diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.9/changelog.txt shorewall-core-5.0.10/changelog.txt --- shorewall-core-5.0.9/changelog.txt 2016-06-04 14:49:09.383267082 -0700 +++ shorewall-core-5.0.10/changelog.txt 2016-06-30 17:54:28.412046830 -0700 @@ -1,3 +1,34 @@ +Changes in 5.0.10 + +1) Update release documents + +2) Avoid silly duplicate rules. + +Changes in 5.0.10 RC 1 + +1) Update release documents + +2) Convert the RPMs to use systemd + +Changes in 5.0.10 Beta 2 + +1) Update release documents + +2) Add 'dbl' interface option. + +3) Transfer permissions during 'update' + +4) Allow ':' in USER columns + +5) Correct update/compatibility issues. + +Changes in 5.0.10 Beta 1 + +1) Update release documents + +2) Allow can now re-enable addresses disabled using the 'blacklist' + command. + Changes in 5.0.9 Final 1) Update release documents diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.9/configure shorewall-core-5.0.10/configure --- shorewall-core-5.0.9/configure 2016-06-04 14:49:08.742743974 -0700 +++ shorewall-core-5.0.10/configure 2016-06-30 17:54:27.663298829 -0700 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.0.9 +VERSION=5.0.10 case "$BASH_VERSION" in [4-9].*) diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.9/configure.pl shorewall-core-5.0.10/configure.pl --- shorewall-core-5.0.9/configure.pl 2016-06-04 14:49:08.746747243 -0700 +++ shorewall-core-5.0.10/configure.pl 2016-06-30 17:54:27.671306830 -0700 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.0.9' + VERSION => '5.0.10' }; my %params; diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.9/install.sh shorewall-core-5.0.10/install.sh --- shorewall-core-5.0.9/install.sh 2016-06-04 14:49:08.738740705 -0700 +++ shorewall-core-5.0.10/install.sh 2016-06-30 17:54:27.655290829 -0700 
@@ -22,7 +22,7 @@ # along with this program; if not, see . # -VERSION=5.0.9 +VERSION=5.0.10 PRODUCT=shorewall-core Product="Shorewall Core" diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.9/lib.cli shorewall-core-5.0.10/lib.cli --- shorewall-core-5.0.9/lib.cli 2016-05-22 17:50:51.000000000 -0700 +++ shorewall-core-5.0.10/lib.cli 2016-06-30 17:49:43.000000000 -0700 @@ -2522,21 +2522,46 @@ # 'allow' command executor # allow_command() { + [ -n "$g_debugging" ] && set -x [ $# -eq 1 ] && missing_argument + if product_is_started ; then + local allowed local which which='-s' local range range='--src-range' + local dynexists - if ! chain_exists dynamic; then + if [ -n "$g_blacklistipset" ]; then + + case ${IPSET:=ipset} in + */*) + if [ ! -x "$IPSET" ]; then + fatal_error "IPSET=$IPSET does not exist or is not executable" + fi + ;; + *) + IPSET="$(mywhich $IPSET)" + [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located" + ;; + esac + fi + + if chain_exists dynamic; then + dynexists=Yes + elif [ -z "$g_blacklistipset" ]; then fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration" fi [ -n "$g_nolock" ] || mutex_on + while [ $# -gt 1 ]; do shift + + allowed='' + case $1 in from) which='-s' 
@@ -2549,29 +2574,48 @@ continue ;; *-*) + if [ -n "$g_blacklistipset" ]; then + if qt $IPSET -D $g_blacklistipset $1; then + allowed=Yes + fi + fi + + if [ -n "$dynexists" ]; then if qt $g_tool -D dynamic -m iprange $range $1 -j reject ||\ qt $g_tool -D dynamic -m iprange $range $1 -j DROP ||\ qt $g_tool -D dynamic -m iprange $range $1 -j logdrop ||\ qt $g_tool -D dynamic -m iprange $range $1 -j logreject then - echo "$1 Allowed" - else - echo "$1 Not Dropped or Rejected" + allowed=Yes + fi fi ;; *) + if [ -n "$g_blacklistipset" ]; then + if qt $IPSET -D $g_blacklistipset $1; then + allowed=Yes + fi + fi + + if [ -n "$dynexists" ]; then if qt $g_tool -D dynamic $which $1 -j reject ||\ qt $g_tool -D dynamic $which $1 -j DROP ||\ qt $g_tool -D dynamic $which $1 -j logdrop ||\ qt $g_tool -D dynamic $which $1 -j logreject then - echo "$1 Allowed" - else - echo "$1 Not Dropped or Rejected" + allowed=Yes + fi fi ;; esac + + if [ -n "$allowed" ]; then + progress_message2 "$1 Allowed" + else + error_message "WARNING: $1 already allowed (not dynamically blacklisted)" + fi done + [ -n "$g_nolock" ] || mutex_off else error_message "ERROR: $g_product is not started" @@ -3507,7 +3551,7 @@ ;; esac - $IPSET -A $g_blacklistipset $@ || { error_message "ERROR: Address $1 not blacklisted"; return 1; } + $IPSET -A $g_blacklistipset $@ && progress_message2 "$1 Blacklisted" || { error_message "ERROR: Address $1 not blacklisted"; return 1; } return 0 } @@ -4559,6 +4603,11 @@ # # It's a shell function -- call it # + $@ + elif type $1 2> /dev/null | fgrep -q 'is a shell function'; then + # + # It's a shell function -- call it + # $@ else # diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.9/lib.common shorewall-core-5.0.10/lib.common --- shorewall-core-5.0.9/lib.common 2016-05-22 17:50:51.000000000 -0700 +++ shorewall-core-5.0.10/lib.common 2016-06-30 17:49:43.000000000 -0700 
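Review bot: The reworked allow_command in hunk `@@ -2522,21 +2522,46 @@` carries no comment explaining the new dual mechanism, so the `if chain_exists dynamic; then ... elif [ -z "$g_blacklistipset" ]; then fatal_error` pair reads as if the chain were optional for no reason. A line above it such as `# Addresses may be blacklisted in the 'dynamic' chain, in the ipset named by $g_blacklistipset, or both; fail only when neither exists` and, on the `local dynexists` line, `# set when the 'dynamic' chain is present; drives the per-address deletes below` would make the loop that follows self-explanatory. The resolved `IPSET` is assigned as a plain (non-`local`) variable, so the resolved path outlives this command; that is presumably intended so later commands reuse it, and a short comment saying so would stop the next reader from adding `local`. allow_command's body continues past the end of this hunk.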
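Review bot: In hunk `@@ -2549,29 +2574,48 @@` a failing `qt $IPSET -D $g_blacklistipset $1` cannot be told apart from "entry not in the set": `qt` discards ipset's stderr and every non-zero status ends in `WARNING: $1 already allowed (not dynamically blacklisted)`, so an ipset error of any other kind (set missing, privilege problem) is reported to the operator as if the address were no longer blacklisted while it still is. Testing membership first and running the delete unsuppressed keeps the two cases apart: `if qt $IPSET test $g_blacklistipset "$1" && $IPSET -D $g_blacklistipset "$1"; then allowed=Yes; fi`. Both `case` arms also pass the operator-supplied address as an unquoted `$1`; `"$1"` keeps it a single argument, and the same unquoted `$1`/`$@` recurs in hunks `@@ -3507` and `@@ -4559`.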
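Review bot: The new `$IPSET -A $g_blacklistipset $@ && progress_message2 "$1 Blacklisted" || { error_message ...; return 1; }` in hunk `@@ -3507,7 +3551,7 @@` is an `A && B || C` chain, not an if/else: if progress_message2 ever returns non-zero (its definition is not visible here; a message suppressed by the current verbosity level is the usual way that happens) the `||` branch runs, the function prints `ERROR: Address $1 not blacklisted` and returns 1 even though the ipset add succeeded. An explicit conditional removes the ambiguity: `if $IPSET -A $g_blacklistipset "$@"; then progress_message2 "$1 Blacklisted"; else error_message "ERROR: Address $1 not blacklisted"; return 1; fi`. The enclosing function starts outside this hunk.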
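Review bot: The `elif type $1 2> /dev/null | fgrep -q 'is a shell function'` added in hunk `@@ -4559,6 +4603,11 @@` keys on the human-readable wording of `type`, which differs between shells (dash prints `is a shell function`, bash prints `is a function`), so which branch is taken depends on the interpreter, and the new branch repeats the comment and the `$@` body of the preceding `if` branch whose condition lies outside the hunk. If the intent is a fallback for a second shell's phrasing, say so in the comment, e.g. `# Fallback for shells whose 'type' reports 'is a shell function' (dash)`, or fold both phrasings into the one existing test with `grep -qE 'is a (shell )?function'` and drop the duplicated branch. `$@` in the new branch is unquoted; `"$@"` passes the arguments through unchanged.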
@@ -776,7 +776,7 @@ error_message "WARNING: Stale lockfile ${lockf} removed" elif [ $lockpid -eq $$ ]; then return 0 - elif ! qt ps p ${lockpid}; then + elif ! ps | grep -v grep | qt grep ${lockpid}; then rm -f ${lockf} error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed" fi @@ -788,10 +788,8 @@ echo $$ > ${lockf} chmod u-w ${lockf} elif qt mywhich lock; then - lock -${MUTEX_TIMEOUT} -r1 ${lockf} - chmod u+w ${lockf} - echo $$ > ${lockf} - chmod u-w ${lockf} + lock ${lockf} + chmod u=r ${lockf} else while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do sleep 1 @@ -813,6 +811,7 @@ # mutex_off() { + [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock} rm -f ${LOCKFILE:=${VARDIR}/lock} } diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.9/releasenotes.txt shorewall-core-5.0.10/releasenotes.txt --- shorewall-core-5.0.9/releasenotes.txt 2016-06-04 14:49:09.383267082 -0700 +++ shorewall-core-5.0.10/releasenotes.txt 2016-06-30 17:54:28.412046830 -0700 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 0 . 9 + S H O R E W A L L 5 . 0 . 1 0 ---------------------------- - J u n e 0 4 , 2 0 1 6 + J u n e 3 0 , 2 0 1 6 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
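Review bot: `ps | grep -v grep | qt grep ${lockpid}` in hunk `@@ -776,7 +776,7 @@` matches the pid as a bare substring anywhere in the `ps` listing — a lockpid of 12 matches pid 1234 or a `00:00:12` time column — so a stale lockfile can be treated as live and mutex_on then waits out MUTEX_TIMEOUT; the `ps p` it replaces was presumably dropped for a `ps` implementation that lacks that option. A parse-free liveness test sidesteps both problems: `elif ! kill -0 ${lockpid} 2> /dev/null; then` (valid as long as this runs with enough privilege to signal the lock holder, which I assume for a root-run CLI — confirm). If `ps` must stay, anchor the pid to the PID column, `qt grep "^ *${lockpid} "`. mutex_on begins before this hunk.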
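Review bot: The `lock` branch of mutex_on (hunk `@@ -788,10 +788,8 @@`) is chosen when `qt mywhich lock` succeeds, but the matching release in mutex_off (hunk `@@ -813,6 +811,7 @@`) runs `lock -u` only when `${CONFDIR}/rc.common` exists — two different tests for the same lock, so on a host that has a `lock` binary but no rc.common the lock is taken and never released by `lock -u`, and the following `rm -f` of the file may not release whatever `lock` holds. The same condition should gate both sides, e.g. in mutex_off `qt mywhich lock && lock -u ${LOCKFILE:=${VARDIR}/lock}`. The new `lock ${lockf}` also drops the `-${MUTEX_TIMEOUT} -r1` arguments, so if this `lock` blocks by default the call can hang where the old one gave up after MUTEX_TIMEOUT, and with `echo $$ > ${lockf}` gone from this branch the stale-pid check earlier in mutex_on only works if `lock` itself records the pid in the file — I cannot confirm either from the hunk.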
@@ -14,7 +14,26 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) This release contains defect repair through Shorewall 5.0.8.2. +1) This release includes defect repair through Shorewall 5.0.9.2. + +2) Previously, the 'update' commmand could result in updated files + having the user's default permissions rather than the permissions + of the original file. That has been corrected. + +3) A number of update and update-compatibility issues have been + corrected: + + a) : (e.g., "fred:") is once again accepted in USER columns. + b) The USER column in the mangle file can once again be specified + when :T is the chain designator. + c) The 'notrack' file is now correctly appended to the 'mangle' + file during update. + d) IPMARK entries in 'tcrules' are now correctly converted into + the 'mangle' file. + +4) When multiple zones are configured on an interface, the 'tcpflags', + 'nosmurfs' and 'maclist' options could previously result in silly + duplicate rules. That problem has been corrected. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -27,88 +46,38 @@ correctly in configurations with USE_DEFAULT_RT=No and optional providers listed in the DUPLICATE column. -3) Previously, if: - - - DOCKER=Yes - - docker0 was defined in /etc/shorewall/interfaces - - Docker was not running - - then Shorewall would fail to start with an error similar to this - - iptables-restore v1.4.21: Couldn't load target `DOCKER': - No such file or directory - Error occurred at line: 29 - Try `iptables-restore -h' or - 'iptables-restore --help' for more information. - ERROR: /sbin/iptables-restore Failed. - - This has been corrected such that Shorewall starts correctly under - these conditions. - ---------------------------------------------------------------------------- I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The file 'lib.core' has been renamed 'lib.runtime' to more - accurately reflect the file's role. - -2) The CLI now produces helpful error messages rather than simply - dumping out the complete usage syntax. - -3) The 'status' and 'version -a" command outputs now include the time - and date when the current firewall script was compiled. - - This feature implements a new 'info' command that is recognized by - the compiled script. That command produces output similar to the - following: - - compiled Thu Apr 28 14:18:58 2016 by Shorewall version 5.0.9 - - Note 1: The time and date of compilation will only be displayed - after the firewall script has been compiled using this or a later - Shorewall release. - - Note 2: Information about the current firewall script is only - displayed by the 'version -a' command when the command is executed - by root. - - Caution: If you execute 'shorewall compile', a subsequent 'status' - command will display the compilation information for the newly - compiled script and not for the one that was used to instantiate - the running firewall configuration. 
Note that the compilation - date/time, in this case, will be later than the started date/time: - - Example: - - State:Started Sun Apr 24 12:22:18 PDT 2016 from /etc/shorewall/ - (/var/lib/shorewall/firewall compiled Thu Apr 28 14:18:58 2016 - by Shorewall version 5.0.9) - -4) The ?INFO and ?WARNING directives added in Shorewall 5.0.8 include - the current filename and line number in the generated message. That - behavior can be suppressed by using ?INFO! AND ?WARNING! - instead. Additionally, the default behavior can be changed by - setting VERBOSE_MESSAGES=No in shorewall[6].conf. In that case, - including the exclaimation point causes the filename and line - number to be included. - -5) NFLOG(...) is now supported in the mangle files. - -6) The compiler now checks the version of the installed Shorewall-core - and issues a warning message if there is a mis-match. +1) The 'allow' command can now remove entries from the ipset-based + dynamic blacklists. - Example (folded to fit within 72 columns): + allow
... - WARNING: Version Mismatch: Shorewall-core is version 5.0.8.2, - while the Shorewall version is 5.0.9-Beta2 +2) A new 'dbl' (Dynamic Blacklist) option is now available in the + 'interfaces' file. Possible settings are: - When compiling for IPv6, the Shorewall6 version is also verified - and a similar warning is issued in the case of a mismatch. + none - equivalent to specifying 'nodbl'. + src - packets entering the firewall on the interface have their + source IP address checked against the ipset-based + blacklist. + dst - packets entering the firewall on the interface have their + destination IP address checked against the ipset-based + blacklist. + src-dst - packets entering the firewall on the interface have their + source IP address checked against the ipset-based + blacklist. Packets originating on the fireawll and + leaving through the interface have their destination IP + address checked against the ipset-based blacklist. -7) The sample configurations now have AUTOMAKE enabled. + The normal setting for an internet-facing interface will be either + 'src' or 'src-dst'. The normal setting for an internal interface + will be either 'none' or 'dst'. -8) Full date and time strings generated by the compiler are now in - 'date' format rather than Perl's 'localtime' format. +3) The RPMs from shorewall.net are now created to assume that systemd + is being used. They are targeted specifically at OpenSuSE and have + been verified on OpenSuSE 42.1. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -269,6 +238,95 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 0 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 0 . 9 +---------------------------------------------------------------------------- + +1) This release contains defect repair through Shorewall 5.0.8.2. + +2) Previously, if: + + - DOCKER=Yes + - docker0 was defined in /etc/shorewall/interfaces + - Docker was not running + + then Shorewall would fail to start with an error similar to this + + iptables-restore v1.4.21: Couldn't load target `DOCKER': + No such file or directory + Error occurred at line: 29 + Try `iptables-restore -h' or + 'iptables-restore --help' for more information. + ERROR: /sbin/iptables-restore Failed. + + This has been corrected such that Shorewall starts correctly under + these conditions. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 0 . 9 +---------------------------------------------------------------------------- + +1) The file 'lib.core' has been renamed 'lib.runtime' to more + accurately reflect the file's role. + +2) The CLI now produces helpful error messages rather than simply + dumping out the complete usage syntax. + +3) The 'status' and 'version -a" command outputs now include the time + and date when the current firewall script was compiled. + + This feature implements a new 'info' command that is recognized by + the compiled script. That command produces output similar to the + following: + + compiled Thu Apr 28 14:18:58 2016 by Shorewall version 5.0.9 + + Note 1: The time and date of compilation will only be displayed + after the firewall script has been compiled using this or a later + Shorewall release. 
+ + Note 2: Information about the current firewall script is only + displayed by the 'version -a' command when the command is executed + by root. + + Caution: If you execute 'shorewall compile', a subsequent 'status' + command will display the compilation information for the newly + compiled script and not for the one that was used to instantiate + the running firewall configuration. Note that the compilation + date/time, in this case, will be later than the started date/time: + + Example: + + State:Started Sun Apr 24 12:22:18 PDT 2016 from /etc/shorewall/ + (/var/lib/shorewall/firewall compiled Thu Apr 28 14:18:58 2016 + by Shorewall version 5.0.9) + +4) The ?INFO and ?WARNING directives added in Shorewall 5.0.8 include + the current filename and line number in the generated message. That + behavior can be suppressed by using ?INFO! AND ?WARNING! + instead. Additionally, the default behavior can be changed by + setting VERBOSE_MESSAGES=No in shorewall[6].conf. In that case, + including the exclaimation point causes the filename and line + number to be included. + +5) NFLOG(...) is now supported in the mangle files. + +6) The compiler now checks the version of the installed Shorewall-core + and issues a warning message if there is a mis-match. + + Example (folded to fit within 72 columns): + + WARNING: Version Mismatch: Shorewall-core is version 5.0.8.2, + while the Shorewall version is 5.0.9-Beta2 + + When compiling for IPv6, the Shorewall6 version is also verified + and a similar warning is issued in the case of a mismatch. + +7) The sample configurations now have AUTOMAKE enabled. + +8) Full date and time strings generated by the compiler are now in + 'date' format rather than Perl's 'localtime' format. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 0 . 
8 ---------------------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.9/shorewall-core.spec shorewall-core-5.0.10/shorewall-core.spec --- shorewall-core-5.0.9/shorewall-core.spec 2016-06-04 14:49:09.383267082 -0700 +++ shorewall-core-5.0.10/shorewall-core.spec 2016-06-30 17:54:28.412046830 -0700 @@ -1,5 +1,5 @@ %define name shorewall-core -%define version 5.0.9 +%define version 5.0.10 %define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. @@ -63,6 +63,14 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt %changelog +* Sat Jun 25 2016 Tom Eastep tom@shorewall.net +- Updated to 5.0.10-0base +* Tue Jun 21 2016 Tom Eastep tom@shorewall.net +- Updated to 5.0.10-0RC1 +* Tue Jun 14 2016 Tom Eastep tom@shorewall.net +- Updated to 5.0.10-0Beta2 +* Mon Jun 06 2016 Tom Eastep tom@shorewall.net +- Updated to 5.0.10-0Beta1 * Thu May 12 2016 Tom Eastep tom@shorewall.net - Updated to 5.0.9-0base * Thu May 05 2016 Tom Eastep tom@shorewall.net diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.9/shorewallrc.suse shorewall-core-5.0.10/shorewallrc.suse --- shorewall-core-5.0.9/shorewallrc.suse 2016-05-22 17:50:51.000000000 -0700 +++ shorewall-core-5.0.10/shorewallrc.suse 2016-06-30 17:49:43.000000000 -0700 
@@ -7,15 +7,15 @@ CONFDIR=/etc #Directory where subsystem configurations are installed SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. LIBEXECDIR=${PREFIX}/lib #Directory for executable scripts. -PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2 #Directory to install Shorewall Perl module directory +PERLLIBDIR=${PREFIX}/lib/perl5/site-perl #Directory to install Shorewall Perl module directory SBINDIR=/usr/sbin #Directory where system administration programs are installed MANDIR=${SHAREDIR}/man/ #Directory where manpages are installed. INITDIR=/etc/init.d #Directory where SysV init scripts are installed. -INITFILE=$PRODUCT #Name of the product's SysV init script +INITFILE= #Name of the product's SysV init script INITSOURCE=init.suse.sh #Name of the distributed file to be installed as the SysV init script ANNOTATED= #If non-zero, annotated configuration files are installed -SERVICEDIR= #Directory where .service files are installed (systems running systemd only) -SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service +SERVICEDIR=/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only) +SERVICEFILE=$PRODUCT.service #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SYSCONFFILE=sysconfig #Name of the distributed file to be installed in $SYSCONFDIR SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter files are installed SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.9/uninstall.sh shorewall-core-5.0.10/uninstall.sh --- shorewall-core-5.0.9/uninstall.sh 2016-06-04 14:49:08.742743974 -0700 +++ shorewall-core-5.0.10/uninstall.sh 2016-06-30 17:54:27.659294829 -0700 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.0.9 +VERSION=5.0.10 PRODUCT="shorewall-core" Product="Shorewall Core"