diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/changelog.txt shorewall6-lite-5.0.0/changelog.txt --- shorewall6-lite-4.6.13/changelog.txt 2015-09-08 11:10:32.580535219 -0700 +++ shorewall6-lite-5.0.0/changelog.txt 2015-10-09 13:28:27.025286787 -0700 
@@ -1,782 +1,65 @@ -Changes in 4.6.13 Final - -1) Allow non-expoerts access to the user bits in the fw mark. - -Changes in 4.6.13 RC 1 - -1) Update release documents. - -2) Unconditionally get inline matches. - -Changes in 4.6.13 Beta 2 - -1) Update release documents. - -2) Restore tcrules conversion. - -3) Place a header on a newly-created mangle file. - -Changes in 4.6.13 Beta 1 - -1) Update release documents. - -2) Correct 'rules' man pages. - -3) Correct parsing of IPv6 ranges - -4) Correct the shorewall6-hosts(5) manpage. - -6) Improve update - -7) Allow 'second' and 'minute' in LOGLIMIT specifications - -8) Update -t also converts the TOS file - -9) Fix INLINE(...):... - -Changes in 4.6.12.1 - -1) Update release documents. - -2) Correct a warning message. - -3) Attempt a 'restore' after a fatal error during start/restart. - -Changes in 4.6.12 Final - -1) Update release documents. - -2) Correct an error message. - -3) Use NYTProf as the profiler - -Changes in 4.6.12 RC 3 - -1) Fully activate the new update options. - -Changes in 4.6.12 RC 2 - -1) Update release documents. - -2) Update module versions. - -3) Allow =0 on multi-zone interfaces - -4) Port 'update' improvements from 5.0.0. - -Changes in 4.6.12 RC 1 - -1) Update release documents. - -2) Add Debian-specific .service files - -3) Create dual shorewallrc files for Debian - -Changes in 4.6.12 Beta 1 - -1) Update release documents. - -2) Enhance compiler() progress message. - -3) Make script generations repeatable. - -Changes in 4.6.11 Final - -1) Update release documents. - -2) Clean up PATH fix. - -3) Change shorewall6.conf to specify INLINE_MATCHES=No. - -Changes in 4.6.11 RC 1 - -1) Update release documents. - -2) Allow selection in 'show connections' - -3) Ensure that the compiler has a usable PATH - -4) Correctly handle IPv4 DHCP incoming requests with 'rpfilter'. - -Changes in 4.6.11 Beta 3 - -1) Update release documents. - -2) Correct the test for ordinary user accessing the default config. 
- -3) Eliminated the usage() function in lib.cli-std - -4) Don't get script's version if it was just compiled - -5) Append default PATH to the active PATH in the compiler. - -Changes in 4.6.11 Beta 2 - -1) Update release documents. - -2) Don't invoke 'postcompile' when compilation isn't done. - -Changes in 4.6.11 Beta 1 - -1) Update release documents. - -2) Add WORKAROUNDS option - -3) Merge Tuomo's fixes. - -4) Fix 'compile -c' progress message - -Changes in 4.6.10 Final - -1) Update release documents. - -2) Update Module Versions - -3) Tuomo Soini's fix to enable/disable. - -Changes in 4.6.10 RC 1 - -1) Update release documents. - -2) load= enhancements - -3) Indicate success when no ipsets are saved by the script - -4) load= corrections. - -5) IPv6 findgw. - -Changes in 4.6.10 Beta 2 - -1) Update release documents. - -2) Add queue-balance and queue-bypass options to NFQUEUE. - -3) Implement 'call' in the compiled program and externalize 'call' in - the CLI. - -Changes in 4.6.10 Beta 1 - -1) Update release documents. - -2) Fix Shorewall-init bailing out when a product didn't start/stop - -3) Return exit status 6 for non-configured firewall. - -4) Don't require a helper for ctevents and expevents. - -Changes in 4.6.9 Final - -1) Update release documents. - -Changes in 4.6.9 RC 2 - -1) Update release documents. - -2) Fix generated code. - - - Eliminate syntax error - - Correct handling of required interfaces when 'wait' is specified. - -Changes in 4.6.9 RC 1 - -1) Update release documents. - -2) More detect_configuration() optimization. - -3) Add 'reenable' command. - -4) Fix helper capabilities detection. - -Changes in 4.6.9 Beta 3 - -1) Update release documents. - -2) Clarify how to avoid loading helper modules. - -3) Merge Tuomo Soini's QUIC macro. - -4) Merge Tuomo Soini's deprecation of the JabberSecure macro. - -5) Correct rule generated by SetEvent and ResetEvent. - -6) Optimize detect_configuration() for enable/disable. 
- -Changes in 4.6.9 Beta 2 - -1) Update release documents. - -2) Add brief mention of 'list' and 'ls' to the CLI manpages. - -3) Add complete syntax in the CLI manpages. - -4) Add Tuomo Soini's fixes for .service files. - -Changes in 4.6.9 Beta 1 - -1) Update release documents. - -2) Implement TCPMSS_TARGET capability. - -Changes in 4.6.8 Final - -1) Update release documents. - -2) Apply Matt Darfeuille's uninstall fixes - -Changes in 4.6.8 RC 1 - -1) Update release documents. - -2) Correct the Shorewall-init installer. - -3) Apply nfw's fix for IP[6]TABLES in the conntrack file. - -Changes in 4.6.8 Beta 3 - -1) Update release documents. - -2) Implement ICMP handling in 'open' and 'close' - -3) Implement 'savesets' command. - -4) Allow comma-separated lists in the rtrules file. - -Changes in 4.6.8 Beta 2 - -1) Update release documents. - -2) Improve the 'close' and 'show opens' commands. - -Changes in 4.6.8 Beta 1 - -1) Update release documents. - -2) Implement the 'open' and 'close' commands - -Changes in 4.6.7 Final - -1) Update release documents. - -Changes in 4.6.7 RC 1 - -1) Update release documents. - -Changes in 4.6.7 Beta 1 - -1) Update release documents. - -2) Add 'tinc' tunnel support. - -3) Add parameter to SAME. - -4) Implement ADD and DEL in the mangle file. - -Changes in 4.6.6.2 - -1) Update release documents. - -2) Clarify Zone Exclusion - -3) Correct handling of +set[n] - -4) Apply Orion Paplawski's MODULE_SUFFIX patch. - -5) Update MODULE_SUFFIX="ko ko.xz" in samples. - -Changes in 4.6.6.1 - -1) Update release documents. - -2) Allow SAVE and RESTORE in the INPUT chain. - -3) Correct manpage descriptions of mangle SAVE and RESTORE - -4) Protect 'enable' and 'disable' with mutex - -5) Change the installation default value of INLINE_MATCHES - -6) Correct the file name in mangle split_line error messages - -7) Propagate the LOCKFILE setting to the generated script - -Changes in 4.6.6 Final - -1) Update release documents. 
- -2) Apply Tuomo Soini's fix for Shorewall-init. - -3) Make leading 'SHELL' case sensitive. - -4) Zabbix Macro from Tuomo Soini. - -5) Tinc Macro from Răzvan Sandu. - -Changes in 4.6.6 RC 1 - -1) Update release documents. - -2) Add 'primary' provider option. - -3) Correct ipset names in port columns. - -Changes in 4.6.6 Beta 3 - -1) Update release documents. - -2) Add the 'loopback' interface option. - -3) Use 'Iface match' for loopback interfaces where practical. - -Changes in 4.6.6 Beta 2 - -1) Update release documents. - -2) Document the -c option to the 'dump' and 'show routing' commands. - -3) Implement the 'TARPIT' target. - -Changes in 4.6.6 Beta 1 - -1) Update release documents. - -2) Minor reorganization of Shorewall::Compiler::compiler() - -3) Cosmetic/commentary changes to Shorewall::Config - -4) Start firewall after network-online target has been reached - -Changes in 4.6.5.3 - -1) Update release documents. - -2) Correct shorewall-init scripts to use VARLIB rather than VARDIR - (Roberto Sanchez) - -3) Correct handling of dynamic zones - -4) Correct handling of mark ranges - -Changes in 4.6.5.2 - -1) Update release documents. - -2) Fix IPv6 LOG_BACKEND=LOG - -Changes in 4.6.5.1 - -1) Update release documents. - -2) Apply Alan Barrett's dhclient patch - -3) Make emacs sh-mode work better with lib.core - -4) Fix setting of options[SERVICEDIR] in configure - -5) Rename SYSTEMDDIR to SERVICEDIR in shorewallrc.* - -6) Eliminate redundant "/" in the installers - -Changes in 4.6.5 Final - -1) Update release documents. - -2) Apply Thomas D's manpage fixes. - -3) Correct .service files. - -Changes in 4.6.5 RC 1 - -1) Update release documents. - -2) Correct a couple of defects in the -C code. - -3) Fix LOG_BACKEND on kernel 3.17. - -Changes in 4.6.5 Beta 3 - -1) Update release documents. - -2) Process params files with $SHOREWALL_SHELL. - -3) Implement the -C option. - -Changes in 4.6.5 Beta 2 - -1) Update release documents. 
- -2) Defect repair from the 4.6.4 branch. - -3) Allow both source and dest limits in the RATE LIMIT column. - -Changes in 4.6.5 Beta 1 - -1) Update release documents. - -2) Merge defect repair from 4.6.4. - -Changes in 4.6.5 Beta 1 - -1) Update release documents. - -2) New .service file strategy. - -Changes in 4.6.4.1 - -1) Update release documents - -2) Eliminate confusing output during 'save', 'safe-*' and 'try' - commands. - -3) Remove 'optional' from the Universal interfaces file. - -Changes in 4.6.4 Final - -1) Update release documents - -Changes in 4.6.4 RC 1 - -1) Update release documents - -2) Added FAQ 104 (kernel log messages during compile). - -3) Create INITD in the -lite installer. - -4) Don't link init script if there is none. - -5) Add -n option to the installers and uninstallers. - -6) Support SANDBOX in the installers and uninstallers. - -7) Correct many defects in the uninstallers. - -Changes in 4.6.4 Beta 3 - -1) Update release documents - -2) Allow SAVE_IPSETS to specify a list of ipset names. - -3) Document .spec and actions.std fixes. - -3) Packaging changes. - -Changes in 4.6.4-Beta 2 - -1) Update release documents - -2) Correct minor issue in a warning message. - -3) Implement LOG_BACKEND. - -4) Correct stoppedrules/ADMINISABSENTMINDED=No - -Changes in 4.6.4-Beta 1 - -1) Update release documents - -2) Install support for Centos 7 and Foobar 7 - -3) Tweaks to .service files. - -Changes in 4.6.3.4 - -1) Update release documents - -2) Remove the 'optional' option from the Universal 'net' entry in - interfaces. - -3) Don't check for required interfaces on 'stop' and 'clear'. - -4) Merge the defect repair from 4.6.2.5 into 4.6.3. - -Changes in 4.6.3.3 - -1) Update release documents - -2) Re-enable SECTION PREROUTING in the accounting file - -3) Eliminate many superfluous rules for tcpflags, nosmurfs and maclist - -Changes in 4.6.3.2 - -1) Update release documents - -2) Document the Goto-Meeting macro. 
- -3) Correct silly logic error - -4) Correct examples in actions manpages. - -5) Issue warning when /etc/iproute2/rt_tables is not writeable. - -6) Remove redundant help text output from -lite CLIs. - -Changes in 4.6.3.1 - -1) Update release documents - -2) Correct the u32 match string in action.DNSAmp. - -3) Clarify REJECT handling in IP[6]TABLES rules. - -Changes in 4.6.3 Final - -1) Update release documents. - -2) Apply Thomas D's fix for SAVE_IPSETS on Debian. - -Changes in 4.6.3 RC 1 - -1) Update release documents. - -2) Minor code and documentation cleanup. - -3) Defect repair from 4.6.2.5. - -hanges in 4.6.3 Beta 2 - -1) Update release documents. - -2) Add DNSAmp action - -3) Allow inline matches in action bodies (from 4.6.2.4) - -4) Allow physical names to be used in the INTERFACE column of the - providers file. - -Changes in 4.6.3 Beta 1 - -1) Update release documents. - -2) Describe new helper assignment in the FTP article. - -3) Merge defect repair from 4.6.2.3. - -4) Implement the 'run' command. - -Changes in 4.6.2.2 - -1) Update release documents. - -2) Detect Header Match when LOAD_MODULES_ONLY = No. - -3) Correct IPv6 ipset support detection on later kernels. - -4) Correct detection of the Ipset Counter capability. - -5) Detect Arptables JF when LOAD_MODULES_ONLY = No. - -6) Update the tcfilter manpages to mention BASIC_FILTER - -Changes in 4.6.2.1 - -1) Update release documents. - -2) Two issues with tcrules processing were corrected. - -Changes in 4.6.2 Final - -1) Update release documents. - -Changes in 4.6.2 RC 1 - -1) Update release documents. - -2) Allow specification of the GATEWAY MAC address. - -3) Fix some brokenness in installation under Cygwin. - -Changes in 4.6.2 Beta 2 - -1) Update release documents. - -2) Update Events.xml with a stateful port knocking example. - -3) Apply Thibaut Chèze's patch for DSCP names. - -4) Allow SAVE/RESTORE rules in the OUTPUT chain. - -5) Add ILO macro from Tuomo Soini. 
- -6) Apply Tuomo Soini's patch to add additional ports to the IPMI - macro. - -Changes in 4.6.2 Beta 1 - -1) Update release documents. - -2) Implement 'status -i' - -3) Implement 'show bl' - -4) Add TIME column to the mangle file - -Changes in 4.6.1.3 - -1) Update release documents. - -2) Correct handling of DSCP class names. - -3) Allow SAVE and RESTORE in the output chain. - -Changes in 4.6.1.3 - -1) Update release documents. - -2) Correct the compiler's handling of IfEvent. - -Changes in 4.6.1.2 - -1) Update release documents. - -2) Correct 'masq' manpages. - -3) Allow INLINE_MATCHES=Yes with AUTOHELPERS=No to work correctly. - -Changes in 4.6.1.1 - -1) Update release documents. - -2) Raise an error when a server list is specified in a DNAT or - REDIRECT rule. - -3) Correct Shorewall-init Debian init script - -Changes in 4.6.1 - -1) Update release documents. - -2) New Macros - -3) Apply pi-Rho's fix for rpfilter vs. dynamic chain. - -Changes in 4.6.0.3 - -1) Update release documents. - -2) Fix RHEL7 installation of Shorewall-init. - -3) Merge content from 4.5.21.10 - -Changes in 4.6.0.2 - -1) Update release documents. - -2) Correct handling of tcrules upgrade with 'upgrade -A'. - -3) Apply Tuomo Soini's whitespace patch. - -4) Extend Orion Poplawski's RHEL7 patch. - -5) Add FAQ 2e. - -6) Update Support article. - -7) Fix shorewall-masq SOURCE description - -Changes in 4.6.0.1 - -1) Update release documents. - -2) Correct CHECKSUM handling. - -3) Apply Simon Mater's cosmetic changes to 'mangle' file. - -4) Correct chain designator editing. - -Changes in 4.6.0 Final - -1) Update release documents. - -2) Upgrade IPv6 actions to FORMAT-2. - -Changes in 4.6.0 RC 3 - -1) Update release documents. - -2) Deprecate FORMAT-1 actions and macros. - -Changes in 4.6.0 RC 2 - -1) Update release documents. - -2) Add additional tabs to mangle files. - -3) Add link from Multi-ISP to packet marking. 
- -4) Updated the installers to install the .service files with mode 644 - rather than 600. - -Changes in 4.6.0 RC 1 +Changes in 5.0.0 1) Update release documents. -2) Make LOAD_HELPERS_ONLY=Yes the default. +2) Remove options from 'update' warning messages. -3) Merge 4.5.21.8/9 defect repair. +3) Update documentation for obsolete file removal. -4) Improve host interface inheritance. +4) Apply Erich Titl's 'date' fix. -Changes in 4.6.0 Beta 6 +Changes in 5.0.0 RC 1 1) Update release documents. -2) Merge 4.5.21.7 defect repair. +2) .service file fixes from Tuomo Soini -Changes in 4.6.0 Beta 5 +Changes in 5.0.0 Beta 2 1) Update release documents. -2) Add -t and -A update options. +2) Correct the 'reset' command -3) Implemented the BASIC_FILTERS option. +3) Allow table names in the reset command. -4) Documentation updates. +4) Add Gluster FS action -Changes in 4.6.0 Beta 4 +Changes in 5.0.0 Beta 1 1) Update release documents. -2) Defect repair for issues reported by testers. - -3) Support ipset lists in the tcfilters file. - -4) Cocument ipset use in tcfilters. - -5) Corrected 'dump' help text - -Changes in 4.6.0 Beta 3 - -1) Update release documents. +2) Redefine 'reload' and 'restart'. -2) Merge defect repair from Shorewall 4.5.21.6. +3) Eliminate service.214 files. -3) Implement basic filter generation in the tcfilters file. +4) Add 'reload' to the service files. -Changes in 4.6.0 Beta 2 +5) Allow connlimit by destination. -1) Update release documents. +6) Add the LEGACY_RESTART option. -2) Make tcpflags the default. +7) Deimplement support for several old options -3) ipset names in PORT columns. +8) Merge from 4.6.12 -4) ipset extensions. +9) Correct a warning message to refer to 'mangle' rather than + 'tcrules'. -5) DROP in stoppedrules +10) Drop support for the 'tos', 'tcrules', 'routestopped', 'notrack' + and 'blacklist' files. -Changes in 4.6.0 Beta 1 +11) Disallow bare SECTION, COMMENT and FORMAT lines. -1) Update release documents. 
+12) The -t update option also converts the 'tos' file. -2) Change ZONE2ZONE default. +13) Merge from 4.6.13. -3) Implement ?SECTION +14) Remove all of the individual options from the 'update' command. -4) Finish INLINE in tcrules. +15) Delimit inline matches with ';;'. -5) Add INLINE to masq. +16) Allow log-tags in shorewall.conf options -6) Implement INLINE_MATCHES +17) Allow non-expoerts access to the user bits in the fw mark. -7) Implement IP[6]TABLES actions in several files. +18) Add a PROBABILITY column to the masq files diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/configpath shorewall6-lite-5.0.0/configpath --- shorewall6-lite-4.6.13/configpath 2015-09-07 11:35:47.000000000 -0700 +++ shorewall6-lite-5.0.0/configpath 2015-10-08 13:16:32.000000000 -0700 @@ -1,5 +1,5 @@ # -# Shorewall6 Lite version 4.1 - Default Config Path +# Shorewall6 Lite version 5 - Default Config Path # # /usr/share/shorewall-lite/configpath # diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/configure shorewall6-lite-5.0.0/configure --- shorewall6-lite-4.6.13/configure 2015-09-08 11:10:32.584535235 -0700 +++ shorewall6-lite-5.0.0/configure 2015-10-09 13:28:27.029286819 -0700 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.13 +VERSION=5.0.0 case "$BASH_VERSION" in [4-9].*) diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/configure.pl shorewall6-lite-5.0.0/configure.pl --- shorewall6-lite-4.6.13/configure.pl 2015-09-08 11:10:32.588535257 -0700 +++ shorewall6-lite-5.0.0/configure.pl 2015-10-09 13:28:27.029286819 -0700 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.13' + VERSION => '5.0.0' }; my %params; diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/helpers shorewall6-lite-5.0.0/helpers --- shorewall6-lite-4.6.13/helpers 2015-09-08 11:10:32.576535190 -0700 +++ shorewall6-lite-5.0.0/helpers 2015-10-09 13:28:27.021286760 -0700 
@@ -1,5 +1,5 @@ # -# Shorewall6 version 4 - Helpers File +# Shorewall6 version 5 - Helpers File # # /usr/share/shorewall6/helpers # diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/install.sh shorewall6-lite-5.0.0/install.sh --- shorewall6-lite-4.6.13/install.sh 2015-09-08 11:10:32.576535190 -0700 +++ shorewall6-lite-5.0.0/install.sh 2015-10-09 13:28:27.021286760 -0700 @@ -22,7 +22,7 @@ # along with this program; if not, see . # -VERSION=4.6.13 +VERSION=5.0.0 usage() # $1 = exit status { diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/manpages/shorewall6-lite.8 shorewall6-lite-5.0.0/manpages/shorewall6-lite.8 --- shorewall6-lite-4.6.13/manpages/shorewall6-lite.8 2015-09-08 11:13:25.461442800 -0700 +++ shorewall6-lite-5.0.0/manpages/shorewall6-lite.8 2015-10-09 13:31:12.118413807 -0700 @@ -2,12 +2,12 @@ .\" Title: shorewall6-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 09/08/2015 +.\" Date: 10/09/2015 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL6\-LITE" "8" "09/08/2015" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL6\-LITE" "8" "10/09/2015" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -221,6 +221,7 @@ \fB\-f\fR is given, the command will be processed by the compiled script that executed the last successful \fBstart\fR, +\fBreload\fR, \fBrestart\fR or \fBrefresh\fR 
@@ -466,6 +467,29 @@ \fIaddress\fRes to be silently rejected\&. .RE .PP +\fBreload \fR[\-n] [\-p] [\-\fBC\fR] +.RS 4 +Added in Shorewall 5\&.0\&.0, +\fBreload\fR +is similar to +\fBshorewall6\-lite start\fR +except that it assumes that the firewall is already started\&. Existing connections are maintained\&. +.sp +The +\fB\-n\fR +option causes shorewall6\-lite to avoid updating the routing table(s)\&. +.sp +The +\fB\-p\fR +option causes the connection tracking table to be flushed; the +\fBconntrack\fR +utility must be installed to use this option\&. +.sp +The +\fB\-C\fR +option was added in Shorewall 4\&.6\&.5\&. If the specified (or implicit) firewall script is the one that generated the current running configuration, then the running netfilter configuration will be reloaded as is so as to preserve the iptables packet and byte counters\&. +.RE +.PP \fBreset [\fR\fB\fIchain\fR\fR\fB, \&.\&.\&.]\fR .RS 4 Resets the packet and byte counters in the specified @@ -476,9 +500,9 @@ .PP \fBrestart \fR[\-n] [\-p] [\-\fBC\fR] .RS 4 -Restart is similar to -\fBshorewall6\-lite start\fR -except that it assumes that the firewall is already started\&. Existing connections are maintained\&. +Beginning with Shorewall 5\&.0\&.0, this command performs a true restart\&. The firewall is completely stopped as if a +\fBstop\fR +command had been issued then it is started again\&. .sp The \fB\-n\fR diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/manpages/shorewall6-lite.conf.5 shorewall6-lite-5.0.0/manpages/shorewall6-lite.conf.5 --- shorewall6-lite-4.6.13/manpages/shorewall6-lite.conf.5 2015-09-08 11:13:22.905429374 -0700 +++ shorewall6-lite-5.0.0/manpages/shorewall6-lite.conf.5 2015-10-09 13:31:09.530396136 -0700 
@@ -2,12 +2,12 @@ .\" Title: shorewall6-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 09/08/2015 +.\" Date: 10/09/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL6\-LITE\&.C" "5" "09/08/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL6\-LITE\&.C" "5" "10/09/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/manpages/shorewall6-lite-vardir.5 shorewall6-lite-5.0.0/manpages/shorewall6-lite-vardir.5 --- shorewall6-lite-4.6.13/manpages/shorewall6-lite-vardir.5 2015-09-08 11:13:23.989435066 -0700 +++ shorewall6-lite-5.0.0/manpages/shorewall6-lite-vardir.5 2015-10-09 13:31:10.630403642 -0700 @@ -2,12 +2,12 @@ .\" Title: shorewall6-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 09/08/2015 +.\" Date: 10/09/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL6\-LITE\-VA" "5" "09/08/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL6\-LITE\-VA" "5" "10/09/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/manpages/shorewall6-lite.xml shorewall6-lite-5.0.0/manpages/shorewall6-lite.xml --- shorewall6-lite-4.6.13/manpages/shorewall6-lite.xml 2015-09-08 11:13:25.557443304 -0700 +++ shorewall6-lite-5.0.0/manpages/shorewall6-lite.xml 2015-10-09 13:31:12.222414500 -0700 
@@ -699,8 +699,9 @@ If is given, the command will be processed by the compiled script that executed the last successful - start, restart or - refresh command if that script exists. + start, reload, restart or refresh command + if that script exists. @@ -1004,6 +1005,31 @@ + reload [-n] [-p] + [-] + + + Added in Shorewall 5.0.0, reload is similar to shorewall6-lite + start except that it assumes that the firewall is already + started. Existing connections are maintained. + + The option causes shorewall6-lite to avoid + updating the routing table(s). + + The option causes the connection tracking + table to be flushed; the conntrack utility must + be installed to use this option. + + The option was added in Shorewall 4.6.5. + If the specified (or implicit) firewall script is the one that + generated the current running configuration, then the running + netfilter configuration will be reloaded as is so as to preserve the + iptables packet and byte counters. + + + + reset [chain, ...] @@ -1020,9 +1046,10 @@ [-] - Restart is similar to shorewall6-lite start - except that it assumes that the firewall is already started. - Existing connections are maintained. + Beginning with Shorewall 5.0.0, this command performs a true + restart. The firewall is completely stopped as if a + stop command had been issued then it is started + again. The option causes shorewall6-lite to avoid updating the routing table(s). diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/modules shorewall6-lite-5.0.0/modules --- shorewall6-lite-4.6.13/modules 2015-09-08 11:10:32.572535170 -0700 +++ shorewall6-lite-5.0.0/modules 2015-10-09 13:28:27.017286737 -0700 
@@ -1,5 +1,5 @@ # -# Shorewall6 version 4 - Modules File +# Shorewall6 version 5 - Modules File # # /usr/share/shorewall6/modules # diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/modules.essential shorewall6-lite-5.0.0/modules.essential --- shorewall6-lite-4.6.13/modules.essential 2015-09-08 11:10:32.572535170 -0700 +++ shorewall6-lite-5.0.0/modules.essential 2015-10-09 13:28:27.017286737 -0700 @@ -1,5 +1,5 @@ # -# Shorewall6 version 4 - Essential Modules File +# Shorewall6 version 5 - Essential Modules File # # /usr/share/shorewall6/modules.essential # diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/modules.extensions shorewall6-lite-5.0.0/modules.extensions --- shorewall6-lite-4.6.13/modules.extensions 2015-09-08 11:10:32.572535170 -0700 +++ shorewall6-lite-5.0.0/modules.extensions 2015-10-09 13:28:27.017286737 -0700 @@ -1,5 +1,5 @@ # -# Shorewall6 version 4 - Extensions Modules File +# Shorewall6 version 5 - Extensions Modules File # # /usr/share/shorewall6/modules.extension # diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/modules.ipset shorewall6-lite-5.0.0/modules.ipset --- shorewall6-lite-4.6.13/modules.ipset 2015-09-08 11:10:32.572535170 -0700 +++ shorewall6-lite-5.0.0/modules.ipset 2015-10-09 13:28:27.017286737 -0700 @@ -1,5 +1,5 @@ # -# Shorewall version 4 - IP Set Modules File +# Shorewall version 5 - IP Set Modules File # # /usr/share/shorewall6/modules.ipset # diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/modules.tc shorewall6-lite-5.0.0/modules.tc --- shorewall6-lite-4.6.13/modules.tc 2015-09-08 11:10:32.572535170 -0700 +++ shorewall6-lite-5.0.0/modules.tc 2015-10-09 13:28:27.017286737 -0700 
@@ -1,5 +1,5 @@ # -# Shorewall6 version 4 - Traffic Shaping Modules File +# Shorewall6 version 5 - Traffic Shaping Modules File # # /usr/share/shorewall6/modules.tc # diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/modules.xtables shorewall6-lite-5.0.0/modules.xtables --- shorewall6-lite-4.6.13/modules.xtables 2015-09-08 11:10:32.572535170 -0700 +++ shorewall6-lite-5.0.0/modules.xtables 2015-10-09 13:28:27.017286737 -0700 @@ -1,5 +1,5 @@ # -# Shorewall6 version 4 - Xtables Modules File +# Shorewall6 version 5 - Xtables Modules File # # /usr/share/shorewall6/modules.xtables # diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/releasenotes.txt shorewall6-lite-5.0.0/releasenotes.txt --- shorewall6-lite-4.6.13/releasenotes.txt 2015-09-08 11:10:32.580535219 -0700 +++ shorewall6-lite-5.0.0/releasenotes.txt 2015-10-09 13:28:27.025286787 -0700 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 1 3 - ------------------------------ - S e p t e m b e r 0 9 , 2 0 1 5 + S H O R E W A L L 5 . 0 . 0 + ---------------------------- + O c t o b e r 1 0 , 2 0 1 5 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -11,50 +11,13 @@ V. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES ---------------------------------------------------------------------------- - N O T I C E - -Shorewall 4.6.13 is scheduled to be the last 4.6 release. In -the fall of 2015, Shorewall 5.0.0 will be available. Please see -http://www.shorewall.org/Shorewall-5.html for information about -preparing to migrate to Shorewall 5. - ----------------------------------------------------------------------------- I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The 'rules' file manpages have been corrected regarding the packets - that are processed by rules in the NEW section. - -2) Parsing of IPv6 address ranges has been corrected. Previously, use - of ranges resulted in 'Invalid IPv6 Address' errors. - -3) The shorewall6-hosts man page has been corrected to show the - proper contents of the HOST(S) column. - -4) Previously, INLINE statements in the mangle file were not - recognized if a chain designator (:F, :P, etc.) followed - INLINE(...). As a consequence, additional matches following a - semicolon were interpreted as column/value pairs unless - INLINE_MATCHES=Yes, resulting in compilation failure. - -5) Inline matches on IP[6]TABLE rules could be ignored if - INLINE_MATCHES=No. They are now recognized. - -6) Specifying an action with a logging level in one of the _DEFAULT - options in shorewall[6].conf (e.g., REJECT_DEFAULT=Reject:info) - produced a compilation error: - - ERROR: Invalid value (:info) for first Reject parameter - /usr/share/shorewall/action.Reject (line 52) - - That has been corrected. Note, however, that specifying logging - with a default action tends to defeat one of the main purposes of - default actions which is to suppress logging. +1) This release includes defect repair up through Shorewall 4.6.13.1. 
-7) Previously, it was necessary to set TC_EXPERT=Yes to have full - access to the user mark in fw marks. That has been corrected so - that any place that a mark or mask can be specified, both the TC - mark and the User mark are accessible. +2) The compiled script now uses the %e date format rather than %_d, + for Busybox compatibilty. (Erich Titl) ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -67,252 +30,214 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) 'update -t' now converts both the tcrules and tos files. - -2) 'second' and 'minute' are now allowed in the LOGLIMIT - specification in place of 'sec' and 'min' respectively. - -3) The 'update' command now converts additional deprecated option - settings: +1) To make the command names more accurately reflect what they do, + several changes have been included: - - LOGRATE/LOGBURST are converted to the equivalent LOGLIMIT - setting. + a) Beginning with this release, the 'restart' command now does a + true restart and is equivalent to a 'stop' followed by a + 'start'. - - BLACKLISTNEWONLY is now converted to the equivalent BLACKLIST - setting. + b) The pre-5.0.0 'load' command has been renamed 'remote_start'. -4) Two settings now have more reasonable defaults if they don't appear - in the .conf file being updated: + c) The pre-5.0.0 'reload' command has been renamed 'remote_reload'. - - USE_DEFAULT_RT now defaults to No - - EXPORTMODULES now defaults to No. + c) The 'reload' command now performs the same function as the + pre-5.0.0 'restart' command. -5) When the 'update' command is converting a deprecated file, it now - makes additional checks when it finds a target file (mangle, - stoppedrules or blrules) to append the converted rules to: + d) A 'remote_restart' command has been added to Shorewall and + Shorewall6 to allow a remote 'restart' after updating the + remote firewall system's compiled script. - - If the file is in the directory $SHAREDIR/$product/configfiles/, - the file is not opened. - - If the file is in the directory - $SHAREDIR/doc/$product/default-config/, the file is not opened. - - If the file is not writable, the file is not opened. +2) For those that can't get used to the idea of using 'reload' in + place of 'restart', a LEGACY_RESTART option has been added. 
The + option defaults to No but if set to Yes, then the 'restart' command + does what it has always done. - When the file isn't opened because of one of these checks, an - attempt is made to create a new file in either the directory - specified on the command line (if any) or in the first directory - listed in the CONFIG_PATH setting. +3) It is now possible to limit connections by destination address in + the rules file by prefixing the CONNLIMIT setting with 'd:'. ----------------------------------------------------------------------------- - I V. M I G R A T I O N I S S U E S ----------------------------------------------------------------------------- +4) While the WORKAROUNDS setting is still present in the + shorewall[6].conf files: -1) If you are migrating from Shorewall 4.4.x or earlier, please see - http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.21/releasenotes.txt + a) Its default setting has been changed to No. -2) Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir - and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in - favor of the VARDIR setting in shorewallrc. + b) All workarounds for old distributions have been eliminated. See + the Migration Issues for additional information. - NOTE: While the name of the variable remains VARDIR, the - meaning is slightly different. When set in shorewallrc, - each product (shorewall-lite, and shorewall6-lite) will - create a directory under the specified path name to - hold state information. +5) A number of configuration options have been eliminated: - Example: + - EXPORTPARAMS + - IPSECFILE + - LEGACY_FASTSTART + - LOGRATE * + - LOGBURST * + - WIDE_TC_MARKS * + - HIGH_ROUTE_MARKS * + - BLACKLISTNEWONLY * - VARDIR=/opt/var/ + A fatal error results if those flagged with an asterisk ("*") + appear in the .conf file -- run the 'shorewall[6] update' command + to convert their settings to use supported options. 
- The state directory for shorewall-lite will be - /opt/var/shorewall-lite/ and the directory for - shorewall6-lite will be /opt/var/shorewall6-lite. + A warning is issued if any of the rest appear in the .conf file. + 'shorewall[6] update' will drop them from the file. - When VARDIR is set in /etc/shorewall[6]/vardir, the - product will save its state directly in the specified - directory. +7) The -b, -D, -r, -s, -t and -n options have been removed from the + 'update' command. The command now behaves as if all of those + options had been specified. - In Shorewall 4.5.8, a VARLIB variable was added to the shorewallrc - file and the meaning of VARDIR is once again consistent. The - default setting of VARDIR for a particular product is - ${VARLIB}/$product. There is an entry of that form in the - shorewallrc file. Because there is a single shorewallrc file for - all installed products, the /etc/shorewall[6]-lite/vardir file - provides the only means for overriding this default. +6) Support has been removed for the 'blacklist', 'tcrules', + 'routestopped', 'notrack' and 'tos' files. -3) Begining with Shorewall 4.5.6, the tcrules file is processed if - MANGLE_ENABLED=Yes, independent of the setting of TC_ENABLED. This - allows actions like TTL and TPROXY to be used without enabling - traffic shaping. + The 'update' command will: - If you have rules in your tcrules file that you only want processed - when TC_ENABLED is other than 'No', then enclose them in + - convert the 'tcrules' and 'tos' files to the equivalent 'mangle' + file. - ?IF $TC_ENABLED - ... - ?ENDIF + - convert the 'blacklist' file into an equivalent 'blrules' file. - If they are to be processed only if TC_ENABLED=Internal, then enclose - them in + - convert the routestopped' file into the equivalent 'stoppedrules' + file. - ?IF TC_ENABLED eq 'Internal' - ... - ?ENDIF + - convert a 'notrack' file to the equivalent 'conntrack' file. 
-4) Beginning with Shorewall 4.5.7, the deprecated - /etc/shorewall[6]/blacklist files are no longer installed. Existing - files are still processed by the compiler. Note that blacklist - files may be converted to equivalent blrules files using - 'shorewall[6] update -b'. +7) Beginning with this release, all macros and actions are assumed + to be FORMAT-2. FORMAT-1 macros and actions are no longer supported + and will be silently processed as if they were FORMAT-2. For most + macros and actions, this change will be of no concern, but may cause + compilation errors in rare cases. -5) In Shorewall 4.5.7, the /etc/shorewall[6]/notrack file was renamed - /etc/shorewall[6]/conntrack. When upgrading to a release >= 4.5.7, - the conntrack file will be installed along side of an existing - notrack file. When both files exist, a compiler warning is - generated: +8) Beginning with this release, COMMENT, FORMAT and SECTION lines must + begin with a question mark ("?"). The 'update' command makes these + changes for you. - WARNING: Both notrack and conntrack exist; conntrack is ignored +9) As an alternative to INLINE_MATCHES=Yes, you may now specify inline + matches (raw ip[6]tables text) after a double semicolon (';;'). - This warning may be eliminated by moving any entries in the notrack - file to the conntrack file and removing the notrack file. + Example from the 'masq' file to split SNAT between two public + addresses on eth1: -6) In Shorewall 4.5.8, the /etc/shorewall[6]/routestopped files were - deprecated if favor of new /etc/shorewall[6]/stoppedrules - counterparts. The new files have much more familiar and - straightforward semantics. Once a stoppedrules file is populated, - the compiler will process that file and will ignore the - corresponding routestopped file. + #INTERFACE SOURCE ADDRESS + eth1 - 1.2.3.1 ;; -m statistic --mode random --probability 0.50 + eth1 - 1.2.3.2 -7) In Shorewall 4.5.8, a new variable (VARLIB) was added to the - shorewallrc file. 
This variable assumes the role formerly played by - VARDIR, and VARDIR now designates the configuration directory for a - particular product. +10) Options in shorewall[6].conf that accept a log level now also allow + specification of a log tag. - This change should be transparent to all users: + Example: - a) If VARDIR is set in an existing shorewallrc file and VARLIB is - not, then VARLIB is set to ${VARDIR} and VARDIR is set to - ${VARLIB}/${PRODUCT}. + TCP_FLAGS_LOG_LEVEL=info:,tcpflags - b) If VARLIB is set in a shorewallrc file and VARDIR is not, then - VARDIR is set to ${VARLIB}/${PRODUCT}. +11) A PROBABILITY column has been added to the masq file. One usage + scenario is to balance SNAT between two or more IP addresses on a + WAN interface: - The Shorewall-core installer will automatically update - ~/.shorewallrc and save the original in ~/.shorewallrc.bak + #INTERFACE SOURCE ADDRESS + eth1 - 1.2.3.4 { probability=0.50 } + eth2 - 1.2.3.5 -8) Previously, the macro.SNMP macro opened both UDP ports 161 and 162 - from SOURCE to DEST. This is against the usual practice of opening - these ports in the opposite direction. Beginning with Shorewall - 4.5.8, the SNMP macro opens port 161 from SOURCE to DEST as before, - and a new SNMPTrap macro is added that opens port 162 (from SOURCE - to DEST). +12) Previously, when chain names were included in a 'reset' command, + they were assumed to be filter table chains. Now, both a table name + and a chain name can be given (e.g., mangle:PREROUTING). The + specified table remains the default for the remainder of the + command unless a following entry also includes a table name. -9) Beginning with Shorewall 4.5.11, ?FORMAT is preferred over FORMAT - for specifying the format of records in these configuration files: +13) An action for Gluster FS (action.GlusterFS) has been added. See the + action file for a description of the parameters. 
- action.* files - conntrack - interface - macro.* files - tcrules +---------------------------------------------------------------------------- + I V. M I G R A T I O N I S S U E S +---------------------------------------------------------------------------- - While deprecated, FORMAT (without the '?') is still supported. +1) If you are migrating from Shorewall 4.4.x or earlier, please see + http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.21/releasenotes.txt - Also, ?COMMENT is preferred over COMMENT for attaching comments to - generated netfilter rules in the following files. +2) It is strongly recommended that you first upgrade your installation + to a 4.6 release >= 5.6.12 prior to upgrading to Shorewall 5.0. - accounting - action.* files - blrules files - conntrack - masq - nat - rules - secmarks - tcrules - tunnels + Once you are on the Shorewall 4.6 release: - When one of the deprecated forms is encountered, a warning message - is issued. + - shorewall update -A - Examples: + If you also run Shorewall6: - WARNING: 'FORMAT' is deprecated in favor of '?FORMAT' - - consider running 'shorewall update -D'. + - shorewall6 update -A - WARNING: 'COMMENT' is deprecated in favor of '?COMMENT' - - consider running 'shorewall update -D'. + These steps are necessary because Shorewall 5.0: - As the warnings indicate, 'update -D' will traverse the CONFIG_PATH - replacing FORMAT and COMMENT lines with ?FORMAT and ?COMMENT - directives respectively. The original version of modified files - will be saved with a .bak suffix. + - Does not contain support for the 'tcrules' and 'tos' files -- + existing 'tcrules' and 'tos' files must be converted to an + equivalent set of 'mangle' file entries. - During the update, .bak files are skipped as are files in - ${SHAREDIR}/shorewall and ${SHAREDIR}/shorewall6. + - Does not contain support for the 'blacklist' file -- it must + be converted to an equivalent 'blrules' file. 
-10) To allow finer-grained selection of the connection-tracking states - that are passed through blacklists (both dynamic and static), a - BLACKLIST option was added to shorewall.conf and shorewall6.conf in - Shorewall 4.5.13. + - Does not contain support for the 'notrack' file -- it must be + converted to an equivalent 'conntrack' file. - The BLACKLISTNEWONLY option was deprecated at that point. A - 'shorewall update' ( 'shorewall6 update' ) will replace the - BLACKLISTNEWONLY option with the equivalent BLACKLIST option. + - Does not contain support for the 'routestopped' file -- it must + be converted to an equivalent 'stoppedrules' file. -11) In Shorewall 4.5.14, the BLACKLIST_LOGLEVEL option was renamed - BLACKLIST_LOG_LEVEL to be consistent with the other log-level - option names. BLACKLIST_LOGLEVEL continues to be accepted as a - synonym for BLACKLIST_LOG_LEVEL, but a 'shorewall update' or - 'shorewall6 update' command will replace BLACKLIST_LOGLEVEL with - BLACKLIST_LOG_LEVEL in the new .conf file. + Note that you can run the update command(s) after you upgrade to + Shorewall 5 but your firewall will not work correctly until + you do those update(s). -12) Beginning with Shorewall 4.6.0, the default setting for 'ZONE2ZONE' - is '-' rather than '2'. If you prefer to keep your pre-4.6.0 chain - names, then specify ZONE2ZONE=2 in shorewall[6].conf. +3) The following configuration options have been eliminated: -13) Beginning with Shorewall 4.6.0, section headers are now preceded by - '?' (e.g., '?SECTION ...'). If your configuration contains any - bare 'SECTION' entries, the following warning is issued: + - EXPORTPARAMS + - IPSECFILE + - LEGACY_FASTSTART + - LOGRATE * + - LOGBURST * + - WIDE_TC_MARKS * + - HIGH_ROUTE_MARKS * + - BLACKLISTNEWONLY * - WARNING: 'SECTION' is deprecated in favor of '?SECTION' - - consider running 'shorewall update -D' ... 
+ A fatal error results if those flagged with an asterisk ("*") + appear in the .conf file -- run the 'shorewall[6] update' command + to convert their settings to use supported options. - As mentioned in the message, running 'shorewall[6] update -D' will - eliminate the warning. + A warning is issued if any of the rest appear in the .conf file. + 'shorewall[6] update' will drop them from the file. -14) Beginning with Shorewall 4.6.0, the 'tcrules' file has been - superceded by the 'mangle' file. Existing 'tcrules' files will - still be processed, with the restriction that TPROXY is no longer - supported in FORMAT 1. +4) To make the command names more accurately reflect what they do, + several changes have been included: - If your 'tcrules' file has non-commentary entries, the following - warning message is issued: + a) Beginning with this release, the 'restart' command now does a + true restart and is equivalent to a 'stop' followed by a + 'start'. - WARNING: Non-empty tcrules file (...); - consider running 'shorewall update -t' + b) The pre-5.0.0 'load' command has been renamed 'remote_start'. - See shorewall6(8) for limitations of 'update -t'. + c) The pre-5.0.0 'reload' command has been renamed 'remote_reload'. -15) The default value of LOAD_HELPERS_ONLY is now 'Yes'. + c) The 'reload' command now performs the same function as the + pre-5.0.0 'restart' command. -16) Beginning with Shorewall 4.6.0, FORMAT-1 actions and macros are - deprecated and a warning will be issued for each FORMAT-1 action - or macro found. + d) A 'remote_restart' command has been added to Shorewall and + Shorewall6 to allow a remote 'restart' after updating the + remote firewall system's compiled script. - WARNING: FORMAT-1 actions are deprecated and support will be - dropped in a future release. + For those that can't get used to the idea of using 'reload' in + place of 'restart', a LEGACY_RESTART option has been added. 
The + option defaults to No but if set to Yes, then the 'restart' command + does what it has always done. - WARNING: FORMAT-1 macros are deprecated and support will be - dropped in a future release. +5) While the WORKAROUNDS setting is still present in the + shorewall[6].conf file: - To eliminate these warnings, add the following line before the - first rule in the action or macro: + a) It's default setting has been changed to No. - ?FORMAT 2 + b) All workarounds for old distributions have been eliminated. See + the Migration Issues for additional information. - and adjust the columns appropriately. +6) Beginning with Shorewall 5.0.0, all macros and actions are assumed + to be FORMAT-2. FORMAT-1 macros and actions are no longer supported + and will be silently processed as if they were FORMAT-2. For most + macros and actions, this change will be of no concern, but may cause + compilation errors in rare cases. - FORMAT-1 actions have the following columns: + To review, FORMAT-1 actions have the following columns: TARGET SOURCE @@ -320,11 +245,11 @@ PROTO DEST PORT(S) SOURCE PORT(S) - RATE/LIMIT + RATE USER/GROUP MARK - while FORMAT-2 actions have these columns: + FORMAT-1 macros have these columns: TARGET SOURCE @@ -332,28 +257,10 @@ PROTO DEST PORT(S) SOURCE PORT(S) - ORIGINAL DEST - RATE/LIMIT - USER/GROUP - MARK - CONNLIMIT - TIME - HEADERS (Used in IPv6 only) - CONDITION - HELPER - - FORMAT-1 macros have the following columns: - - TARGET - SOURCE - DEST - PROTO - DEST PORT(S) - SOURCE PORTS(S) - RATE/LIMIT + RATE USER/GROUP - while FORMAT-2 macros have these columns: + FORMAT-2 actions and macros, on the other hand, have: TARGET SOURCE 
@@ -362,1262 +269,25 @@ DEST PORT(S) SOURCE PORT(S) ORIGINAL DEST - RATE/LIMIT + RATE USER/GROUP MARK CONNLIMIT TIME - HEADERS (Used in IPv6 only) - CONDITION + HEADERS (Only valid for IPv6) + SWITCH HELPER -17) Prior to Shorewall 4.6.4, the stoppedrules file did not work - properly when ADMINISABSENTMINDED=No. - - - A warning message was issued stating that the file would be - processed as if ADMINISABSENTMINDED=Yes, and it was. - - - Unfortunately, part of the surrounding rule-generating logic - proceded as if ADMINISABSENTMINDED=No, leading to an unusable - ruleset. - - In Shorewall 4.6.4, this problem was corrected by changing the way - that stoppedrules works with ADMINISABSENTMINDED=No. In the new - implementation: - - - All existing connections continue to work. - - Response packets and related connection requests to new accepted - connections are accepted (in other words, the resulting ruleset - is stateful). - - See shorewall[6].conf(5) for additional details. - ----------------------------------------------------------------------------- - V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 2 ----------------------------------------------------------------------------- - -4.6.12.1 - -1) Beginning with Shorewall 4.6.10, a fatal error during a start or - restart operation can leave the firewall in an indeterminent state. - That problem has been corrected so that the intended action takes - place: - - - If there is a current executable RESTOREFILE, then the firewall - is restored using that file. - - - Otherwise, the firewall is placed in the stopped state. - -2) Previously, if 'none' were passed as the log level argument to the - AutoBL action, compilation failed silently. Now, the intended - behavior (no logging) is produced. - -4.6.12 - -1) This release includes defect repair up through Shorewall 4.6.11.1. 
- -2) Previously, when Perl 5.18.0 or later was used with Shorewall, - multiple compilations of an unchanging configuration could produce - different but equivalent script files. Now, the script files - produced will be identical (except for dates and times) for any - given Shorewall version. - -3) Previously, if a binary interface option (those that have a value - of zero or 1) was specified with a value of zero on such an - interface, compilation failed. - - For example, this interface definition: - - - eth2 arp_filter=0,routeback=0,tcpflags=0,proxyarp=0 - - would generate the following error message: - - ERROR: The "routeback" option may not be specified on a - multi-zone interface - - Now, the option is allowed. - -4) Several issues with 'update -b' have been corrected. - ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 1 2 ----------------------------------------------------------------------------- - -1) The initial 'Compiling...', 'Checking...' and 'Updating..." - progress messages now include the Product name and version. - -2) Debian-specific .service files have been added. - -3) There are now two shorewallrc files for Debian - one for sysvinit - and one for systemd. The configure and configure.pl scrips - determine which to use by examining /sbin/init. - -4) Two new options are available for the 'update' command: - - -r converts a routestopped file to an equivalent stoppedrules file. - - -n converts a notrack file to an equivalent conntrack file. If - there is already an existing conntrack file, the converted rules - are appended to the existing file. - - WARNING: If you include /usr/share/shorewall/configfiles (or - wherever your distro places empty files) in your CONFIG_FILE - setting and there is no new file in your config directory (such as - /etc/shorewall), then the 'update' command will update the copy of - the file in /usr/share/shorewall/configfiles. 
This is probably not - what you want, since files in that directory (or your distro's - corresponding directory) will be overwritten by the next upgrade. - -5) Shorewall now uses NYTProf as its profiler rather than the - deprecated DProf. - ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 1 ----------------------------------------------------------------------------- - -1. This release includes defect repair up to and including Shorewall - 4.6.10.1. - -2. Previously, when the -c option was given to the 'compile' command, - the progress message "Compiling..." was issued before it was - determined if compilation was necessary. Now, that message is - suppressed when re-compilation is not required. - -3. Previously, when the -c option was given to the 'compile' command, - the 'postcompile' extension script was executed even when there was - no (re-)compilation. Now, the 'postcompile' script is only invoked - when a new script is generated. - -4. If CONFDIR was other than /etc, then ordinary users would not - receive a clear error message when they attempted to execute one of - the commands that change the firewall state. - -5. Previously, IPv4 DHCP client broadcasts were blocked by the - 'rpfilter' interface option. That has been corrected. - -6) The 'update' command incorrectly added the INLINE_MATCHES option - to shorewall6.conf with a default value of 'Yes'. This caused - 'start' to fail with invalid ip6tables rules when the alternate - input format using ';' is used. - ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 1 1 ----------------------------------------------------------------------------- - -1) Over the years, a number of changes have been added to Shorewall - that work around defects in other products. 
When running a current - distribution, these workarounds are unnecessary and add to the time - required for normal Shorewall operations. - - Beginning in this release, those workarounds may be disabled by - setting WORKAROUNDS=No in shorewall.conf. - -2) Previously, both lib.cli and lib.cli-std included nearly-identical - usage() functions. Now, only lib.cli includes the function which - produces its output based on which product's CLI is invoking it. - -3) To accomodate compiled scripts produced by Shorewall versions - before 4.4.8, Shorewall products from 4.4.8 onward have run scripts - twice. The first time is simply to capture the output of the - 'version' command. Based on the script's version, it is then invoked - to execute the requested command. - - Beginning in this release, scripts will only be run once if: - - - WORKAROUNDS=No, or - - the script was compiled as part of executing the command, or - - AUTOMAKE=Yes and it was determined that re-compilation was not - required. - -4) When the 'conntrack' utility program is installed, the 'show - connections' command can now display a subset of the entire - conntrack table by simply following the 'connections' keyword with - one or more conntrack filter parameters. - - For example, to display all http connections: - - shorewall show connections -p tcp --dport 80 - - See conntrack(8) for a description of the available parameters. - -5) To ensure that the compiler has an adequate PATH, the default - Shorewall PATH is now appended to the compiler's active PATH. - ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 0 ----------------------------------------------------------------------------- - -1) On some distributions, Shorewall-init would fail if one of the - configured products had a problem. Now, Shorewall-init goes on to - the next product rather than stopping. 
- -2) Previously, when startup was disabled (STARTUP_ENABLED=No or no - compiled firewall on a -lite system), exit status 2 was - returned. Now, exit status 6 is returned. - -3) Previously, if SAVE_IPSETS=ipv4 (or ipv6) but the configuration did - not use ipsets, then a superfluous warning message was issued: - - WARNING: Invalid value (ipv4) for SAVE_IPSETS - - That warning is now suppressed. - -4) Previously, the algorithm used to normalize the probabilities - defined in the 'load' provider option was incorrect and could - result in probabilities > 1.0. When this occurred, the firewall - would fail to start. - ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 1 0 ----------------------------------------------------------------------------- - -1) Previously, the 'ctevents' and 'expevents' options could only be - specified in the conntrack file if a helper was named. That is no - longer necessary. - - Example: - - #ACTION SOURCE DESTINATION PROTO DEST ... - # PORT(S) ... - # - CT:ctevents:assured,destroy\ - all - - - -2) Two new options have been added to the NFQUEUE target. - - - By default, if no userspace program is listening on an NFQUEUE, - then all packets that are to be queued are dropped. When the new - 'bypass' option is used, the NFQUEUE rule is silently bypassed - instead. The packet will move on to the next rule. - - Examples: - - NFQUEUE(bypass) - NFQUEUE(3,bypass) - - - Now, a queue range of the form n:m may be specified. Packets are - then balanced across the given queues. This is useful for - multicore systems: start multiple instances of the userspace - program on queues x, x+1, .. x+n and use "x:x+n". Packets - belonging to the same connection are put into the same nfqueue. - - Examples: - - NFQUEUE(4:6) - NFQUEUE(4:6,bypass) - - Queue ranges are also permitted in an NFQUEUE policy; the - 'bypass' option is not permitted there. - -3) The 'call' command is now documented. 
It provides a way to call - shell functions in the Shorewall libraries or in the generated - script. - - call [ ... ] - - must name a shell function in one of the Shorewall - libraries or in the generated script. The function is first - searched for in lib.base, lib.common, lib.cli and lib.cli-std - (lib.cli-std is not searched by the '-lite' products). If the - function is found, it is called with any supplied s. - - If the function is not found in the libraries, the call command - is passed to the generated script for processing. - -4) Several changes have been made to the processing of the 'load' - option in provider files: - - - load values are normalized to 8-digit precision and 10-byte - length. - - a warning is issued if the sum of the loads is not 1.000000. - - if the normalized probability for an interface is >= - 1.000000 then the probability match part of the generated rule is - omitted. - -5) There is now an ipv6 'findgw' skeleton file. - -6) The 'disable' and 'enable' commands now succed if the interface is - already disabled or enabled respectively. Tuomo Soini. - ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 9 ----------------------------------------------------------------------------- - -1) This release contains defect repair from Shorewall 4.6.8.1 and - earlier releases. - -2) The means for preventing loading of helper modules has been - clarified in the documentation. - -3) The SetEvent and ResetEvent actions previously set/reset the event - even if the packet did not match the other specified columns. This - has been corrected. - -4) Previously, the 'show capabilities' command was ignoring the - HELPERS setting. This resulted in unwanted modules being autoloaded - and, when the -f option was given, an incorrect capabilities file - was generated. 
- -6) Previously, when 'wait' was specified for an interface, the - generated script erroneously checked for required interfaces on all - commands rather than just start, restart and restore. - ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 9 ----------------------------------------------------------------------------- - -1) There is now a TCPMSS Target (TCPMSS_TARGET) capability. Your - iptables and kernel must support this capability in order to use - the CLAMPMSS option in shorewall.conf and the 'mss=' option in the - zones, interfaces and hosts files. This capability was added when - it was learned that Debian on ARM doesn't provide the feature. - - When using a capabilities file from at earlier release, the - compiler assumes that this capability is available, since most - distributions have traditionally provided the capability. - -2) The CLI manpages now state explicitly that 'list' and 'ls' are - synonyms for 'show' and refer the reader to the description of - 'show'. - -3) The complete syntax of each CLI command is now repeated in the - detailed description of the command in the man pages. - -4) Tuomo Soini has contributed a QUIC macro. - -5) The JabberSecure macro is now deprecated. Configure Jabber to use - TLS and use the Jabber macro instead. (Tuomo Soini). - -6) The enable and disable commands now execute more quickly on slow - hardware. - -7) The CLI programs now support a 'reenable' command. This command is - logically equivalent to a 'disable' command followed by an 'enable' - command, with the exception that no error is generated if the - specified interface or provider is disabled at the time the - command is given. - ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 
8 ----------------------------------------------------------------------------- - -1) This release includes defect repair from Shorewall 4.6.6.2 and - earlier releases. - -2) Previously, when the -n option was specified and NetworkManager was - installed on the target system, the Shorewall-init installer would - still create - ${DESTDIR}etc/NetworkManager/dispatcher.d/01-shorewall, regardless - of the setting of $CONFDIR. That has been corrected such that the - directory - ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall is - created instead. - -3) Previously, handling of the IPTABLES and IP6TABLES actions in the - conntrack file was broken. nfw provided a fix on IRC. - -4) The Shorewall-core and Shorewall6 installers would previously - report incorrectly that the product release was not installed. Matt - Darfeuille provided fixes. - ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 8 ----------------------------------------------------------------------------- - -1) The CLI programs (shorewall, shorewall6, etc) now support 'open' - and 'close' commands. The 'open' command temporarily opens the - firewall for a specified type of connection; the syntax is: - - open [ [ ] ] - - The and may be any of the following: - - - a host IP address - - a network IP address - - a valid DNS name (usual warnings apply) - - the word 'all', indicating that the or is - not restricted - - The protocol may be specified by number or by a name. Same with - . - - Example: Open SSH connections to 1.2.3.4 in Shorewall: - - shorewall open all 1.2.3.4 tcp ssh - - The 'close' command reverses the effect of an earlier 'open' - command and has two forms: - - close - close [ is the number displayed in the - 'num' column of the 'shorewall list opens' command (see below). - - In the second form, the parameters must match those of the earlier - 'open' command to be reversed. 
All temporary connections opens may - be deleted by simply restarting the firewall. - - Both commands require that the firewall be in the started state and - that DYNAMIC_BLACKLIST=Yes in the active configuration. - - The iptables rules created via 'open' commands can be displayed - using the 'show opens' command. - - Example (after the above open command was executed): - - Shorewall 4.6.8 Temporarily opened connections at gateway - Fri Mar 6 09:47:06 PST 2015 - Chain dynamic (14 references) - num pkts bytes target prot opt in out source destination - 1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 1.2.3.4 multiport dports 22 - root@gateway:~# - -2) A 'safesets' command is now available to proactively save changes - to ipset contents. Using this command can guard against accidental - loss of ipset changes in the event of a system failure before a - 'stop' command has been completed. The exact action taken by the - command depends on the setting of SAVE_IPSETS in shorewall[6].conf. - -3) The SOURCE and DEST columns in the rtrules file may now contains - comma-separated lists of addresses. - ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 7 ----------------------------------------------------------------------------- - -None. - ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 7 ----------------------------------------------------------------------------- - -1) The 'tunnels' file now supports 'tinc' tunnels. - -2) Previously, the SAME action in the mangle file had a fixed timeout - of 300 seconds (5 minutes). That action now allows specification of - a different timeout. - -3) It is now possible to add or delete addresses from an ipset with - entries in the mangle file. The ADD and DEL actions have the same - behavior in the mangle file as they do in the rules file. 
- ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 6 ----------------------------------------------------------------------------- - -1) This release includes defect repair from Shorewall 4.6.5.5 and - earlier releases. - -2) Previously, a line beginning with 'shell' was interpreted as a - shell script. Now, the line must begin with 'SHELL' - (case-sensitive). - - Note that ?SHELL and BEGIN SHELL are still case-insensitive. - ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 6 ----------------------------------------------------------------------------- - -4.6.6.2 - -1) The compiler failed to parse the construct +[n] where n is an - integer (e.g., +bad[2]). - -2) Orion Paplawski has provided a patch that adds 'ko.xz' to the - default MODULE_SUFFIX setting. This change deals with recent Fedora - releases where the module names now end with ".ko.xz". - - In addition to Orion's patch, the sample configurations have been - modified to specify MODULE_SUFFIX="ko ko.xz". - -4.6.6.1 - -1) Previously the SAVE and RESTORE actions were erroneously disallowed - in the INPUT chain within the mangle file. - -2) The manpage descriptions of the mangle SAVE and RESTORE actions - incorrectly required a slash (/) prior to the mask value. - -3) Race conditions could previously occur between the 'start' command - and the 'enable' and 'disable' commands. - -4) The 'update' command incorrectly added the INLINE_MATCHES option - to shorewall.conf with a default value of 'Yes'. This caused - 'start' to fail with invalid iptables rules when the alternate - input format using ';' is used. - -6) Previously the LOCKFILE setting was not propagated to the generated - script. So when the script was run directly, the script - unconditionally used ${VARDIR}/lock. 
- -1) Previously, the firewall products (Shorewall, Shorewall6 and - *-lite) specified "After=network.target" in their .service files. - - Beginning with this release, those products specify - "After=network-online.target" like the service.214 files. This - change is intended to delay firewall startup until after network - initialization is complete. - -2) The 'TARPIT' target is now supported in the rules file. Using this - target requires the appropriate support in your kernel and - iptables. This feature implements a new "TARPIT Target" capability, - so if you use a capabilities file, then you need to regenerate the - file after installing this release. - - TARPIT captures and holds incoming TCP connections using no local - per-connection resources. - - - TARPIT only works with the PROTO column set to tcp (6), and is - totally application agnostic. This module will answer a TCP request - and play along like a listening server, but aside from sending an - ACK or RST, no data is sent. Incoming packets are ignored and - dropped. The attacker will terminate the session eventually. This - module allows the initial packets of an attack to be captured by - other software for inspection. In most cases this is sufficient to - determine the nature of the attack. - - - This offers similar functionality to LaBrea - but does not require dedicated - hardware or IPs. Any TCP port that you would normally DROP or - REJECT can instead become a tarpit. - - The target accepts a single optional parameter: - - tarpit (default) - - This mode completes a connection with the attacker but limits - the window size to 0, thus keeping the attacker waiting long - periods of time. While he is maintaining state of the - connection and trying to continue every 60-240 seconds, we - keep none, so it is very lightweight. Attempts to close the - connection are ignored, forcing the remote side to time out - the connection in 12-24 minutes. 
- - honeypot - - This mode completes a connection with the attacker, but - signals a normal window size, so that the remote side will - attempt to send data, often with some very nasty exploit - attempts. We can capture these packets for decoding and - further analysis. The module does not send any data, so if - the remote expects an application level response, the game - is up. - - reset - - This mode is handy because we can send an inline RST - (reset). It has no other function. - -3) A 'loopback' option has been added to the interfaces files to - designate the interface as the loopback device. This option is - assumed if the device's physical name is 'lo'. Only one - interface may specify 'loopback'. - - If no interface has physical name 'lo' and no interface specifies - the 'loopback' option, then the compiler implicitly defines an - interface as follows: - - #ZONE INTERFACE OPTIONS - - lo ignore,loopback - -4) The compiler now takes advantage of the iptables 'iface' match - capability for identifying loopback traffic. - -5) The 'primary' provider option has been added as a synonym for - 'balance=1'. The rationale for this addition is that 'balance' - seems inappropriate when only a single provider specifies that - option. For example, if there are two providers and one specifies - 'fallback', then the other would specify 'primary' rather than - 'balance'. - -6) Two new Macros have been contributed: - - Zabbix - Tuomo Soini - Tinc - Răzvan Sandu - ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 5 ----------------------------------------------------------------------------- - -4.6.5.5 - -1) The Shorewall-init ifupdown scripts were looking for the firewall - script in the wrong directory. Correction was provider by Tuomo - Soini. - -4.6.5.4 - -1) The '-c' option of the 'dump' and 'show routing' commands is now - documented. 
- -2) The handling of the 'DIGEST' environmental variable has been - corrected in the Shorewall installer. Previously, specifying that - option would not correctly update the Chains module which led to a - Perl compilation failure. - -3) Handling of ipset names on PORT columns has been - corrected. Previously, such usage resulted in an invalid iptables - rule being generated. - -4.6.5.3 - -1) The Shorewall-init scripts were using the incorrect - variable to set the state directory. - -2) For normal dynamic zones, the 'add' command failed with a - diagnostic such as: - - ERROR: Zone ast, interface net0 does not have a dynamic host list - -3) When a mark range was used in the marks (tcrules) file, a run-time - error occured while attempting to load the generated ruleset. - -4.6.5.2 - -1) LOG_BACKEND=LOG failed at run-time for all but the most recent - kernels. - -4.6.5.1 - -1) The generated script can now detect an gateway address assigned by - later versions of that program (Alan Barrett). - -2) In 4.6.5, the bash-based configure script would issue the following - diagnostic if SERVICEDIR was not specified in the shorewallrc - file: - - ./configure: line 199: [SERVICEDIR]=: command not found - - This was compounded by the fact that all of the released - shorewallrc files still specified SYSTEMDDIR rather than SERVICEDIR - (Evangelos Foutras) - -3) The shorewallrc.archlinux file now reflects a change in SBINDIR - that occurred in Arch Linux in mid 2013 (Evangelos Foutras). - -4.6.5 - -1) This release includes defect repair through release 4.6.4.3. - -2) On kernel 3.17, LOG_BACKEND=LOG previously failed with the - diagnostics: - - Setting up log backend - /var/lib/shorewall/.restart: line 2075: echo: write error: - No such file or directory - WARNING: Unable to set log backend to ipt_LOG - -3) A number of corrections have been made to the manpages (Thomas D). 
- -4) Previously, if $OPTIONS was set in /etc/sysconfig/shorewall-init, - then servicd failed to start/stop Shorewall-init. - ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 5 ----------------------------------------------------------------------------- - -1) The configure scripts and installers now support SERVICEDIR as an - alternative to SYSTEMD. For compatability, SERVICED is an alias - for SERVICEDIR. - -2) The installers now offer a choice of .service files, selected by - the SERVICEFILE option. The default remains $PRODUCT.service. Each - product supplying a .service file now supplies a .service.214. The - differences between the standard .service files and the service.214 - files are: - - a) They specify 'after=network-online.target' rather than - 'after=network.target'. - - b) The file shorewall-init.service.214 specifies - 'before=network-pre.target' rather than - 'before=network.target'. That file requires serviced 214 or - later, hence the names of the new files. - - Regardless of which file is selected, it is installed in - $SERVICEDIR/$PRODUCT.service. - -3) The RATE LIMIT column of the rules files now allows specification - of both a per-source and per-destination limit. See - shorewall[6]-rules(5) for details. - -4) Previously, /bin/sh was used unconditionally to process the helper - script 'getparams'. That shell script reads the params file and - passes back the (variable,value) pairs to the compiler. Beginning - with this release, $SHOREWALL_SHELL is used to process that script, - unless the compilation is for export, in which case /bin/sh is - still used. - - Note that the default value of $SHOREWALL_SHELL is /bin/sh, so - unless your configuration sets that variable, this enhancement will - have no effect. Similarly, on an administrative system, this - enhancement has no effect on the processing of the 'compile -e', - 'load', 'reload' and 'export' commands. 
- -5) A -C option has been added to several commands to allow the - ip[6]tables packet and byte counters to be preserved. - - - save command - - Causes the packet and byte counters to be saved along with the - chains and rules. - - - restore command - - Causes the packet and byte counters (if saved) to be restored - along with the chains and rules. - - - start command - - With Shorewall and Shorewall6, the -C option only has an effect - if the -f option is also specified. If a previously-saved - configuration is restored, then the packet and byte counters (if - saved) will be restored along with the chains and rules. - - - restart command - - If an existing compiled script is used (no recompilation - required) and if that script generated the current running - configuration, then the current netfilter configuration is - reloaded as is so as to preserve the current packet and byte - counters. - - If you wish to (approximately) preserve the counters over a - possibly unexpected reboot, then: - - - Create a cron job that periodically does 'shorewall save -C' - - - Specify the -C and -f option in the STARTOPTIONS variable in - either /etc/default/shorewall[6][-lite] or - /etc/sysconfig/shorewall[6][-lite], whichever is supported by your - distribution. Note that some distributions do not distribute these - files so you may have to create the one(s) you need (such as - /etc/sysconfig/shorewall). - ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 4 ----------------------------------------------------------------------------- - -4.6.4.1 - -1) Confusing 'usage' output was produced under the following - conditions: - - a) 4.6.4 installed - - b) The running firewall was compiled on an earlier release. - - c) A 'safe-start', 'save-restart', 'save' or 'try' command is - executed. - - This problem has been corrected. 
- -2) The 'optional' option has been removed from the IPv4 Universal - interfaces file, as that option caused startup failures. - -4.6.4 Final. - -1) This release includes defect repair through release 4.6.3.4. - -2) Two corrections have been made to the .service files: - - - The .service files now correctly specify - - WantedBy=basic.target - - - Conflicting services have been added. - -3) A warning message generated during stoppedrules processing - previously referred to the file as routestopped. - -4) Previously, the stoppedrules file did not work properly when - ADMINISABSENTMINDED=No. - - - A warning message was issued stating that the file would be - processed as if ADMINISABSENTMINDED=Yes, and it was. - - - Unfortunately, part of the surrounding rule-generating logic - proceded as if ADMINISABSENTMINDED=No, leading to an unusable - ruleset. - - This problem has been corrected by changing the way that - stoppedrules works with ADMINISABSENTMINDED=No. In the new - implementation: - - - All existing connections continue to work. - - Response packets and related connection requests to new accepted - connections are accepted (in other words, the resulting ruleset - is stateful). - - See shorewall[6].conf(5) for additional details. - -5) The .spec files now set SBINDIR correctly. - -6) The -lite installers now create INITDIR if it doesn't exist. - -7) The installers no longer attempt to create a symbolic link to the - init script when no init script is installed. - -8) A large number of defects in the uninstallers have been corrected. - ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 4 ----------------------------------------------------------------------------- - -1) Install support for Centos 7 and Foobar 7 has been added (Tuomo - Soini). - -2) A 'terminating' option has been added to shorewall[6].actions. 
- this option, when used with the 'builtin' option, indicates to the - compiler that the built-in action is terminating. This allows the - optimizer to omit rules after an unconditional jump to the - built-in. - -3) A LOG_BACKEND option has been added to allow specification of the - default logging backends. See shorewall.conf(5) and - shorewall6.conf(5) for details. - -4) The SAVE_IPSETS option may now specify a list of ipsets to be - saved. When such a list is specified, only those ipsets together - with the ipsets supporting dynamic zones are saved. - - Shorewall6 now supports the SAVE_IPSETS option. When - SAVE_IPSETS=Yes, only ipv6 ipsets are saved. For Shorewall, if - SAVE_IPSETS=ipv4, then only ipv4 ipsets are saved. Both features - require ipset version 5 or later. - - Note that shorewall.conf and shorewall6.conf may now both specify - SAVE_IPSETS. - -5) The SBINDIR setting for SuSE now defaults to /usr/sbin/. - -6) With the exception of Shorewall-core, the tarball installers and - uninstallers now support a -n option which inhibits any attempt to - change the startup configuration. The -n option can be - automatically invoked by setting the SANDBOX variable to a - non-empty value, either in the environment or in your shorewallrc - file. - ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 3 ----------------------------------------------------------------------------- - -4.6.3.1 - -1) The DNSAmp action released in 4.6.3 matched more packets than it - should have. That has now been corrected. - -4.6.3 - -1) This release contains defect repair up through release 4.6.2.5. - -2) The SAVE_IPSETS option in the Debian version of Shorewall-init now - works correctly. Thomas D. - ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 
3 ----------------------------------------------------------------------------- - -1) A new 'run' command has been implemented. This command allows you - to run an arbitrary command in the context of the generated - script. - - shorewall[6][-lite] run [ ... ] - - Normally, will be a function declared in lib.private. - -2) A DNSAmp action has been added. This action matches recursive UDP - DNS queries. The default disposition is DROP which can be - overridden by the single action parameter (e.g, 'DNSAmp(REJECT)' - will reject these queries). Recursive DNS queries are the basis for - 'DNS Amplification' attacks; hence the action name. - ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 2 ----------------------------------------------------------------------------- - -4.6.2.5 - -1) Previously, when an interface specified the 'physical=' option and - the physical interface name was specified in the INTERFACES column - of the providers file, compilation would fail with diagnostics - similar to the following: - - Use of uninitialized value $physical in pattern match - (m//) at /usr/lib/perl5/vendor_perl/5.18.1/ - Shorewall/Providers.pm line 463, <$currentfile> line 2. - ERROR: A provider interface must have at least one - associated zone /opt/etc/shorewall/providers (line 2) - -2) Shorewall-init now works correctly on systems with systemd. - By Louis Lagendijk. - -4.6.2.4 - -1) Previously, inline matches were incorrectly disallowed in action - files. These matches are now allowed. - -4.6.2.3 - -1) Previously, the compiler would fail with a Perl diagnostic if: - - - Optimize Level 8 was enabled. - - Perl 5.20 was being used. This is the current Perl version on - Arch Linux. - - The diagnostic was: - - Can't use string ("nat") as a HASH ref while "strict refs" in use - at /usr/share/shorewall/Shorewall/Chains.pm line 3486. 
- -4.6.2.2 - -1) The compiler now correctly detects the IPv6 "Header Match" - capability when LOAD_MODULES_ONLY=No. - -2) The compiler now correctly detects the IPv6 "Ipset Match" - capability on systems running a 3.14 or later kernel. - -3) The compiler now correctly detects "Arptables JF" capability when - LOAD_MODULES_ONLY=No. - -3) The tcfilter manpages previously failed to mention that - BASIC_FILTERS=Yes is required to use ipsets in the tcfilters files. - -4.6.2.1 - -1) Two issues with tcrules processing have been corrected: - - - SAVE and RESTORE generated fatal compilation errors. - - '|' and '&' were ignored. - -4.6.2 - -1) The DSCP match in the mangle and tcrules files didn't work with - service class names such as EF, BE, CS1, ... (Thibaut Chèze) - -2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in - tcrules and mangle; this was a regression from 4.5.21. - -3) Additional ports required by Asus, Supermicro and Dell have been - added to the IPMI macro (Tuomo Soini). - -4) Some issues regarding install under Cygwin64 have been addressed. - - - configure.pl did not understand CYGWIN returned from `uname` - - Shorewall-core install.sh did not understand CYGWIN returned from - `uname`. - - The Shorewall and Shorewall6 installers tried to run the command - 'mkdir -p //etc/shorewall[6]' which is broken in the current - Cygwin64. - ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 2 ----------------------------------------------------------------------------- - -1) The 'status' command now allows a -i option which causes the state - of all optional and provider interfaces to be displayed. 
- - Example: - - root@gateway:/etc/shorewall# shorewall status -i - Shorewall-4.6.1 Status at gateway - Wed Jun 18 14:27:19 PDT 2014 - - Shorewall is running - State:Started (Wed Jun 18 09:50:01 PDT 2014) from /etc/shorewall/ - (/var/lib/shorewall/firewall compiled by Shorewall version 4.6.1) - - Interface eth0 is Enabled - Interface eth1 is Enabled - Interface lo is Enabled - -2) A 'shorewall show blacklists' command has been - implemented. The abbreviation 'bl' may be used in place of - 'blacklists'. - - The command displays the output of the 'dynamic' chain together - with the chains created by entries in the blrules file. - -3) A TIME column has been added to the mangle file. It has the same - use in that file as the corresponding column in the rules file. - -4) A stateful port knocking example has been added to the Events - article (http://www.shorewall.net/Events.html). This example allows - a sequence of knocking ports to be defined (Gerhard Weisinger). - -5) A macro supporting HP's Integrated Lights Out (ILO) has been added - (Tuomo Soini). - -6) It is now possible to specify the MAC address of a provider - GATEWAY. This is useful when there are multiple providers serviced - by a single interface as it avoids the need for the generated - script to detect the MAC during start/restart. - -7) The copyrights in the sample configuration files have been updated. - ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 ----------------------------------------------------------------------------- - -4.6.1.4 - -1) The DSCP match in the mangle and tcrles files didn't work with - service class names such as EF, BE, CS1, ... - -2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in - tcrules and mangle; this was a regression from 4.6.21. 
- -4.6.1.3 - -1) Use of the 'IfEvent' action resulted in a compilation failure: - - ERROR: -j is only allowed when the ACTION is INLINE with no - parameter /usr/share/shorewall/action.IfEvent (line 139) - from /etc/shorewall/action.SSHKnock (line 8) - from /etc/shorewall/rules (line 31) - -4.6.1.2 - -1) The shorewall-masq(5) and shorewall6-masq(5) manpages had a mangled - heading for the description of the SOURCE column, leading some - readers to assert the that description was missing. - -2) When INLINE_MATCHES=Yes and AUTOHELPERS=No, start or restart could - fail during script execution with this diagnostic: - - Running /sbin/iptables-restore... - Bad argument `helper=netbios-ns' - Error occurred at line: nnn - Try `iptables-restore -h' or 'iptables-restore --help' for more - information. - ERROR: iptables-restore Failed. Input is in - /var/lib/shorewall/.iptables-restore-input - -4.6.1.1 - -1) An improved error message is generatred when a server address list - is specified in the DEST colume of a DNAT or REDIRECT - rule. At one time, iptables supported such lists, but now only a - single address or an address range is supported. - - The previous error message was: - - ERROR: Unkknown Host (192.168.1.4,192.168.1.22) - - The new error message is: - - ERROR: An address list (192.168.1.4,192.168.1.22) is not - allowed in the DEST column of a xxx RULE - - where xxx is DNAT or REDIRECT as appropriate. - -2) Two problems have been corrected in the Shorewall-init Debian init - script. - - a) A cosmetic problem which resulted in 'echo_notdone' being - displayed on failure rather than 'not done'. - - b) More seriously, the test for the existance of compiled - firewall scripts was incorrect, with the result that the - firewall scripts were not executed. - - These defects, introduced in Shorewall 4.5.17, have now been - corrected. 
- -4.6.1 - -1) When the 'rpfilter' option is specified on all interfaces, no - references to the 'dynamic' chain were created and that chain was - optimized away. - ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 1 ----------------------------------------------------------------------------- - -1) Tuomo Soini has provided new macros for AMOP, MongoDB, Redis, Sieve - and IPMI (RMCP). - ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 0 ----------------------------------------------------------------------------- - -4.6.0.3 - -1) The Shorewall-init package now installs correctly on RHEL7. - -2) 1:1 NAT is now enabled in IPv6. - -3) A subtle interaction between NAT and sub-zones is explained in - shorewall-nat. - -4) The 'show filters' command now works with Simple TC. - -4.6.0.2 - -1) The 'upgrade -A' command now converts the tcrules file to a mangle - file. Previously, that didn't happen. - -2) The install components now support RHEL7. - -3) Whitespace issues in the skeleton configuration files have been - corrected (Tuomo Soini). - -4) The install components now support RHEL7. - -5) FAQ 2e has been added which describes additional steps required to - achieve hairpin NAT on a bridge where the modified packets are to - go out the same bridge port as they entered. - -6) shorewall-masq(5) has been corrected to include the word SOURCE on - the description of that column. Previously, the description read - '(formerly called SUBNET)'. - -7) The output of 'shorewall show filters' once again shows ingress - (policing) filters. This works around undocumented changes to the - behavior of the 'tc' utility. - -4.6.0.1 - -1) The CHECKSUM target in the tcrules and mangle files was broken and - resulted in this error diagnostic: - - Running /sbin/iptables-restore... 
- iptables-restore v1.4.7: CHECKSUM target: Parameter --checksum-fill is - required - Error occurred at line: 41 - Try `iptables-restore -h' or 'iptables-restore --help' for more - information. - ERROR: iptables-restore Failed. Input is in - /var/lib/shorewall/.iptables-restore-input - - The compiler is now generating the correct rule. - -2) Some cosmetic issues in the 'mangle' files have been resolved. - -3) When an invalid chain designator was supplied in 'tcrules' or - 'mangle', the compiler's error message was garbled and a - Perl diagnostic was issued. - -4.6.0 - -This release includes all defect repair from releases up through -4.5.21.9. + To summarize, if your action or macro only uses the first 6 + columns (which most do), then it will process fine as + FORMAT-2. Otherwise, it must be modified to place specifications in + the proper columns. -1) The tarball installers, now install .service files with mode 644 - rather than mode 600. +7) COMMENT, FORMAT and SECTION lines must now begin with a question + mark ("?"). The 'update' command will change all bare COMMENT, + FORMAT and SECTION lines to include the question mark. ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 0 + V. N O T E S F R O M O T H E R 5 . 0 R E L E A S E S ---------------------------------------------------------------------------- -1) SECTION entries in the accounting and rules files now allow - "SECTION" to be immediately preceded by "?" (e.g., ?SECTION). The - new form is preferred and if any SECTION entries do not have the - question mark, a warning is issued (see Migration Issues below). - -2) The default setting for ZONE2ZONE has been changed from '2' to '-' - for increased readability when zone names contain '2'. - -3) The 'tcrules' file has been superceded by the 'mangle' - file. Existing 'tcrules' files will still be processed, with the - restriction that TPROXY is no longer supported in FORMAT 1. 
- - You can convert your tcrules file into the equivalent mangle file - using the command: - - shorewall update -t - - See shorewall(8) and shorewall6(8) for important restrictions of - the -t option. - -4) Prior to now, the ability to specify raw iptables matches has been - tied to the INLINE action. Beginning with this release, the two can - be separated by specifying INLINE_MATCHES=Yes. - - When INLINE_MATCHES=Yes, then inline matches may be specified after - a semicolon in the following files: - - action files - macros - rules - mangle - masq - - Note that semicolons are not allowed in any other files. If you - want to use the alternative input format in those files, then you - must inclosed the specifications in curly brackets ({...}). The -i - option of the 'check' command will warn you of lines that need to - be changed from using ";" to using "{...}". - -5) The 'conntrack', 'raw', 'mangle' and 'rules' files now support an IPTABLES - (IP6TABLES) action. This action is similar to INLINE in that it - allows arbitrary ip[6]tables matches to be specified after a - semicolon (even when INLINE_MATCHES=No). It differs in that the - parameter passed is an iptables target with target options. - - Example (rules file): - - #ACTION SOURCE DEST PROTO - IPTABLES(TARPIT --honeypot) net pot - - If the particular target that you wish to use is unknown to - Shorewall, you will get this error message: - - ERROR: Unknown TARGET () - - You can eliminate that error by adding your target as a builtin - action in /etc/shorewall[6]/actions. - - As part if this change, the /etc/shorewall[6]/actions file options - have been extended to allow you to specify the Netfilter table(s) - where the target is accepted. When 'builtin' is specified, you can - also include the following options: - - filter - nat - mangle - raw - - If no table is given, 'filter' is assumed for backward - compatibility. - -6) The 'tcpflags' option is now set by default. 
To disable the option, - specify 'tcpflags=0' in the OPTIONS column of the interface file. - -7) You may now use ipset names (preceded by '+') in PORT columns, - allowing you to take advantage of bitmap:port ipsets. - -8) The counter extensions to ipset matches have been - implemented. See shorewall[6]-ipsets for details. - -9) DROP is now a valid action in the stoppedrules files. DROP occurs - in the raw table PREROUTING chain which avoids conntrack entry - creation. - -10) A new BASIC_FILTERS option is now supported. When set to 'Yes', - this option causes the compiler to generate basic TC filters from - tcfilters entries rather than u32 filters. - - Basic filters are more straight-forward than u32 filters and, in - later iptables/kernel versions, basic filters support ipset - matches. Please note that Shorewall cannot reliably detect whether - your iptables/kernel support ipset matches, so an error-free - compilation does not guarantee that the firewall will start - successfully when ipset names are specified in tcfilters entries. - -11) The update command now supports an -A option. This is intended to - perform all available updates to the configuration and is currently - equivalent to '-b -D -t'. - -12) Beginning with this release, FORMAT-1 actions and macros are - deprecated and a warning will be issued for each FORMAT-1 action - or macro found. See the Migration Issues for further information. - -13) To facilitate creation of ipsets with characteristics different - from what Shorewall generates, the 'init' user exit is now executed - before Shorewall creates ipsets that don't exist. diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/shorewall6-lite.conf shorewall6-lite-5.0.0/shorewall6-lite.conf --- shorewall6-lite-4.6.13/shorewall6-lite.conf 2015-09-07 11:35:47.000000000 -0700 +++ shorewall6-lite-5.0.0/shorewall6-lite.conf 2015-10-08 13:16:32.000000000 -0700 
@@ -1,5 +1,5 @@ ############################################################################### -# /etc/shorewall6-lite/shorewall6-lite.conf Version 4 - Change the following +# /etc/shorewall6-lite/shorewall6-lite.conf Version 5 - Change the following # variables to override the values in the shorewall.conf file used to # compile /var/lib/shorewall-lite/firewall. Those values may be found in # /var/lib/shorewall-lite/firewall.conf. diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/shorewall6-lite.service.debian shorewall6-lite-5.0.0/shorewall6-lite.service.debian --- shorewall6-lite-4.6.13/shorewall6-lite.service.debian 2015-09-07 11:35:47.000000000 -0700 +++ shorewall6-lite-5.0.0/shorewall6-lite.service.debian 2015-10-08 13:16:32.000000000 -0700 @@ -12,10 +12,11 @@ [Service] Type=oneshot RemainAfterExit=yes -EnvironmentFile=-/etc/sysconfig/shorewall6-lite +EnvironmentFile=-/etc/default/shorewall6-lite StandardOutput=syslog -ExecStart=/sbin/shorewall6-lite $OPTIONS start $STARTOPTIONS +ExecStart=/sbin/shorewall6-lite $OPTIONS start ExecStop=/sbin/shorewall6-lite $OPTIONS stop +ExecReload=/sbin/shorewall6-lite $OPTIONS reload [Install] WantedBy=basic.target diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/shorewall6-lite.spec shorewall6-lite-5.0.0/shorewall6-lite.spec --- shorewall6-lite-4.6.13/shorewall6-lite.spec 2015-09-08 11:10:32.568535158 -0700 +++ shorewall6-lite-5.0.0/shorewall6-lite.spec 2015-10-09 13:28:27.013286704 -0700 @@ -1,5 +1,5 @@ %define name shorewall6-lite -%define version 4.6.13 +%define version 5.0.0 %define release 0base Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems. 
@@ -96,26 +96,14 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Mon Sep 07 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.13-0base -* Sun Aug 30 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.13-0RC1 -* Fri Aug 28 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.13-0Beta2 -* Thu Aug 27 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.13-0Beta1 -* Sat Aug 22 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.12-2 -* Fri Aug 21 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.12-1 -* Mon Aug 17 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.12-0base -* Sun Aug 16 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.12-0RC3 -* Thu Aug 13 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.12-0RC2 -* Thu Jul 30 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.12-0RC1 +* Sat Oct 03 2015 Tom Eastep tom@shorewall.net +- Updated to 5.0.0-0base +* Mon Sep 21 2015 Tom Eastep tom@shorewall.net +- Updated to 5.0.0-0RC1 +* Thu Sep 10 2015 Tom Eastep tom@shorewall.net +- Updated to 5.0.0-0Beta2 +* Mon Jul 27 2015 Tom Eastep tom@shorewall.net +- Updated to 5.0.0-0Beta1 * Mon Jul 13 2015 Tom Eastep tom@shorewall.net - Updated to 4.6.12-0Beta2 * Wed Jul 08 2015 Tom Eastep tom@shorewall.net diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/shorewallrc.apple shorewall6-lite-5.0.0/shorewallrc.apple --- shorewall6-lite-4.6.13/shorewallrc.apple 2015-09-08 11:10:32.584535235 -0700 +++ shorewall6-lite-5.0.0/shorewallrc.apple 2015-10-09 13:28:27.029286819 -0700 @@ -1,5 +1,5 @@ # -# Apple OS X Shorewall 4.5 rc file +# Apple OS X Shorewall 5.0 rc file # BUILD=apple HOST=apple diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/shorewallrc.archlinux shorewall6-lite-5.0.0/shorewallrc.archlinux --- shorewall6-lite-4.6.13/shorewallrc.archlinux 2015-09-08 11:10:32.584535235 -0700 +++ shorewall6-lite-5.0.0/shorewallrc.archlinux 2015-10-09 13:28:27.029286819 -0700 
@@ -1,5 +1,5 @@ # -# Arch Linux Shorewall 4.5 rc file +# Arch Linux Shorewall 5.0 rc file # BUILD= #Default is to detect the build system HOST=archlinux diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/shorewallrc.cygwin shorewall6-lite-5.0.0/shorewallrc.cygwin --- shorewall6-lite-4.6.13/shorewallrc.cygwin 2015-09-08 11:10:32.584535235 -0700 +++ shorewall6-lite-5.0.0/shorewallrc.cygwin 2015-10-09 13:28:27.029286819 -0700 @@ -1,5 +1,5 @@ # -# Cygwin Shorewall 4.5 rc file +# Cygwin Shorewall 5.0 rc file # BUILD=cygwin HOST=cygwin diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/shorewallrc.default shorewall6-lite-5.0.0/shorewallrc.default --- shorewall6-lite-4.6.13/shorewallrc.default 2015-09-08 11:10:32.584535235 -0700 +++ shorewall6-lite-5.0.0/shorewallrc.default 2015-10-09 13:28:27.029286819 -0700 @@ -1,5 +1,5 @@ # -# Default Shorewall 4.5 rc file +# Default Shorewall 5.0 rc file # HOST=linux #Generic Linux BUILD= #Default is to detect the build system diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/shorewallrc.redhat shorewall6-lite-5.0.0/shorewallrc.redhat --- shorewall6-lite-4.6.13/shorewallrc.redhat 2015-09-08 11:10:32.584535235 -0700 +++ shorewall6-lite-5.0.0/shorewallrc.redhat 2015-10-09 13:28:27.029286819 -0700 @@ -1,5 +1,5 @@ # -# RedHat/FedoraShorewall 4.5 rc file +# RedHat/FedoraShorewall 5.0 rc file # BUILD= #Default is to detect the build system HOST=redhat diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/shorewallrc.slackware shorewall6-lite-5.0.0/shorewallrc.slackware --- shorewall6-lite-4.6.13/shorewallrc.slackware 2015-09-08 11:10:32.584535235 -0700 +++ shorewall6-lite-5.0.0/shorewallrc.slackware 2015-10-09 13:28:27.029286819 -0700 
@@ -1,5 +1,5 @@ # -# Slackware Shorewall 4.5 rc file +# Slackware Shorewall 5.0 rc file # BUILD=slackware HOST=slackware diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/shorewallrc.suse shorewall6-lite-5.0.0/shorewallrc.suse --- shorewall6-lite-4.6.13/shorewallrc.suse 2015-09-08 11:10:32.584535235 -0700 +++ shorewall6-lite-5.0.0/shorewallrc.suse 2015-10-09 13:28:27.029286819 -0700 @@ -1,5 +1,5 @@ # -# SuSE Shorewall 4.5 rc file +# SuSE Shorewall 5.0 rc file # BUILD= #Default is to detect the build system HOST=suse diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall6-lite-4.6.13/uninstall.sh shorewall6-lite-5.0.0/uninstall.sh --- shorewall6-lite-4.6.13/uninstall.sh 2015-09-08 11:10:32.564535133 -0700 +++ shorewall6-lite-5.0.0/uninstall.sh 2015-10-09 13:28:27.013286704 -0700 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.13 +VERSION=5.0.0 PRODUCT=shorewall6-lite usage() # $1 = exit status
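Review bot: In the shorewall6-lite.service.debian hunk, dropping `$STARTOPTIONS` from `ExecStart=/sbin/shorewall6-lite $OPTIONS start` means any STARTOPTIONS value an administrator has set in the environment file is now silently ignored; since the same hunk moves that file from `/etc/sysconfig/shorewall6-lite` to `/etc/default/shorewall6-lite`, either keep `$STARTOPTIONS` or call out its removal (and the new environment-file path) in the release notes' Migration Issues so Debian users are not surprised by an upgrade that no longer honours their start options. The new `ExecReload=/sbin/shorewall6-lite $OPTIONS reload` line also ties `systemctl reload` to the 5.0 `reload` command, so the release notes should state what that command does in 5.0 for the lite product.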
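Review bot: In the shorewall6-lite.spec hunk, the `%changelog` block deletes the 4.6.13 and 4.6.12 entries (from `* Mon Sep 07 2015 ... Updated to 4.6.13-0base` down to `* Thu Jul 30 2015 ... Updated to 4.6.12-0RC1`) instead of prepending the 5.0.0 entries above them; rpm changelogs are normally append-only history, and removing those lines leaves a gap between the 5.0.0 Beta1 entry and the retained `Updated to 4.6.12-0Beta2` line. Suggest keeping the existing entries and adding only the four new `5.0.0-*` lines at the top.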
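Review bot: The shorewallrc.redhat hunk carries over the missing space in `# RedHat/FedoraShorewall 5.0 rc file`; since the line is being rewritten anyway, change it to `# RedHat/Fedora Shorewall 5.0 rc file` to match the other rc file headers in this patch.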
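Review bot: In the shorewall6-lite.conf hunk, the header comment still points at `/var/lib/shorewall-lite/firewall` and `/var/lib/shorewall-lite/firewall.conf` (the IPv4 lite paths) in a file whose own path is `/etc/shorewall6-lite/shorewall6-lite.conf`; while only the version number is changed here, the hunk is the natural place to correct those references to the shorewall6-lite state directory, or to confirm in the commit message that the IPv4 paths are intentional.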