diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.9/changelog.txt shorewall-lite-5.0.10/changelog.txt --- shorewall-lite-5.0.9/changelog.txt 2016-06-04 14:49:09.991764034 -0700 +++ shorewall-lite-5.0.10/changelog.txt 2016-06-30 17:54:28.892526829 -0700 @@ -1,3 +1,34 @@ +Changes in 5.0.10 + +1) Update release documents + +2) Avoid silly duplicate rules. + +Changes in 5.0.10 RC 1 + +1) Update release documents + +2) Convert the RPMs to use systemd + +Changes in 5.0.10 Beta 2 + +1) Update release documents + +2) Add 'dbl' interface option. + +3) Transfer permissions during 'update' + +4) Allow ':' in USER columns + +5) Correct update/compatibility issues. + +Changes in 5.0.10 Beta 1 + +1) Update release documents + +2) Allow can now re-enable addresses disabled using the 'blacklist' + command. + Changes in 5.0.9 Final 1) Update release documents diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.9/configure shorewall-lite-5.0.10/configure --- shorewall-lite-5.0.9/configure 2016-06-04 14:49:09.995767303 -0700 +++ shorewall-lite-5.0.10/configure 2016-06-30 17:54:28.892526829 -0700 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.0.9 +VERSION=5.0.10 case "$BASH_VERSION" in [4-9].*) diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.9/configure.pl shorewall-lite-5.0.10/configure.pl --- shorewall-lite-5.0.9/configure.pl 2016-06-04 14:49:09.999770573 -0700 +++ shorewall-lite-5.0.10/configure.pl 2016-06-30 17:54:28.892526829 -0700 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.0.9' + VERSION => '5.0.10' }; my %params; diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.9/install.sh shorewall-lite-5.0.10/install.sh --- shorewall-lite-5.0.9/install.sh 2016-06-04 14:49:09.983757495 -0700 +++ shorewall-lite-5.0.10/install.sh 2016-06-30 17:54:28.884518829 -0700 
@@ -22,7 +22,7 @@ # along with this program; if not, see . # -VERSION=5.0.9 +VERSION=5.0.10 usage() # $1 = exit status { @@ -550,7 +550,7 @@ fi install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640 - echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}" + echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}" fi if [ ${SHAREDIR} != /usr/share ]; then diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.9/manpages/shorewall-lite.8 shorewall-lite-5.0.10/manpages/shorewall-lite.8 --- shorewall-lite-5.0.9/manpages/shorewall-lite.8 2016-06-04 14:50:44.705115345 -0700 +++ shorewall-lite-5.0.10/manpages/shorewall-lite.8 2016-06-30 17:55:45.749306830 -0700 @@ -2,12 +2,12 @@ .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 06/04/2016 +.\" Date: 06/30/2016 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "06/04/2016" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL\-LITE" "8" "06/30/2016" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -205,6 +205,8 @@ \fBlogdrop\fR, \fBreject\fR, or \fBlogreject\fR +command\&. Beginning with Shorewall 5\&.0\&.10, this command can also re\-enable addresses blacklisted using the +\fBblacklist\fR command\&. .RE .PP diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.9/manpages/shorewall-lite.conf.5 shorewall-lite-5.0.10/manpages/shorewall-lite.conf.5 --- shorewall-lite-5.0.9/manpages/shorewall-lite.conf.5 2016-06-04 14:50:43.107810845 -0700 +++ shorewall-lite-5.0.10/manpages/shorewall-lite.conf.5 2016-06-30 17:55:44.460018830 -0700 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 06/04/2016 +.\" Date: 06/30/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "06/04/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\&.CO" "5" "06/30/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.9/manpages/shorewall-lite-vardir.5 shorewall-lite-5.0.10/manpages/shorewall-lite-vardir.5 --- shorewall-lite-5.0.9/manpages/shorewall-lite-vardir.5 2016-06-04 14:50:43.780360108 -0700 +++ shorewall-lite-5.0.10/manpages/shorewall-lite-vardir.5 2016-06-30 17:55:44.964522829 -0700 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 06/04/2016 +.\" Date: 06/30/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "06/04/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\-VAR" "5" "06/30/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.9/manpages/shorewall-lite.xml shorewall-lite-5.0.10/manpages/shorewall-lite.xml --- shorewall-lite-5.0.9/manpages/shorewall-lite.xml 2016-06-04 14:50:44.753154579 -0700 +++ shorewall-lite-5.0.10/manpages/shorewall-lite.xml 2016-06-30 17:55:45.789346830 -0700 @@ -702,7 +702,9 @@ blacklisted by a drop, logdrop, reject, or logreject command. + role="bold">logreject command. Beginning with Shorewall + 5.0.10, this command can also re-enable addresses blacklisted using + the blacklist command. diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.9/releasenotes.txt shorewall-lite-5.0.10/releasenotes.txt --- shorewall-lite-5.0.9/releasenotes.txt 2016-06-04 14:49:09.991764034 -0700 +++ shorewall-lite-5.0.10/releasenotes.txt 2016-06-30 17:54:28.892526829 -0700 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 0 . 9 + S H O R E W A L L 5 . 0 . 1 0 ---------------------------- - J u n e 0 4 , 2 0 1 6 + J u n e 3 0 , 2 0 1 6 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,7 +14,26 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) This release contains defect repair through Shorewall 5.0.8.2. +1) This release includes defect repair through Shorewall 5.0.9.2. + +2) Previously, the 'update' commmand could result in updated files + having the user's default permissions rather than the permissions + of the original file. That has been corrected. + +3) A number of update and update-compatibility issues have been + corrected: + + a) : (e.g., "fred:") is once again accepted in USER columns. + b) The USER column in the mangle file can once again be specified + when :T is the chain designator. + c) The 'notrack' file is now correctly appended to the 'mangle' + file during update. + d) IPMARK entries in 'tcrules' are now correctly converted into + the 'mangle' file. + +4) When multiple zones are configured on an interface, the 'tcpflags', + 'nosmurfs' and 'maclist' options could previously result in silly + duplicate rules. That problem has been corrected. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -27,88 +46,38 @@ correctly in configurations with USE_DEFAULT_RT=No and optional providers listed in the DUPLICATE column. -3) Previously, if: - - - DOCKER=Yes - - docker0 was defined in /etc/shorewall/interfaces - - Docker was not running - - then Shorewall would fail to start with an error similar to this - - iptables-restore v1.4.21: Couldn't load target `DOCKER': - No such file or directory - Error occurred at line: 29 - Try `iptables-restore -h' or - 'iptables-restore --help' for more information. - ERROR: /sbin/iptables-restore Failed. - - This has been corrected such that Shorewall starts correctly under - these conditions. - ---------------------------------------------------------------------------- I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The file 'lib.core' has been renamed 'lib.runtime' to more - accurately reflect the file's role. - -2) The CLI now produces helpful error messages rather than simply - dumping out the complete usage syntax. - -3) The 'status' and 'version -a" command outputs now include the time - and date when the current firewall script was compiled. - - This feature implements a new 'info' command that is recognized by - the compiled script. That command produces output similar to the - following: - - compiled Thu Apr 28 14:18:58 2016 by Shorewall version 5.0.9 - - Note 1: The time and date of compilation will only be displayed - after the firewall script has been compiled using this or a later - Shorewall release. - - Note 2: Information about the current firewall script is only - displayed by the 'version -a' command when the command is executed - by root. - - Caution: If you execute 'shorewall compile', a subsequent 'status' - command will display the compilation information for the newly - compiled script and not for the one that was used to instantiate - the running firewall configuration. 
Note that the compilation - date/time, in this case, will be later than the started date/time: - - Example: - - State:Started Sun Apr 24 12:22:18 PDT 2016 from /etc/shorewall/ - (/var/lib/shorewall/firewall compiled Thu Apr 28 14:18:58 2016 - by Shorewall version 5.0.9) - -4) The ?INFO and ?WARNING directives added in Shorewall 5.0.8 include - the current filename and line number in the generated message. That - behavior can be suppressed by using ?INFO! AND ?WARNING! - instead. Additionally, the default behavior can be changed by - setting VERBOSE_MESSAGES=No in shorewall[6].conf. In that case, - including the exclaimation point causes the filename and line - number to be included. - -5) NFLOG(...) is now supported in the mangle files. - -6) The compiler now checks the version of the installed Shorewall-core - and issues a warning message if there is a mis-match. +1) The 'allow' command can now remove entries from the ipset-based + dynamic blacklists. - Example (folded to fit within 72 columns): + allow
... - WARNING: Version Mismatch: Shorewall-core is version 5.0.8.2, - while the Shorewall version is 5.0.9-Beta2 +2) A new 'dbl' (Dynamic Blacklist) option is now available in the + 'interfaces' file. Possible settings are: - When compiling for IPv6, the Shorewall6 version is also verified - and a similar warning is issued in the case of a mismatch. + none - equivalent to specifying 'nodbl'. + src - packets entering the firewall on the interface have their + source IP address checked against the ipset-based + blacklist. + dst - packets entering the firewall on the interface have their + destination IP address checked against the ipset-based + blacklist. + src-dst - packets entering the firewall on the interface have their + source IP address checked against the ipset-based + blacklist. Packets originating on the fireawll and + leaving through the interface have their destination IP + address checked against the ipset-based blacklist. -7) The sample configurations now have AUTOMAKE enabled. + The normal setting for an internet-facing interface will be either + 'src' or 'src-dst'. The normal setting for an internal interface + will be either 'none' or 'dst'. -8) Full date and time strings generated by the compiler are now in - 'date' format rather than Perl's 'localtime' format. +3) The RPMs from shorewall.net are now created to assume that systemd + is being used. They are targeted specifically at OpenSuSE and have + been verified on OpenSuSE 42.1. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -269,6 +238,95 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 0 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 0 . 9 +---------------------------------------------------------------------------- + +1) This release contains defect repair through Shorewall 5.0.8.2. + +2) Previously, if: + + - DOCKER=Yes + - docker0 was defined in /etc/shorewall/interfaces + - Docker was not running + + then Shorewall would fail to start with an error similar to this + + iptables-restore v1.4.21: Couldn't load target `DOCKER': + No such file or directory + Error occurred at line: 29 + Try `iptables-restore -h' or + 'iptables-restore --help' for more information. + ERROR: /sbin/iptables-restore Failed. + + This has been corrected such that Shorewall starts correctly under + these conditions. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 0 . 9 +---------------------------------------------------------------------------- + +1) The file 'lib.core' has been renamed 'lib.runtime' to more + accurately reflect the file's role. + +2) The CLI now produces helpful error messages rather than simply + dumping out the complete usage syntax. + +3) The 'status' and 'version -a" command outputs now include the time + and date when the current firewall script was compiled. + + This feature implements a new 'info' command that is recognized by + the compiled script. That command produces output similar to the + following: + + compiled Thu Apr 28 14:18:58 2016 by Shorewall version 5.0.9 + + Note 1: The time and date of compilation will only be displayed + after the firewall script has been compiled using this or a later + Shorewall release. 
+ + Note 2: Information about the current firewall script is only + displayed by the 'version -a' command when the command is executed + by root. + + Caution: If you execute 'shorewall compile', a subsequent 'status' + command will display the compilation information for the newly + compiled script and not for the one that was used to instantiate + the running firewall configuration. Note that the compilation + date/time, in this case, will be later than the started date/time: + + Example: + + State:Started Sun Apr 24 12:22:18 PDT 2016 from /etc/shorewall/ + (/var/lib/shorewall/firewall compiled Thu Apr 28 14:18:58 2016 + by Shorewall version 5.0.9) + +4) The ?INFO and ?WARNING directives added in Shorewall 5.0.8 include + the current filename and line number in the generated message. That + behavior can be suppressed by using ?INFO! AND ?WARNING! + instead. Additionally, the default behavior can be changed by + setting VERBOSE_MESSAGES=No in shorewall[6].conf. In that case, + including the exclaimation point causes the filename and line + number to be included. + +5) NFLOG(...) is now supported in the mangle files. + +6) The compiler now checks the version of the installed Shorewall-core + and issues a warning message if there is a mis-match. + + Example (folded to fit within 72 columns): + + WARNING: Version Mismatch: Shorewall-core is version 5.0.8.2, + while the Shorewall version is 5.0.9-Beta2 + + When compiling for IPv6, the Shorewall6 version is also verified + and a similar warning is issued in the case of a mismatch. + +7) The sample configurations now have AUTOMAKE enabled. + +8) Full date and time strings generated by the compiler are now in + 'date' format rather than Perl's 'localtime' format. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 0 . 
8 ---------------------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.9/shorewall-lite.spec shorewall-lite-5.0.10/shorewall-lite.spec --- shorewall-lite-5.0.9/shorewall-lite.spec 2016-06-04 14:49:09.987760765 -0700 +++ shorewall-lite-5.0.10/shorewall-lite.spec 2016-06-30 17:54:28.888522830 -0700 @@ -1,5 +1,5 @@ %define name shorewall-lite -%define version 5.0.9 +%define version 5.0.10 %define release 0base %define initdir /etc/init.d @@ -55,7 +55,11 @@ %post if [ $1 -eq 1 ]; then - if [ -x %{_sbindir}/insserv ]; then + if [ -x %{_sbindir}/systemctl ]; then + %{_sbindir}/systemctl enable shorewall-lite + elif [ -x /usr/bin/systemctl ]; then + /usr/bin/systemctl enable shorewall-lite + elif [ -x %{_sbindir}/insserv ]; then %{_sbindir}/insserv %{_initddir}/shorewall-lite elif [ -x %{_sbindir}/chkconfig ]; then %{_sbindir}/chkconfig --add shorewall-lite; @@ -70,7 +74,11 @@ %preun if [ $1 -eq 0 ]; then - if [ -x %{_sbindir}/insserv ]; then + if [ -x %{_sbindir}/systemctl ]; then + %{_sbindir}/systemctl disable shorewall-lite + elif [ -x /usr/bin/systemctl ]; then + /usr/bin/systemctl disable shorewall-lite + elif [ -x %{_sbindir}/insserv ]; then %{_sbindir}/insserv -r %{_initddir}/shorewall-lite elif [ -x %{_sbindir}/chkconfig ]; then %{_sbindir}/chkconfig --del shorewall-lite @@ -82,7 +90,7 @@ %attr(0755,root,root) %dir /etc/shorewall-lite %attr(0644,root,root) %config(noreplace) /etc/shorewall-lite/shorewall-lite.conf %attr(0644,root,root) /etc/shorewall-lite/Makefile -%attr(0544,root,root) %{_initddir}/shorewall-lite +%attr(0644,root,root) /usr/lib/systemd/system/shorewall-lite.service %attr(0755,root,root) %dir /usr/share/shorewall-lite %attr(0700,root,root) %dir /var/lib/shorewall-lite 
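Review bot: The `insserv` and `chkconfig` fallbacks kept under the new `systemctl` branches in `%post` still register `%{_initddir}/shorewall-lite`, but the `%files` hunk further down this spec no longer packages that init script. On a host where neither systemctl path is executable, the firewall would therefore not be enabled at boot, and the scriptlet does not say why. The `%preun` hunk has the same shape. Since the package now ships only the unit file, I would drop the SysV branches and report the condition instead, e.g. `else echo "shorewall-lite: systemctl not found, service not enabled at boot" >&2`. Both scriptlets continue outside the hunks, so an existing final `else` may already cover part of this.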
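Review bot: The unit path `/usr/lib/systemd/system` is hard-coded in the new `%files` entry and again as `SERVICEDIR` in shorewallrc.suse, so the two can drift apart, and the package build would then trip over a missing or unpackaged file. Where the systemd RPM macros are available at build time, `%attr(0644,root,root) %{_unitdir}/shorewall-lite.service` ties the spec to the distribution's unit directory. Otherwise a comment beside the entry naming shorewallrc.suse as the source of the path would do. The `%files` list continues outside the hunk.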
@@ -109,6 +117,14 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Sat Jun 25 2016 Tom Eastep tom@shorewall.net +- Updated to 5.0.10-0base +* Tue Jun 21 2016 Tom Eastep tom@shorewall.net +- Updated to 5.0.10-0RC1 +* Tue Jun 14 2016 Tom Eastep tom@shorewall.net +- Updated to 5.0.10-0Beta2 +* Mon Jun 06 2016 Tom Eastep tom@shorewall.net +- Updated to 5.0.10-0Beta1 * Thu May 12 2016 Tom Eastep tom@shorewall.net - Updated to 5.0.9-0base * Thu May 05 2016 Tom Eastep tom@shorewall.net diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.9/shorewallrc.suse shorewall-lite-5.0.10/shorewallrc.suse --- shorewall-lite-5.0.9/shorewallrc.suse 2016-06-04 14:49:09.999770573 -0700 +++ shorewall-lite-5.0.10/shorewallrc.suse 2016-06-30 17:54:28.892526829 -0700 
@@ -7,15 +7,15 @@ CONFDIR=/etc #Directory where subsystem configurations are installed SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. LIBEXECDIR=${PREFIX}/lib #Directory for executable scripts. -PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2 #Directory to install Shorewall Perl module directory +PERLLIBDIR=${PREFIX}/lib/perl5/site-perl #Directory to install Shorewall Perl module directory SBINDIR=/usr/sbin #Directory where system administration programs are installed MANDIR=${SHAREDIR}/man/ #Directory where manpages are installed. INITDIR=/etc/init.d #Directory where SysV init scripts are installed. -INITFILE=$PRODUCT #Name of the product's SysV init script +INITFILE= #Name of the product's SysV init script INITSOURCE=init.suse.sh #Name of the distributed file to be installed as the SysV init script ANNOTATED= #If non-zero, annotated configuration files are installed -SERVICEDIR= #Directory where .service files are installed (systems running systemd only) -SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service +SERVICEDIR=/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only) +SERVICEFILE=$PRODUCT.service #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SYSCONFFILE=sysconfig #Name of the distributed file to be installed in $SYSCONFDIR SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter files are installed SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.9/uninstall.sh shorewall-lite-5.0.10/uninstall.sh --- shorewall-lite-5.0.9/uninstall.sh 2016-06-04 14:49:09.983757495 -0700 +++ shorewall-lite-5.0.10/uninstall.sh 2016-06-30 17:54:28.888522830 -0700 
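Review bot: `PERLLIBDIR=${PREFIX}/lib/perl5/site-perl` spells the directory with a hyphen, whereas Perl's conventional site directory is `site_perl`. Unless every caller passes this path to perl explicitly, modules installed there would not be on the default search path. If the hyphen is intentional, a trailing comment saying so would save the next reader the check. Separately, the comment on the changed `SERVICEFILE` line still refers to `$SYSTEMD`, which the visible lines do not define; `#Name of the file to install in $SERVICEDIR` matches the variable set on the line above. The file continues outside the hunk.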
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.0.9 +VERSION=5.0.10 PRODUCT=shorewall-lite Product="Shorewall Lite"