diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/changelog.txt shorewall-5.0.10/changelog.txt
--- shorewall-5.0.9/changelog.txt 2016-06-04 14:49:09.383267082 -0700
+++ shorewall-5.0.10/changelog.txt 2016-06-30 17:54:28.416050830 -0700
@@ -1,3 +1,34 @@
+Changes in 5.0.10
+
+1) Update release documents
+
+2) Avoid silly duplicate rules.
+
+Changes in 5.0.10 RC 1
+
+1) Update release documents
+
+2) Convert the RPMs to use systemd
+
+Changes in 5.0.10 Beta 2
+
+1) Update release documents
+
+2) Add 'dbl' interface option.
+
+3) Transfer permissions during 'update'
+
+4) Allow ':' in USER columns
+
+5) Correct update/compatibility issues.
+
+Changes in 5.0.10 Beta 1
+
+1) Update release documents
+
+2) Allow can now re-enable addresses disabled using the 'blacklist'
+ command.
+
 Changes in 5.0.9 Final
 1) Update release documents
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/configfiles/interfaces.annotated shorewall-5.0.10/configfiles/interfaces.annotated
--- shorewall-5.0.9/configfiles/interfaces.annotated 2016-06-04 14:49:43.186874101 -0700
+++ shorewall-5.0.10/configfiles/interfaces.annotated 2016-06-30 17:54:55.883490830 -0700
@@ -180,6 +180,37 @@
 # Designates the interface as a bridge. Beginning with Shorewall 4.4.7,
 # setting this option also sets routeback.
 #
+# dbl={none|src|dst|src-dst}
+#
+# Added in Shorewall 5.0.10. This option defined whether or not dynamic
+# blacklisting is applied to packets entering the firewall through this
+# interface and whether the source address and/or destination address is
+# to be compared against the ipset-based dynamic blacklist
+# (DYNAMIC_BLACKLIST=ipset... in shorewall.conf(5)). The default is
+# determine by the setting of DYNAMIC_BLACKLIST:
+#
+# DYNAMIC_BLACKLIST=No
+#
+# Default is none (e.g., no dynamic blacklist checking).
+#
+# DYNAMIC_BLACKLIST=Yes
+#
+# Default is src (e.g., the source IP address is checked).
+#
+# DYNAMIC_BLACKLIST=ipset[-only]
+#
+# Default is src.
+#
+# DYNAMIC_BLACKLIST=ipset[-only],src-dst...
+#
+# Default is src-dst (e.g., the source IP addresses in checked
+# against the ipset on input and the destination IP address is
+# checked against the ipset on packets originating from the firewall
+# and leaving through this interface).
+#
+# The normal setting for this option will be dst or none for internal
+# interfaces and src or src-dst for Internet-facing interfaces.
+#
 # destonly
 #
 # Added in Shorewall 4.5.17. Causes the compiler to omit rules to handle
@@ -202,7 +233,7 @@
 # Note
 #
 # If you use Shorewall-perl for firewall/bridging, then you need to
-# include DHCP-specific rules in shorewall-rules(8). DHCP uses UDP
+# include DHCP-specific rules in shorewall-rules(5). DHCP uses UDP
 # ports 67 and 68.
 #
 # This option allows DHCP datagrams to enter and leave the interface.
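Review bot: The added defaults table never says what happens when `dbl=dst` or `dbl=src-dst` is given while DYNAMIC_BLACKLIST is `No` or `Yes`, even though the opening sentence says the comparison is made against the ipset-based dynamic blacklist and those two settings are listed apart from the `ipset[-only]` ones; an administrator who sets `dbl=src-dst` on an Internet-facing interface under DYNAMIC_BLACKLIST=Yes may believe destination checking is in effect when, as far as this text shows, there is no ipset to check against. I would add one line after the table stating the real behaviour (rejected at compile time, silently reduced to `src`, or honoured) — that behaviour is not visible in this hunk and must be taken from the compiler. The recommendation of `dst` for internal interfaces also sits uneasily beside the explanation that the destination is checked on `packets originating from the firewall and leaving through this interface`; if `dst` is additionally applied to packets entering an internal interface (LAN hosts reaching a blacklisted destination), the text should say so, because that is the case that matters for egress filtering. Finally, the wording has slips worth fixing in the source this file is generated from: `This option defined` → `defines`, `The default is determine by` → `determined by`, `source IP addresses in checked` → `source IP address is checked`, and the three parenthetical `e.g.` should be `i.e.` since they explain rather than exemplify.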
@@ -286,7 +317,8 @@
 # nodbl
 #
 # Added in Shorewall 5.0.8. When specified, dynamic blacklisting is
-# disabled on the interface.
+# disabled on the interface. Beginning with Shorewall 5.0.10, nodbl is
+# equivalent to dbl=none.
 #
 # nosmurfs
 #
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/configure shorewall-5.0.10/configure
--- shorewall-5.0.9/configure 2016-06-04 14:49:09.387270351 -0700
+++ shorewall-5.0.10/configure 2016-06-30 17:54:28.416050830 -0700
@@ -28,7 +28,7 @@
 #
 # Build updates this
 #
-VERSION=5.0.9
+VERSION=5.0.10
 case "$BASH_VERSION" in
 [4-9].*)
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/configure.pl shorewall-5.0.10/configure.pl
--- shorewall-5.0.9/configure.pl 2016-06-04 14:49:09.387270351 -0700
+++ shorewall-5.0.10/configure.pl 2016-06-30 17:54:28.416050830 -0700
@@ -31,7 +31,7 @@
 # Build updates this
 #
 use constant {
- VERSION => '5.0.9'
+ VERSION => '5.0.10'
 };
 my %params;
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/install.sh shorewall-5.0.10/install.sh
--- shorewall-5.0.9/install.sh 2016-06-04 14:49:09.299198423 -0700
+++ shorewall-5.0.10/install.sh 2016-06-30 17:54:28.343978829 -0700
@@ -22,7 +22,7 @@
 # along with this program; if not, see .
 #
-VERSION=5.0.9
+VERSION=5.0.10
 #
 # Change to the directory containing this script
@@ -1215,7 +1215,7 @@ fi run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT - echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}" + echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}" fi if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall.8 shorewall-5.0.10/manpages/shorewall.8 --- shorewall-5.0.9/manpages/shorewall.8 2016-06-04 14:49:39.283686412 -0700 +++ shorewall-5.0.10/manpages/shorewall.8 2016-06-30 17:54:52.676286830 -0700 @@ -2,12 +2,12 @@ .\" Title: shorewall .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 06/04/2016 +.\" Date: 06/30/2016 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL" "8" "06/04/2016" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL" "8" "06/30/2016" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -235,6 +235,8 @@ \fBlogdrop\fR, \fBreject\fR, or \fBlogreject\fR +command\&. Beginning with Shorewall 5\&.0\&.10, this command can also re\-enable addresses blacklisted using the +\fBblacklist\fR command\&. .RE .PP diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-accounting.5 shorewall-5.0.10/manpages/shorewall-accounting.5 --- shorewall-5.0.9/manpages/shorewall-accounting.5 2016-06-04 14:49:11.969379130 -0700 +++ shorewall-5.0.10/manpages/shorewall-accounting.5 2016-06-30 17:54:30.386018829 -0700 
@@ -2,12 +2,12 @@ .\" Title: shorewall-accounting .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 06/04/2016 +.\" Date: 06/30/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-ACCOUNTIN" "5" "06/04/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-ACCOUNTIN" "5" "06/30/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-actions.5 shorewall-5.0.10/manpages/shorewall-actions.5 --- shorewall-5.0.9/manpages/shorewall-actions.5 2016-06-04 14:49:12.569869543 -0700 +++ shorewall-5.0.10/manpages/shorewall-actions.5 2016-06-30 17:54:30.890522829 -0700 @@ -2,12 +2,12 @@ .\" Title: shorewall-actions .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 06/04/2016 +.\" Date: 06/30/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-ACTIONS" "5" "06/04/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-ACTIONS" "5" "06/30/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-arprules.5 shorewall-5.0.10/manpages/shorewall-arprules.5 --- shorewall-5.0.9/manpages/shorewall-arprules.5 2016-06-04 14:49:13.190376304 -0700 +++ shorewall-5.0.10/manpages/shorewall-arprules.5 2016-06-30 17:54:31.379010829 -0700 
@@ -2,12 +2,12 @@ .\" Title: shorewall-arprules .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 06/04/2016 +.\" Date: 06/30/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-ARPRULES" "5" "06/04/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-ARPRULES" "5" "06/30/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-blrules.5 shorewall-5.0.10/manpages/shorewall-blrules.5 --- shorewall-5.0.9/manpages/shorewall-blrules.5 2016-06-04 14:49:13.822892873 -0700 +++ shorewall-5.0.10/manpages/shorewall-blrules.5 2016-06-30 17:54:31.983614829 -0700 @@ -2,12 +2,12 @@ .\" Title: shorewall-blrules .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 06/04/2016 +.\" Date: 06/30/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-BLRULES" "5" "06/04/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-BLRULES" "5" "06/30/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall.conf.5 shorewall-5.0.10/manpages/shorewall.conf.5 --- shorewall-5.0.9/manpages/shorewall.conf.5 2016-06-04 14:49:16.749282823 -0700 +++ shorewall-5.0.10/manpages/shorewall.conf.5 2016-06-30 17:54:34.450078830 -0700 
@@ -2,12 +2,12 @@ .\" Title: shorewall.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 06/04/2016 +.\" Date: 06/30/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\&.CONF" "5" "06/04/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\&.CONF" "5" "06/30/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-conntrack.5 shorewall-5.0.10/manpages/shorewall-conntrack.5 --- shorewall-5.0.9/manpages/shorewall-conntrack.5 2016-06-04 14:49:17.473874588 -0700 +++ shorewall-5.0.10/manpages/shorewall-conntrack.5 2016-06-30 17:54:35.058686830 -0700 @@ -2,12 +2,12 @@ .\" Title: shorewall6-conntrack .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 06/04/2016 +.\" Date: 06/30/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL6\-CONNTRAC" "5" "06/04/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL6\-CONNTRAC" "5" "06/30/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-ecn.5 shorewall-5.0.10/manpages/shorewall-ecn.5 --- shorewall-5.0.9/manpages/shorewall-ecn.5 2016-06-04 14:49:18.038335577 -0700 +++ shorewall-5.0.10/manpages/shorewall-ecn.5 2016-06-30 17:54:35.559186829 -0700 
@@ -2,12 +2,12 @@ .\" Title: shorewall-ecn .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 06/04/2016 +.\" Date: 06/30/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-ECN" "5" "06/04/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-ECN" "5" "06/30/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-exclusion.5 shorewall-5.0.10/manpages/shorewall-exclusion.5 --- shorewall-5.0.9/manpages/shorewall-exclusion.5 2016-06-04 14:49:18.678858685 -0700 +++ shorewall-5.0.10/manpages/shorewall-exclusion.5 2016-06-30 17:54:36.055682830 -0700 @@ -2,12 +2,12 @@ .\" Title: shorewall-exclusion .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 06/04/2016 +.\" Date: 06/30/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-EXCLUSION" "5" "06/04/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-EXCLUSION" "5" "06/30/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-hosts.5 shorewall-5.0.10/manpages/shorewall-hosts.5 --- shorewall-5.0.9/manpages/shorewall-hosts.5 2016-06-04 14:49:19.351407948 -0700 +++ shorewall-5.0.10/manpages/shorewall-hosts.5 2016-06-30 17:54:36.564190829 -0700 
@@ -2,12 +2,12 @@ .\" Title: shorewall-hosts .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 06/04/2016 +.\" Date: 06/30/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-HOSTS" "5" "06/04/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-HOSTS" "5" "06/30/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-init.8 shorewall-5.0.10/manpages/shorewall-init.8 --- shorewall-5.0.9/manpages/shorewall-init.8 2016-06-04 14:49:19.911865668 -0700 +++ shorewall-5.0.10/manpages/shorewall-init.8 2016-06-30 17:54:37.012638830 -0700 @@ -2,12 +2,12 @@ .\" Title: shorewall-init .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 06/04/2016 +.\" Date: 06/30/2016 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL\-INIT" "8" "06/04/2016" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL\-INIT" "8" "06/30/2016" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-interfaces.5 shorewall-5.0.10/manpages/shorewall-interfaces.5 --- shorewall-5.0.9/manpages/shorewall-interfaces.5 2016-06-04 14:49:20.780575133 -0700 +++ shorewall-5.0.10/manpages/shorewall-interfaces.5 2016-06-30 17:54:37.765390830 -0700 
@@ -2,12 +2,12 @@ .\" Title: shorewall-interfaces .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 06/04/2016 +.\" Date: 06/30/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-INTERFACE" "5" "06/04/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-INTERFACE" "5" "06/30/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- 
@@ -286,6 +286,49 @@ \fBrouteback\fR\&. .RE .PP +\fBdbl={none|src|dst|src\-dst}\fR +.RS 4 +Added in Shorewall 5\&.0\&.10\&. This option defined whether or not dynamic blacklisting is applied to packets entering the firewall through this interface and whether the source address and/or destination address is to be compared against the ipset\-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset\&.\&.\&. in +\m[blue]\fBshorewall\&.conf(5)\fR\m[]\&\s-2\u[8]\d\s+2)\&. The default is determine by the setting of DYNAMIC_BLACKLIST: +.PP +DYNAMIC_BLACKLIST=No +.RS 4 +Default is +\fBnone\fR +(e\&.g\&., no dynamic blacklist checking)\&. +.RE +.PP +DYNAMIC_BLACKLIST=Yes +.RS 4 +Default is +\fBsrc\fR +(e\&.g\&., the source IP address is checked)\&. +.RE +.PP +DYNAMIC_BLACKLIST=ipset[\-only] +.RS 4 +Default is +\fBsrc\fR\&. +.RE +.PP +DYNAMIC_BLACKLIST=ipset[\-only],src\-dst\&.\&.\&. +.RS 4 +Default is +\fBsrc\-dst\fR +(e\&.g\&., the source IP addresses in checked against the ipset on input and the destination IP address is checked against the ipset on packets originating from the firewall and leaving through this interface)\&. +.RE +.sp +The normal setting for this option will be +\fBdst\fR +or +\fBnone\fR +for internal interfaces and +\fBsrc\fR +or +\fBsrc\-dst\fR +for Internet\-facing interfaces\&. +.RE +.PP \fBdestonly\fR .RS 4 Added in Shorewall 4\&.5\&.17\&. Causes the compiler to omit rules to handle traffic from this interface\&. @@ -337,7 +380,7 @@ .IP " 4." 4.2 .\} the interface is a -\m[blue]\fBsimple bridge\fR\m[]\&\s-2\u[8]\d\s+2 +\m[blue]\fBsimple bridge\fR\m[]\&\s-2\u[9]\d\s+2 with a DHCP server on one port and DHCP clients on another port\&. .if n \{\ .sp 
@@ -352,8 +395,8 @@ .ps -1 .br If you use -\m[blue]\fBShorewall\-perl for firewall/bridging\fR\m[]\&\s-2\u[9]\d\s+2, then you need to include DHCP\-specific rules in -\m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[10]\d\s+2(8)\&. DHCP uses UDP ports 67 and 68\&. +\m[blue]\fBShorewall\-perl for firewall/bridging\fR\m[]\&\s-2\u[10]\d\s+2, then you need to include DHCP\-specific rules in +\m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[11]\d\s+2(5)\&. DHCP uses UDP ports 67 and 68\&. .sp .5v .RE .RE @@ -370,7 +413,7 @@ Beginning with Shorewall 4\&.5\&.5, may be specified as \*(Aq\fBignore=1\fR\*(Aq which only causes the generated script to ignore up/down events from Shorewall\-init; hairpin filtering is still applied\&. In this case, the above restrictions on the ZONE and OPTIONS columns are lifted\&. .RE .PP -loopback +\fBloopback\fR .RS 4 Added in Shorewall 4\&.6\&.6\&. Designates the interface as the loopback interface\&. This option is assumed if the interface\*(Aqs physical name is \*(Aqlo\*(Aq\&. Only one interface man have the \fBloopback\fR @@ -429,16 +472,16 @@ .sp .5v .RE This option may also be enabled globally in the -\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[11]\d\s+2(5) file\&. +\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[12]\d\s+2(5) file\&. .RE .PP \fBmaclist\fR .RS 4 Connection requests from this interface are compared against the contents of -\m[blue]\fBshorewall\-maclist\fR\m[]\&\s-2\u[12]\d\s+2(5)\&. If this option is specified, the interface must be an Ethernet NIC and must be up before Shorewall is started\&. +\m[blue]\fBshorewall\-maclist\fR\m[]\&\s-2\u[13]\d\s+2(5)\&. If this option is specified, the interface must be an Ethernet NIC and must be up before Shorewall is started\&. .RE .PP -\fBmss\fR=\fInumber\fR +\fB\fBmss\fR\fR\fB=\fR\fInumber\fR .RS 4 Added in Shorewall 4\&.0\&.3\&. Causes forwarded TCP SYN packets entering or leaving on this interface to have their MSS field set to the specified \fInumber\fR\&. 
@@ -455,13 +498,16 @@ .RS 4 Defines the zone as dynamic\&. Requires ipset match support in your iptables and kernel\&. See -\m[blue]\fBhttp://www\&.shorewall\&.net/Dynamic\&.html\fR\m[]\&\s-2\u[13]\d\s+2 +\m[blue]\fBhttp://www\&.shorewall\&.net/Dynamic\&.html\fR\m[]\&\s-2\u[14]\d\s+2 for further information\&. .RE .PP \fBnodbl\fR .RS 4 -Added in Shorewall 5\&.0\&.8\&. When specified, dynamic blacklisting is disabled on the interface\&. +Added in Shorewall 5\&.0\&.8\&. When specified, dynamic blacklisting is disabled on the interface\&. Beginning with Shorewall 5\&.0\&.10, +\fBnodbl\fR +is equivalent to +\fBdbl=none\fR\&. .RE .PP \fBnosmurfs\fR @@ -469,7 +515,7 @@ Filter packets for smurfs (packets with a broadcast address as the source)\&. .sp Smurfs will be optionally logged based on the setting of SMURF_LOG_LEVEL in -\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[11]\d\s+2(5)\&. After logging, the packets are dropped\&. +\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[12]\d\s+2(5)\&. After logging, the packets are dropped\&. .RE .PP \fBoptional\fR @@ -509,7 +555,7 @@ \fBphysical\fR=\fB\fIname\fR\fR .RS 4 Added in Shorewall 4\&.4\&.4\&. When specified, the interface or port name in the INTERFACE column is a logical name that refers to the name given in this option\&. It is useful when you want to specify the same wildcard port name on two or more bridges\&. See -\m[blue]\fBhttp://www\&.shorewall\&.net/bridge\-Shorewall\-perl\&.html#Multiple\fR\m[]\&\s-2\u[14]\d\s+2\&. +\m[blue]\fBhttp://www\&.shorewall\&.net/bridge\-Shorewall\-perl\&.html#Multiple\fR\m[]\&\s-2\u[15]\d\s+2\&. .sp If the \fIinterface\fR 
@@ -527,8 +573,8 @@ \fBproxyarp[={0|1}]\fR .RS 4 Sets /proc/sys/net/ipv4/conf/\fIinterface\fR/proxy_arp\&. Do NOT use this option if you are employing Proxy ARP through entries in -\m[blue]\fBshorewall\-proxyarp\fR\m[]\&\s-2\u[15]\d\s+2(5)\&. This option is intended solely for use with Proxy ARP sub\-networking as described at: -\m[blue]\fBhttp://tldp\&.org/HOWTO/Proxy\-ARP\-Subnet/index\&.html\&.\fR\m[]\&\s-2\u[16]\d\s+2 +\m[blue]\fBshorewall\-proxyarp\fR\m[]\&\s-2\u[16]\d\s+2(5)\&. This option is intended solely for use with Proxy ARP sub\-networking as described at: +\m[blue]\fBhttp://tldp\&.org/HOWTO/Proxy\-ARP\-Subnet/index\&.html\&.\fR\m[]\&\s-2\u[17]\d\s+2 .sp \fBNote\fR: This option does not work with a wild\-card \fIinterface\fR @@ -589,7 +635,7 @@ .sp .5v .RE This option can also be enabled globally via the ROUTE_FILTER option in the -\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[11]\d\s+2(5) file\&. +\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[12]\d\s+2(5) file\&. .if n \{\ .sp .\} @@ -603,7 +649,7 @@ .ps -1 .br If ROUTE_FILTER=Yes in -\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[11]\d\s+2(5), or if your distribution sets net\&.ipv4\&.conf\&.all\&.rp_filter=1 in +\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[12]\d\s+2(5), or if your distribution sets net\&.ipv4\&.conf\&.all\&.rp_filter=1 in /etc/sysctl\&.conf, then setting \fBroutefilter\fR=0 in an \fIinterface\fR @@ -640,8 +686,8 @@ .IP \(bu 2.3 .\} If USE_DEFAULT_RT=Yes in -\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[11]\d\s+2(5) and the interface is listed in -\m[blue]\fBshorewall\-providers\fR\m[]\&\s-2\u[17]\d\s+2(5)\&. +\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[12]\d\s+2(5) and the interface is listed in +\m[blue]\fBshorewall\-providers\fR\m[]\&\s-2\u[18]\d\s+2(5)\&. .RE .sp .RS 4 
@@ -653,7 +699,7 @@ .IP \(bu 2.3 .\} If there is an entry for the interface in -\m[blue]\fBshorewall\-providers\fR\m[]\&\s-2\u[17]\d\s+2(5) that doesn\*(Aqt specify the +\m[blue]\fBshorewall\-providers\fR\m[]\&\s-2\u[18]\d\s+2(5) that doesn\*(Aqt specify the \fBbalance\fR option\&. .RE @@ -784,7 +830,7 @@ \fBupnp\fR .RS 4 Incoming requests from this interface may be remapped via UPNP (upnpd)\&. See -\m[blue]\fBhttp://www\&.shorewall\&.net/UPnP\&.html\fR\m[]\&\s-2\u[18]\d\s+2\&. +\m[blue]\fBhttp://www\&.shorewall\&.net/UPnP\&.html\fR\m[]\&\s-2\u[19]\d\s+2\&. .RE .PP \fBupnpclient\fR @@ -883,7 +929,7 @@ /etc/shorewall/interfaces .SH "SEE ALSO" .PP -\m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[19]\d\s+2 +\m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[20]\d\s+2 .PP shorewall(8), shorewall\-accounting(5), shorewall\-actions(5), shorewall\-blacklist(5), shorewall\-hosts(5), shorewall\-maclist(5), shorewall\-masq(5), shorewall\-nat(5), shorewall\-netmap(5), shorewall\-params(5), shorewall\-policy(5), shorewall\-providers(5), shorewall\-proxyarp(5), shorewall\-rtrules(5), shorewall\-routestopped(5), shorewall\-rules(5), shorewall\&.conf(5), shorewall\-secmarks(5), shorewall\-tcclasses(5), shorewall\-tcdevices(5), shorewall\-mangle(5), shorewall\-tos(5), shorewall\-tunnels(5), shorewall\-zones(5) .SH "NOTES" 
@@ -923,61 +969,66 @@ \%http://www.shorewall.net/manpages/shorewall-zones.html .RE .IP " 8." 4 +shorewall.conf(5) +.RS 4 +\%http://www.shorewall.netmanpages/shorewall.conf.html +.RE +.IP " 9." 4 simple bridge .RS 4 \%http://www.shorewall.net../SimpleBridge.html .RE -.IP " 9." 4 +.IP "10." 4 Shorewall-perl for firewall/bridging .RS 4 \%http://www.shorewall.net../bridge-Shorewall-perl.html .RE -.IP "10." 4 +.IP "11." 4 shorewall-rules .RS 4 \%http://www.shorewall.net/manpages/shorewall-rules.html .RE -.IP "11." 4 +.IP "12." 4 shorewall.conf .RS 4 \%http://www.shorewall.net/manpages/shorewall.conf.html .RE -.IP "12." 4 +.IP "13." 4 shorewall-maclist .RS 4 \%http://www.shorewall.net/manpages/shorewall-maclist.html .RE -.IP "13." 4 +.IP "14." 4 http://www.shorewall.net/Dynamic.html .RS 4 \%http://www.shorewall.net/Dynamic.html .RE -.IP "14." 4 +.IP "15." 4 http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple .RS 4 \%http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple .RE -.IP "15." 4 +.IP "16." 4 shorewall-proxyarp .RS 4 \%http://www.shorewall.net/manpages/shorewall-proxyarp.html .RE -.IP "16." 4 +.IP "17." 4 http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html. .RS 4 \%http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html .RE -.IP "17." 4 +.IP "18." 4 shorewall-providers .RS 4 \%http://www.shorewall.net/manpages/shorewall-providers.html .RE -.IP "18." 4 +.IP "19." 4 http://www.shorewall.net/UPnP.html .RS 4 \%http://www.shorewall.net/UPnP.html .RE -.IP "19." 4 +.IP "20." 4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.net/configuration_file_basics.htm#Pairs diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-ipsets.5 shorewall-5.0.10/manpages/shorewall-ipsets.5 --- shorewall-5.0.9/manpages/shorewall-ipsets.5 2016-06-04 14:49:21.413091702 -0700 +++ shorewall-5.0.10/manpages/shorewall-ipsets.5 2016-06-30 17:54:38.261886830 -0700 
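Review bot: The new footnote 8 line `\%http://www.shorewall.netmanpages/shorewall.conf.html` is missing the `/` between the host and `manpages`, so the link printed for the new `dbl` entry's shorewall.conf(5) reference will not resolve, whereas the renumbered entries below it (footnote 12, for example) use `http://www.shorewall.net/manpages/shorewall.conf.html`. The header says this page is generated by the DocBook XSL stylesheets, so the fix belongs in the `ulink` URL of the `dbl` entry in the DocBook source rather than in this roff output; presumably that URL lacks the leading `/` or the base path the other manpage links carry. A cheap release-build guard is to grep the generated manpages for `shorewall\.net[^/]`, which would have caught this and would also flag the older `http://www.shorewall.net../SimpleBridge.html` style entries that this commit leaves untouched.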
@@ -2,12 +2,12 @@ .\" Title: shorewall-ipsets .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 06/04/2016 +.\" Date: 06/30/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-IPSETS" "5" "06/04/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-IPSETS" "5" "06/30/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-maclist.5 shorewall-5.0.10/manpages/shorewall-maclist.5 --- shorewall-5.0.9/manpages/shorewall-maclist.5 2016-06-04 14:49:22.113663851 -0700 +++ shorewall-5.0.10/manpages/shorewall-maclist.5 2016-06-30 17:54:38.742366830 -0700 @@ -2,12 +2,12 @@ .\" Title: shorewall-maclist .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 06/04/2016 +.\" Date: 06/30/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-MACLIST" "5" "06/04/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-MACLIST" "5" "06/30/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-mangle.5 shorewall-5.0.10/manpages/shorewall-mangle.5 --- shorewall-5.0.9/manpages/shorewall-mangle.5 2016-06-04 14:49:23.082455052 -0700 +++ shorewall-5.0.10/manpages/shorewall-mangle.5 2016-06-30 17:54:39.523146829 -0700 
@@ -2,12 +2,12 @@ .\" Title: shorewall-mangle .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 06/04/2016 +.\" Date: 06/30/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-MANGLE" "5" "06/04/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-MANGLE" "5" "06/30/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-masq.5 shorewall-5.0.10/manpages/shorewall-masq.5 --- shorewall-5.0.9/manpages/shorewall-masq.5 2016-06-04 14:49:23.823059895 -0700 +++ shorewall-5.0.10/manpages/shorewall-masq.5 2016-06-30 17:54:40.103726830 -0700 @@ -2,12 +2,12 @@ .\" Title: shorewall-masq .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 06/04/2016 +.\" Date: 06/30/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-MASQ" "5" "06/04/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-MASQ" "5" "06/30/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-modules.5 shorewall-5.0.10/manpages/shorewall-modules.5 --- shorewall-5.0.9/manpages/shorewall-modules.5 2016-06-04 14:49:24.423550309 -0700 +++ shorewall-5.0.10/manpages/shorewall-modules.5 2016-06-30 17:54:40.596218830 -0700 
@@ -2,12 +2,12 @@ .\" Title: shorewall-modules .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 06/04/2016 +.\" Date: 06/30/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-MODULES" "5" "06/04/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-MODULES" "5" "06/30/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-nat.5 shorewall-5.0.10/manpages/shorewall-nat.5 --- shorewall-5.0.9/manpages/shorewall-nat.5 2016-06-04 14:49:25.020037453 -0700 +++ shorewall-5.0.10/manpages/shorewall-nat.5 2016-06-30 17:54:41.108730829 -0700 @@ -2,12 +2,12 @@ .\" Title: shorewall-nat .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 06/04/2016 +.\" Date: 06/30/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-NAT" "5" "06/04/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-NAT" "5" "06/30/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-nesting.5 shorewall-5.0.10/manpages/shorewall-nesting.5 --- shorewall-5.0.9/manpages/shorewall-nesting.5 2016-06-04 14:49:25.628534405 -0700 +++ shorewall-5.0.10/manpages/shorewall-nesting.5 2016-06-30 17:54:41.625246830 -0700 
@@ -2,12 +2,12 @@
.\" Title: shorewall-nesting
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 06/04/2016
+.\" Date: 06/30/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-NESTING" "5" "06/04/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-NESTING" "5" "06/30/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-netmap.5 shorewall-5.0.10/manpages/shorewall-netmap.5
--- shorewall-5.0.9/manpages/shorewall-netmap.5 2016-06-04 14:49:26.245037897 -0700
+++ shorewall-5.0.10/manpages/shorewall-netmap.5 2016-06-30 17:54:42.121742829 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-netmap
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 06/04/2016
+.\" Date: 06/30/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-NETMAP" "5" "06/04/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-NETMAP" "5" "06/30/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-params.5 shorewall-5.0.10/manpages/shorewall-params.5
--- shorewall-5.0.9/manpages/shorewall-params.5 2016-06-04 14:49:26.853534849 -0700
+++ shorewall-5.0.10/manpages/shorewall-params.5 2016-06-30 17:54:42.598218830 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-params
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 06/04/2016
+.\" Date: 06/30/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-PARAMS" "5" "06/04/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-PARAMS" "5" "06/30/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-policy.5 shorewall-5.0.10/manpages/shorewall-policy.5
--- shorewall-5.0.9/manpages/shorewall-policy.5 2016-06-04 14:49:27.498061227 -0700
+++ shorewall-5.0.10/manpages/shorewall-policy.5 2016-06-30 17:54:43.126746829 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-policy
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 06/04/2016
+.\" Date: 06/30/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-POLICY" "5" "06/04/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-POLICY" "5" "06/30/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-providers.5 shorewall-5.0.10/manpages/shorewall-providers.5
--- shorewall-5.0.9/manpages/shorewall-providers.5 2016-06-04 14:49:28.162603952 -0700
+++ shorewall-5.0.10/manpages/shorewall-providers.5 2016-06-30 17:54:43.663282829 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-providers
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 06/04/2016
+.\" Date: 06/30/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-PROVIDERS" "5" "06/04/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-PROVIDERS" "5" "06/30/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-proxyarp.5 shorewall-5.0.10/manpages/shorewall-proxyarp.5
--- shorewall-5.0.9/manpages/shorewall-proxyarp.5 2016-06-04 14:49:28.763094364 -0700
+++ shorewall-5.0.10/manpages/shorewall-proxyarp.5 2016-06-30 17:54:44.151770830 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-proxyarp
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 06/04/2016
+.\" Date: 06/30/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-PROXYARP" "5" "06/04/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-PROXYARP" "5" "06/30/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-routes.5 shorewall-5.0.10/manpages/shorewall-routes.5
--- shorewall-5.0.9/manpages/shorewall-routes.5 2016-06-04 14:49:29.347571701 -0700
+++ shorewall-5.0.10/manpages/shorewall-routes.5 2016-06-30 17:54:44.636254829 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-routes
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 06/04/2016
+.\" Date: 06/30/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-ROUTES" "5" "06/04/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-ROUTES" "5" "06/30/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-rtrules.5 shorewall-5.0.10/manpages/shorewall-rtrules.5
--- shorewall-5.0.9/manpages/shorewall-rtrules.5 2016-06-04 14:49:29.948062114 -0700
+++ shorewall-5.0.10/manpages/shorewall-rtrules.5 2016-06-30 17:54:45.132750830 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-rtrules
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 06/04/2016
+.\" Date: 06/30/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-RTRULES" "5" "06/04/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-RTRULES" "5" "06/30/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-rules.5 shorewall-5.0.10/manpages/shorewall-rules.5
--- shorewall-5.0.9/manpages/shorewall-rules.5 2016-06-04 14:49:31.649451620 -0700
+++ shorewall-5.0.10/manpages/shorewall-rules.5 2016-06-30 17:54:46.470086829 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-rules
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 06/04/2016
+.\" Date: 06/30/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-RULES" "5" "06/04/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-RULES" "5" "06/30/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-secmarks.5 shorewall-5.0.10/manpages/shorewall-secmarks.5
--- shorewall-5.0.9/manpages/shorewall-secmarks.5 2016-06-04 14:49:32.297981266 -0700
+++ shorewall-5.0.10/manpages/shorewall-secmarks.5 2016-06-30 17:54:47.006622829 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-secmarks
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 06/04/2016
+.\" Date: 06/30/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-SECMARKS" "5" "06/04/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-SECMARKS" "5" "06/30/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-stoppedrules.5 shorewall-5.0.10/manpages/shorewall-stoppedrules.5
--- shorewall-5.0.9/manpages/shorewall-stoppedrules.5 2016-06-04 14:49:32.890465141 -0700
+++ shorewall-5.0.10/manpages/shorewall-stoppedrules.5 2016-06-30 17:54:47.503118829 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-stoppedrules
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 06/04/2016
+.\" Date: 06/30/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-STOPPEDRU" "5" "06/04/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-STOPPEDRU" "5" "06/30/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-tcclasses.5 shorewall-5.0.10/manpages/shorewall-tcclasses.5
--- shorewall-5.0.9/manpages/shorewall-tcclasses.5 2016-06-04 14:49:33.571020944 -0700
+++ shorewall-5.0.10/manpages/shorewall-tcclasses.5 2016-06-30 17:54:48.067682829 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-tcclasses
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 06/04/2016
+.\" Date: 06/30/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-TCCLASSES" "5" "06/04/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-TCCLASSES" "5" "06/30/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-tcdevices.5 shorewall-5.0.10/manpages/shorewall-tcdevices.5
--- shorewall-5.0.9/manpages/shorewall-tcdevices.5 2016-06-04 14:49:34.235563669 -0700
+++ shorewall-5.0.10/manpages/shorewall-tcdevices.5 2016-06-30 17:54:48.584198829 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-tcdevices
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 06/04/2016
+.\" Date: 06/30/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-TCDEVICES" "5" "06/04/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-TCDEVICES" "5" "06/30/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-tcfilters.5 shorewall-5.0.10/manpages/shorewall-tcfilters.5
--- shorewall-5.0.9/manpages/shorewall-tcfilters.5 2016-06-04 14:49:34.848063890 -0700
+++ shorewall-5.0.10/manpages/shorewall-tcfilters.5 2016-06-30 17:54:49.112726829 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-tcfilters
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 06/04/2016
+.\" Date: 06/30/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-TCFILTERS" "5" "06/04/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-TCFILTERS" "5" "06/30/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-tcinterfaces.5 shorewall-5.0.10/manpages/shorewall-tcinterfaces.5
--- shorewall-5.0.9/manpages/shorewall-tcinterfaces.5 2016-06-04 14:49:35.476577189 -0700
+++ shorewall-5.0.10/manpages/shorewall-tcinterfaces.5 2016-06-30 17:54:49.609222830 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-tcinterfaces
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 06/04/2016
+.\" Date: 06/30/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-TCINTERFA" "5" "06/04/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-TCINTERFA" "5" "06/30/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-tcpri.5 shorewall-5.0.10/manpages/shorewall-tcpri.5
--- shorewall-5.0.9/manpages/shorewall-tcpri.5 2016-06-04 14:49:36.153129723 -0700
+++ shorewall-5.0.10/manpages/shorewall-tcpri.5 2016-06-30 17:54:50.133746830 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-tcpri
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 06/04/2016
+.\" Date: 06/30/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-TCPRI" "5" "06/04/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-TCPRI" "5" "06/30/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-tunnels.5 shorewall-5.0.10/manpages/shorewall-tunnels.5
--- shorewall-5.0.9/manpages/shorewall-tunnels.5 2016-06-04 14:49:36.781643022 -0700
+++ shorewall-5.0.10/manpages/shorewall-tunnels.5 2016-06-30 17:54:50.646258829 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-tunnels
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 06/04/2016
+.\" Date: 06/30/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-TUNNELS" "5" "06/04/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-TUNNELS" "5" "06/30/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-vardir.5 shorewall-5.0.10/manpages/shorewall-vardir.5
--- shorewall-5.0.9/manpages/shorewall-vardir.5 2016-06-04 14:49:37.382133436 -0700
+++ shorewall-5.0.10/manpages/shorewall-vardir.5 2016-06-30 17:54:51.126738830 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-vardir
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 06/04/2016
+.\" Date: 06/30/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-VARDIR" "5" "06/04/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-VARDIR" "5" "06/30/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/manpages/shorewall-zones.5 shorewall-5.0.10/manpages/shorewall-zones.5
--- shorewall-5.0.9/manpages/shorewall-zones.5 2016-06-04 14:49:39.996268369 -0700
+++ shorewall-5.0.10/manpages/shorewall-zones.5 2016-06-30 17:54:53.260870829 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-zones
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 06/04/2016
+.\" Date: 06/30/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-ZONES" "5" "06/04/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-ZONES" "5" "06/30/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/Perl/Shorewall/Chains.pm shorewall-5.0.10/Perl/Shorewall/Chains.pm
--- shorewall-5.0.9/Perl/Shorewall/Chains.pm 2016-06-04 14:49:09.427303045 -0700
+++ shorewall-5.0.10/Perl/Shorewall/Chains.pm 2016-06-30 17:54:28.472106830 -0700
@@ -296,7 +296,7 @@
Exporter::export_ok_tags('internal');
-our $VERSION = '5.0_9';
+our $VERSION = '5.0_10';
#
# Chain Table
@@ -5220,6 +5220,8 @@
if ( supplied $2 ) {
$user = $2;
+ $user =~ s/:$//;
+ + if ( $user =~ /^(\d+)(-(\d+))?$/ ) {
if ( supplied $2 ) {
fatal_error "Invalid User Range ($user)" unless $3 >= $1;
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/Perl/Shorewall/Config.pm shorewall-5.0.10/Perl/Shorewall/Config.pm
--- shorewall-5.0.9/Perl/Shorewall/Config.pm 2016-06-04 14:49:09.455325931 -0700
+++ shorewall-5.0.10/Perl/Shorewall/Config.pm 2016-06-30 17:54:28.512146830 -0700
@@ -165,6 +165,7 @@
directive_callback
add_ipset
all_ipsets
+ transfer_permissions
$product
$Product
@@ -240,7 +241,7 @@
Exporter::export_ok_tags('internal');
-our $VERSION = '5.0_9';
+our $VERSION = '5.0_10';
#
# describe the current command, it's present progressive, and it's completion.
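Review bot: The added `$user =~ s/:$//;` has no comment saying why a trailing colon is silently dropped instead of rejected, and `$` also matches before a trailing newline where `\z` pins the real end of the string; I'd write `$user =~ s/:\z//; # a USER value ending in ':' (e.g. "fred:") is accepted; drop the empty tail`. The release notes later in this diff record that the `fred:` form is accepted again, and this is the line where that decision lives. The enclosing `if ( supplied $2 )` block starts and ends outside the hunk.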
@@ -741,7 +742,7 @@
TC_SCRIPT => '',
EXPORT => 0,
KLUDGEFREE => '',
- VERSION => "5.0.9",
+ VERSION => "5.0.10",
CAPVERSION => 50004 ,
BLACKLIST_LOG_TAG => '',
RELATED_LOG_TAG => '',
@@ -3894,9 +3895,10 @@
sub validate_level( $;$ ) {
my ( $rawlevel, $option ) = @_;
- my $level = uc $rawlevel;
+ my $level;
- if ( supplied ( $level ) ) {
+ if ( supplied ( $rawlevel ) ) {
+ $level = uc $rawlevel;
$level =~ s/!$//;
my $value = $level;
my $qualifier;
@@ -5088,6 +5090,19 @@
$config{$var} = $val unless defined $config{$var};
}
+#
+# Transfer the permissions from an old .bak file to a newly-created file
+#
+sub transfer_permissions( $$ ) {
+ my ( $old, $new ) = @_;
+
+ my @stat = stat $old;
+
+ if ( @stat ) {
+ fatal_error "Can't transfer permissions from $old to $new" unless chmod( $stat[2] & 0777, $new );
+ }
+}
+
sub update_config_file( $ ) {
my ( $annotate ) = @_;
@@ -5237,6 +5252,7 @@
if ( system( "diff -q $configfile $configfile.bak > /dev/null" ) ) {
progress_message3 "Configuration file $configfile updated - old file renamed $configfile.bak";
+ transfer_permissions( "$configfile.bak", $configfile );
} else {
if ( rename "$configfile.bak", $configfile ) {
progress_message3 "No update required to configuration file $configfile; $configfile.bak not saved";
@@ -5766,7 +5782,7 @@
close_file;
- warning_message "Version Mismatch: Shorewall6 is version $currentline, while the Shorewal version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
+ warning_message "Version Mismatch: Shorewall6 is version $currentline, while the Shorewall version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
}
my $have_capabilities;
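Review bot: transfer_permissions silently does nothing when `stat $old` fails, so if the old file cannot be read for any reason other than being absent, the new file keeps whatever mode the umask gave it and nobody is told — the opposite of what the routine exists to guarantee; I'd add `warning_message "Unable to stat $old: $!; permissions not transferred to $new" unless @stat;` ahead of the `if`. The header comment should also say what is and is not copied: `$stat[2] & 0777` keeps only the rwx bits and drops setuid/setgid/sticky, and ownership is not transferred at all, so a file recreated by a root-run `update` stays root-owned even when the original belonged to another user; I'd extend it to `# Copy the permission bits (not setuid/setgid/sticky, and not owner/group) from $old to $new`. Whether `$old` can arrive as undef from the callers added elsewhere in this diff (in which case `stat` warns) I can't tell from the hunk.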
@@ -6186,6 +6202,8 @@
} else {
default_yes_no( 'DYNAMIC_BLACKLIST' , 'Yes' );
}
+ } else {
+ default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
}
default_yes_no 'REQUIRE_INTERFACE' , '';
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/Perl/Shorewall/Misc.pm shorewall-5.0.10/Perl/Shorewall/Misc.pm
--- shorewall-5.0.9/Perl/Shorewall/Misc.pm 2016-06-04 14:49:09.467335740 -0700
+++ shorewall-5.0.10/Perl/Shorewall/Misc.pm 2016-06-30 17:54:28.520154830 -0700
@@ -48,7 +48,7 @@
generate_matrix );
our @EXPORT_OK = qw( initialize );
-our $VERSION = '5.0_9';
+our $VERSION = '5.0_10';
our $family;
@@ -200,6 +200,7 @@
if ( $changed ) {
rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
rename "$fn.new", $fn or fatal_error "Unable to rename $fn.new to $fn: $!";
+ transfer_permissions( "$fn.bak", $fn );
progress_message2 "\u$file file $fn saved in $fn.bak"
}
}
@@ -308,6 +309,7 @@
open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
} else {
open $blrules, '>', $fn1 or fatal_error "Unable to open $fn1: $!";
+ transfer_permissions( $fn, $fn1 );
print $blrules <<'EOF';
#
# Shorewall version 5.0 - Blacklist Rules File
@@ -401,6 +403,7 @@
open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
} else {
open $stoppedrules, '>', $fn1 or fatal_error "Unable to open $fn1: $!";
+ transfer_permissions( $fn, $fn1 );
print $stoppedrules <<'EOF';
#
# Shorewall version 5 - Stopped Rules File
@@ -866,13 +869,30 @@
}
}
- if ( $dbl_ipset && ! get_interface_option( $interface, 'nodbl' ) ) {
+ if ( $dbl_ipset && ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) ne '0:0' ) ) {
+
+ my ( $in, $out ) = split /:/, $setting;
+
+ if ( $in == 1 ) {
+ #
+ # src
+ #
add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
- add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
+ add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+ } elsif ( $in == 2 ) {
+ add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
+ }
+
+ if ( $out == 2 ) {
+ #
+ # dst
+ #
+ add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
+ }
}
for ( option_chains( $interface ) ) {
- add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && !
get_interface_option( $interface, 'nodbl' );
+ add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) ne '0:0' );
add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
}
}
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/Perl/Shorewall/Raw.pm shorewall-5.0.10/Perl/Shorewall/Raw.pm
--- shorewall-5.0.9/Perl/Shorewall/Raw.pm 2016-06-04 14:49:09.479345548 -0700
+++ shorewall-5.0.10/Perl/Shorewall/Raw.pm 2016-06-30 17:54:28.532166830 -0700
@@ -36,7 +36,7 @@
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_conntrack );
our @EXPORT_OK = qw( handle_helper_rule );
-our $VERSION = '5.0_9';
+our $VERSION = '5.0_10';
our %valid_ctevent = (
new => 1,
related => 1,
@@ -369,11 +369,18 @@
my $conntrack;
my $empty = 1;
my $date = compiletime;
+ my $fn1 = find_writable_file 'conntrack';
- if ( $fn ) {
- open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
+ $fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
+
+ if ( -f $fn1 ) {
+ open $conntrack, '>>', $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
} else {
- open $conntrack, '>', $fn = find_file 'conntrack' or fatal_error "Unable to open $fn for notrack conversion: $!";
+ open $conntrack, '>' , $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
+ #
+ # Transfer permissions from the existing notrack file
+ #
+ transfer_permissions( $fn, $fn1 );
print $conntrack <<'EOF';
#
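Review bot: `my $setting` is declared inside the `if` condition, so it is out of scope in the `for ( option_chains( $interface ) )` loop below and that loop calls `get_interface_option( $interface, 'dbl' )` a second time for the same answer; hoist it with `my $setting = get_interface_option( $interface, 'dbl' );` before the `if`, then `if ( $dbl_ipset && $setting ne '0:0' ) {` and `... if $dynamicref && $setting ne '0:0';` in the loop. Both comparisons assume the option is always a defined `in:out` string; the Zones.pm hunk in this diff assigns a default for every interface, so that presumably holds, but a comment above the `split` saying the value is `in:out` with 1 = src and 2 = dst would make the `$in == 1` / `$in == 2` / `$out == 2` branches self-explanatory. The enclosing routine starts outside the hunk.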
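Review bot: Both new `open` calls operate on `$fn1`, but their error messages still name `$fn` (the notrack file), so a failure to create or append the conntrack file is reported against the wrong path; change them to `open $conntrack, '>>', $fn1 or fatal_error "Unable to open $fn1 for notrack conversion: $!";` and the same for the `'>'` branch. `-f $fn1` also assumes `find_writable_file 'conntrack'` returned a path; if it can return undef the test warns and the later `open` fails with a confusing message, which I can't confirm from the hunk. The rest of the conversion routine, including the heredoc body, is outside this hunk.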
@@ -396,8 +403,6 @@
"# Rules generated from notrack file $fn by Shorewall $globals{VERSION} - $date\n" ,
"#\n" );
- $fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
-
while ( read_a_line( PLAIN_READ ) ) {
#
# Don't copy the header comments from the old notrack file
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/Perl/Shorewall/Rules.pm shorewall-5.0.10/Perl/Shorewall/Rules.pm
--- shorewall-5.0.9/Perl/Shorewall/Rules.pm 2016-06-04 14:49:09.491355355 -0700
+++ shorewall-5.0.10/Perl/Shorewall/Rules.pm 2016-06-30 17:54:28.540174830 -0700
@@ -77,7 +77,7 @@
Exporter::export_ok_tags('Traffic');
-our $VERSION = '5.0_9';
+our $VERSION = '5.0_10';
#
# Globals are documented in the initialize() function
#
@@ -4749,10 +4749,6 @@
}
}
- unless ( ( $chain || $default_chain ) == OUTPUT ) {
- fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
- }
-
if ( $dest ne '-' ) {
if ( $dest eq $fw ) {
fatal_error 'Rules with DEST $FW must use the INPUT chain' if $designator && $designator ne INPUT;
@@ -4795,6 +4791,7 @@
fatal_error "Duplicate STATE ($_)" if $state{$_}++;
}
}
+
#
# Call the command's processing function
#
@@ -4805,12 +4802,23 @@
if ( $chain == ACTIONCHAIN ) {
fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chainref->{allowedchains};
$chainref->{allowedchains} &= $commandref->{allowedchains};
+ $chainref->{allowedchains} &= (OUTPUT | POSTROUTING ) if $user ne '-';
} else {
+ #
+ # Inline within one of the standard chains
+ #
fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
+ unless ( $chain == OUTPUT || $chain == POSTROUTING ) {
+ fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
+ }
}
} else {
$resolve_chain->();
fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
+ unless ( $chain == OUTPUT || $chain == POSTROUTING ) {
+ fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
+ }
+
$chainref = ensure_chain( 'mangle', $chainnames{$chain} );
}
@@ -4976,6 +4984,13 @@
$mark = $rest;
} elsif ( supplied $2 ) {
$mark = $2;
+ if ( supplied $mark && $command eq 'IPMARK' ) {
+ my @params = split ',', $mark;
+ $params[1] = '0xff' unless supplied $params[1];
+ $params[2] = '0x00' unless supplied $params[2];
+ $params[3] = '0' unless supplied $params[3];
+ $mark = join ',', @params;
+ }
} else {
$mark = '';
}
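Review bot: The three-line `unless ( $chain == OUTPUT || $chain == POSTROUTING ) { fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-'; }` block is now duplicated verbatim in the inline-chain branch and in the outer `else` branch; a single guard in each place, `fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' if $user ne '-' && $chain != OUTPUT && $chain != POSTROUTING;`, keeps the check in one shape and one line. The ACTIONCHAIN branch enforces the same rule by a different mechanism — narrowing `allowedchains` to `OUTPUT | POSTROUTING` when a user is given — and nothing says the two are the same constraint; a comment such as `# A USER/GROUP match is only valid in OUTPUT/POSTROUTING, so restrict the action's allowed chains accordingly` on the new `&=` line would tie them together. The enclosing routine starts and ends outside the hunk.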
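Review bot: The defaults `'0xff'`, `'0x00'` and `'0'` written into `$params[1..3]` are given without saying what those positions mean, and this is conversion code whose output lands in the user's mangle file, so the next reader has to look up IPMARK's parameter order before trusting it; I'd put `# IPMARK(src|dst[,mask1[,mask2[,shift]]]): fill in the documented defaults so the converted entry is explicit — confirm against shorewall-mangle(5)` above the `if`. It is also worth noting in the same comment that `split ',', $mark` drops trailing empty fields, which is what makes the `supplied $params[n]` tests work for inputs such as `src,`. The enclosing routine starts outside the hunk.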
@@ -4986,7 +5001,7 @@
}
}
- $command = ( $command ? "$command($mark)" : $mark ) . $designator;
+ $command = ( $command ? supplied $mark ? "$command($mark)" : $command : $mark ) . $designator;
my $line = ( $family == F_IPV6 ? "$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$headers\t$probability\t$dscp\t$state" : "$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$probability\t$dscp\t$state" );
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/Perl/Shorewall/Tc.pm shorewall-5.0.10/Perl/Shorewall/Tc.pm
--- shorewall-5.0.9/Perl/Shorewall/Tc.pm 2016-06-04 14:49:09.495358625 -0700
+++ shorewall-5.0.10/Perl/Shorewall/Tc.pm 2016-06-30 17:54:28.544178829 -0700
@@ -43,7 +43,7 @@
our @ISA = qw(Exporter);
our @EXPORT = qw( process_tc setup_tc );
our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '5.0_7';
+our $VERSION = '5.0_10';
our %flow_keys = (
'src' => 1,
'dst' => 1,
@@ -352,7 +352,7 @@
my $prio = 16 | $i;
emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
emit "run_tc filter add dev $physical protocol all prio $prio parent $number: handle $i fw classid $number:$i";
- emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
+ emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
emit '';
}
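Review bot: `$command = ( $command ? supplied $mark ? "$command($mark)" : $command : $mark ) . $designator;` nests a ternary inside a ternary with no parentheses around the inner one, which only parses as intended because `supplied` is a unary-prototype sub and is hard to read at a glance; I'd spell it out as `my $text = $mark;` / `$text = supplied( $mark ) ? "$command($mark)" : $command if $command;` / `$command = $text . $designator;`. The enclosing routine starts and ends outside the hunk.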
@@ -2234,13 +2234,19 @@
}
}
-sub open_mangle_for_output() {
+sub open_mangle_for_output( $ ) {
+ my ($fn ) = @_;
my ( $mangle, $fn1 );
if ( -f ( $fn1 = find_writable_file( 'mangle' ) ) ) {
open( $mangle , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
} else {
open( $mangle , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
+ #
+ # Transfer permissions from the existing tcrules file to the new mangle file
+ #
+ transfer_permissions( $fn, $fn1 );
+
print $mangle <<'EOF';
#
# Shorewall version 4 - Mangle File
@@ -2326,7 +2332,7 @@
#
# We are going to convert this tcrules file to the equivalent mangle file
#
- ( $mangle, $fn1 ) = open_mangle_for_output;
+ ( $mangle, $fn1 ) = open_mangle_for_output( $fn );
directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
@@ -2376,7 +2382,7 @@
#
# We are going to convert this tosfile to the equivalent mangle file
#
- ( $mangle, $fn1 ) = open_mangle_for_output;
+ ( $mangle, $fn1 ) = open_mangle_for_output( $fn );
convert_tos( $mangle, $fn1 );
close $mangle;
}
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/Perl/Shorewall/Zones.pm shorewall-5.0.10/Perl/Shorewall/Zones.pm
--- shorewall-5.0.9/Perl/Shorewall/Zones.pm 2016-06-04 14:49:09.503365165 -0700
+++ shorewall-5.0.10/Perl/Shorewall/Zones.pm 2016-06-30 17:54:28.548182829 -0700
@@ -108,7 +108,7 @@
);
our @EXPORT_OK = qw( initialize );
-our $VERSION = '5.0_8';
+our $VERSION = '5.0_10';
#
# IPSEC Option types
@@ -337,6 +337,7 @@
arp_ignore => ENUM_IF_OPTION,
blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
bridge => SIMPLE_IF_OPTION,
+ dbl => ENUM_IF_OPTION,
destonly => SIMPLE_IF_OPTION + IF_OPTION_HOST,
detectnets => OBSOLETE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION,
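Review bot: `my ($fn ) = @_;` is spaced differently from every other argument unpack in this diff (`my ( $old, $new ) = @_;`, `my ( $rawlevel, $option ) = @_;`); `my ( $fn ) = @_;` keeps the file's style. The new parameter is used only by `transfer_permissions( $fn, $fn1 )`, and the surrounding `-f ( $fn1 = find_writable_file( 'mangle' ) )` test will warn and then fail with an unhelpful `open` message if `find_writable_file` can ever return undef — I can't tell from this hunk whether it can. The rest of the routine, including the heredoc, is outside the hunk.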
@@ -387,6 +388,7 @@
%validinterfaceoptions = (
accept_ra => NUMERIC_IF_OPTION,
blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
bridge => SIMPLE_IF_OPTION,
+ dbl => ENUM_IF_OPTION,
destonly => SIMPLE_IF_OPTION + IF_OPTION_HOST,
dhcp => SIMPLE_IF_OPTION,
ignore => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
@@ -1191,6 +1193,7 @@
my %options;
$options{port} = 1 if $port;
+ $options{dbl} = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
my $hostoptionsref = {};
@@ -1234,6 +1237,8 @@
} else {
warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
}
+ } elsif ( $option eq 'nodbl' ) {
+ $options{dbl} = '0:0';
} else {
$options{$option} = 1;
$hostoptions{$option} = 1 if $hostopt;
@@ -1256,6 +1261,11 @@
} else {
$options{arp_ignore} = 1;
}
+ } elsif ( $option eq 'dbl' ) {
+ my %values = ( none => '0:0', src => '1:0', dst => '2:0', 'src-dst' => '1:2' );
+
+ fatal_error q(The 'dbl' option requires a value) unless defined $value;
+ fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( $options{dbl} = $values{$value} );
} else {
assert( 0 );
}
@@ -1906,7 +1916,7 @@
my $returnvalue = 0;
- my $interfaces = find_interfaces_by_option 'wait';
+ my $interfaces = find_interfaces_by_option( 'wait');
if ( @$interfaces ) {
my $first = 1;
@@ -1972,7 +1982,7 @@
}
- $interfaces = find_interfaces_by_option 'required';
+ $interfaces = find_interfaces_by_option( 'required' );
if ( @$interfaces ) {
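Review bot: The default `$options{dbl} = ... ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';` is a chained ternary on one long line, and its middle test treats `$config{DYNAMIC_BLACKLIST}` as a plain truth value, which is only correct if `No` has already been normalised to an empty string (the Config.pm hunk in this diff calls `default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' )`, so that presumably holds but is not stated here). I'd lay the three cases out one per line as a table and add `# Default 'dbl' is in:out (1 = src, 2 = dst); DYNAMIC_BLACKLIST is already normalised, '' meaning No` above it, since the same `in:out` encoding is consumed in the Misc.pm hunk and this is where a reader will first look for its meaning.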
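Review bot: `fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( $options{dbl} = $values{$value} );` hides the store inside the condition, and `%values` is rebuilt on every call; I'd write `my $dbl = $values{$value};` / `fatal_error qq(Invalid setting ($value) for 'dbl') unless defined $dbl;` / `$options{dbl} = $dbl;` and lift `%values` to a file-level table next to the other option tables. The `@@ -1234` hunk maps the older `nodbl` option to `'0:0'`; a one-line comment there saying `nodbl` is presumably retained for compatibility and equals `dbl=none` would explain why two spellings coexist.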
@@ -2160,7 +2170,7 @@
#
$interface = '%vserver%' if $type & VSERVER;
- add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 1 );
+ add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 0 );
progress_message " Host \"$currentline\" validated";
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/releasenotes.txt shorewall-5.0.10/releasenotes.txt
--- shorewall-5.0.9/releasenotes.txt 2016-06-04 14:49:09.383267082 -0700
+++ shorewall-5.0.10/releasenotes.txt 2016-06-30 17:54:28.416050830 -0700
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 5 . 0 . 9
+ S H O R E W A L L 5 . 0 . 1 0
----------------------------
- J u n e 0 4 , 2 0 1 6
+ J u n e 3 0 , 2 0 1 6
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
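Review bot: The last positional argument in `add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 0 );` is a bare flag switched from 1 to 0 with nothing at the call site saying what it controls, and add_group_to_zone is not in this diff; the release notes in this patch (item 4 under problems corrected) credit 5.0.10 with avoiding duplicate tcpflags/nosmurfs/maclist rules on multi-zone interfaces, which this hunk may be the implementation of. A comment above the call naming the parameter and why it is now false, for example `# final arg: see add_group_to_zone(); 0 here avoids the duplicate per-interface option rules described in the 5.0.10 release notes`, would spare the next reader a bisect. The enclosing sub starts and ends outside the hunk.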
@@ -14,7 +14,26 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) This release contains defect repair through Shorewall 5.0.8.2.
+1) This release includes defect repair through Shorewall 5.0.9.2.
+
+2) Previously, the 'update' commmand could result in updated files
+ having the user's default permissions rather than the permissions
+ of the original file. That has been corrected.
+
+3) A number of update and update-compatibility issues have been
+ corrected:
+
+ a) : (e.g., "fred:") is once again accepted in USER columns.
+ b) The USER column in the mangle file can once again be specified
+ when :T is the chain designator.
+ c) The 'notrack' file is now correctly appended to the 'mangle'
+ file during update.
+ d) IPMARK entries in 'tcrules' are now correctly converted into
+ the 'mangle' file.
+
+4) When multiple zones are configured on an interface, the 'tcpflags',
+ 'nosmurfs' and 'maclist' options could previously result in silly
+ duplicate rules. That problem has been corrected.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
@@ -27,88 +46,38 @@ correctly in configurations with USE_DEFAULT_RT=No and optional providers listed in the DUPLICATE column. -3) Previously, if: - - - DOCKER=Yes - - docker0 was defined in /etc/shorewall/interfaces - - Docker was not running - - then Shorewall would fail to start with an error similar to this - - iptables-restore v1.4.21: Couldn't load target `DOCKER': - No such file or directory - Error occurred at line: 29 - Try `iptables-restore -h' or - 'iptables-restore --help' for more information. - ERROR: /sbin/iptables-restore Failed. - - This has been corrected such that Shorewall starts correctly under - these conditions. - ---------------------------------------------------------------------------- I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The file 'lib.core' has been renamed 'lib.runtime' to more - accurately reflect the file's role. - -2) The CLI now produces helpful error messages rather than simply - dumping out the complete usage syntax. - -3) The 'status' and 'version -a" command outputs now include the time - and date when the current firewall script was compiled. - - This feature implements a new 'info' command that is recognized by - the compiled script. That command produces output similar to the - following: - - compiled Thu Apr 28 14:18:58 2016 by Shorewall version 5.0.9 - - Note 1: The time and date of compilation will only be displayed - after the firewall script has been compiled using this or a later - Shorewall release. - - Note 2: Information about the current firewall script is only - displayed by the 'version -a' command when the command is executed - by root. - - Caution: If you execute 'shorewall compile', a subsequent 'status' - command will display the compilation information for the newly - compiled script and not for the one that was used to instantiate - the running firewall configuration. 
Note that the compilation - date/time, in this case, will be later than the started date/time: - - Example: - - State:Started Sun Apr 24 12:22:18 PDT 2016 from /etc/shorewall/ - (/var/lib/shorewall/firewall compiled Thu Apr 28 14:18:58 2016 - by Shorewall version 5.0.9) - -4) The ?INFO and ?WARNING directives added in Shorewall 5.0.8 include - the current filename and line number in the generated message. That - behavior can be suppressed by using ?INFO! AND ?WARNING! - instead. Additionally, the default behavior can be changed by - setting VERBOSE_MESSAGES=No in shorewall[6].conf. In that case, - including the exclaimation point causes the filename and line - number to be included. - -5) NFLOG(...) is now supported in the mangle files. - -6) The compiler now checks the version of the installed Shorewall-core - and issues a warning message if there is a mis-match. +1) The 'allow' command can now remove entries from the ipset-based + dynamic blacklists. - Example (folded to fit within 72 columns): + allow
... - WARNING: Version Mismatch: Shorewall-core is version 5.0.8.2, - while the Shorewall version is 5.0.9-Beta2 +2) A new 'dbl' (Dynamic Blacklist) option is now available in the + 'interfaces' file. Possible settings are: - When compiling for IPv6, the Shorewall6 version is also verified - and a similar warning is issued in the case of a mismatch. + none - equivalent to specifying 'nodbl'. + src - packets entering the firewall on the interface have their + source IP address checked against the ipset-based + blacklist. + dst - packets entering the firewall on the interface have their + destination IP address checked against the ipset-based + blacklist. + src-dst - packets entering the firewall on the interface have their + source IP address checked against the ipset-based + blacklist. Packets originating on the fireawll and + leaving through the interface have their destination IP + address checked against the ipset-based blacklist. -7) The sample configurations now have AUTOMAKE enabled. + The normal setting for an internet-facing interface will be either + 'src' or 'src-dst'. The normal setting for an internal interface + will be either 'none' or 'dst'. -8) Full date and time strings generated by the compiler are now in - 'date' format rather than Perl's 'localtime' format. +3) The RPMs from shorewall.net are now created to assume that systemd + is being used. They are targeted specifically at OpenSuSE and have + been verified on OpenSuSE 42.1. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -269,6 +238,95 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 0 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 0 . 9 +---------------------------------------------------------------------------- + +1) This release contains defect repair through Shorewall 5.0.8.2. + +2) Previously, if: + + - DOCKER=Yes + - docker0 was defined in /etc/shorewall/interfaces + - Docker was not running + + then Shorewall would fail to start with an error similar to this + + iptables-restore v1.4.21: Couldn't load target `DOCKER': + No such file or directory + Error occurred at line: 29 + Try `iptables-restore -h' or + 'iptables-restore --help' for more information. + ERROR: /sbin/iptables-restore Failed. + + This has been corrected such that Shorewall starts correctly under + these conditions. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 0 . 9 +---------------------------------------------------------------------------- + +1) The file 'lib.core' has been renamed 'lib.runtime' to more + accurately reflect the file's role. + +2) The CLI now produces helpful error messages rather than simply + dumping out the complete usage syntax. + +3) The 'status' and 'version -a" command outputs now include the time + and date when the current firewall script was compiled. + + This feature implements a new 'info' command that is recognized by + the compiled script. That command produces output similar to the + following: + + compiled Thu Apr 28 14:18:58 2016 by Shorewall version 5.0.9 + + Note 1: The time and date of compilation will only be displayed + after the firewall script has been compiled using this or a later + Shorewall release. 
+ + Note 2: Information about the current firewall script is only + displayed by the 'version -a' command when the command is executed + by root. + + Caution: If you execute 'shorewall compile', a subsequent 'status' + command will display the compilation information for the newly + compiled script and not for the one that was used to instantiate + the running firewall configuration. Note that the compilation + date/time, in this case, will be later than the started date/time: + + Example: + + State:Started Sun Apr 24 12:22:18 PDT 2016 from /etc/shorewall/ + (/var/lib/shorewall/firewall compiled Thu Apr 28 14:18:58 2016 + by Shorewall version 5.0.9) + +4) The ?INFO and ?WARNING directives added in Shorewall 5.0.8 include + the current filename and line number in the generated message. That + behavior can be suppressed by using ?INFO! AND ?WARNING! + instead. Additionally, the default behavior can be changed by + setting VERBOSE_MESSAGES=No in shorewall[6].conf. In that case, + including the exclaimation point causes the filename and line + number to be included. + +5) NFLOG(...) is now supported in the mangle files. + +6) The compiler now checks the version of the installed Shorewall-core + and issues a warning message if there is a mis-match. + + Example (folded to fit within 72 columns): + + WARNING: Version Mismatch: Shorewall-core is version 5.0.8.2, + while the Shorewall version is 5.0.9-Beta2 + + When compiling for IPv6, the Shorewall6 version is also verified + and a similar warning is issued in the case of a mismatch. + +7) The sample configurations now have AUTOMAKE enabled. + +8) Full date and time strings generated by the compiler are now in + 'date' format rather than Perl's 'localtime' format. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 0 . 
8
----------------------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/Samples/one-interface/interfaces.annotated shorewall-5.0.10/Samples/one-interface/interfaces.annotated
--- shorewall-5.0.9/Samples/one-interface/interfaces.annotated 2016-06-04 14:49:51.117350831 -0700
+++ shorewall-5.0.10/Samples/one-interface/interfaces.annotated 2016-06-30 17:55:02.241842828 -0700
@@ -183,6 +183,37 @@
# Designates the interface as a bridge. Beginning with Shorewall 4.4.7,
# setting this option also sets routeback.
#
+# dbl={none|src|dst|src-dst}
+#
+# Added in Shorewall 5.0.10. This option defined whether or not dynamic
+# blacklisting is applied to packets entering the firewall through this
+# interface and whether the source address and/or destination address is
+# to be compared against the ipset-based dynamic blacklist
+# (DYNAMIC_BLACKLIST=ipset... in shorewall.conf(5)). The default is
+# determine by the setting of DYNAMIC_BLACKLIST:
+#
+# DYNAMIC_BLACKLIST=No
+#
+# Default is none (e.g., no dynamic blacklist checking).
+#
+# DYNAMIC_BLACKLIST=Yes
+#
+# Default is src (e.g., the source IP address is checked).
+#
+# DYNAMIC_BLACKLIST=ipset[-only]
+#
+# Default is src.
+#
+# DYNAMIC_BLACKLIST=ipset[-only],src-dst...
+#
+# Default is src-dst (e.g., the source IP addresses in checked
+# against the ipset on input and the destination IP address is
+# checked against the ipset on packets originating from the firewall
+# and leaving through this interface).
+#
+# The normal setting for this option will be dst or none for internal
+# interfaces and src or src-dst for Internet-facing interfaces.
+#
# destonly
#
# Added in Shorewall 4.5.17. Causes the compiler to omit rules to handle
@@ -205,7 +236,7 @@
# Note
#
# If you use Shorewall-perl for firewall/bridging, then you need to
-# include DHCP-specific rules in shorewall-rules(8). DHCP uses UDP
+# include DHCP-specific rules in shorewall-rules(5). DHCP uses UDP
# ports 67 and 68.
#
# This option allows DHCP datagrams to enter and leave the interface.
@@ -289,7 +320,8 @@
# nodbl
#
# Added in Shorewall 5.0.8. When specified, dynamic blacklisting is
-# disabled on the interface.
+# disabled on the interface. Beginning with Shorewall 5.0.10, nodbl is
+# equivalent to dbl=none.
#
# nosmurfs
#
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/Samples/three-interfaces/interfaces.annotated shorewall-5.0.10/Samples/three-interfaces/interfaces.annotated
--- shorewall-5.0.9/Samples/three-interfaces/interfaces.annotated 2016-06-04 14:49:53.191044392 -0700
+++ shorewall-5.0.10/Samples/three-interfaces/interfaces.annotated 2016-06-30 17:55:03.787386830 -0700
@@ -183,6 +183,37 @@
# Designates the interface as a bridge. Beginning with Shorewall 4.4.7,
# setting this option also sets routeback.
#
+# dbl={none|src|dst|src-dst}
+#
+# Added in Shorewall 5.0.10. This option defined whether or not dynamic
+# blacklisting is applied to packets entering the firewall through this
+# interface and whether the source address and/or destination address is
+# to be compared against the ipset-based dynamic blacklist
+# (DYNAMIC_BLACKLIST=ipset... in shorewall.conf(5)). The default is
+# determine by the setting of DYNAMIC_BLACKLIST:
+#
+# DYNAMIC_BLACKLIST=No
+#
+# Default is none (e.g., no dynamic blacklist checking).
+#
+# DYNAMIC_BLACKLIST=Yes
+#
+# Default is src (e.g., the source IP address is checked).
+#
+# DYNAMIC_BLACKLIST=ipset[-only]
+#
+# Default is src.
+#
+# DYNAMIC_BLACKLIST=ipset[-only],src-dst...
+#
+# Default is src-dst (e.g., the source IP addresses in checked
+# against the ipset on input and the destination IP address is
+# checked against the ipset on packets originating from the firewall
+# and leaving through this interface).
+#
+# The normal setting for this option will be dst or none for internal
+# interfaces and src or src-dst for Internet-facing interfaces.
+#
# destonly
#
# Added in Shorewall 4.5.17. Causes the compiler to omit rules to handle
@@ -205,7 +236,7 @@
# Note
#
# If you use Shorewall-perl for firewall/bridging, then you need to
-# include DHCP-specific rules in shorewall-rules(8). DHCP uses UDP
+# include DHCP-specific rules in shorewall-rules(5). DHCP uses UDP
# ports 67 and 68.
#
# This option allows DHCP datagrams to enter and leave the interface.
@@ -289,7 +320,8 @@
# nodbl
#
# Added in Shorewall 5.0.8. When specified, dynamic blacklisting is
-# disabled on the interface.
+# disabled on the interface. Beginning with Shorewall 5.0.10, nodbl is
+# equivalent to dbl=none.
#
# nosmurfs
#
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/Samples/two-interfaces/interfaces.annotated shorewall-5.0.10/Samples/two-interfaces/interfaces.annotated
--- shorewall-5.0.9/Samples/two-interfaces/interfaces.annotated 2016-06-04 14:49:55.721110669 -0700
+++ shorewall-5.0.10/Samples/two-interfaces/interfaces.annotated 2016-06-30 17:55:05.877474830 -0700
@@ -183,6 +183,37 @@
# Designates the interface as a bridge. Beginning with Shorewall 4.4.7,
# setting this option also sets routeback.
#
+# dbl={none|src|dst|src-dst}
+#
+# Added in Shorewall 5.0.10. This option defined whether or not dynamic
+# blacklisting is applied to packets entering the firewall through this
+# interface and whether the source address and/or destination address is
+# to be compared against the ipset-based dynamic blacklist
+# (DYNAMIC_BLACKLIST=ipset... in shorewall.conf(5)). The default is
+# determine by the setting of DYNAMIC_BLACKLIST:
+#
+# DYNAMIC_BLACKLIST=No
+#
+# Default is none (e.g., no dynamic blacklist checking).
+#
+# DYNAMIC_BLACKLIST=Yes
+#
+# Default is src (e.g., the source IP address is checked).
+#
+# DYNAMIC_BLACKLIST=ipset[-only]
+#
+# Default is src.
+#
+# DYNAMIC_BLACKLIST=ipset[-only],src-dst...
+#
+# Default is src-dst (e.g., the source IP addresses in checked
+# against the ipset on input and the destination IP address is
+# checked against the ipset on packets originating from the firewall
+# and leaving through this interface).
+#
+# The normal setting for this option will be dst or none for internal
+# interfaces and src or src-dst for Internet-facing interfaces.
+#
# destonly
#
# Added in Shorewall 4.5.17. Causes the compiler to omit rules to handle
@@ -205,7 +236,7 @@
# Note
#
# If you use Shorewall-perl for firewall/bridging, then you need to
-# include DHCP-specific rules in shorewall-rules(8). DHCP uses UDP
+# include DHCP-specific rules in shorewall-rules(5). DHCP uses UDP
# ports 67 and 68.
#
# This option allows DHCP datagrams to enter and leave the interface.
@@ -289,7 +320,8 @@
# nodbl
#
# Added in Shorewall 5.0.8. When specified, dynamic blacklisting is
-# disabled on the interface.
+# disabled on the interface. Beginning with Shorewall 5.0.10, nodbl is
+# equivalent to dbl=none.
#
# nosmurfs
#
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/Samples/Universal/interfaces.annotated shorewall-5.0.10/Samples/Universal/interfaces.annotated
--- shorewall-5.0.9/Samples/Universal/interfaces.annotated 2016-06-04 14:49:58.267190023 -0700
+++ shorewall-5.0.10/Samples/Universal/interfaces.annotated 2016-06-30 17:55:07.963558829 -0700
@@ -179,6 +179,37 @@
# Designates the interface as a bridge. Beginning with Shorewall 4.4.7,
# setting this option also sets routeback.
#
+# dbl={none|src|dst|src-dst}
+#
+# Added in Shorewall 5.0.10. This option defined whether or not dynamic
+# blacklisting is applied to packets entering the firewall through this
+# interface and whether the source address and/or destination address is
+# to be compared against the ipset-based dynamic blacklist
+# (DYNAMIC_BLACKLIST=ipset... in shorewall.conf(5)). The default is
+# determine by the setting of DYNAMIC_BLACKLIST:
+#
+# DYNAMIC_BLACKLIST=No
+#
+# Default is none (e.g., no dynamic blacklist checking).
+#
+# DYNAMIC_BLACKLIST=Yes
+#
+# Default is src (e.g., the source IP address is checked).
+#
+# DYNAMIC_BLACKLIST=ipset[-only]
+#
+# Default is src.
+#
+# DYNAMIC_BLACKLIST=ipset[-only],src-dst...
+#
+# Default is src-dst (e.g., the source IP addresses in checked
+# against the ipset on input and the destination IP address is
+# checked against the ipset on packets originating from the firewall
+# and leaving through this interface).
+#
+# The normal setting for this option will be dst or none for internal
+# interfaces and src or src-dst for Internet-facing interfaces.
+#
# destonly
#
# Added in Shorewall 4.5.17. Causes the compiler to omit rules to handle
@@ -201,7 +232,7 @@
# Note
#
# If you use Shorewall-perl for firewall/bridging, then you need to
-# include DHCP-specific rules in shorewall-rules(8). DHCP uses UDP
+# include DHCP-specific rules in shorewall-rules(5). DHCP uses UDP
# ports 67 and 68.
#
# This option allows DHCP datagrams to enter and leave the interface.
@@ -285,7 +316,8 @@
# nodbl
#
# Added in Shorewall 5.0.8. When specified, dynamic blacklisting is
-# disabled on the interface.
+# disabled on the interface. Beginning with Shorewall 5.0.10, nodbl is
+# equivalent to dbl=none.
#
# nosmurfs
#
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/shorewallrc.suse shorewall-5.0.10/shorewallrc.suse
--- shorewall-5.0.9/shorewallrc.suse 2016-06-04 14:49:09.387270351 -0700
+++ shorewall-5.0.10/shorewallrc.suse 2016-06-30 17:54:28.416050830 -0700
@@ -7,15 +7,15 @@
CONFDIR=/etc #Directory where subsystem configurations are installed
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/lib #Directory for executable scripts.
-PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2 #Directory to install Shorewall Perl module directory
+PERLLIBDIR=${PREFIX}/lib/perl5/site-perl #Directory to install Shorewall Perl module directory
SBINDIR=/usr/sbin #Directory where system administration programs are installed
MANDIR=${SHAREDIR}/man/ #Directory where manpages are installed.
INITDIR=/etc/init.d #Directory where SysV init scripts are installed.
-INITFILE=$PRODUCT #Name of the product's SysV init script
+INITFILE= #Name of the product's SysV init script
INITSOURCE=init.suse.sh #Name of the distributed file to be installed as the SysV init script
ANNOTATED= #If non-zero, annotated configuration files are installed
-SERVICEDIR= #Directory where .service files are installed (systems running systemd only)
-SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SERVICEDIR=/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=$PRODUCT.service #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
SYSCONFFILE=sysconfig #Name of the distributed file to be installed in $SYSCONFDIR
SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter files are installed
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/shorewall.spec shorewall-5.0.10/shorewall.spec
--- shorewall-5.0.9/shorewall.spec 2016-06-04 14:49:09.383267082 -0700
+++ shorewall-5.0.10/shorewall.spec 2016-06-30 17:54:28.416050830 -0700
@@ -1,5 +1,5 @@
%define name shorewall
-%define version 5.0.9
+%define version 5.0.10
%define release 0base
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
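Review bot: `PERLLIBDIR=${PREFIX}/lib/perl5/site-perl` moves the RPM-built modules into the site tree, which Perl reserves for locally installed modules and normally searches ahead of vendor_perl; for a distribution-style package the unversioned vendor path (e.g. `${PREFIX}/lib/perl5/vendor_perl`) is the conventional home and avoids shadowing any distro-packaged Shorewall::* modules, so dropping the hard-coded `5.14.2` was right but the tree choice is worth a second look. `INITFILE=` is now empty while `INITSOURCE=init.suse.sh` and `INITDIR=/etc/init.d` are kept; if the installer keys off INITFILE that is harmless, but a trailing comment such as `#Empty: the systemd unit in $SERVICEDIR is installed instead` on that line would record why the SysV entries are half-disabled.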
@@ -45,9 +45,13 @@
%post
if [ $1 -eq 1 ]; then
- if [ -x /usr%{_sbindir}/insserv ]; then
- /usr%{_sbindir}/insserv %{_initddir}/shorewall
- elif [ -x /usr%{_sbindir}/chkconfig ]; then
+ if [ -x %{_sbindir}/systemctl ]; then
+ %{_sbindir}/systemctl enable shorewall
+ elif [ -x /usr/bin/systemctl ]; then
+ /usr/bin/systemctl enable shorewall
+ elif [ -x %{_sbindir}/insserv ]; then
+ %{_sbindir}/insserv %{_initddir}/shorewall
+ elif [ -x %{_sbindir}/chkconfig ]; then
%{_sbindir}/chkconfig --add shorewall;
fi
fi
@@ -55,7 +59,11 @@
%preun
if [ $1 = 0 ]; then
- if [ -x %{_sbindir}/insserv ]; then
+ if [ -x %{_sbindir}/systemctl ]; then
+ %{_sbindir}/systemctl disable shorewall
+ elif [ -x /usr/bin/systemctl ]; then
+ /usr/bin/systemctl disable shorewall
+ elif [ -x %{_sbindir}/insserv ]; then
%{_sbindir}/insserv -r %{_initddir}/shorewall
elif [ -x %{_sbindir}/chkconfig ]; then
%{_sbindir}/chkconfig --del shorewall
@@ -75,7 +83,7 @@
%files
%defattr(0644,root,root,0755)
-%attr(0544,root,root) %{_initddir}/shorewall
+%attr(644,root,root) /usr/lib/systemd/system/shorewall.service
%attr(0755,root,root) %dir /etc/shorewall
%ghost %attr(0644,root,root) /etc/shorewall/isusable
%ghost %attr(0644,root,root) /etc/shorewall/notrack
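Review bot: The `elif [ -x %{_sbindir}/insserv ]; then %{_sbindir}/insserv %{_initddir}/shorewall` fallback in %post (and the `insserv -r` / `chkconfig --del` branches kept in %preun) still registers a SysV script at %{_initddir}/shorewall, but the %files hunk in this same diff drops that file in favour of /usr/lib/systemd/system/shorewall.service, so on a host without systemctl the scriptlet would act on a file the package no longer installs. Either keep packaging the init script for that path or remove the insserv/chkconfig branches so the scriptlets agree with %files. Calling systemctl directly also bypasses preset policy and is what forces the `%{_sbindir}` versus `/usr/bin` probing; where available, the distribution macros (`%service_add_post shorewall.service` on openSUSE, `%systemd_post shorewall.service` elsewhere) handle both. In %files, `%{_unitdir}/shorewall.service` instead of the hard-coded `/usr/lib/systemd/system/shorewall.service` would follow the target distribution's layout.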
@@ -138,9 +146,17 @@
%attr(0644,root,root) %{_mandir}/man5/*
%attr(0644,root,root) %{_mandir}/man8/*
-%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
+%doc COPYING INSTALL changelog.txt releasenotes.txt Samples
%changelog
+* Sat Jun 25 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.10-0base
+* Tue Jun 21 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.10-0RC1
+* Tue Jun 14 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.10-0Beta2
+* Mon Jun 06 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.10-0Beta1
* Thu May 12 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.9-0base
* Thu May 05 2016 Tom Eastep tom@shorewall.net
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.9/uninstall.sh shorewall-5.0.10/uninstall.sh
--- shorewall-5.0.9/uninstall.sh 2016-06-04 14:49:09.299198423 -0700
+++ shorewall-5.0.10/uninstall.sh 2016-06-30 17:54:28.347982830 -0700
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=5.0.9
+VERSION=5.0.10
PRODUCT=shorewall
usage() # $1 = exit status