to detect the build system +HOST=debian +PREFIX=/usr #Top-level directory for shared files, libraries, etc. +SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. +LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. +PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory +CONFDIR=/etc #Directory where subsystem configurations are installed +SBINDIR=/sbin #Directory where system administration programs are installed +MANDIR=${PREFIX}/share/man #Directory where manpages are installed. +INITDIR=/etc/init.d #Directory where SysV init scripts are installed. +INITFILE=$PRODUCT #Name of the product's installed SysV init script +INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script +ANNOTATED= #If non-zero, annotated configuration files are installed +SYSCONFFILE=default.debian #Name of the distributed file to be installed in $SYSCONFDIR +SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service +SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed +SERVICEDIR= #Directory where .service files are installed (systems running systemd only) +SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR +VARLIB=/var/lib #Directory where product variable data is stored. +VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.11/uninstall.sh new/shorewall-init-4.6.13/uninstall.sh --- old/shorewall-init-4.6.11/uninstall.sh 2015-07-06 23:57:57.000000000 +0200 +++ new/shorewall-init-4.6.13/uninstall.sh 2015-09-08 20:10:32.000000000 +0200 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.11 +VERSION=4.6.13 usage() # $1 = exit status { ++++++ shorewall-lite-4.6.11.tar.bz2 -> shorewall-lite-4.6.13.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.11/changelog.txt new/shorewall-lite-4.6.13/changelog.txt --- old/shorewall-lite-4.6.11/changelog.txt 2015-07-06 23:57:58.000000000 +0200 +++ new/shorewall-lite-4.6.13/changelog.txt 2015-09-08 20:10:32.000000000 +0200 
@@ -1,9 +1,93 @@ +Changes in 4.6.13 Final + +1) Allow non-expoerts access to the user bits in the fw mark. + +Changes in 4.6.13 RC 1 + +1) Update release documents. + +2) Unconditionally get inline matches. + +Changes in 4.6.13 Beta 2 + +1) Update release documents. + +2) Restore tcrules conversion. + +3) Place a header on a newly-created mangle file. + +Changes in 4.6.13 Beta 1 + +1) Update release documents. + +2) Correct 'rules' man pages. + +3) Correct parsing of IPv6 ranges + +4) Correct the shorewall6-hosts(5) manpage. + +6) Improve update + +7) Allow 'second' and 'minute' in LOGLIMIT specifications + +8) Update -t also converts the TOS file + +9) Fix INLINE(...):... + +Changes in 4.6.12.1 + +1) Update release documents. + +2) Correct a warning message. + +3) Attempt a 'restore' after a fatal error during start/restart. + +Changes in 4.6.12 Final + +1) Update release documents. + +2) Correct an error message. + +3) Use NYTProf as the profiler + +Changes in 4.6.12 RC 3 + +1) Fully activate the new update options. + +Changes in 4.6.12 RC 2 + +1) Update release documents. + +2) Update module versions. + +3) Allow =0 on multi-zone interfaces + +4) Port 'update' improvements from 5.0.0. + +Changes in 4.6.12 RC 1 + +1) Update release documents. + +2) Add Debian-specific .service files + +3) Create dual shorewallrc files for Debian + +Changes in 4.6.12 Beta 1 + +1) Update release documents. + +2) Enhance compiler() progress message. + +3) Make script generations repeatable. + Changes in 4.6.11 Final 1) Update release documents. 2) Clean up PATH fix. +3) Change shorewall6.conf to specify INLINE_MATCHES=No. + Changes in 4.6.11 RC 1 1) Update release documents. 
@@ -696,5 +780,3 @@ 6) Implement INLINE_MATCHES 7) Implement IP[6]TABLES actions in several files. - - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.11/configure new/shorewall-lite-4.6.13/configure --- old/shorewall-lite-4.6.11/configure 2015-07-06 23:57:58.000000000 +0200 +++ new/shorewall-lite-4.6.13/configure 2015-09-08 20:10:32.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.11 +VERSION=4.6.13 case "$BASH_VERSION" in [4-9].*) @@ -102,7 +102,7 @@ vendor=redhat ;; debian|ubuntu) - vendor=debian + ls -l /sbin/init |fgrep -q systemd | vendor=debian.systemd | vendor=debian.sysvinit ;; opensuse) vendor=suse @@ -130,7 +130,7 @@ *) if [ -f /etc/debian_version ]; then params[HOST]=debian - rcfile=shorewallrc.debian + rcfile=shorewallrc.debian.sysvinit elif [ -f /etc/redhat-release ]; then params[HOST]=redhat rcfile=shorewallrc.redhat diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.11/configure.pl new/shorewall-lite-4.6.13/configure.pl --- old/shorewall-lite-4.6.11/configure.pl 2015-07-06 23:57:58.000000000 +0200 +++ new/shorewall-lite-4.6.13/configure.pl 2015-09-08 20:10:32.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.11' + VERSION => '4.6.13' }; my %params; @@ -68,14 +68,16 @@ $vendor = 'redhat'; } elsif ( $id eq 'opensuse' ) { $vendor = 'suse'; - } elsif ( $id eq 'ubuntu' ) { - $vendor = 'debian'; + } elsif ( $id eq 'ubuntu' || $id eq 'debian' ) { + my $init = `ls -l /sbin/init`; + $vendor = $init =~ /systemd/ ? 'debian.systemd' : 'debian.sysvinit'; } else { $vendor = $id; } } $params{HOST} = $vendor; + $params{HOST} =~ s/\..*//; } if ( defined $vendor ) { 
@@ -84,7 +86,7 @@ } else { if ( -f '/etc/debian_version' ) { $vendor = 'debian'; - $rcfilename = 'shorewallrc.debian'; + $rcfilename = 'shorewallrc.debian.sysvinit'; } elsif ( -f '/etc/redhat-release' ){ $vendor = 'redhat'; $rcfilename = 'shorewallrc.redhat'; @@ -117,7 +119,7 @@ if ( $vendor eq 'linux' ) { printf "INFO: Creating a generic Linux installation - %s %2d %04d %02d:%02d:%02d\n\n", $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];; } else { - printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $vendor, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];; + printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $params{HOST}, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];; } open $rcfile, '<', $rcfilename or die "Unable to open $rcfilename for input: $!"; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.11/install.sh new/shorewall-lite-4.6.13/install.sh --- old/shorewall-lite-4.6.11/install.sh 2015-07-06 23:57:57.000000000 +0200 +++ new/shorewall-lite-4.6.13/install.sh 2015-09-08 20:10:32.000000000 +0200 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=4.6.11 +VERSION=4.6.13 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.11/manpages/shorewall-lite-vardir.5 new/shorewall-lite-4.6.13/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-4.6.11/manpages/shorewall-lite-vardir.5 2015-07-07 00:00:44.000000000 +0200 +++ new/shorewall-lite-4.6.13/manpages/shorewall-lite-vardir.5 2015-09-08 20:13:20.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 07/06/2015 +.\" Date: 09/08/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "07/06/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\-VAR" "5" "09/08/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.11/manpages/shorewall-lite.8 new/shorewall-lite-4.6.13/manpages/shorewall-lite.8 --- old/shorewall-lite-4.6.11/manpages/shorewall-lite.8 2015-07-07 00:00:45.000000000 +0200 +++ new/shorewall-lite-4.6.13/manpages/shorewall-lite.8 2015-09-08 20:13:21.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 07/06/2015 +.\" Date: 09/08/2015 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "07/06/2015" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL\-LITE" "8" "09/08/2015" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.11/manpages/shorewall-lite.conf.5 new/shorewall-lite-4.6.13/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-4.6.11/manpages/shorewall-lite.conf.5 2015-07-07 00:00:43.000000000 +0200 +++ new/shorewall-lite-4.6.13/manpages/shorewall-lite.conf.5 2015-09-08 20:13:19.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 07/06/2015 +.\" Date: 09/08/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "07/06/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\&.CO" "5" "09/08/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.11/releasenotes.txt new/shorewall-lite-4.6.13/releasenotes.txt --- old/shorewall-lite-4.6.11/releasenotes.txt 2015-07-06 23:57:58.000000000 +0200 +++ new/shorewall-lite-4.6.13/releasenotes.txt 2015-09-08 20:10:32.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 1 1 - ---------------------------- - J u l y 0 7 , 2 0 1 5 + S H O R E W A L L 4 . 6 . 1 3 + ------------------------------ + S e p t e m b e r 0 9 , 2 0 1 5 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -11,28 +11,50 @@ V. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES ---------------------------------------------------------------------------- + N O T I C E + +Shorewall 4.6.13 is scheduled to be the last 4.6 release. In +the fall of 2015, Shorewall 5.0.0 will be available. Please see +http://www.shorewall.org/Shorewall-5.html for information about +preparing to migrate to Shorewall 5. + +---------------------------------------------------------------------------- I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1. This release includes defect repair up to and including Shorewall - 4.6.10.1. - -2. Previously, when the -c option was given to the 'compile' command, - the progress message "Compiling..." was issued before it was - determined if compilation was necessary. Now, that message is - suppressed when re-compilation is not required. +1) The 'rules' file manpages have been corrected regarding the packets + that are processed by rules in the NEW section. -3. Previously, when the -c option was given to the 'compile' command, - the 'postcompile' extension script was executed even when there was - no (re-)compilation. Now, the 'postcompile' script is only invoked - when a new script is generated. +2) Parsing of IPv6 address ranges has been corrected. Previously, use + of ranges resulted in 'Invalid IPv6 Address' errors. -4. If CONFDIR was other than /etc, then ordinary users would not - receive a clear error message when they attempted to execute one of - the commands that change the firewall state. +3) The shorewall6-hosts man page has been corrected to show the + proper contents of the HOST(S) column. -5. Previously, IPv4 DHCP client broadcasts were blocked by the - 'rpfilter' interface option. That has been corrected. +4) Previously, INLINE statements in the mangle file were not + recognized if a chain designator (:F, :P, etc.) followed + INLINE(...). 
As a consequence, additional matches following a + semicolon were interpreted as column/value pairs unless + INLINE_MATCHES=Yes, resulting in compilation failure. + +5) Inline matches on IP[6]TABLE rules could be ignored if + INLINE_MATCHES=No. They are now recognized. + +6) Specifying an action with a logging level in one of the _DEFAULT + options in shorewall[6].conf (e.g., REJECT_DEFAULT=Reject:info) + produced a compilation error: + + ERROR: Invalid value (:info) for first Reject parameter + /usr/share/shorewall/action.Reject (line 52) + + That has been corrected. Note, however, that specifying logging + with a default action tends to defeat one of the main purposes of + default actions which is to suppress logging. + +7) Previously, it was necessary to set TC_EXPERT=Yes to have full + access to the user mark in fw marks. That has been corrected so + that any place that a mark or mask can be specified, both the TC + mark and the User mark are accessible. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -45,44 +67,40 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Over the years, a number of changes have been added to Shorewall - that work around defects in other products. When running a current - distribution, these workarounds are unnecessary and add to the time - required for normal Shorewall operations. +1) 'update -t' now converts both the tcrules and tos files. - Beginning in this release, those workarounds may be disabled by - setting WORKAROUNDS=No in shorewall.conf. - -2) Previously, both lib.cli and lib.cli-std included nearly-identical - usage() functions. Now, only lib.cli includes the function which - produces its output based on which product's CLI is invoking it. +2) 'second' and 'minute' are now allowed in the LOGLIMIT + specification in place of 'sec' and 'min' respectively. -3) To accomodate compiled scripts produced by Shorewall versions - before 4.4.8, Shorewall products from 4.4.8 onward have run scripts - twice. The first time is simply to capture the output of the - 'version' command. Based on the script's version, it is then invoked - to execute the requested command. +3) The 'update' command now converts additional deprecated option + settings: - Beginning in this release, scripts will only be run once if: + - LOGRATE/LOGBURST are converted to the equivalent LOGLIMIT + setting. - - WORKAROUNDS=No, or - - the script was compiled as part of executing the command, or - - AUTOMAKE=Yes and it was determined that re-compilation was not - required. + - BLACKLISTNEWONLY is now converted to the equivalent BLACKLIST + setting. -4) When the 'conntrack' utility program is installed, the 'show - connections' command can now display a subset of the entire - conntrack table by simply following the 'connections' keyword with - one or more conntrack filter parameters. 
+4) Two settings now have more reasonable defaults if they don't appear + in the .conf file being updated: - For example, to display all http connections: + - USE_DEFAULT_RT now defaults to No + - EXPORTMODULES now defaults to No. - shorewall show connections -p tcp --dport 80 +5) When the 'update' command is converting a deprecated file, it now + makes additional checks when it finds a target file (mangle, + stoppedrules or blrules) to append the converted rules to: - See conntrack(8) for a description of the available parameters. + - If the file is in the directory $SHAREDIR/$product/configfiles/, + the file is not opened. + - If the file is in the directory + $SHAREDIR/doc/$product/default-config/, the file is not opened. + - If the file is not writable, the file is not opened. -5) To ensure that the compiler has an adequate PATH, the default - Shorewall PATH is now appended to the compiler's active PATH. + When the file isn't opened because of one of these checks, an + attempt is made to create a new file in either the directory + specified on the command line (if any) or in the first directory + listed in the CONFIG_PATH setting. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -375,7 +393,158 @@ See shorewall[6].conf(5) for additional details. ---------------------------------------------------------------------------- - V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S + V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 2 +---------------------------------------------------------------------------- + +4.6.12.1 + +1) Beginning with Shorewall 4.6.10, a fatal error during a start or + restart operation can leave the firewall in an indeterminent state. + That problem has been corrected so that the intended action takes + place: + + - If there is a current executable RESTOREFILE, then the firewall + is restored using that file. + + - Otherwise, the firewall is placed in the stopped state. + +2) Previously, if 'none' were passed as the log level argument to the + AutoBL action, compilation failed silently. Now, the intended + behavior (no logging) is produced. + +4.6.12 + +1) This release includes defect repair up through Shorewall 4.6.11.1. + +2) Previously, when Perl 5.18.0 or later was used with Shorewall, + multiple compilations of an unchanging configuration could produce + different but equivalent script files. Now, the script files + produced will be identical (except for dates and times) for any + given Shorewall version. + +3) Previously, if a binary interface option (those that have a value + of zero or 1) was specified with a value of zero on such an + interface, compilation failed. + + For example, this interface definition: + + - eth2 arp_filter=0,routeback=0,tcpflags=0,proxyarp=0 + + would generate the following error message: + + ERROR: The "routeback" option may not be specified on a + multi-zone interface + + Now, the option is allowed. + +4) Several issues with 'update -b' have been corrected. 
+ +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 1 2 +---------------------------------------------------------------------------- + +1) The initial 'Compiling...', 'Checking...' and 'Updating..." + progress messages now include the Product name and version. + +2) Debian-specific .service files have been added. + +3) There are now two shorewallrc files for Debian - one for sysvinit + and one for systemd. The configure and configure.pl scrips + determine which to use by examining /sbin/init. + +4) Two new options are available for the 'update' command: + + -r converts a routestopped file to an equivalent stoppedrules file. + + -n converts a notrack file to an equivalent conntrack file. If + there is already an existing conntrack file, the converted rules + are appended to the existing file. + + WARNING: If you include /usr/share/shorewall/configfiles (or + wherever your distro places empty files) in your CONFIG_FILE + setting and there is no new file in your config directory (such as + /etc/shorewall), then the 'update' command will update the copy of + the file in /usr/share/shorewall/configfiles. This is probably not + what you want, since files in that directory (or your distro's + corresponding directory) will be overwritten by the next upgrade. + +5) Shorewall now uses NYTProf as its profiler rather than the + deprecated DProf. + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 1 +---------------------------------------------------------------------------- + +1. This release includes defect repair up to and including Shorewall + 4.6.10.1. + +2. Previously, when the -c option was given to the 'compile' command, + the progress message "Compiling..." was issued before it was + determined if compilation was necessary. Now, that message is + suppressed when re-compilation is not required. + +3. 
Previously, when the -c option was given to the 'compile' command, + the 'postcompile' extension script was executed even when there was + no (re-)compilation. Now, the 'postcompile' script is only invoked + when a new script is generated. + +4. If CONFDIR was other than /etc, then ordinary users would not + receive a clear error message when they attempted to execute one of + the commands that change the firewall state. + +5. Previously, IPv4 DHCP client broadcasts were blocked by the + 'rpfilter' interface option. That has been corrected. + +6) The 'update' command incorrectly added the INLINE_MATCHES option + to shorewall6.conf with a default value of 'Yes'. This caused + 'start' to fail with invalid ip6tables rules when the alternate + input format using ';' is used. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 1 1 +---------------------------------------------------------------------------- + +1) Over the years, a number of changes have been added to Shorewall + that work around defects in other products. When running a current + distribution, these workarounds are unnecessary and add to the time + required for normal Shorewall operations. + + Beginning in this release, those workarounds may be disabled by + setting WORKAROUNDS=No in shorewall.conf. + +2) Previously, both lib.cli and lib.cli-std included nearly-identical + usage() functions. Now, only lib.cli includes the function which + produces its output based on which product's CLI is invoking it. + +3) To accomodate compiled scripts produced by Shorewall versions + before 4.4.8, Shorewall products from 4.4.8 onward have run scripts + twice. The first time is simply to capture the output of the + 'version' command. Based on the script's version, it is then invoked + to execute the requested command. 
+ + Beginning in this release, scripts will only be run once if: + + - WORKAROUNDS=No, or + - the script was compiled as part of executing the command, or + - AUTOMAKE=Yes and it was determined that re-compilation was not + required. + +4) When the 'conntrack' utility program is installed, the 'show + connections' command can now display a subset of the entire + conntrack table by simply following the 'connections' keyword with + one or more conntrack filter parameters. + + For example, to display all http connections: + + shorewall show connections -p tcp --dport 80 + + See conntrack(8) for a description of the available parameters. + +5) To ensure that the compiler has an adequate PATH, the default + Shorewall PATH is now appended to the compiler's active PATH. + ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 0 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.11/shorewall-lite.service.debian new/shorewall-lite-4.6.13/shorewall-lite.service.debian --- old/shorewall-lite-4.6.11/shorewall-lite.service.debian 1970-01-01 01:00:00.000000000 +0100 +++ new/shorewall-lite-4.6.13/shorewall-lite.service.debian 2015-09-07 20:35:47.000000000 +0200 
@@ -0,0 +1,22 @@ +# +# The Shoreline Firewall (Shorewall) Packet Filtering Firewall +# +# Copyright 2011 Jonathan Underwood <[email protected]> +# Copyright 2015 Tom Eastep <[email protected]> +# +[Unit] +Description=Shorewall IPv4 firewall (lite) +Wants=network-online.target +After=network-online.target +Conflicts=iptables.service firewalld.service + +[Service] +Type=oneshot +RemainAfterExit=yes +EnvironmentFile=-/etc/default/shorewall-lite +StandardOutput=syslog +ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS +ExecStop=/sbin/shorewall-lite $OPTIONS stop + +[Install] +WantedBy=basic.target diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.11/shorewall-lite.spec new/shorewall-lite-4.6.13/shorewall-lite.spec --- old/shorewall-lite-4.6.11/shorewall-lite.spec 2015-07-06 23:57:58.000000000 +0200 +++ new/shorewall-lite-4.6.13/shorewall-lite.spec 2015-09-08 20:10:32.000000000 +0200 @@ -1,5 +1,5 @@ %define name shorewall-lite -%define version 4.6.11 +%define version 4.6.13 %define release 0base %define initdir /etc/init.d 
@@ -106,6 +106,30 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Mon Sep 07 2015 Tom Eastep [email protected] +- Updated to 4.6.13-0base +* Sun Aug 30 2015 Tom Eastep [email protected] +- Updated to 4.6.13-0RC1 +* Fri Aug 28 2015 Tom Eastep [email protected] +- Updated to 4.6.13-0Beta2 +* Thu Aug 27 2015 Tom Eastep [email protected] +- Updated to 4.6.13-0Beta1 +* Sat Aug 22 2015 Tom Eastep [email protected] +- Updated to 4.6.12-2 +* Fri Aug 21 2015 Tom Eastep [email protected] +- Updated to 4.6.12-1 +* Mon Aug 17 2015 Tom Eastep [email protected] +- Updated to 4.6.12-0base +* Sun Aug 16 2015 Tom Eastep [email protected] +- Updated to 4.6.12-0RC3 +* Thu Aug 13 2015 Tom Eastep [email protected] +- Updated to 4.6.12-0RC2 +* Thu Jul 30 2015 Tom Eastep [email protected] +- Updated to 4.6.12-0RC1 +* Mon Jul 13 2015 Tom Eastep [email protected] +- Updated to 4.6.12-0Beta2 +* Wed Jul 08 2015 Tom Eastep [email protected] +- Updated to 4.6.12-0Beta1 * Fri Jul 03 2015 Tom Eastep [email protected] - Updated to 4.6.11-0base * Mon Jun 29 2015 Tom Eastep [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.11/shorewallrc.debian new/shorewall-lite-4.6.13/shorewallrc.debian --- old/shorewall-lite-4.6.11/shorewallrc.debian 2015-07-06 23:57:58.000000000 +0200 +++ new/shorewall-lite-4.6.13/shorewallrc.debian 1970-01-01 01:00:00.000000000 +0100 
@@ -1,23 +0,0 @@ -# -# Debian Shorewall 4.5 rc file -# -BUILD= #Default is to detect the build system -HOST=debian -PREFIX=/usr #Top-level directory for shared files, libraries, etc. -SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. -LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. -PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory -CONFDIR=/etc #Directory where subsystem configurations are installed -SBINDIR=/sbin #Directory where system administration programs are installed -MANDIR=${PREFIX}/share/man #Directory where manpages are installed. -INITDIR=/etc/init.d #Directory where SysV init scripts are installed. -INITFILE=$PRODUCT #Name of the product's installed SysV init script -INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script -ANNOTATED= #If non-zero, annotated configuration files are installed -SYSCONFFILE=default.debian #Name of the distributed file to be installed in $SYSCONFDIR -SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service -SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed -SERVICEDIR= #Directory where .service files are installed (systems running systemd only) -SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR -VARLIB=/var/lib #Directory where product variable data is stored. -VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.11/shorewallrc.debian.systemd new/shorewall-lite-4.6.13/shorewallrc.debian.systemd --- old/shorewall-lite-4.6.11/shorewallrc.debian.systemd 1970-01-01 01:00:00.000000000 +0100 +++ new/shorewall-lite-4.6.13/shorewallrc.debian.systemd 2015-09-08 20:10:32.000000000 +0200 
@@ -0,0 +1,23 @@ +# +# Debian Shorewall 4.5 rc file +# +BUILD= #Default is to detect the build system +HOST=debian +PREFIX=/usr #Top-level directory for shared files, libraries, etc. +SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. +LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. +PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory +CONFDIR=/etc #Directory where subsystem configurations are installed +SBINDIR=/sbin #Directory where system administration programs are installed +MANDIR=${PREFIX}/share/man #Directory where manpages are installed. +INITDIR= #Directory where SysV init scripts are installed. +INITFILE= #Name of the product's installed SysV init script +INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script +ANNOTATED= #If non-zero, annotated configuration files are installed +SYSCONFFILE=default.debian #Name of the distributed file to be installed in $SYSCONFDIR +SERVICEFILE=$PRODUCT.service.debian #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service +SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed +SERVICEDIR=/lib/systemd/system #Directory where .service files are installed (systems running systemd only) +SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR +VARLIB=/var/lib #Directory where product variable data is stored. +VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.11/shorewallrc.debian.sysvinit new/shorewall-lite-4.6.13/shorewallrc.debian.sysvinit --- old/shorewall-lite-4.6.11/shorewallrc.debian.sysvinit 1970-01-01 01:00:00.000000000 +0100 +++ new/shorewall-lite-4.6.13/shorewallrc.debian.sysvinit 2015-09-08 20:10:32.000000000 +0200 
@@ -0,0 +1,23 @@ +# +# Debian Shorewall 4.5 rc file +# +BUILD= #Default is to detect the build system +HOST=debian +PREFIX=/usr #Top-level directory for shared files, libraries, etc. +SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. +LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. +PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory +CONFDIR=/etc #Directory where subsystem configurations are installed +SBINDIR=/sbin #Directory where system administration programs are installed +MANDIR=${PREFIX}/share/man #Directory where manpages are installed. +INITDIR=/etc/init.d #Directory where SysV init scripts are installed. +INITFILE=$PRODUCT #Name of the product's installed SysV init script +INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script +ANNOTATED= #If non-zero, annotated configuration files are installed +SYSCONFFILE=default.debian #Name of the distributed file to be installed in $SYSCONFDIR +SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service +SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed +SERVICEDIR= #Directory where .service files are installed (systems running systemd only) +SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR +VARLIB=/var/lib #Directory where product variable data is stored. +VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.11/uninstall.sh new/shorewall-lite-4.6.13/uninstall.sh --- old/shorewall-lite-4.6.11/uninstall.sh 2015-07-06 23:57:58.000000000 +0200 +++ new/shorewall-lite-4.6.13/uninstall.sh 2015-09-08 20:10:32.000000000 +0200 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.11 +VERSION=4.6.13 PRODUCT=shorewall-lite usage() # $1 = exit status ++++++ shorewall-4.6.11.tar.bz2 -> shorewall6-4.6.13.tar.bz2 ++++++ ++++ 130002 lines of diff (skipped) ++++++ shorewall-lite-4.6.11.tar.bz2 -> shorewall6-lite-4.6.13.tar.bz2 ++++++ ++++ 9435 lines of diff (skipped)
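Review bot: changelog.txt, hunk @@ -1,9 +1,93 @@: the first 4.6.13 Final entry reads "non-expoerts" where "non-experts" is meant, and the 4.6.13 Beta 1 list jumps from item 4) to item 6) with no item 5). Either renumber the list or restore the missing entry, so that the changelog can be matched one-to-one against the seven corrected problems in releasenotes.txt.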
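Review bot: configure, hunk @@ -102,7 +102,7 @@ (debian|ubuntu case): as shown, the new line joins the test and both assignments with single pipes, "fgrep -q systemd | vendor=debian.systemd | vendor=debian.sysvinit". Each assignment then runs as a pipeline element in its own subshell, so vendor is never set in the calling shell and the rc file lookup that follows has nothing to work with. The line needs "&&" before the first assignment and "||" before the second, or a plain if/else. Matching "systemd" in the output of "ls -l /sbin/init" also only works where /sbin/init is a symlink whose target path contains that string; a comment stating that assumption would help the next reader.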
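Review bot: configure.pl, hunk @@ -68,14 +68,16 @@: the added "$params{HOST} =~ s/\..*//;" has no comment, and it is not obvious that its purpose is to strip the ".systemd" or ".sysvinit" suffix so that HOST stays "debian" while $vendor keeps the suffix for selecting the rc file. Please say so in a comment, since the substitution applies to every vendor string, not just the Debian ones. The backtick call to "ls -l /sbin/init" could be replaced with Perl's built-in readlink, which avoids spawning a process and parsing ls output.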
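Review bot: configure.pl, hunk @@ -84,7 +86,7 @@ (and the matching hunk @@ -130,7 +130,7 @@ in configure): the fallback for hosts identified only by /etc/debian_version now hard-codes shorewallrc.debian.sysvinit, without the /sbin/init check that the os-release path gained in this same change. A systemd-based Debian host that reaches this branch gets the SysV rc file, with SERVICEDIR and SERVICEFILE empty, so the new .service file is not installed. Either apply the same systemd test here or document that the fallback is sysvinit-only by design.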
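Review bot: releasenotes.txt, hunk @@ -375,7 +393,158 @@: the WARNING under the new 4.6.12 'update' options refers to "your CONFIG_FILE setting", while item 5) of the 4.6.13 new features in hunk @@ -45,44 +67,40 @@ calls the same setting CONFIG_PATH. One of the two names is wrong and should be corrected, because the warning concerns which copy of a configuration file 'update' rewrites. The same hunk has "indeterminent" for "indeterminate" in the 4.6.12.1 notes, "scrips" for "scripts" in item 3), and a mismatched closing quote in 'Updating..." in item 1).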
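Review bot: shorewall-lite.service.debian, hunk @@ -0,0 +1,22 @@: "Wants=network-online.target" together with "After=network-online.target" orders the firewall start after the network is already up, so unless something else loads rules earlier there is a window during boot in which interfaces are configured and the Shorewall ruleset is not yet in place. If the compiled script does not need the interfaces to be up, ordering the unit before the network (for example Before=network-pre.target with Wants=network-pre.target) closes that window; if it does need them, a comment in the unit explaining why would be useful. The unit also declares WantedBy=basic.target while being ordered after network-online.target, which is reached later in boot, and that combination deserves a comment as well.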
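Review bot: shorewallrc.debian.systemd and shorewallrc.debian.sysvinit, hunks @@ -0,0 +1,23 @@: both new files keep the identical header "# Debian Shorewall 4.5 rc file", so nothing in the file says which init system it targets; the header should name systemd or sysvinit. In the systemd variant, INITDIR and INITFILE are emptied but "INITSOURCE=init.debian.sh" is still set. If the installer ignores INITSOURCE when INITDIR is empty, clear it for consistency; if it does not, the SysV script could still be installed alongside the .service file.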
