diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall-core-4.6.13/changelog.txt shorewall-core-5.0.0/changelog.txt --- shorewall-core-4.6.13/changelog.txt 2015-09-08 11:10:31.788531068 -0700 +++ shorewall-core-5.0.0/changelog.txt 2015-10-09 13:28:26.289281759 -0700 
@@ -1,782 +1,65 @@ -Changes in 4.6.13 Final - -1) Allow non-expoerts access to the user bits in the fw mark. - -Changes in 4.6.13 RC 1 - -1) Update release documents. - -2) Unconditionally get inline matches. - -Changes in 4.6.13 Beta 2 - -1) Update release documents. - -2) Restore tcrules conversion. - -3) Place a header on a newly-created mangle file. - -Changes in 4.6.13 Beta 1 - -1) Update release documents. - -2) Correct 'rules' man pages. - -3) Correct parsing of IPv6 ranges - -4) Correct the shorewall6-hosts(5) manpage. - -6) Improve update - -7) Allow 'second' and 'minute' in LOGLIMIT specifications - -8) Update -t also converts the TOS file - -9) Fix INLINE(...):... - -Changes in 4.6.12.1 - -1) Update release documents. - -2) Correct a warning message. - -3) Attempt a 'restore' after a fatal error during start/restart. - -Changes in 4.6.12 Final - -1) Update release documents. - -2) Correct an error message. - -3) Use NYTProf as the profiler - -Changes in 4.6.12 RC 3 - -1) Fully activate the new update options. - -Changes in 4.6.12 RC 2 - -1) Update release documents. - -2) Update module versions. - -3) Allow =0 on multi-zone interfaces - -4) Port 'update' improvements from 5.0.0. - -Changes in 4.6.12 RC 1 - -1) Update release documents. - -2) Add Debian-specific .service files - -3) Create dual shorewallrc files for Debian - -Changes in 4.6.12 Beta 1 - -1) Update release documents. - -2) Enhance compiler() progress message. - -3) Make script generations repeatable. - -Changes in 4.6.11 Final - -1) Update release documents. - -2) Clean up PATH fix. - -3) Change shorewall6.conf to specify INLINE_MATCHES=No. - -Changes in 4.6.11 RC 1 - -1) Update release documents. - -2) Allow selection in 'show connections' - -3) Ensure that the compiler has a usable PATH - -4) Correctly handle IPv4 DHCP incoming requests with 'rpfilter'. - -Changes in 4.6.11 Beta 3 - -1) Update release documents. - -2) Correct the test for ordinary user accessing the default config. 
- -3) Eliminated the usage() function in lib.cli-std - -4) Don't get script's version if it was just compiled - -5) Append default PATH to the active PATH in the compiler. - -Changes in 4.6.11 Beta 2 - -1) Update release documents. - -2) Don't invoke 'postcompile' when compilation isn't done. - -Changes in 4.6.11 Beta 1 - -1) Update release documents. - -2) Add WORKAROUNDS option - -3) Merge Tuomo's fixes. - -4) Fix 'compile -c' progress message - -Changes in 4.6.10 Final - -1) Update release documents. - -2) Update Module Versions - -3) Tuomo Soini's fix to enable/disable. - -Changes in 4.6.10 RC 1 - -1) Update release documents. - -2) load= enhancements - -3) Indicate success when no ipsets are saved by the script - -4) load= corrections. - -5) IPv6 findgw. - -Changes in 4.6.10 Beta 2 - -1) Update release documents. - -2) Add queue-balance and queue-bypass options to NFQUEUE. - -3) Implement 'call' in the compiled program and externalize 'call' in - the CLI. - -Changes in 4.6.10 Beta 1 - -1) Update release documents. - -2) Fix Shorewall-init bailing out when a product didn't start/stop - -3) Return exit status 6 for non-configured firewall. - -4) Don't require a helper for ctevents and expevents. - -Changes in 4.6.9 Final - -1) Update release documents. - -Changes in 4.6.9 RC 2 - -1) Update release documents. - -2) Fix generated code. - - - Eliminate syntax error - - Correct handling of required interfaces when 'wait' is specified. - -Changes in 4.6.9 RC 1 - -1) Update release documents. - -2) More detect_configuration() optimization. - -3) Add 'reenable' command. - -4) Fix helper capabilities detection. - -Changes in 4.6.9 Beta 3 - -1) Update release documents. - -2) Clarify how to avoid loading helper modules. - -3) Merge Tuomo Soini's QUIC macro. - -4) Merge Tuomo Soini's deprecation of the JabberSecure macro. - -5) Correct rule generated by SetEvent and ResetEvent. - -6) Optimize detect_configuration() for enable/disable. 
- -Changes in 4.6.9 Beta 2 - -1) Update release documents. - -2) Add brief mention of 'list' and 'ls' to the CLI manpages. - -3) Add complete syntax in the CLI manpages. - -4) Add Tuomo Soini's fixes for .service files. - -Changes in 4.6.9 Beta 1 - -1) Update release documents. - -2) Implement TCPMSS_TARGET capability. - -Changes in 4.6.8 Final - -1) Update release documents. - -2) Apply Matt Darfeuille's uninstall fixes - -Changes in 4.6.8 RC 1 - -1) Update release documents. - -2) Correct the Shorewall-init installer. - -3) Apply nfw's fix for IP[6]TABLES in the conntrack file. - -Changes in 4.6.8 Beta 3 - -1) Update release documents. - -2) Implement ICMP handling in 'open' and 'close' - -3) Implement 'savesets' command. - -4) Allow comma-separated lists in the rtrules file. - -Changes in 4.6.8 Beta 2 - -1) Update release documents. - -2) Improve the 'close' and 'show opens' commands. - -Changes in 4.6.8 Beta 1 - -1) Update release documents. - -2) Implement the 'open' and 'close' commands - -Changes in 4.6.7 Final - -1) Update release documents. - -Changes in 4.6.7 RC 1 - -1) Update release documents. - -Changes in 4.6.7 Beta 1 - -1) Update release documents. - -2) Add 'tinc' tunnel support. - -3) Add parameter to SAME. - -4) Implement ADD and DEL in the mangle file. - -Changes in 4.6.6.2 - -1) Update release documents. - -2) Clarify Zone Exclusion - -3) Correct handling of +set[n] - -4) Apply Orion Paplawski's MODULE_SUFFIX patch. - -5) Update MODULE_SUFFIX="ko ko.xz" in samples. - -Changes in 4.6.6.1 - -1) Update release documents. - -2) Allow SAVE and RESTORE in the INPUT chain. - -3) Correct manpage descriptions of mangle SAVE and RESTORE - -4) Protect 'enable' and 'disable' with mutex - -5) Change the installation default value of INLINE_MATCHES - -6) Correct the file name in mangle split_line error messages - -7) Propagate the LOCKFILE setting to the generated script - -Changes in 4.6.6 Final - -1) Update release documents. 
- -2) Apply Tuomo Soini's fix for Shorewall-init. - -3) Make leading 'SHELL' case sensitive. - -4) Zabbix Macro from Tuomo Soini. - -5) Tinc Macro from Răzvan Sandu. - -Changes in 4.6.6 RC 1 - -1) Update release documents. - -2) Add 'primary' provider option. - -3) Correct ipset names in port columns. - -Changes in 4.6.6 Beta 3 - -1) Update release documents. - -2) Add the 'loopback' interface option. - -3) Use 'Iface match' for loopback interfaces where practical. - -Changes in 4.6.6 Beta 2 - -1) Update release documents. - -2) Document the -c option to the 'dump' and 'show routing' commands. - -3) Implement the 'TARPIT' target. - -Changes in 4.6.6 Beta 1 - -1) Update release documents. - -2) Minor reorganization of Shorewall::Compiler::compiler() - -3) Cosmetic/commentary changes to Shorewall::Config - -4) Start firewall after network-online target has been reached - -Changes in 4.6.5.3 - -1) Update release documents. - -2) Correct shorewall-init scripts to use VARLIB rather than VARDIR - (Roberto Sanchez) - -3) Correct handling of dynamic zones - -4) Correct handling of mark ranges - -Changes in 4.6.5.2 - -1) Update release documents. - -2) Fix IPv6 LOG_BACKEND=LOG - -Changes in 4.6.5.1 - -1) Update release documents. - -2) Apply Alan Barrett's dhclient patch - -3) Make emacs sh-mode work better with lib.core - -4) Fix setting of options[SERVICEDIR] in configure - -5) Rename SYSTEMDDIR to SERVICEDIR in shorewallrc.* - -6) Eliminate redundant "/" in the installers - -Changes in 4.6.5 Final - -1) Update release documents. - -2) Apply Thomas D's manpage fixes. - -3) Correct .service files. - -Changes in 4.6.5 RC 1 - -1) Update release documents. - -2) Correct a couple of defects in the -C code. - -3) Fix LOG_BACKEND on kernel 3.17. - -Changes in 4.6.5 Beta 3 - -1) Update release documents. - -2) Process params files with $SHOREWALL_SHELL. - -3) Implement the -C option. - -Changes in 4.6.5 Beta 2 - -1) Update release documents. 
- -2) Defect repair from the 4.6.4 branch. - -3) Allow both source and dest limits in the RATE LIMIT column. - -Changes in 4.6.5 Beta 1 - -1) Update release documents. - -2) Merge defect repair from 4.6.4. - -Changes in 4.6.5 Beta 1 - -1) Update release documents. - -2) New .service file strategy. - -Changes in 4.6.4.1 - -1) Update release documents - -2) Eliminate confusing output during 'save', 'safe-*' and 'try' - commands. - -3) Remove 'optional' from the Universal interfaces file. - -Changes in 4.6.4 Final - -1) Update release documents - -Changes in 4.6.4 RC 1 - -1) Update release documents - -2) Added FAQ 104 (kernel log messages during compile). - -3) Create INITD in the -lite installer. - -4) Don't link init script if there is none. - -5) Add -n option to the installers and uninstallers. - -6) Support SANDBOX in the installers and uninstallers. - -7) Correct many defects in the uninstallers. - -Changes in 4.6.4 Beta 3 - -1) Update release documents - -2) Allow SAVE_IPSETS to specify a list of ipset names. - -3) Document .spec and actions.std fixes. - -3) Packaging changes. - -Changes in 4.6.4-Beta 2 - -1) Update release documents - -2) Correct minor issue in a warning message. - -3) Implement LOG_BACKEND. - -4) Correct stoppedrules/ADMINISABSENTMINDED=No - -Changes in 4.6.4-Beta 1 - -1) Update release documents - -2) Install support for Centos 7 and Foobar 7 - -3) Tweaks to .service files. - -Changes in 4.6.3.4 - -1) Update release documents - -2) Remove the 'optional' option from the Universal 'net' entry in - interfaces. - -3) Don't check for required interfaces on 'stop' and 'clear'. - -4) Merge the defect repair from 4.6.2.5 into 4.6.3. - -Changes in 4.6.3.3 - -1) Update release documents - -2) Re-enable SECTION PREROUTING in the accounting file - -3) Eliminate many superfluous rules for tcpflags, nosmurfs and maclist - -Changes in 4.6.3.2 - -1) Update release documents - -2) Document the Goto-Meeting macro. 
- -3) Correct silly logic error - -4) Correct examples in actions manpages. - -5) Issue warning when /etc/iproute2/rt_tables is not writeable. - -6) Remove redundant help text output from -lite CLIs. - -Changes in 4.6.3.1 - -1) Update release documents - -2) Correct the u32 match string in action.DNSAmp. - -3) Clarify REJECT handling in IP[6]TABLES rules. - -Changes in 4.6.3 Final - -1) Update release documents. - -2) Apply Thomas D's fix for SAVE_IPSETS on Debian. - -Changes in 4.6.3 RC 1 - -1) Update release documents. - -2) Minor code and documentation cleanup. - -3) Defect repair from 4.6.2.5. - -hanges in 4.6.3 Beta 2 - -1) Update release documents. - -2) Add DNSAmp action - -3) Allow inline matches in action bodies (from 4.6.2.4) - -4) Allow physical names to be used in the INTERFACE column of the - providers file. - -Changes in 4.6.3 Beta 1 - -1) Update release documents. - -2) Describe new helper assignment in the FTP article. - -3) Merge defect repair from 4.6.2.3. - -4) Implement the 'run' command. - -Changes in 4.6.2.2 - -1) Update release documents. - -2) Detect Header Match when LOAD_MODULES_ONLY = No. - -3) Correct IPv6 ipset support detection on later kernels. - -4) Correct detection of the Ipset Counter capability. - -5) Detect Arptables JF when LOAD_MODULES_ONLY = No. - -6) Update the tcfilter manpages to mention BASIC_FILTER - -Changes in 4.6.2.1 - -1) Update release documents. - -2) Two issues with tcrules processing were corrected. - -Changes in 4.6.2 Final - -1) Update release documents. - -Changes in 4.6.2 RC 1 - -1) Update release documents. - -2) Allow specification of the GATEWAY MAC address. - -3) Fix some brokenness in installation under Cygwin. - -Changes in 4.6.2 Beta 2 - -1) Update release documents. - -2) Update Events.xml with a stateful port knocking example. - -3) Apply Thibaut Chèze's patch for DSCP names. - -4) Allow SAVE/RESTORE rules in the OUTPUT chain. - -5) Add ILO macro from Tuomo Soini. 
- -6) Apply Tuomo Soini's patch to add additional ports to the IPMI - macro. - -Changes in 4.6.2 Beta 1 - -1) Update release documents. - -2) Implement 'status -i' - -3) Implement 'show bl' - -4) Add TIME column to the mangle file - -Changes in 4.6.1.3 - -1) Update release documents. - -2) Correct handling of DSCP class names. - -3) Allow SAVE and RESTORE in the output chain. - -Changes in 4.6.1.3 - -1) Update release documents. - -2) Correct the compiler's handling of IfEvent. - -Changes in 4.6.1.2 - -1) Update release documents. - -2) Correct 'masq' manpages. - -3) Allow INLINE_MATCHES=Yes with AUTOHELPERS=No to work correctly. - -Changes in 4.6.1.1 - -1) Update release documents. - -2) Raise an error when a server list is specified in a DNAT or - REDIRECT rule. - -3) Correct Shorewall-init Debian init script - -Changes in 4.6.1 - -1) Update release documents. - -2) New Macros - -3) Apply pi-Rho's fix for rpfilter vs. dynamic chain. - -Changes in 4.6.0.3 - -1) Update release documents. - -2) Fix RHEL7 installation of Shorewall-init. - -3) Merge content from 4.5.21.10 - -Changes in 4.6.0.2 - -1) Update release documents. - -2) Correct handling of tcrules upgrade with 'upgrade -A'. - -3) Apply Tuomo Soini's whitespace patch. - -4) Extend Orion Poplawski's RHEL7 patch. - -5) Add FAQ 2e. - -6) Update Support article. - -7) Fix shorewall-masq SOURCE description - -Changes in 4.6.0.1 - -1) Update release documents. - -2) Correct CHECKSUM handling. - -3) Apply Simon Mater's cosmetic changes to 'mangle' file. - -4) Correct chain designator editing. - -Changes in 4.6.0 Final - -1) Update release documents. - -2) Upgrade IPv6 actions to FORMAT-2. - -Changes in 4.6.0 RC 3 - -1) Update release documents. - -2) Deprecate FORMAT-1 actions and macros. - -Changes in 4.6.0 RC 2 - -1) Update release documents. - -2) Add additional tabs to mangle files. - -3) Add link from Multi-ISP to packet marking. 
- -4) Updated the installers to install the .service files with mode 644 - rather than 600. - -Changes in 4.6.0 RC 1 +Changes in 5.0.0 1) Update release documents. -2) Make LOAD_HELPERS_ONLY=Yes the default. +2) Remove options from 'update' warning messages. -3) Merge 4.5.21.8/9 defect repair. +3) Update documentation for obsolete file removal. -4) Improve host interface inheritance. +4) Apply Erich Titl's 'date' fix. -Changes in 4.6.0 Beta 6 +Changes in 5.0.0 RC 1 1) Update release documents. -2) Merge 4.5.21.7 defect repair. +2) .service file fixes from Tuomo Soini -Changes in 4.6.0 Beta 5 +Changes in 5.0.0 Beta 2 1) Update release documents. -2) Add -t and -A update options. +2) Correct the 'reset' command -3) Implemented the BASIC_FILTERS option. +3) Allow table names in the reset command. -4) Documentation updates. +4) Add Gluster FS action -Changes in 4.6.0 Beta 4 +Changes in 5.0.0 Beta 1 1) Update release documents. -2) Defect repair for issues reported by testers. - -3) Support ipset lists in the tcfilters file. - -4) Cocument ipset use in tcfilters. - -5) Corrected 'dump' help text - -Changes in 4.6.0 Beta 3 - -1) Update release documents. +2) Redefine 'reload' and 'restart'. -2) Merge defect repair from Shorewall 4.5.21.6. +3) Eliminate service.214 files. -3) Implement basic filter generation in the tcfilters file. +4) Add 'reload' to the service files. -Changes in 4.6.0 Beta 2 +5) Allow connlimit by destination. -1) Update release documents. +6) Add the LEGACY_RESTART option. -2) Make tcpflags the default. +7) Deimplement support for several old options -3) ipset names in PORT columns. +8) Merge from 4.6.12 -4) ipset extensions. +9) Correct a warning message to refer to 'mangle' rather than + 'tcrules'. -5) DROP in stoppedrules +10) Drop support for the 'tos', 'tcrules', 'routestopped', 'notrack' + and 'blacklist' files. -Changes in 4.6.0 Beta 1 +11) Disallow bare SECTION, COMMENT and FORMAT lines. -1) Update release documents. 
+12) The -t update option also converts the 'tos' file. -2) Change ZONE2ZONE default. +13) Merge from 4.6.13. -3) Implement ?SECTION +14) Remove all of the individual options from the 'update' command. -4) Finish INLINE in tcrules. +15) Delimit inline matches with ';;'. -5) Add INLINE to masq. +16) Allow log-tags in shorewall.conf options -6) Implement INLINE_MATCHES +17) Allow non-expoerts access to the user bits in the fw mark. -7) Implement IP[6]TABLES actions in several files. +18) Add a PROBABILITY column to the masq files diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall-core-4.6.13/configure shorewall-core-5.0.0/configure --- shorewall-core-4.6.13/configure 2015-09-08 11:10:31.024527057 -0700 +++ shorewall-core-5.0.0/configure 2015-10-09 13:28:26.101280475 -0700 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.13 +VERSION=5.0.0 case "$BASH_VERSION" in [4-9].*) diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall-core-4.6.13/configure.pl shorewall-core-5.0.0/configure.pl --- shorewall-core-4.6.13/configure.pl 2015-09-08 11:10:31.032527094 -0700 +++ shorewall-core-5.0.0/configure.pl 2015-10-09 13:28:26.109280537 -0700 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.13' + VERSION => '5.0.0' }; my %params; diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall-core-4.6.13/INSTALL shorewall-core-5.0.0/INSTALL --- shorewall-core-4.6.13/INSTALL 2015-09-07 11:35:47.000000000 -0700 +++ shorewall-core-5.0.0/INSTALL 2015-10-08 13:16:32.000000000 -0700 @@ -1,4 +1,4 @@ -Shoreline Firewall (Shorewall) Version 4 +Shoreline Firewall (Shorewall) Version 5 ----- ---- ----------------------------------------------------------------------------- diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall-core-4.6.13/install.sh shorewall-core-5.0.0/install.sh --- shorewall-core-4.6.13/install.sh 2015-09-08 11:10:31.008526968 -0700 +++ shorewall-core-5.0.0/install.sh 2015-10-09 13:28:26.089280396 -0700 
@@ -22,7 +22,7 @@ # along with this program; if not, see . # -VERSION=4.6.13 +VERSION=5.0.0 usage() # $1 = exit status { diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall-core-4.6.13/lib.base shorewall-core-5.0.0/lib.base --- shorewall-core-4.6.13/lib.base 2015-09-07 11:35:47.000000000 -0700 +++ shorewall-core-5.0.0/lib.base 2015-10-08 13:16:32.000000000 -0700 @@ -1,7 +1,7 @@ # -# Shorewall 4.5 -- /usr/share/shorewall/lib.base +# Shorewall 5.0 -- /usr/share/shorewall/lib.base # -# (c) 1999-2014 - Tom Eastep (teastep@shorewall.net) +# (c) 1999-2015 - Tom Eastep (teastep@shorewall.net) # # Complete documentation is available at http://shorewall.net # diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall-core-4.6.13/lib.cli shorewall-core-5.0.0/lib.cli --- shorewall-core-4.6.13/lib.cli 2015-09-07 11:35:47.000000000 -0700 +++ shorewall-core-5.0.0/lib.cli 2015-10-08 13:16:32.000000000 -0700 @@ -1,7 +1,7 @@ # -# Shorewall 4.5 -- /usr/share/shorewall/lib.cli. +# Shorewall 5.0 -- /usr/share/shorewall/lib.cli. # -# (c) 1999-2014 - Tom Eastep (teastep@shorewall.net) +# (c) 1999-2015 - Tom Eastep (teastep@shorewall.net) # # Complete documentation is available at http://shorewall.net # @@ -388,19 +388,6 @@ status=0 if [ -f ${VARDIR}/firewall ]; then - if [ -n "$WORKAROUNDS" ]; then - if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then - cp -f ${VARDIR}/firewall $g_restorepath - mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables - chmod +x $g_restorepath - echo " Currently-running Configuration Saved to $g_restorepath" - run_user_exit save - else - rm -f ${VARDIR}/restore-$$ - echo " ERROR: Currently-running Configuration Not Saved" >&2 - status=1 - fi - else if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then cp -f ${VARDIR}/firewall $g_restorepath mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables 
@@ -412,7 +399,6 @@ echo " ERROR: Currently-running Configuration Not Saved" >&2 status=1 fi - fi else echo " ERROR: ${VARDIR}/firewall does not exist" >&2 status=1 @@ -423,18 +409,6 @@ resolve_arptables if [ -n "$arptables" ]; then - if [ -n "$WORKAROUNDS" ]; then - # - # 'sed' command is a hack to work around broken arptables_jf - # - if ${arptables}-save | sed 's/-p[[:space:]]\+0\([[:digit:]]\)00\/ffff/-p 000\1\/ffff/' > ${VARDIR}/restore-$$; then - if grep -q '^-A' ${VARDIR}/restore-$$; then - mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables - else - rm -f ${VARDIR}/restore-$$ - fi - fi - else if ${arptables}-save > ${VARDIR}/restore-$$; then if grep -q '^-A' ${VARDIR}/restore-$$; then mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables @@ -442,7 +416,6 @@ rm -f ${VARDIR}/restore-$$ fi fi - fi else case "$ARPTABLES" in */*) @@ -481,29 +454,13 @@ esac if [ -n "$IPSET" ]; then - if [ -n "$WORKAROUNDS" ]; then - if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then - # - # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny - # - hack='| grep -v /31' - else - hack= - fi - - if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then + if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then # # Don't save an 'empty' file # grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets fi fi - elif eval $IPSET -S > ${VARDIR}/ipsets.tmp; then - # - # Don't save an 'empty' file - # - grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets - fi ;; [Nn]o|ipv4|ipv6) ;; @@ -3787,7 +3744,7 @@ } # -# Restart Command Executor +# Reload/Restart Command Executor # restart_command() { local finished 
@@ -3846,11 +3803,11 @@ [ -n "$g_nolock" ] || mutex_on if [ -x ${VARDIR}/firewall ]; then - run_it ${VARDIR}/firewall $g_debugging restart + run_it ${VARDIR}/firewall $g_debugging $COMMAND rc=$? else error_message "${VARDIR}/firewall is missing or is not executable" - logger -p kern.err "ERROR:$g_product restart failed" + logger -p kern.err "ERROR:$g_product $COMMAND failed" rc=6 fi @@ -4012,7 +3969,6 @@ g_refreshchains=:none: g_confess= g_update= - g_convert= g_annotate= g_recovering= g_timestamp= @@ -4021,14 +3977,10 @@ g_conditional= g_file= g_doing="Compiling" - g_directives= g_inline= - g_tcrules= g_counters= g_loopback= g_compiled= - g_routestopped= - g_notrack= VERBOSE= VERBOSITY=1 @@ -4207,7 +4159,7 @@ run_it $g_firewall $g_debugging reset $@ [ -n "$g_nolock" ] || mutex_off ;; - restart) + reload|restart) get_config Yes Yes shift restart_command $@ diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall-core-4.6.13/lib.common shorewall-core-5.0.0/lib.common --- shorewall-core-4.6.13/lib.common 2015-09-07 11:35:47.000000000 -0700 +++ shorewall-core-5.0.0/lib.common 2015-10-08 13:16:32.000000000 -0700 @@ -1,7 +1,7 @@ # -# Shorewall 4.5 -- /usr/share/shorewall/lib.common. +# Shorewall 5.0 -- /usr/share/shorewall/lib.common. # -# (c) 2010-2014 - Tom Eastep (teastep@shorewall.net) +# (c) 2010-2015 - Tom Eastep (teastep@shorewall.net) # # Complete documentation is available at http://shorewall.net # 
@@ -71,90 +71,18 @@ } # -# Get the Shorewall version of the passed script -# -get_script_version() { # $1 = script - local temp - local version - local ifs - local digits - local verbosity - - if [ -z "$WORKAROUNDS" -o "$g_compiled" = "$g_file" ]; then - # - # Unless WORKAROUNDS=No, either this script was just compiled or AUTOMAKE - # determined that re-compilation wasn't needed - # - temp="$SHOREWALL_VERSION" - else - verbosity="$VERBOSITY" - VERBOSITY=0 - - temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 ) - fi - - if [ -z "$temp" ]; then - version=0 - else - temp=${temp%-*} - ifs=$IFS - IFS=. - temp=$(echo $temp) - IFS=$ifs - digits=0 - - for temp in $temp; do - version=${version}$(printf '%02d' $temp) - digits=$(($digits + 1)) - [ $digits -eq 3 ] && break - done - fi - - echo $version - - VERBOSITY="$verbosity" -} - -# -# Do required exports or create the required option string and run the passed script using +# Create the required option string and run the passed script using # $SHOREWALL_SHELL # run_it() { local script local options - local version export VARDIR script=$1 shift - version=$(get_script_version $script) - - if [ $version -lt 040408 ]; then - # - # Old script that doesn't understand 4.4.8 script options - # - export RESTOREFILE - export VERBOSITY - export NOROUTES=$g_noroutes - export PURGE=$g_purge - export TIMESTAMP=$g_timestamp - export RECOVERING=$g_recovering - - case "$g_program" in - *-lite) - # - # Shorewall Lite - # - export LOGFORMAT - export IPTABLES - ;; - esac - else - # - # 4.4.8 or later -- no additional exports required - # if [ x$1 = xtrace -o x$1 = xdebug ]; then options="$1 -" shift; @@ -171,7 +99,6 @@ options="${options}V $VERBOSITY" [ -n "$RESTOREFILE" ] && options="${options} -R $RESTOREFILE" - fi $SHOREWALL_SHELL $script $options $@ } 
@@ -572,9 +499,9 @@ # # Query NetFilter about the existence of a filter chain # -chain_exists() # $1 = chain name +chain_exists() # $1 = chain name, $2 = table name (optional) { - qt1 $g_tool -L $1 -n + qt1 $g_tool -t ${2:-filter} -L $1 -n } # diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall-core-4.6.13/releasenotes.txt shorewall-core-5.0.0/releasenotes.txt --- shorewall-core-4.6.13/releasenotes.txt 2015-09-08 11:10:31.788531068 -0700 +++ shorewall-core-5.0.0/releasenotes.txt 2015-10-09 13:28:26.289281759 -0700 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 1 3 - ------------------------------ - S e p t e m b e r 0 9 , 2 0 1 5 + S H O R E W A L L 5 . 0 . 0 + ---------------------------- + O c t o b e r 1 0 , 2 0 1 5 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -11,50 +11,13 @@ V. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES ---------------------------------------------------------------------------- - N O T I C E - -Shorewall 4.6.13 is scheduled to be the last 4.6 release. In -the fall of 2015, Shorewall 5.0.0 will be available. Please see -http://www.shorewall.org/Shorewall-5.html for information about -preparing to migrate to Shorewall 5. - ----------------------------------------------------------------------------- I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The 'rules' file manpages have been corrected regarding the packets - that are processed by rules in the NEW section. - -2) Parsing of IPv6 address ranges has been corrected. Previously, use - of ranges resulted in 'Invalid IPv6 Address' errors. - -3) The shorewall6-hosts man page has been corrected to show the - proper contents of the HOST(S) column. - -4) Previously, INLINE statements in the mangle file were not - recognized if a chain designator (:F, :P, etc.) followed - INLINE(...). As a consequence, additional matches following a - semicolon were interpreted as column/value pairs unless - INLINE_MATCHES=Yes, resulting in compilation failure. - -5) Inline matches on IP[6]TABLE rules could be ignored if - INLINE_MATCHES=No. They are now recognized. - -6) Specifying an action with a logging level in one of the _DEFAULT - options in shorewall[6].conf (e.g., REJECT_DEFAULT=Reject:info) - produced a compilation error: - - ERROR: Invalid value (:info) for first Reject parameter - /usr/share/shorewall/action.Reject (line 52) - - That has been corrected. Note, however, that specifying logging - with a default action tends to defeat one of the main purposes of - default actions which is to suppress logging. +1) This release includes defect repair up through Shorewall 4.6.13.1. 
-7) Previously, it was necessary to set TC_EXPERT=Yes to have full - access to the user mark in fw marks. That has been corrected so - that any place that a mark or mask can be specified, both the TC - mark and the User mark are accessible. +2) The compiled script now uses the %e date format rather than %_d, + for Busybox compatibilty. (Erich Titl) ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -67,252 +30,214 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) 'update -t' now converts both the tcrules and tos files. - -2) 'second' and 'minute' are now allowed in the LOGLIMIT - specification in place of 'sec' and 'min' respectively. - -3) The 'update' command now converts additional deprecated option - settings: +1) To make the command names more accurately reflect what they do, + several changes have been included: - - LOGRATE/LOGBURST are converted to the equivalent LOGLIMIT - setting. + a) Beginning with this release, the 'restart' command now does a + true restart and is equivalent to a 'stop' followed by a + 'start'. - - BLACKLISTNEWONLY is now converted to the equivalent BLACKLIST - setting. + b) The pre-5.0.0 'load' command has been renamed 'remote_start'. -4) Two settings now have more reasonable defaults if they don't appear - in the .conf file being updated: + c) The pre-5.0.0 'reload' command has been renamed 'remote_reload'. - - USE_DEFAULT_RT now defaults to No - - EXPORTMODULES now defaults to No. + c) The 'reload' command now performs the same function as the + pre-5.0.0 'restart' command. -5) When the 'update' command is converting a deprecated file, it now - makes additional checks when it finds a target file (mangle, - stoppedrules or blrules) to append the converted rules to: + d) A 'remote_restart' command has been added to Shorewall and + Shorewall6 to allow a remote 'restart' after updating the + remote firewall system's compiled script. - - If the file is in the directory $SHAREDIR/$product/configfiles/, - the file is not opened. - - If the file is in the directory - $SHAREDIR/doc/$product/default-config/, the file is not opened. - - If the file is not writable, the file is not opened. +2) For those that can't get used to the idea of using 'reload' in + place of 'restart', a LEGACY_RESTART option has been added. 
The + option defaults to No but if set to Yes, then the 'restart' command + does what it has always done. - When the file isn't opened because of one of these checks, an - attempt is made to create a new file in either the directory - specified on the command line (if any) or in the first directory - listed in the CONFIG_PATH setting. +3) It is now possible to limit connections by destination address in + the rules file by prefixing the CONNLIMIT setting with 'd:'. ----------------------------------------------------------------------------- - I V. M I G R A T I O N I S S U E S ----------------------------------------------------------------------------- +4) While the WORKAROUNDS setting is still present in the + shorewall[6].conf files: -1) If you are migrating from Shorewall 4.4.x or earlier, please see - http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.21/releasenotes.txt + a) Its default setting has been changed to No. -2) Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir - and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in - favor of the VARDIR setting in shorewallrc. + b) All workarounds for old distributions have been eliminated. See + the Migration Issues for additional information. - NOTE: While the name of the variable remains VARDIR, the - meaning is slightly different. When set in shorewallrc, - each product (shorewall-lite, and shorewall6-lite) will - create a directory under the specified path name to - hold state information. +5) A number of configuration options have been eliminated: - Example: + - EXPORTPARAMS + - IPSECFILE + - LEGACY_FASTSTART + - LOGRATE * + - LOGBURST * + - WIDE_TC_MARKS * + - HIGH_ROUTE_MARKS * + - BLACKLISTNEWONLY * - VARDIR=/opt/var/ + A fatal error results if those flagged with an asterisk ("*") + appear in the .conf file -- run the 'shorewall[6] update' command + to convert their settings to use supported options. 
- The state directory for shorewall-lite will be - /opt/var/shorewall-lite/ and the directory for - shorewall6-lite will be /opt/var/shorewall6-lite. + A warning is issued if any of the rest appear in the .conf file. + 'shorewall[6] update' will drop them from the file. - When VARDIR is set in /etc/shorewall[6]/vardir, the - product will save its state directly in the specified - directory. +7) The -b, -D, -r, -s, -t and -n options have been removed from the + 'update' command. The command now behaves as if all of those + options had been specified. - In Shorewall 4.5.8, a VARLIB variable was added to the shorewallrc - file and the meaning of VARDIR is once again consistent. The - default setting of VARDIR for a particular product is - ${VARLIB}/$product. There is an entry of that form in the - shorewallrc file. Because there is a single shorewallrc file for - all installed products, the /etc/shorewall[6]-lite/vardir file - provides the only means for overriding this default. +6) Support has been removed for the 'blacklist', 'tcrules', + 'routestopped', 'notrack' and 'tos' files. -3) Begining with Shorewall 4.5.6, the tcrules file is processed if - MANGLE_ENABLED=Yes, independent of the setting of TC_ENABLED. This - allows actions like TTL and TPROXY to be used without enabling - traffic shaping. + The 'update' command will: - If you have rules in your tcrules file that you only want processed - when TC_ENABLED is other than 'No', then enclose them in + - convert the 'tcrules' and 'tos' files to the equivalent 'mangle' + file. - ?IF $TC_ENABLED - ... - ?ENDIF + - convert the 'blacklist' file into an equivalent 'blrules' file. - If they are to be processed only if TC_ENABLED=Internal, then enclose - them in + - convert the routestopped' file into the equivalent 'stoppedrules' + file. - ?IF TC_ENABLED eq 'Internal' - ... - ?ENDIF + - convert a 'notrack' file to the equivalent 'conntrack' file. 
-4) Beginning with Shorewall 4.5.7, the deprecated - /etc/shorewall[6]/blacklist files are no longer installed. Existing - files are still processed by the compiler. Note that blacklist - files may be converted to equivalent blrules files using - 'shorewall[6] update -b'. +7) Beginning with this release, all macros and actions are assumed + to be FORMAT-2. FORMAT-1 macros and actions are no longer supported + and will be silently processed as if they were FORMAT-2. For most + macros and actions, this change will be of no concern, but may cause + compilation errors in rare cases. -5) In Shorewall 4.5.7, the /etc/shorewall[6]/notrack file was renamed - /etc/shorewall[6]/conntrack. When upgrading to a release >= 4.5.7, - the conntrack file will be installed along side of an existing - notrack file. When both files exist, a compiler warning is - generated: +8) Beginning with this release, COMMENT, FORMAT and SECTION lines must + begin with a question mark ("?"). The 'update' command makes these + changes for you. - WARNING: Both notrack and conntrack exist; conntrack is ignored +9) As an alternative to INLINE_MATCHES=Yes, you may now specify inline + matches (raw ip[6]tables text) after a double semicolon (';;'). - This warning may be eliminated by moving any entries in the notrack - file to the conntrack file and removing the notrack file. + Example from the 'masq' file to split SNAT between two public + addresses on eth1: -6) In Shorewall 4.5.8, the /etc/shorewall[6]/routestopped files were - deprecated if favor of new /etc/shorewall[6]/stoppedrules - counterparts. The new files have much more familiar and - straightforward semantics. Once a stoppedrules file is populated, - the compiler will process that file and will ignore the - corresponding routestopped file. + #INTERFACE SOURCE ADDRESS + eth1 - 1.2.3.1 ;; -m statistic --mode random --probability 0.50 + eth1 - 1.2.3.2 -7) In Shorewall 4.5.8, a new variable (VARLIB) was added to the - shorewallrc file. 
This variable assumes the role formerly played by - VARDIR, and VARDIR now designates the configuration directory for a - particular product. +10) Options in shorewall[6].conf that accept a log level now also allow + specification of a log tag. - This change should be transparent to all users: + Example: - a) If VARDIR is set in an existing shorewallrc file and VARLIB is - not, then VARLIB is set to ${VARDIR} and VARDIR is set to - ${VARLIB}/${PRODUCT}. + TCP_FLAGS_LOG_LEVEL=info:,tcpflags - b) If VARLIB is set in a shorewallrc file and VARDIR is not, then - VARDIR is set to ${VARLIB}/${PRODUCT}. +11) A PROBABILITY column has been added to the masq file. One usage + scenario is to balance SNAT between two or more IP addresses on a + WAN interface: - The Shorewall-core installer will automatically update - ~/.shorewallrc and save the original in ~/.shorewallrc.bak + #INTERFACE SOURCE ADDRESS + eth1 - 1.2.3.4 { probability=0.50 } + eth2 - 1.2.3.5 -8) Previously, the macro.SNMP macro opened both UDP ports 161 and 162 - from SOURCE to DEST. This is against the usual practice of opening - these ports in the opposite direction. Beginning with Shorewall - 4.5.8, the SNMP macro opens port 161 from SOURCE to DEST as before, - and a new SNMPTrap macro is added that opens port 162 (from SOURCE - to DEST). +12) Previously, when chain names were included in a 'reset' command, + they were assumed to be filter table chains. Now, both a table name + and a chain name can be given (e.g., mangle:PREROUTING). The + specified table remains the default for the remainder of the + command unless a following entry also includes a table name. -9) Beginning with Shorewall 4.5.11, ?FORMAT is preferred over FORMAT - for specifying the format of records in these configuration files: +13) An action for Gluster FS (action.GlusterFS) has been added. See the + action file for a description of the parameters. 
- action.* files - conntrack - interface - macro.* files - tcrules +---------------------------------------------------------------------------- + I V. M I G R A T I O N I S S U E S +---------------------------------------------------------------------------- - While deprecated, FORMAT (without the '?') is still supported. +1) If you are migrating from Shorewall 4.4.x or earlier, please see + http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.21/releasenotes.txt - Also, ?COMMENT is preferred over COMMENT for attaching comments to - generated netfilter rules in the following files. +2) It is strongly recommended that you first upgrade your installation + to a 4.6 release >= 5.6.12 prior to upgrading to Shorewall 5.0. - accounting - action.* files - blrules files - conntrack - masq - nat - rules - secmarks - tcrules - tunnels + Once you are on the Shorewall 4.6 release: - When one of the deprecated forms is encountered, a warning message - is issued. + - shorewall update -A - Examples: + If you also run Shorewall6: - WARNING: 'FORMAT' is deprecated in favor of '?FORMAT' - - consider running 'shorewall update -D'. + - shorewall6 update -A - WARNING: 'COMMENT' is deprecated in favor of '?COMMENT' - - consider running 'shorewall update -D'. + These steps are necessary because Shorewall 5.0: - As the warnings indicate, 'update -D' will traverse the CONFIG_PATH - replacing FORMAT and COMMENT lines with ?FORMAT and ?COMMENT - directives respectively. The original version of modified files - will be saved with a .bak suffix. + - Does not contain support for the 'tcrules' and 'tos' files -- + existing 'tcrules' and 'tos' files must be converted to an + equivalent set of 'mangle' file entries. - During the update, .bak files are skipped as are files in - ${SHAREDIR}/shorewall and ${SHAREDIR}/shorewall6. + - Does not contain support for the 'blacklist' file -- it must + be converted to an equivalent 'blrules' file. 
-10) To allow finer-grained selection of the connection-tracking states - that are passed through blacklists (both dynamic and static), a - BLACKLIST option was added to shorewall.conf and shorewall6.conf in - Shorewall 4.5.13. + - Does not contain support for the 'notrack' file -- it must be + converted to an equivalent 'conntrack' file. - The BLACKLISTNEWONLY option was deprecated at that point. A - 'shorewall update' ( 'shorewall6 update' ) will replace the - BLACKLISTNEWONLY option with the equivalent BLACKLIST option. + - Does not contain support for the 'routestopped' file -- it must + be converted to an equivalent 'stoppedrules' file. -11) In Shorewall 4.5.14, the BLACKLIST_LOGLEVEL option was renamed - BLACKLIST_LOG_LEVEL to be consistent with the other log-level - option names. BLACKLIST_LOGLEVEL continues to be accepted as a - synonym for BLACKLIST_LOG_LEVEL, but a 'shorewall update' or - 'shorewall6 update' command will replace BLACKLIST_LOGLEVEL with - BLACKLIST_LOG_LEVEL in the new .conf file. + Note that you can run the update command(s) after you upgrade to + Shorewall 5 but your firewall will not work correctly until + you do those update(s). -12) Beginning with Shorewall 4.6.0, the default setting for 'ZONE2ZONE' - is '-' rather than '2'. If you prefer to keep your pre-4.6.0 chain - names, then specify ZONE2ZONE=2 in shorewall[6].conf. +3) The following configuration options have been eliminated: -13) Beginning with Shorewall 4.6.0, section headers are now preceded by - '?' (e.g., '?SECTION ...'). If your configuration contains any - bare 'SECTION' entries, the following warning is issued: + - EXPORTPARAMS + - IPSECFILE + - LEGACY_FASTSTART + - LOGRATE * + - LOGBURST * + - WIDE_TC_MARKS * + - HIGH_ROUTE_MARKS * + - BLACKLISTNEWONLY * - WARNING: 'SECTION' is deprecated in favor of '?SECTION' - - consider running 'shorewall update -D' ... 
+ A fatal error results if those flagged with an asterisk ("*") + appear in the .conf file -- run the 'shorewall[6] update' command + to convert their settings to use supported options. - As mentioned in the message, running 'shorewall[6] update -D' will - eliminate the warning. + A warning is issued if any of the rest appear in the .conf file. + 'shorewall[6] update' will drop them from the file. -14) Beginning with Shorewall 4.6.0, the 'tcrules' file has been - superceded by the 'mangle' file. Existing 'tcrules' files will - still be processed, with the restriction that TPROXY is no longer - supported in FORMAT 1. +4) To make the command names more accurately reflect what they do, + several changes have been included: - If your 'tcrules' file has non-commentary entries, the following - warning message is issued: + a) Beginning with this release, the 'restart' command now does a + true restart and is equivalent to a 'stop' followed by a + 'start'. - WARNING: Non-empty tcrules file (...); - consider running 'shorewall update -t' + b) The pre-5.0.0 'load' command has been renamed 'remote_start'. - See shorewall6(8) for limitations of 'update -t'. + c) The pre-5.0.0 'reload' command has been renamed 'remote_reload'. -15) The default value of LOAD_HELPERS_ONLY is now 'Yes'. + c) The 'reload' command now performs the same function as the + pre-5.0.0 'restart' command. -16) Beginning with Shorewall 4.6.0, FORMAT-1 actions and macros are - deprecated and a warning will be issued for each FORMAT-1 action - or macro found. + d) A 'remote_restart' command has been added to Shorewall and + Shorewall6 to allow a remote 'restart' after updating the + remote firewall system's compiled script. - WARNING: FORMAT-1 actions are deprecated and support will be - dropped in a future release. + For those that can't get used to the idea of using 'reload' in + place of 'restart', a LEGACY_RESTART option has been added. 
The + option defaults to No but if set to Yes, then the 'restart' command + does what it has always done. - WARNING: FORMAT-1 macros are deprecated and support will be - dropped in a future release. +5) While the WORKAROUNDS setting is still present in the + shorewall[6].conf file: - To eliminate these warnings, add the following line before the - first rule in the action or macro: + a) It's default setting has been changed to No. - ?FORMAT 2 + b) All workarounds for old distributions have been eliminated. See + the Migration Issues for additional information. - and adjust the columns appropriately. +6) Beginning with Shorewall 5.0.0, all macros and actions are assumed + to be FORMAT-2. FORMAT-1 macros and actions are no longer supported + and will be silently processed as if they were FORMAT-2. For most + macros and actions, this change will be of no concern, but may cause + compilation errors in rare cases. - FORMAT-1 actions have the following columns: + To review, FORMAT-1 actions have the following columns: TARGET SOURCE @@ -320,11 +245,11 @@ PROTO DEST PORT(S) SOURCE PORT(S) - RATE/LIMIT + RATE USER/GROUP MARK - while FORMAT-2 actions have these columns: + FORMAT-1 macros have these columns: TARGET SOURCE @@ -332,28 +257,10 @@ PROTO DEST PORT(S) SOURCE PORT(S) - ORIGINAL DEST - RATE/LIMIT - USER/GROUP - MARK - CONNLIMIT - TIME - HEADERS (Used in IPv6 only) - CONDITION - HELPER - - FORMAT-1 macros have the following columns: - - TARGET - SOURCE - DEST - PROTO - DEST PORT(S) - SOURCE PORTS(S) - RATE/LIMIT + RATE USER/GROUP - while FORMAT-2 macros have these columns: + FORMAT-2 actions and macros, on the other hand, have: TARGET SOURCE 
@@ -362,1262 +269,25 @@ DEST PORT(S) SOURCE PORT(S) ORIGINAL DEST - RATE/LIMIT + RATE USER/GROUP MARK CONNLIMIT TIME - HEADERS (Used in IPv6 only) - CONDITION + HEADERS (Only valid for IPv6) + SWITCH HELPER -17) Prior to Shorewall 4.6.4, the stoppedrules file did not work - properly when ADMINISABSENTMINDED=No. - - - A warning message was issued stating that the file would be - processed as if ADMINISABSENTMINDED=Yes, and it was. - - - Unfortunately, part of the surrounding rule-generating logic - proceded as if ADMINISABSENTMINDED=No, leading to an unusable - ruleset. - - In Shorewall 4.6.4, this problem was corrected by changing the way - that stoppedrules works with ADMINISABSENTMINDED=No. In the new - implementation: - - - All existing connections continue to work. - - Response packets and related connection requests to new accepted - connections are accepted (in other words, the resulting ruleset - is stateful). - - See shorewall[6].conf(5) for additional details. - ----------------------------------------------------------------------------- - V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 2 ----------------------------------------------------------------------------- - -4.6.12.1 - -1) Beginning with Shorewall 4.6.10, a fatal error during a start or - restart operation can leave the firewall in an indeterminent state. - That problem has been corrected so that the intended action takes - place: - - - If there is a current executable RESTOREFILE, then the firewall - is restored using that file. - - - Otherwise, the firewall is placed in the stopped state. - -2) Previously, if 'none' were passed as the log level argument to the - AutoBL action, compilation failed silently. Now, the intended - behavior (no logging) is produced. - -4.6.12 - -1) This release includes defect repair up through Shorewall 4.6.11.1. 
- -2) Previously, when Perl 5.18.0 or later was used with Shorewall, - multiple compilations of an unchanging configuration could produce - different but equivalent script files. Now, the script files - produced will be identical (except for dates and times) for any - given Shorewall version. - -3) Previously, if a binary interface option (those that have a value - of zero or 1) was specified with a value of zero on such an - interface, compilation failed. - - For example, this interface definition: - - - eth2 arp_filter=0,routeback=0,tcpflags=0,proxyarp=0 - - would generate the following error message: - - ERROR: The "routeback" option may not be specified on a - multi-zone interface - - Now, the option is allowed. - -4) Several issues with 'update -b' have been corrected. - ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 1 2 ----------------------------------------------------------------------------- - -1) The initial 'Compiling...', 'Checking...' and 'Updating..." - progress messages now include the Product name and version. - -2) Debian-specific .service files have been added. - -3) There are now two shorewallrc files for Debian - one for sysvinit - and one for systemd. The configure and configure.pl scrips - determine which to use by examining /sbin/init. - -4) Two new options are available for the 'update' command: - - -r converts a routestopped file to an equivalent stoppedrules file. - - -n converts a notrack file to an equivalent conntrack file. If - there is already an existing conntrack file, the converted rules - are appended to the existing file. - - WARNING: If you include /usr/share/shorewall/configfiles (or - wherever your distro places empty files) in your CONFIG_FILE - setting and there is no new file in your config directory (such as - /etc/shorewall), then the 'update' command will update the copy of - the file in /usr/share/shorewall/configfiles. 
This is probably not - what you want, since files in that directory (or your distro's - corresponding directory) will be overwritten by the next upgrade. - -5) Shorewall now uses NYTProf as its profiler rather than the - deprecated DProf. - ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 1 ----------------------------------------------------------------------------- - -1. This release includes defect repair up to and including Shorewall - 4.6.10.1. - -2. Previously, when the -c option was given to the 'compile' command, - the progress message "Compiling..." was issued before it was - determined if compilation was necessary. Now, that message is - suppressed when re-compilation is not required. - -3. Previously, when the -c option was given to the 'compile' command, - the 'postcompile' extension script was executed even when there was - no (re-)compilation. Now, the 'postcompile' script is only invoked - when a new script is generated. - -4. If CONFDIR was other than /etc, then ordinary users would not - receive a clear error message when they attempted to execute one of - the commands that change the firewall state. - -5. Previously, IPv4 DHCP client broadcasts were blocked by the - 'rpfilter' interface option. That has been corrected. - -6) The 'update' command incorrectly added the INLINE_MATCHES option - to shorewall6.conf with a default value of 'Yes'. This caused - 'start' to fail with invalid ip6tables rules when the alternate - input format using ';' is used. - ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 1 1 ----------------------------------------------------------------------------- - -1) Over the years, a number of changes have been added to Shorewall - that work around defects in other products. 
When running a current - distribution, these workarounds are unnecessary and add to the time - required for normal Shorewall operations. - - Beginning in this release, those workarounds may be disabled by - setting WORKAROUNDS=No in shorewall.conf. - -2) Previously, both lib.cli and lib.cli-std included nearly-identical - usage() functions. Now, only lib.cli includes the function which - produces its output based on which product's CLI is invoking it. - -3) To accomodate compiled scripts produced by Shorewall versions - before 4.4.8, Shorewall products from 4.4.8 onward have run scripts - twice. The first time is simply to capture the output of the - 'version' command. Based on the script's version, it is then invoked - to execute the requested command. - - Beginning in this release, scripts will only be run once if: - - - WORKAROUNDS=No, or - - the script was compiled as part of executing the command, or - - AUTOMAKE=Yes and it was determined that re-compilation was not - required. - -4) When the 'conntrack' utility program is installed, the 'show - connections' command can now display a subset of the entire - conntrack table by simply following the 'connections' keyword with - one or more conntrack filter parameters. - - For example, to display all http connections: - - shorewall show connections -p tcp --dport 80 - - See conntrack(8) for a description of the available parameters. - -5) To ensure that the compiler has an adequate PATH, the default - Shorewall PATH is now appended to the compiler's active PATH. - ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 0 ----------------------------------------------------------------------------- - -1) On some distributions, Shorewall-init would fail if one of the - configured products had a problem. Now, Shorewall-init goes on to - the next product rather than stopping. 
- -2) Previously, when startup was disabled (STARTUP_ENABLED=No or no - compiled firewall on a -lite system), exit status 2 was - returned. Now, exit status 6 is returned. - -3) Previously, if SAVE_IPSETS=ipv4 (or ipv6) but the configuration did - not use ipsets, then a superfluous warning message was issued: - - WARNING: Invalid value (ipv4) for SAVE_IPSETS - - That warning is now suppressed. - -4) Previously, the algorithm used to normalize the probabilities - defined in the 'load' provider option was incorrect and could - result in probabilities > 1.0. When this occurred, the firewall - would fail to start. - ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 1 0 ----------------------------------------------------------------------------- - -1) Previously, the 'ctevents' and 'expevents' options could only be - specified in the conntrack file if a helper was named. That is no - longer necessary. - - Example: - - #ACTION SOURCE DESTINATION PROTO DEST ... - # PORT(S) ... - # - CT:ctevents:assured,destroy\ - all - - - -2) Two new options have been added to the NFQUEUE target. - - - By default, if no userspace program is listening on an NFQUEUE, - then all packets that are to be queued are dropped. When the new - 'bypass' option is used, the NFQUEUE rule is silently bypassed - instead. The packet will move on to the next rule. - - Examples: - - NFQUEUE(bypass) - NFQUEUE(3,bypass) - - - Now, a queue range of the form n:m may be specified. Packets are - then balanced across the given queues. This is useful for - multicore systems: start multiple instances of the userspace - program on queues x, x+1, .. x+n and use "x:x+n". Packets - belonging to the same connection are put into the same nfqueue. - - Examples: - - NFQUEUE(4:6) - NFQUEUE(4:6,bypass) - - Queue ranges are also permitted in an NFQUEUE policy; the - 'bypass' option is not permitted there. - -3) The 'call' command is now documented. 
It provides a way to call - shell functions in the Shorewall libraries or in the generated - script. - - call [ ... ] - - must name a shell function in one of the Shorewall - libraries or in the generated script. The function is first - searched for in lib.base, lib.common, lib.cli and lib.cli-std - (lib.cli-std is not searched by the '-lite' products). If the - function is found, it is called with any supplied s. - - If the function is not found in the libraries, the call command - is passed to the generated script for processing. - -4) Several changes have been made to the processing of the 'load' - option in provider files: - - - load values are normalized to 8-digit precision and 10-byte - length. - - a warning is issued if the sum of the loads is not 1.000000. - - if the normalized probability for an interface is >= - 1.000000 then the probability match part of the generated rule is - omitted. - -5) There is now an ipv6 'findgw' skeleton file. - -6) The 'disable' and 'enable' commands now succed if the interface is - already disabled or enabled respectively. Tuomo Soini. - ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 9 ----------------------------------------------------------------------------- - -1) This release contains defect repair from Shorewall 4.6.8.1 and - earlier releases. - -2) The means for preventing loading of helper modules has been - clarified in the documentation. - -3) The SetEvent and ResetEvent actions previously set/reset the event - even if the packet did not match the other specified columns. This - has been corrected. - -4) Previously, the 'show capabilities' command was ignoring the - HELPERS setting. This resulted in unwanted modules being autoloaded - and, when the -f option was given, an incorrect capabilities file - was generated. 
- -6) Previously, when 'wait' was specified for an interface, the - generated script erroneously checked for required interfaces on all - commands rather than just start, restart and restore. - ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 9 ----------------------------------------------------------------------------- - -1) There is now a TCPMSS Target (TCPMSS_TARGET) capability. Your - iptables and kernel must support this capability in order to use - the CLAMPMSS option in shorewall.conf and the 'mss=' option in the - zones, interfaces and hosts files. This capability was added when - it was learned that Debian on ARM doesn't provide the feature. - - When using a capabilities file from at earlier release, the - compiler assumes that this capability is available, since most - distributions have traditionally provided the capability. - -2) The CLI manpages now state explicitly that 'list' and 'ls' are - synonyms for 'show' and refer the reader to the description of - 'show'. - -3) The complete syntax of each CLI command is now repeated in the - detailed description of the command in the man pages. - -4) Tuomo Soini has contributed a QUIC macro. - -5) The JabberSecure macro is now deprecated. Configure Jabber to use - TLS and use the Jabber macro instead. (Tuomo Soini). - -6) The enable and disable commands now execute more quickly on slow - hardware. - -7) The CLI programs now support a 'reenable' command. This command is - logically equivalent to a 'disable' command followed by an 'enable' - command, with the exception that no error is generated if the - specified interface or provider is disabled at the time the - command is given. - ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 
8 ----------------------------------------------------------------------------- - -1) This release includes defect repair from Shorewall 4.6.6.2 and - earlier releases. - -2) Previously, when the -n option was specified and NetworkManager was - installed on the target system, the Shorewall-init installer would - still create - ${DESTDIR}etc/NetworkManager/dispatcher.d/01-shorewall, regardless - of the setting of $CONFDIR. That has been corrected such that the - directory - ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall is - created instead. - -3) Previously, handling of the IPTABLES and IP6TABLES actions in the - conntrack file was broken. nfw provided a fix on IRC. - -4) The Shorewall-core and Shorewall6 installers would previously - report incorrectly that the product release was not installed. Matt - Darfeuille provided fixes. - ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 8 ----------------------------------------------------------------------------- - -1) The CLI programs (shorewall, shorewall6, etc) now support 'open' - and 'close' commands. The 'open' command temporarily opens the - firewall for a specified type of connection; the syntax is: - - open [ [ ] ] - - The and may be any of the following: - - - a host IP address - - a network IP address - - a valid DNS name (usual warnings apply) - - the word 'all', indicating that the or is - not restricted - - The protocol may be specified by number or by a name. Same with - . - - Example: Open SSH connections to 1.2.3.4 in Shorewall: - - shorewall open all 1.2.3.4 tcp ssh - - The 'close' command reverses the effect of an earlier 'open' - command and has two forms: - - close - close [ is the number displayed in the - 'num' column of the 'shorewall list opens' command (see below). - - In the second form, the parameters must match those of the earlier - 'open' command to be reversed. 
All temporary connections opens may - be deleted by simply restarting the firewall. - - Both commands require that the firewall be in the started state and - that DYNAMIC_BLACKLIST=Yes in the active configuration. - - The iptables rules created via 'open' commands can be displayed - using the 'show opens' command. - - Example (after the above open command was executed): - - Shorewall 4.6.8 Temporarily opened connections at gateway - Fri Mar 6 09:47:06 PST 2015 - Chain dynamic (14 references) - num pkts bytes target prot opt in out source destination - 1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 1.2.3.4 multiport dports 22 - root@gateway:~# - -2) A 'safesets' command is now available to proactively save changes - to ipset contents. Using this command can guard against accidental - loss of ipset changes in the event of a system failure before a - 'stop' command has been completed. The exact action taken by the - command depends on the setting of SAVE_IPSETS in shorewall[6].conf. - -3) The SOURCE and DEST columns in the rtrules file may now contains - comma-separated lists of addresses. - ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 7 ----------------------------------------------------------------------------- - -None. - ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 7 ----------------------------------------------------------------------------- - -1) The 'tunnels' file now supports 'tinc' tunnels. - -2) Previously, the SAME action in the mangle file had a fixed timeout - of 300 seconds (5 minutes). That action now allows specification of - a different timeout. - -3) It is now possible to add or delete addresses from an ipset with - entries in the mangle file. The ADD and DEL actions have the same - behavior in the mangle file as they do in the rules file. 
- ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 6 ----------------------------------------------------------------------------- - -1) This release includes defect repair from Shorewall 4.6.5.5 and - earlier releases. - -2) Previously, a line beginning with 'shell' was interpreted as a - shell script. Now, the line must begin with 'SHELL' - (case-sensitive). - - Note that ?SHELL and BEGIN SHELL are still case-insensitive. - ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 6 ----------------------------------------------------------------------------- - -4.6.6.2 - -1) The compiler failed to parse the construct +[n] where n is an - integer (e.g., +bad[2]). - -2) Orion Paplawski has provided a patch that adds 'ko.xz' to the - default MODULE_SUFFIX setting. This change deals with recent Fedora - releases where the module names now end with ".ko.xz". - - In addition to Orion's patch, the sample configurations have been - modified to specify MODULE_SUFFIX="ko ko.xz". - -4.6.6.1 - -1) Previously the SAVE and RESTORE actions were erroneously disallowed - in the INPUT chain within the mangle file. - -2) The manpage descriptions of the mangle SAVE and RESTORE actions - incorrectly required a slash (/) prior to the mask value. - -3) Race conditions could previously occur between the 'start' command - and the 'enable' and 'disable' commands. - -4) The 'update' command incorrectly added the INLINE_MATCHES option - to shorewall.conf with a default value of 'Yes'. This caused - 'start' to fail with invalid iptables rules when the alternate - input format using ';' is used. - -6) Previously the LOCKFILE setting was not propagated to the generated - script. So when the script was run directly, the script - unconditionally used ${VARDIR}/lock. 
- -1) Previously, the firewall products (Shorewall, Shorewall6 and - *-lite) specified "After=network.target" in their .service files. - - Beginning with this release, those products specify - "After=network-online.target" like the service.214 files. This - change is intended to delay firewall startup until after network - initialization is complete. - -2) The 'TARPIT' target is now supported in the rules file. Using this - target requires the appropriate support in your kernel and - iptables. This feature implements a new "TARPIT Target" capability, - so if you use a capabilities file, then you need to regenerate the - file after installing this release. - - TARPIT captures and holds incoming TCP connections using no local - per-connection resources. - - - TARPIT only works with the PROTO column set to tcp (6), and is - totally application agnostic. This module will answer a TCP request - and play along like a listening server, but aside from sending an - ACK or RST, no data is sent. Incoming packets are ignored and - dropped. The attacker will terminate the session eventually. This - module allows the initial packets of an attack to be captured by - other software for inspection. In most cases this is sufficient to - determine the nature of the attack. - - - This offers similar functionality to LaBrea - but does not require dedicated - hardware or IPs. Any TCP port that you would normally DROP or - REJECT can instead become a tarpit. - - The target accepts a single optional parameter: - - tarpit (default) - - This mode completes a connection with the attacker but limits - the window size to 0, thus keeping the attacker waiting long - periods of time. While he is maintaining state of the - connection and trying to continue every 60-240 seconds, we - keep none, so it is very lightweight. Attempts to close the - connection are ignored, forcing the remote side to time out - the connection in 12-24 minutes. 
- - honeypot - - This mode completes a connection with the attacker, but - signals a normal window size, so that the remote side will - attempt to send data, often with some very nasty exploit - attempts. We can capture these packets for decoding and - further analysis. The module does not send any data, so if - the remote expects an application level response, the game - is up. - - reset - - This mode is handy because we can send an inline RST - (reset). It has no other function. - -3) A 'loopback' option has been added to the interfaces files to - designate the interface as the loopback device. This option is - assumed if the device's physical name is 'lo'. Only one - interface may specify 'loopback'. - - If no interface has physical name 'lo' and no interface specifies - the 'loopback' option, then the compiler implicitly defines an - interface as follows: - - #ZONE INTERFACE OPTIONS - - lo ignore,loopback - -4) The compiler now takes advantage of the iptables 'iface' match - capability for identifying loopback traffic. - -5) The 'primary' provider option has been added as a synonym for - 'balance=1'. The rationale for this addition is that 'balance' - seems inappropriate when only a single provider specifies that - option. For example, if there are two providers and one specifies - 'fallback', then the other would specify 'primary' rather than - 'balance'. - -6) Two new Macros have been contributed: - - Zabbix - Tuomo Soini - Tinc - Răzvan Sandu - ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 5 ----------------------------------------------------------------------------- - -4.6.5.5 - -1) The Shorewall-init ifupdown scripts were looking for the firewall - script in the wrong directory. Correction was provider by Tuomo - Soini. - -4.6.5.4 - -1) The '-c' option of the 'dump' and 'show routing' commands is now - documented. 
- -2) The handling of the 'DIGEST' environmental variable has been - corrected in the Shorewall installer. Previously, specifying that - option would not correctly update the Chains module which led to a - Perl compilation failure. - -3) Handling of ipset names on PORT columns has been - corrected. Previously, such usage resulted in an invalid iptables - rule being generated. - -4.6.5.3 - -1) The Shorewall-init scripts were using the incorrect - variable to set the state directory. - -2) For normal dynamic zones, the 'add' command failed with a - diagnostic such as: - - ERROR: Zone ast, interface net0 does not have a dynamic host list - -3) When a mark range was used in the marks (tcrules) file, a run-time - error occured while attempting to load the generated ruleset. - -4.6.5.2 - -1) LOG_BACKEND=LOG failed at run-time for all but the most recent - kernels. - -4.6.5.1 - -1) The generated script can now detect an gateway address assigned by - later versions of that program (Alan Barrett). - -2) In 4.6.5, the bash-based configure script would issue the following - diagnostic if SERVICEDIR was not specified in the shorewallrc - file: - - ./configure: line 199: [SERVICEDIR]=: command not found - - This was compounded by the fact that all of the released - shorewallrc files still specified SYSTEMDDIR rather than SERVICEDIR - (Evangelos Foutras) - -3) The shorewallrc.archlinux file now reflects a change in SBINDIR - that occurred in Arch Linux in mid 2013 (Evangelos Foutras). - -4.6.5 - -1) This release includes defect repair through release 4.6.4.3. - -2) On kernel 3.17, LOG_BACKEND=LOG previously failed with the - diagnostics: - - Setting up log backend - /var/lib/shorewall/.restart: line 2075: echo: write error: - No such file or directory - WARNING: Unable to set log backend to ipt_LOG - -3) A number of corrections have been made to the manpages (Thomas D). 
- -4) Previously, if $OPTIONS was set in /etc/sysconfig/shorewall-init, - then servicd failed to start/stop Shorewall-init. - ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 5 ----------------------------------------------------------------------------- - -1) The configure scripts and installers now support SERVICEDIR as an - alternative to SYSTEMD. For compatability, SERVICED is an alias - for SERVICEDIR. - -2) The installers now offer a choice of .service files, selected by - the SERVICEFILE option. The default remains $PRODUCT.service. Each - product supplying a .service file now supplies a .service.214. The - differences between the standard .service files and the service.214 - files are: - - a) They specify 'after=network-online.target' rather than - 'after=network.target'. - - b) The file shorewall-init.service.214 specifies - 'before=network-pre.target' rather than - 'before=network.target'. That file requires serviced 214 or - later, hence the names of the new files. - - Regardless of which file is selected, it is installed in - $SERVICEDIR/$PRODUCT.service. - -3) The RATE LIMIT column of the rules files now allows specification - of both a per-source and per-destination limit. See - shorewall[6]-rules(5) for details. - -4) Previously, /bin/sh was used unconditionally to process the helper - script 'getparams'. That shell script reads the params file and - passes back the (variable,value) pairs to the compiler. Beginning - with this release, $SHOREWALL_SHELL is used to process that script, - unless the compilation is for export, in which case /bin/sh is - still used. - - Note that the default value of $SHOREWALL_SHELL is /bin/sh, so - unless your configuration sets that variable, this enhancement will - have no effect. Similarly, on an administrative system, this - enhancement has no effect on the processing of the 'compile -e', - 'load', 'reload' and 'export' commands. 
- -5) A -C option has been added to several commands to allow the - ip[6]tables packet and byte counters to be preserved. - - - save command - - Causes the packet and byte counters to be saved along with the - chains and rules. - - - restore command - - Causes the packet and byte counters (if saved) to be restored - along with the chains and rules. - - - start command - - With Shorewall and Shorewall6, the -C option only has an effect - if the -f option is also specified. If a previously-saved - configuration is restored, then the packet and byte counters (if - saved) will be restored along with the chains and rules. - - - restart command - - If an existing compiled script is used (no recompilation - required) and if that script generated the current running - configuration, then the current netfilter configuration is - reloaded as is so as to preserve the current packet and byte - counters. - - If you wish to (approximately) preserve the counters over a - possibly unexpected reboot, then: - - - Create a cron job that periodically does 'shorewall save -C' - - - Specify the -C and -f option in the STARTOPTIONS variable in - either /etc/default/shorewall[6][-lite] or - /etc/sysconfig/shorewall[6][-lite], whichever is supported by your - distribution. Note that some distributions do not distribute these - files so you may have to create the one(s) you need (such as - /etc/sysconfig/shorewall). - ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 4 ----------------------------------------------------------------------------- - -4.6.4.1 - -1) Confusing 'usage' output was produced under the following - conditions: - - a) 4.6.4 installed - - b) The running firewall was compiled on an earlier release. - - c) A 'safe-start', 'save-restart', 'save' or 'try' command is - executed. - - This problem has been corrected. 
- -2) The 'optional' option has been removed from the IPv4 Universal - interfaces file, as that option caused startup failures. - -4.6.4 Final. - -1) This release includes defect repair through release 4.6.3.4. - -2) Two corrections have been made to the .service files: - - - The .service files now correctly specify - - WantedBy=basic.target - - - Conflicting services have been added. - -3) A warning message generated during stoppedrules processing - previously referred to the file as routestopped. - -4) Previously, the stoppedrules file did not work properly when - ADMINISABSENTMINDED=No. - - - A warning message was issued stating that the file would be - processed as if ADMINISABSENTMINDED=Yes, and it was. - - - Unfortunately, part of the surrounding rule-generating logic - proceded as if ADMINISABSENTMINDED=No, leading to an unusable - ruleset. - - This problem has been corrected by changing the way that - stoppedrules works with ADMINISABSENTMINDED=No. In the new - implementation: - - - All existing connections continue to work. - - Response packets and related connection requests to new accepted - connections are accepted (in other words, the resulting ruleset - is stateful). - - See shorewall[6].conf(5) for additional details. - -5) The .spec files now set SBINDIR correctly. - -6) The -lite installers now create INITDIR if it doesn't exist. - -7) The installers no longer attempt to create a symbolic link to the - init script when no init script is installed. - -8) A large number of defects in the uninstallers have been corrected. - ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 4 ----------------------------------------------------------------------------- - -1) Install support for Centos 7 and Foobar 7 has been added (Tuomo - Soini). - -2) A 'terminating' option has been added to shorewall[6].actions. 
- this option, when used with the 'builtin' option, indicates to the - compiler that the built-in action is terminating. This allows the - optimizer to omit rules after an unconditional jump to the - built-in. - -3) A LOG_BACKEND option has been added to allow specification of the - default logging backends. See shorewall.conf(5) and - shorewall6.conf(5) for details. - -4) The SAVE_IPSETS option may now specify a list of ipsets to be - saved. When such a list is specified, only those ipsets together - with the ipsets supporting dynamic zones are saved. - - Shorewall6 now supports the SAVE_IPSETS option. When - SAVE_IPSETS=Yes, only ipv6 ipsets are saved. For Shorewall, if - SAVE_IPSETS=ipv4, then only ipv4 ipsets are saved. Both features - require ipset version 5 or later. - - Note that shorewall.conf and shorewall6.conf may now both specify - SAVE_IPSETS. - -5) The SBINDIR setting for SuSE now defaults to /usr/sbin/. - -6) With the exception of Shorewall-core, the tarball installers and - uninstallers now support a -n option which inhibits any attempt to - change the startup configuration. The -n option can be - automatically invoked by setting the SANDBOX variable to a - non-empty value, either in the environment or in your shorewallrc - file. - ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 3 ----------------------------------------------------------------------------- - -4.6.3.1 - -1) The DNSAmp action released in 4.6.3 matched more packets than it - should have. That has now been corrected. - -4.6.3 - -1) This release contains defect repair up through release 4.6.2.5. - -2) The SAVE_IPSETS option in the Debian version of Shorewall-init now - works correctly. Thomas D. - ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 
3 ----------------------------------------------------------------------------- - -1) A new 'run' command has been implemented. This command allows you - to run an arbitrary command in the context of the generated - script. - - shorewall[6][-lite] run [ ... ] - - Normally, will be a function declared in lib.private. - -2) A DNSAmp action has been added. This action matches recursive UDP - DNS queries. The default disposition is DROP which can be - overridden by the single action parameter (e.g, 'DNSAmp(REJECT)' - will reject these queries). Recursive DNS queries are the basis for - 'DNS Amplification' attacks; hence the action name. - ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 2 ----------------------------------------------------------------------------- - -4.6.2.5 - -1) Previously, when an interface specified the 'physical=' option and - the physical interface name was specified in the INTERFACES column - of the providers file, compilation would fail with diagnostics - similar to the following: - - Use of uninitialized value $physical in pattern match - (m//) at /usr/lib/perl5/vendor_perl/5.18.1/ - Shorewall/Providers.pm line 463, <$currentfile> line 2. - ERROR: A provider interface must have at least one - associated zone /opt/etc/shorewall/providers (line 2) - -2) Shorewall-init now works correctly on systems with systemd. - By Louis Lagendijk. - -4.6.2.4 - -1) Previously, inline matches were incorrectly disallowed in action - files. These matches are now allowed. - -4.6.2.3 - -1) Previously, the compiler would fail with a Perl diagnostic if: - - - Optimize Level 8 was enabled. - - Perl 5.20 was being used. This is the current Perl version on - Arch Linux. - - The diagnostic was: - - Can't use string ("nat") as a HASH ref while "strict refs" in use - at /usr/share/shorewall/Shorewall/Chains.pm line 3486. 
- -4.6.2.2 - -1) The compiler now correctly detects the IPv6 "Header Match" - capability when LOAD_MODULES_ONLY=No. - -2) The compiler now correctly detects the IPv6 "Ipset Match" - capability on systems running a 3.14 or later kernel. - -3) The compiler now correctly detects "Arptables JF" capability when - LOAD_MODULES_ONLY=No. - -3) The tcfilter manpages previously failed to mention that - BASIC_FILTERS=Yes is required to use ipsets in the tcfilters files. - -4.6.2.1 - -1) Two issues with tcrules processing have been corrected: - - - SAVE and RESTORE generated fatal compilation errors. - - '|' and '&' were ignored. - -4.6.2 - -1) The DSCP match in the mangle and tcrules files didn't work with - service class names such as EF, BE, CS1, ... (Thibaut Chèze) - -2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in - tcrules and mangle; this was a regression from 4.5.21. - -3) Additional ports required by Asus, Supermicro and Dell have been - added to the IPMI macro (Tuomo Soini). - -4) Some issues regarding install under Cygwin64 have been addressed. - - - configure.pl did not understand CYGWIN returned from `uname` - - Shorewall-core install.sh did not understand CYGWIN returned from - `uname`. - - The Shorewall and Shorewall6 installers tried to run the command - 'mkdir -p //etc/shorewall[6]' which is broken in the current - Cygwin64. - ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 2 ----------------------------------------------------------------------------- - -1) The 'status' command now allows a -i option which causes the state - of all optional and provider interfaces to be displayed. 
- - Example: - - root@gateway:/etc/shorewall# shorewall status -i - Shorewall-4.6.1 Status at gateway - Wed Jun 18 14:27:19 PDT 2014 - - Shorewall is running - State:Started (Wed Jun 18 09:50:01 PDT 2014) from /etc/shorewall/ - (/var/lib/shorewall/firewall compiled by Shorewall version 4.6.1) - - Interface eth0 is Enabled - Interface eth1 is Enabled - Interface lo is Enabled - -2) A 'shorewall show blacklists' command has been - implemented. The abbreviation 'bl' may be used in place of - 'blacklists'. - - The command displays the output of the 'dynamic' chain together - with the chains created by entries in the blrules file. - -3) A TIME column has been added to the mangle file. It has the same - use in that file as the corresponding column in the rules file. - -4) A stateful port knocking example has been added to the Events - article (http://www.shorewall.net/Events.html). This example allows - a sequence of knocking ports to be defined (Gerhard Weisinger). - -5) A macro supporting HP's Integrated Lights Out (ILO) has been added - (Tuomo Soini). - -6) It is now possible to specify the MAC address of a provider - GATEWAY. This is useful when there are multiple providers serviced - by a single interface as it avoids the need for the generated - script to detect the MAC during start/restart. - -7) The copyrights in the sample configuration files have been updated. - ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 ----------------------------------------------------------------------------- - -4.6.1.4 - -1) The DSCP match in the mangle and tcrles files didn't work with - service class names such as EF, BE, CS1, ... - -2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in - tcrules and mangle; this was a regression from 4.6.21. 
- -4.6.1.3 - -1) Use of the 'IfEvent' action resulted in a compilation failure: - - ERROR: -j is only allowed when the ACTION is INLINE with no - parameter /usr/share/shorewall/action.IfEvent (line 139) - from /etc/shorewall/action.SSHKnock (line 8) - from /etc/shorewall/rules (line 31) - -4.6.1.2 - -1) The shorewall-masq(5) and shorewall6-masq(5) manpages had a mangled - heading for the description of the SOURCE column, leading some - readers to assert the that description was missing. - -2) When INLINE_MATCHES=Yes and AUTOHELPERS=No, start or restart could - fail during script execution with this diagnostic: - - Running /sbin/iptables-restore... - Bad argument `helper=netbios-ns' - Error occurred at line: nnn - Try `iptables-restore -h' or 'iptables-restore --help' for more - information. - ERROR: iptables-restore Failed. Input is in - /var/lib/shorewall/.iptables-restore-input - -4.6.1.1 - -1) An improved error message is generatred when a server address list - is specified in the DEST colume of a DNAT or REDIRECT - rule. At one time, iptables supported such lists, but now only a - single address or an address range is supported. - - The previous error message was: - - ERROR: Unkknown Host (192.168.1.4,192.168.1.22) - - The new error message is: - - ERROR: An address list (192.168.1.4,192.168.1.22) is not - allowed in the DEST column of a xxx RULE - - where xxx is DNAT or REDIRECT as appropriate. - -2) Two problems have been corrected in the Shorewall-init Debian init - script. - - a) A cosmetic problem which resulted in 'echo_notdone' being - displayed on failure rather than 'not done'. - - b) More seriously, the test for the existance of compiled - firewall scripts was incorrect, with the result that the - firewall scripts were not executed. - - These defects, introduced in Shorewall 4.5.17, have now been - corrected. 
- -4.6.1 - -1) When the 'rpfilter' option is specified on all interfaces, no - references to the 'dynamic' chain were created and that chain was - optimized away. - ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 1 ----------------------------------------------------------------------------- - -1) Tuomo Soini has provided new macros for AMOP, MongoDB, Redis, Sieve - and IPMI (RMCP). - ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 0 ----------------------------------------------------------------------------- - -4.6.0.3 - -1) The Shorewall-init package now installs correctly on RHEL7. - -2) 1:1 NAT is now enabled in IPv6. - -3) A subtle interaction between NAT and sub-zones is explained in - shorewall-nat. - -4) The 'show filters' command now works with Simple TC. - -4.6.0.2 - -1) The 'upgrade -A' command now converts the tcrules file to a mangle - file. Previously, that didn't happen. - -2) The install components now support RHEL7. - -3) Whitespace issues in the skeleton configuration files have been - corrected (Tuomo Soini). - -4) The install components now support RHEL7. - -5) FAQ 2e has been added which describes additional steps required to - achieve hairpin NAT on a bridge where the modified packets are to - go out the same bridge port as they entered. - -6) shorewall-masq(5) has been corrected to include the word SOURCE on - the description of that column. Previously, the description read - '(formerly called SUBNET)'. - -7) The output of 'shorewall show filters' once again shows ingress - (policing) filters. This works around undocumented changes to the - behavior of the 'tc' utility. - -4.6.0.1 - -1) The CHECKSUM target in the tcrules and mangle files was broken and - resulted in this error diagnostic: - - Running /sbin/iptables-restore... 
- iptables-restore v1.4.7: CHECKSUM target: Parameter --checksum-fill is - required - Error occurred at line: 41 - Try `iptables-restore -h' or 'iptables-restore --help' for more - information. - ERROR: iptables-restore Failed. Input is in - /var/lib/shorewall/.iptables-restore-input - - The compiler is now generating the correct rule. - -2) Some cosmetic issues in the 'mangle' files have been resolved. - -3) When an invalid chain designator was supplied in 'tcrules' or - 'mangle', the compiler's error message was garbled and a - Perl diagnostic was issued. - -4.6.0 - -This release includes all defect repair from releases up through -4.5.21.9. + To summarize, if your action or macro only uses the first 6 + columns (which most do), then it will process fine as + FORMAT-2. Otherwise, it must be modified to place specifications in + the proper columns. -1) The tarball installers, now install .service files with mode 644 - rather than mode 600. +7) COMMENT, FORMAT and SECTION lines must now begin with a question + mark ("?"). The 'update' command will change all bare COMMENT, + FORMAT and SECTION lines to include the question mark. ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 0 + V. N O T E S F R O M O T H E R 5 . 0 R E L E A S E S ---------------------------------------------------------------------------- -1) SECTION entries in the accounting and rules files now allow - "SECTION" to be immediately preceded by "?" (e.g., ?SECTION). The - new form is preferred and if any SECTION entries do not have the - question mark, a warning is issued (see Migration Issues below). - -2) The default setting for ZONE2ZONE has been changed from '2' to '-' - for increased readability when zone names contain '2'. - -3) The 'tcrules' file has been superceded by the 'mangle' - file. Existing 'tcrules' files will still be processed, with the - restriction that TPROXY is no longer supported in FORMAT 1. 
- - You can convert your tcrules file into the equivalent mangle file - using the command: - - shorewall update -t - - See shorewall(8) and shorewall6(8) for important restrictions of - the -t option. - -4) Prior to now, the ability to specify raw iptables matches has been - tied to the INLINE action. Beginning with this release, the two can - be separated by specifying INLINE_MATCHES=Yes. - - When INLINE_MATCHES=Yes, then inline matches may be specified after - a semicolon in the following files: - - action files - macros - rules - mangle - masq - - Note that semicolons are not allowed in any other files. If you - want to use the alternative input format in those files, then you - must inclosed the specifications in curly brackets ({...}). The -i - option of the 'check' command will warn you of lines that need to - be changed from using ";" to using "{...}". - -5) The 'conntrack', 'raw', 'mangle' and 'rules' files now support an IPTABLES - (IP6TABLES) action. This action is similar to INLINE in that it - allows arbitrary ip[6]tables matches to be specified after a - semicolon (even when INLINE_MATCHES=No). It differs in that the - parameter passed is an iptables target with target options. - - Example (rules file): - - #ACTION SOURCE DEST PROTO - IPTABLES(TARPIT --honeypot) net pot - - If the particular target that you wish to use is unknown to - Shorewall, you will get this error message: - - ERROR: Unknown TARGET () - - You can eliminate that error by adding your target as a builtin - action in /etc/shorewall[6]/actions. - - As part if this change, the /etc/shorewall[6]/actions file options - have been extended to allow you to specify the Netfilter table(s) - where the target is accepted. When 'builtin' is specified, you can - also include the following options: - - filter - nat - mangle - raw - - If no table is given, 'filter' is assumed for backward - compatibility. - -6) The 'tcpflags' option is now set by default. 
To disable the option, - specify 'tcpflags=0' in the OPTIONS column of the interface file. - -7) You may now use ipset names (preceded by '+') in PORT columns, - allowing you to take advantage of bitmap:port ipsets. - -8) The counter extensions to ipset matches have been - implemented. See shorewall[6]-ipsets for details. - -9) DROP is now a valid action in the stoppedrules files. DROP occurs - in the raw table PREROUTING chain which avoids conntrack entry - creation. - -10) A new BASIC_FILTERS option is now supported. When set to 'Yes', - this option causes the compiler to generate basic TC filters from - tcfilters entries rather than u32 filters. - - Basic filters are more straight-forward than u32 filters and, in - later iptables/kernel versions, basic filters support ipset - matches. Please note that Shorewall cannot reliably detect whether - your iptables/kernel support ipset matches, so an error-free - compilation does not guarantee that the firewall will start - successfully when ipset names are specified in tcfilters entries. - -11) The update command now supports an -A option. This is intended to - perform all available updates to the configuration and is currently - equivalent to '-b -D -t'. - -12) Beginning with this release, FORMAT-1 actions and macros are - deprecated and a warning will be issued for each FORMAT-1 action - or macro found. See the Migration Issues for further information. - -13) To facilitate creation of ipsets with characteristics different - from what Shorewall generates, the 'init' user exit is now executed - before Shorewall creates ipsets that don't exist. diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall-core-4.6.13/shorewall-core.spec shorewall-core-5.0.0/shorewall-core.spec --- shorewall-core-4.6.13/shorewall-core.spec 2015-09-08 11:10:31.788531068 -0700 +++ shorewall-core-5.0.0/shorewall-core.spec 2015-10-09 13:28:26.289281759 -0700 
@@ -1,5 +1,5 @@ %define name shorewall-core -%define version 4.6.13 +%define version 5.0.0 %define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. @@ -63,26 +63,14 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt %changelog -* Mon Sep 07 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.13-0base -* Sun Aug 30 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.13-0RC1 -* Fri Aug 28 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.13-0Beta2 -* Thu Aug 27 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.13-0Beta1 -* Sat Aug 22 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.12-2 -* Fri Aug 21 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.12-1 -* Mon Aug 17 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.12-0base -* Sun Aug 16 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.12-0RC3 -* Thu Aug 13 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.12-0RC2 -* Thu Jul 30 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.12-0RC1 +* Sat Oct 03 2015 Tom Eastep tom@shorewall.net +- Updated to 5.0.0-0base +* Mon Sep 21 2015 Tom Eastep tom@shorewall.net +- Updated to 5.0.0-0RC1 +* Thu Sep 10 2015 Tom Eastep tom@shorewall.net +- Updated to 5.0.0-0Beta2 +* Mon Jul 27 2015 Tom Eastep tom@shorewall.net +- Updated to 5.0.0-0Beta1 * Mon Jul 13 2015 Tom Eastep tom@shorewall.net - Updated to 4.6.12-0Beta2 * Wed Jul 08 2015 Tom Eastep tom@shorewall.net diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall-core-4.6.13/shorewallrc.apple shorewall-core-5.0.0/shorewallrc.apple --- shorewall-core-4.6.13/shorewallrc.apple 2015-09-07 11:35:47.000000000 -0700 +++ shorewall-core-5.0.0/shorewallrc.apple 2015-10-08 13:16:32.000000000 -0700 
@@ -1,5 +1,5 @@ # -# Apple OS X Shorewall 4.5 rc file +# Apple OS X Shorewall 5.0 rc file # BUILD=apple HOST=apple diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall-core-4.6.13/shorewallrc.archlinux shorewall-core-5.0.0/shorewallrc.archlinux --- shorewall-core-4.6.13/shorewallrc.archlinux 2015-09-07 11:35:47.000000000 -0700 +++ shorewall-core-5.0.0/shorewallrc.archlinux 2015-10-08 13:16:32.000000000 -0700 @@ -1,5 +1,5 @@ # -# Arch Linux Shorewall 4.5 rc file +# Arch Linux Shorewall 5.0 rc file # BUILD= #Default is to detect the build system HOST=archlinux diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall-core-4.6.13/shorewallrc.cygwin shorewall-core-5.0.0/shorewallrc.cygwin --- shorewall-core-4.6.13/shorewallrc.cygwin 2015-09-07 11:35:47.000000000 -0700 +++ shorewall-core-5.0.0/shorewallrc.cygwin 2015-10-08 13:16:32.000000000 -0700 @@ -1,5 +1,5 @@ # -# Cygwin Shorewall 4.5 rc file +# Cygwin Shorewall 5.0 rc file # BUILD=cygwin HOST=cygwin diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall-core-4.6.13/shorewallrc.default shorewall-core-5.0.0/shorewallrc.default --- shorewall-core-4.6.13/shorewallrc.default 2015-09-07 11:35:47.000000000 -0700 +++ shorewall-core-5.0.0/shorewallrc.default 2015-10-08 13:16:32.000000000 -0700 @@ -1,5 +1,5 @@ # -# Default Shorewall 4.5 rc file +# Default Shorewall 5.0 rc file # HOST=linux #Generic Linux BUILD= #Default is to detect the build system diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall-core-4.6.13/shorewallrc.redhat shorewall-core-5.0.0/shorewallrc.redhat --- shorewall-core-4.6.13/shorewallrc.redhat 2015-09-07 11:35:47.000000000 -0700 +++ shorewall-core-5.0.0/shorewallrc.redhat 2015-10-08 13:16:32.000000000 -0700 
@@ -1,5 +1,5 @@ # -# RedHat/FedoraShorewall 4.5 rc file +# RedHat/FedoraShorewall 5.0 rc file # BUILD= #Default is to detect the build system HOST=redhat diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall-core-4.6.13/shorewallrc.slackware shorewall-core-5.0.0/shorewallrc.slackware --- shorewall-core-4.6.13/shorewallrc.slackware 2015-09-07 11:35:47.000000000 -0700 +++ shorewall-core-5.0.0/shorewallrc.slackware 2015-10-08 13:16:32.000000000 -0700 @@ -1,5 +1,5 @@ # -# Slackware Shorewall 4.5 rc file +# Slackware Shorewall 5.0 rc file # BUILD=slackware HOST=slackware diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall-core-4.6.13/shorewallrc.suse shorewall-core-5.0.0/shorewallrc.suse --- shorewall-core-4.6.13/shorewallrc.suse 2015-09-07 11:35:47.000000000 -0700 +++ shorewall-core-5.0.0/shorewallrc.suse 2015-10-08 13:16:32.000000000 -0700 @@ -1,5 +1,5 @@ # -# SuSE Shorewall 4.5 rc file +# SuSE Shorewall 5.0 rc file # BUILD= #Default is to detect the build system HOST=suse diff -Naurdw -X /home/teastep/bin/exclude.txt shorewall-core-4.6.13/uninstall.sh shorewall-core-5.0.0/uninstall.sh --- shorewall-core-4.6.13/uninstall.sh 2015-09-08 11:10:31.016527015 -0700 +++ shorewall-core-5.0.0/uninstall.sh 2015-10-09 13:28:26.097280453 -0700 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.13 +VERSION=5.0.0 usage() # $1 = exit status {
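Review bot: the new migration item 7 in the releasenotes hunk ("COMMENT, FORMAT and SECTION lines must now begin with a question mark") says what the 'update' command rewrites but not what the 5.0.0 compiler does with a bare COMMENT, FORMAT or SECTION line that was never run through 'update'; the removed 4.6.0 note only promised a warning for a bare SECTION, so add one sentence stating whether it is now a warning or a fatal error. The FORMAT-2 summary just above it ("if your action or macro only uses the first 6 columns ... it will process fine as FORMAT-2") would likewise be clearer if it named the columns that moved or pointed back to the migration item that lists them. Finally, this hunk deletes the whole 4.6.0 through 4.6.8 "PROBLEMS CORRECTED" / "NEW FEATURES" history (TARPIT and its capabilities-file regeneration requirement, the loopback option, DNSAmp, the -C counter preservation, INLINE_MATCHES, the 'update -t' tcrules-to-mangle conversion) in favour of "NOTES FROM OTHER 5.0 RELEASES"; users upgrading from an older 4.6 release will look for those items here, so add a pointer under the new header to where the 4.6 notes remain available (for example the 4.6.13 releasenotes.txt).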
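Review bot: the %changelog hunk in shorewall-core.spec removes the ten entries from 4.6.12-0RC1 (Jul 30 2015) through 4.6.13-0base (Sep 07 2015) rather than inserting the four 5.0.0 entries above them, so the spec's history now jumps from 4.6.12-0Beta2 (Jul 13 2015) straight to 5.0.0-0Beta1 (Jul 27 2015) and the 4.6.12-1, 4.6.12-2 and 4.6.13 releases disappear from the packaged changelog. RPM %changelog is conventionally append-only; keep the removed lines and place the 5.0.0 entries in date order with them.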
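Review bot: in the shorewallrc.redhat hunk the rewritten comment line "+# RedHat/FedoraShorewall 5.0 rc file" carries over the missing space between "Fedora" and "Shorewall"; since the line is touched anyway, fix it to "RedHat/Fedora Shorewall 5.0 rc file". More generally, the seven shorewallrc hunks (apple, archlinux, cygwin, default, redhat, slackware, suse) exist only to bump a version number inside a comment that was already stale (it read 4.5 while the package was at 4.6.13); dropping the version from these comments would avoid the same churn and staleness on the next major release.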
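Review bot: the uninstall.sh hunk hard-codes VERSION=5.0.0 as the only version the script may remove ("You may only use this script to uninstall the version shown below"), while the same number is maintained by hand as "%define version 5.0.0" in shorewall-core.spec and again in the rc-file comments. Three separately edited copies invite drift between what is packaged and what the uninstaller expects; derive VERSION from the spec (or the spec from a single version file) at release time, or have the script compare against the installed version at run time instead of relying on the literal.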