diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.10/changelog.txt shorewall-init-5.0.11/changelog.txt --- shorewall-init-5.0.10/changelog.txt 2016-06-30 17:54:28.840474829 -0700 +++ shorewall-init-5.0.11/changelog.txt 2016-08-06 07:57:47.329240776 -0700 @@ -1,3 +1,29 @@ +Changes in 5.0.11 Beta 2 + +1) Update release documents + +2) Default DSCP rules to the POSTROUTING chain. + +3) Correct 'trace' handing of in-rule comments. + +4) Correct handling of a provider interface that matches a wildcard. + +5) Re-add a handle to flow classifiers. + +Changes in 5.0.11 Beta 1 + +1) Update release documents + +2) Allow 'comment' in alternate input. + +Changes in 5.0.10.1 + +1) Update release documents + +2) Update Debian SysV init scripts (Roberto Sánchez). + +3) Implement LOGFILE=systemd (Scott Shumate). + Changes in 5.0.10 1) Update release documents diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.10/configure shorewall-init-5.0.11/configure --- shorewall-init-5.0.10/configure 2016-06-30 17:54:28.836470830 -0700 +++ shorewall-init-5.0.11/configure 2016-08-06 07:57:47.321240829 -0700 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.0.10 +VERSION=5.0.11 case "$BASH_VERSION" in [4-9].*) diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.10/configure.pl shorewall-init-5.0.11/configure.pl --- shorewall-init-5.0.10/configure.pl 2016-06-30 17:54:28.840474829 -0700 +++ shorewall-init-5.0.11/configure.pl 2016-08-06 07:57:47.325240803 -0700 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.0.10' + VERSION => '5.0.11' }; my %params; diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.10/init.debian.sh shorewall-init-5.0.11/init.debian.sh --- shorewall-init-5.0.10/init.debian.sh 2016-06-30 17:49:43.000000000 -0700 +++ shorewall-init-5.0.11/init.debian.sh 2016-08-04 11:03:36.000000000 -0700 
@@ -30,7 +30,7 @@ # Required-Stop: $local_fs # X-Stop-After: $network # Default-Start: S -# Default-Stop: 0 6 +# Default-Stop: 0 1 6 # Short-Description: Initialize the firewall at boot time # Description: Place the firewall in a safe state at boot time prior to # bringing up the network diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.10/install.sh shorewall-init-5.0.11/install.sh --- shorewall-init-5.0.10/install.sh 2016-06-30 17:54:28.832466830 -0700 +++ shorewall-init-5.0.11/install.sh 2016-08-06 07:57:47.313240884 -0700 @@ -27,7 +27,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=5.0.10 +VERSION=5.0.11 PRODUCT=shorewall-init Product="Shorewall Init" diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.10/releasenotes.txt shorewall-init-5.0.11/releasenotes.txt --- shorewall-init-5.0.10/releasenotes.txt 2016-06-30 17:54:28.840474829 -0700 +++ shorewall-init-5.0.11/releasenotes.txt 2016-08-06 07:57:47.329240776 -0700 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 0 . 1 0 + S H O R E W A L L 5 . 0 . 1 1 ---------------------------- - J u n e 3 0 , 2 0 1 6 + A u g u s t 1 2 , 2 0 1 6 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,26 +14,27 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) This release includes defect repair through Shorewall 5.0.9.2. +1) This release contains defect repair through Shorewall 5.0.10.1. -2) Previously, the 'update' commmand could result in updated files - having the user's default permissions rather than the permissions - of the original file. That has been corrected. +2) In Shorewall 5.0, the default chain for DSCP rules was + inadvertently chained to PREROUTING (FORWARD, if + MARK_IN_FORWARD_CHAIN=Yes). -3) A number of update and update-compatibility issues have been - corrected: + The default is now restored to POSTROUTING, its earlier value. - a) : (e.g., "fred:") is once again accepted in USER columns. - b) The USER column in the mangle file can once again be specified - when :T is the chain designator. - c) The 'notrack' file is now correctly appended to the 'mangle' - file during update. - d) IPMARK entries in 'tcrules' are now correctly converted into - the 'mangle' file. +3) When 'trace' was specified, prevously the output of ip[6]tables + rules containing a comment were displayed incorrectly. The "-m + comment --comment" specification was missing and the comment was + not enclosed in double quotes. This has been corrected. -4) When multiple zones are configured on an interface, the 'tcpflags', - 'nosmurfs' and 'maclist' options could previously result in silly - duplicate rules. That problem has been corrected. +4) Previously, if a provider interface matched only a wildcard entry + (one whose physical interface name ended in '+'), then the + generated script would always find the interface to be + unusable. That has been corrected. + +5) A change released in 5.0.9.1 and that allowed simple traffic + shaping to support more than 9 interfaces prevented some users' + configurations from starting. That has been corrected. 
---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G @@ -50,34 +51,21 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The 'allow' command can now remove entries from the ipset-based - dynamic blacklists. - - allow
... +1) When using the alternate input form, it is now possible to specify + a comment to be attached to the generated ip[6]tables rule. Simply + use the 'comment' keyword. If the comment contains embedded white + space, then it must be enclosed in double quotes. Any double + quotes embedded in the comment must be escaped using a backslash. -2) A new 'dbl' (Dynamic Blacklist) option is now available in the - 'interfaces' file. Possible settings are: + Example: - none - equivalent to specifying 'nodbl'. - src - packets entering the firewall on the interface have their - source IP address checked against the ipset-based - blacklist. - dst - packets entering the firewall on the interface have their - destination IP address checked against the ipset-based - blacklist. - src-dst - packets entering the firewall on the interface have their - source IP address checked against the ipset-based - blacklist. Packets originating on the fireawll and - leaving through the interface have their destination IP - address checked against the ipset-based blacklist. + ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" } - The normal setting for an internet-facing interface will be either - 'src' or 'src-dst'. The normal setting for an internal interface - will be either 'none' or 'dst'. +2) OPTIMIZE level 16 no longer deletes duplicate COUNT rules, allowing + multiple similar COUNT rules in a chain. -3) The RPMs from shorewall.net are now created to assume that systemd - is being used. They are targeted specifically at OpenSuSE and have - been verified on OpenSuSE 42.1. +3) Beginning with this release, source RPMs are available on the + download sites. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -238,6 +226,91 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 0 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 0 . 1 0 +---------------------------------------------------------------------------- + +5.0.10.1 + +1) Several issues with the Debian SysV init scripts have been + corrected: + + a) The scripts now issue progress messages for the 'stop' command + based on the setting of SAFESTOP in /etc/default/shorewall*. + + b) The firewall is now stopped or cleared in runlevel 1 (minimal), + based on the setting of SAFESTOP. + + c) A typo in the Shorewall init script prevented the force-stop + command from working correctly. + + Roberto Sánchez. + +5.0.10 + +1) This release includes defect repair through Shorewall 5.0.9.2. + +2) Previously, the 'update' commmand could result in updated files + having the user's default permissions rather than the permissions + of the original file. That has been corrected. + +3) A number of update and update-compatibility issues have been + corrected: + + a) : (e.g., "fred:") is once again accepted in USER columns. + b) The USER column in the mangle file can once again be specified + when :T is the chain designator. + c) The 'notrack' file is now correctly appended to the 'mangle' + file during update. + d) IPMARK entries in 'tcrules' are now correctly converted into + the 'mangle' file. + +4) When multiple zones are configured on an interface, the 'tcpflags', + 'nosmurfs' and 'maclist' options could previously result in silly + duplicate rules. That problem has been corrected. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 0 . 
1 0 +---------------------------------------------------------------------------- + +5.0.10.1 + +1) You can now specify LOGFILE=systemd to cause 'journelctl -r' to be + used to read the system log (journel). + + Scott Sumate. + +5.0.10 + +1) The 'allow' command can now remove entries from the ipset-based + dynamic blacklists. + + allow
... + +2) A new 'dbl' (Dynamic Blacklist) option is now available in the + 'interfaces' file. Possible settings are: + + none - equivalent to specifying 'nodbl'. + src - packets entering the firewall on the interface have their + source IP address checked against the ipset-based + blacklist. + dst - packets entering the firewall on the interface have their + destination IP address checked against the ipset-based + blacklist. + src-dst - packets entering the firewall on the interface have their + source IP address checked against the ipset-based + blacklist. Packets originating on the fireawll and + leaving through the interface have their destination IP + address checked against the ipset-based blacklist. + + The normal setting for an internet-facing interface will be either + 'src' or 'src-dst'. The normal setting for an internal interface + will be either 'none' or 'dst'. + +3) The RPMs from shorewall.net are now created to assume that systemd + is being used. They are targeted specifically at OpenSuSE and have + been verified on OpenSuSE 42.1. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 0 . 9 ---------------------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.10/shorewall-init.spec shorewall-init-5.0.11/shorewall-init.spec --- shorewall-init-5.0.10/shorewall-init.spec 2016-06-30 17:54:28.836470830 -0700 +++ shorewall-init-5.0.11/shorewall-init.spec 2016-08-06 07:57:47.321240829 -0700 @@ -1,5 +1,5 @@ %define name shorewall-init -%define version 5.0.10 +%define version 5.0.11 %define release 0base Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). 
@@ -135,6 +135,16 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Sat Aug 06 2016 Tom Eastep tom@shorewall.net +- Updated to 5.0.11-0base +* Sat Jul 30 2016 Tom Eastep tom@shorewall.net +- Updated to 5.0.11-0RC1 +* Wed Jul 27 2016 Tom Eastep tom@shorewall.net +- Updated to 5.0.11-0Beta2 +* Tue Jul 19 2016 Tom Eastep tom@shorewall.net +- Updated to 5.0.11-0Beta1 +* Fri Jul 08 2016 Tom Eastep tom@shorewall.net +- Updated to 5.0.10-1 * Sat Jun 25 2016 Tom Eastep tom@shorewall.net - Updated to 5.0.10-0base * Tue Jun 21 2016 Tom Eastep tom@shorewall.net diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.10/uninstall.sh shorewall-init-5.0.11/uninstall.sh --- shorewall-init-5.0.10/uninstall.sh 2016-06-30 17:54:28.836470830 -0700 +++ shorewall-init-5.0.11/uninstall.sh 2016-08-06 07:57:47.317240856 -0700 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.0.10 +VERSION=5.0.11 PRODUCT=shorewall-init Product="Shorewall Init"
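Review bot: the changelog.txt hunk stops at "Changes in 5.0.11 Beta 2", yet the shorewall-init.spec %changelog in this same patch records "5.0.11-0RC1" (Jul 30) and "5.0.11-0base" (Aug 06); add "Changes in 5.0.11 RC 1" and "Changes in 5.0.11" sections (or collapse the Beta sections into one 5.0.11 section) so the shipped changelog matches the version actually being released. In the same hunk, "3) Correct 'trace' handing of in-rule comments." should read "handling".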
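Review bot: the init.debian.sh hunk changes only the LSB header ("-# Default-Stop: 0 6" / "+# Default-Stop: 0 1 6"), which takes effect only when the script is (re)registered with update-rc.d; an installation upgraded in place keeps its existing rc1.d links, so the release notes (5.0.10.1 item b, "stopped or cleared in runlevel 1") should state whether install.sh re-registers the script or the administrator must do it. The runlevel-1 stop/clear logic the header advertises lives in the script body, which is not part of this diff, so confirm it already shipped in 5.0.10.1 as the notes claim.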
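Review bot: the releasenotes.txt header hunk dates the release "A u g u s t 1 2 , 2 0 1 6", while the spec %changelog in this patch dates "5.0.11-0base" to Sat Aug 06 2016; confirm which date is intended and make the two agree.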
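Review bot: the "PROBLEMS CORRECTED" hunk (@@ -14,26 +14,27 @@) has wording errors in the added lines: item 2 "inadvertently chained to PREROUTING" should read "changed to PREROUTING", item 3 "prevously" should read "previously", and item 5 "A change released in 5.0.9.1 and that allowed" should drop "and". Item 2 would also be clearer if it said what "MARK_IN_FORWARD_CHAIN=Yes" selects, e.g. "PREROUTING (or FORWARD, when MARK_IN_FORWARD_CHAIN=Yes)".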
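Review bot: the "NEW FEATURES" hunk (@@ -50,34 +51,21 @@) documents the new 'comment' keyword but not the limit the underlying match imposes; since the text is passed as the argument of "-m comment --comment", iptables rejects comments longer than 256 characters, and a one-line note after the example ('ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" }') would save users a failed 'start'. It would also help to say whether a backslash itself must be doubled inside the comment, since the hunk only covers escaping of embedded double quotes.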
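Review bot: the section V hunk (@@ -238,6 +226,91 @@) carries the 5.0.10 notes forward with their typos intact and adds a new one: "commmand" (5.0.10 item 2), "fireawll" (dbl option, src-dst), "journelctl -r" and "journel" (5.0.10.1 item 1, should be "journalctl -r" and "journal"). The credit line "Scott Sumate." also disagrees with the changelog.txt hunk, which credits "Scott Shumate"; pick one spelling and use it in both files.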