diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.10/changelog.txt shorewall-lite-5.0.11/changelog.txt
--- shorewall-lite-5.0.10/changelog.txt 2016-06-30 17:54:28.892526829 -0700
+++ shorewall-lite-5.0.11/changelog.txt 2016-08-06 07:57:47.397240319 -0700
@@ -1,3 +1,29 @@
+Changes in 5.0.11 Beta 2
+
+1) Update release documents
+
+2) Default DSCP rules to the POSTROUTING chain.
+
+3) Correct 'trace' handing of in-rule comments.
+
+4) Correct handling of a provider interface that matches a wildcard.
+
+5) Re-add a handle to flow classifiers.
+
+Changes in 5.0.11 Beta 1
+
+1) Update release documents
+
+2) Allow 'comment' in alternate input.
+
+Changes in 5.0.10.1
+
+1) Update release documents
+
+2) Update Debian SysV init scripts (Roberto Sánchez).
+
+3) Implement LOGFILE=systemd (Scott Shumate).
+
Changes in 5.0.10
1) Update release documents
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.10/configure shorewall-lite-5.0.11/configure
--- shorewall-lite-5.0.10/configure 2016-06-30 17:54:28.892526829 -0700
+++ shorewall-lite-5.0.11/configure 2016-08-06 07:57:47.397240319 -0700
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=5.0.10
+VERSION=5.0.11
case "$BASH_VERSION" in
[4-9].*)
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.10/configure.pl shorewall-lite-5.0.11/configure.pl
--- shorewall-lite-5.0.10/configure.pl 2016-06-30 17:54:28.892526829 -0700
+++ shorewall-lite-5.0.11/configure.pl 2016-08-06 07:57:47.401240293 -0700
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '5.0.10'
+ VERSION => '5.0.11'
};
my %params;
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.10/init.debian.sh shorewall-lite-5.0.11/init.debian.sh
--- shorewall-lite-5.0.10/init.debian.sh 2016-06-30 17:49:43.000000000 -0700
+++ shorewall-lite-5.0.11/init.debian.sh 2016-08-04 11:03:36.000000000 -0700
@@ -5,7 +5,7 @@
# Required-Start: $network $remote_fs
# Required-Stop: $network $remote_fs
# Default-Start: S
-# Default-Stop: 0 6
+# Default-Stop: 0 1 6
# Short-Description: Configure the firewall at boot time
# Description: Configure the firewall according to the rules specified in
# /etc/shorewall-lite
@@ -92,10 +92,11 @@
# stop the firewall
shorewall_stop () {
- echo -n "Stopping \"Shorewall firewall\": "
if [ "$SAFESTOP" = 1 ]; then
+ echo -n "Stopping \"Shorewall Lite firewall\": "
$SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
else
+ echo -n "Clearing all \"Shorewall Lite firewall\" rules: "
$SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
fi
return 0
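Review bot: In shorewall_stop the `else` branch runs `clear` for every SAFESTOP value other than exactly `1` (unset, `yes`, a typo), and because the first hunk of this file adds runlevel 1 to `Default-Stop`, that branch now also runs on entry to single-user mode, removing all rules while interfaces may still be configured. The new progress message reaches only the console, so I would add a comment above the test, `# Any SAFESTOP value other than 1 clears all rules and leaves the host unfiltered (also on entry to runlevel 1)`, and record the decision in the log with `echo "SAFESTOP=$SAFESTOP: clearing all rules" >> $INITLOG` before the `clear` call. The function's closing lines are outside the hunk. The unchanged `return 0` appears to report success even when `stop` or `clear` fails, so a failed stop would not be visible to the init system.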
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.10/install.sh shorewall-lite-5.0.11/install.sh
--- shorewall-lite-5.0.10/install.sh 2016-06-30 17:54:28.884518829 -0700
+++ shorewall-lite-5.0.11/install.sh 2016-08-06 07:57:47.385240400 -0700
@@ -22,7 +22,7 @@
# along with this program; if not, see .
#
-VERSION=5.0.10
+VERSION=5.0.11
usage() # $1 = exit status
{
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.10/manpages/shorewall-lite.8 shorewall-lite-5.0.11/manpages/shorewall-lite.8
--- shorewall-lite-5.0.10/manpages/shorewall-lite.8 2016-06-30 17:55:45.749306830 -0700
+++ shorewall-lite-5.0.11/manpages/shorewall-lite.8 2016-08-06 07:59:19.592621424 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-lite
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 06/30/2016
+.\" Date: 08/06/2016
.\" Manual: Administrative Commands
.\" Source: Administrative Commands
.\" Language: English
.\"
-.TH "SHOREWALL\-LITE" "8" "06/30/2016" "Administrative Commands" "Administrative Commands"
+.TH "SHOREWALL\-LITE" "8" "08/06/2016" "Administrative Commands" "Administrative Commands"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.10/manpages/shorewall-lite.conf.5 shorewall-lite-5.0.11/manpages/shorewall-lite.conf.5
--- shorewall-lite-5.0.10/manpages/shorewall-lite.conf.5 2016-06-30 17:55:44.460018830 -0700
+++ shorewall-lite-5.0.11/manpages/shorewall-lite.conf.5 2016-08-06 07:59:18.096631467 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-lite.conf
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 06/30/2016
+.\" Date: 08/06/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-LITE\&.CO" "5" "06/30/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-LITE\&.CO" "5" "08/06/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.10/manpages/shorewall-lite-vardir.5 shorewall-lite-5.0.11/manpages/shorewall-lite-vardir.5
--- shorewall-lite-5.0.10/manpages/shorewall-lite-vardir.5 2016-06-30 17:55:44.964522829 -0700
+++ shorewall-lite-5.0.11/manpages/shorewall-lite-vardir.5 2016-08-06 07:59:18.712627332 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-lite-vardir
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 06/30/2016
+.\" Date: 08/06/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-LITE\-VAR" "5" "06/30/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-LITE\-VAR" "5" "08/06/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.10/releasenotes.txt shorewall-lite-5.0.11/releasenotes.txt
--- shorewall-lite-5.0.10/releasenotes.txt 2016-06-30 17:54:28.892526829 -0700
+++ shorewall-lite-5.0.11/releasenotes.txt 2016-08-06 07:57:47.397240319 -0700
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 5 . 0 . 1 0
+ S H O R E W A L L 5 . 0 . 1 1
----------------------------
- J u n e 3 0 , 2 0 1 6
+ A u g u s t 1 2 , 2 0 1 6
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,26 +14,27 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) This release includes defect repair through Shorewall 5.0.9.2.
+1) This release contains defect repair through Shorewall 5.0.10.1.
-2) Previously, the 'update' commmand could result in updated files
- having the user's default permissions rather than the permissions
- of the original file. That has been corrected.
+2) In Shorewall 5.0, the default chain for DSCP rules was
+ inadvertently chained to PREROUTING (FORWARD, if
+ MARK_IN_FORWARD_CHAIN=Yes).
-3) A number of update and update-compatibility issues have been
- corrected:
+ The default is now restored to POSTROUTING, its earlier value.
- a) : (e.g., "fred:") is once again accepted in USER columns.
- b) The USER column in the mangle file can once again be specified
- when :T is the chain designator.
- c) The 'notrack' file is now correctly appended to the 'mangle'
- file during update.
- d) IPMARK entries in 'tcrules' are now correctly converted into
- the 'mangle' file.
+3) When 'trace' was specified, prevously the output of ip[6]tables
+ rules containing a comment were displayed incorrectly. The "-m
+ comment --comment" specification was missing and the comment was
+ not enclosed in double quotes. This has been corrected.
-4) When multiple zones are configured on an interface, the 'tcpflags',
- 'nosmurfs' and 'maclist' options could previously result in silly
- duplicate rules. That problem has been corrected.
+4) Previously, if a provider interface matched only a wildcard entry
+ (one whose physical interface name ended in '+'), then the
+ generated script would always find the interface to be
+ unusable. That has been corrected.
+
+5) A change released in 5.0.9.1 and that allowed simple traffic
+ shaping to support more than 9 interfaces prevented some users'
+ configurations from starting. That has been corrected.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
@@ -50,34 +51,21 @@
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) The 'allow' command can now remove entries from the ipset-based
- dynamic blacklists.
-
- allow ...
+1) When using the alternate input form, it is now possible to specify
+ a comment to be attached to the generated ip[6]tables rule. Simply
+ use the 'comment' keyword. If the comment contains embedded white
+ space, then it must be enclosed in double quotes. Any double
+ quotes embedded in the comment must be escaped using a backslash.
-2) A new 'dbl' (Dynamic Blacklist) option is now available in the
- 'interfaces' file. Possible settings are:
+ Example:
- none - equivalent to specifying 'nodbl'.
- src - packets entering the firewall on the interface have their
- source IP address checked against the ipset-based
- blacklist.
- dst - packets entering the firewall on the interface have their
- destination IP address checked against the ipset-based
- blacklist.
- src-dst - packets entering the firewall on the interface have their
- source IP address checked against the ipset-based
- blacklist. Packets originating on the fireawll and
- leaving through the interface have their destination IP
- address checked against the ipset-based blacklist.
+ ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" }
- The normal setting for an internet-facing interface will be either
- 'src' or 'src-dst'. The normal setting for an internal interface
- will be either 'none' or 'dst'.
+2) OPTIMIZE level 16 no longer deletes duplicate COUNT rules, allowing
+ multiple similar COUNT rules in a chain.
-3) The RPMs from shorewall.net are now created to assume that systemd
- is being used. They are targeted specifically at OpenSuSE and have
- been verified on OpenSuSE 42.1.
+3) Beginning with this release, source RPMs are available on the
+ download sites.
----------------------------------------------------------------------------
I V. M I G R A T I O N I S S U E S
@@ -238,6 +226,91 @@
----------------------------------------------------------------------------
V. N O T E S F R O M O T H E R 5 . 0 R E L E A S E S
----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 5 . 0 . 1 0
+----------------------------------------------------------------------------
+
+5.0.10.1
+
+1) Several issues with the Debian SysV init scripts have been
+ corrected:
+
+ a) The scripts now issue progress messages for the 'stop' command
+ based on the setting of SAFESTOP in /etc/default/shorewall*.
+
+ b) The firewall is now stopped or cleared in runlevel 1 (minimal),
+ based on the setting of SAFESTOP.
+
+ c) A typo in the Shorewall init script prevented the force-stop
+ command from working correctly.
+
+ Roberto Sánchez.
+
+5.0.10
+
+1) This release includes defect repair through Shorewall 5.0.9.2.
+
+2) Previously, the 'update' commmand could result in updated files
+ having the user's default permissions rather than the permissions
+ of the original file. That has been corrected.
+
+3) A number of update and update-compatibility issues have been
+ corrected:
+
+ a) : (e.g., "fred:") is once again accepted in USER columns.
+ b) The USER column in the mangle file can once again be specified
+ when :T is the chain designator.
+ c) The 'notrack' file is now correctly appended to the 'mangle'
+ file during update.
+ d) IPMARK entries in 'tcrules' are now correctly converted into
+ the 'mangle' file.
+
+4) When multiple zones are configured on an interface, the 'tcpflags',
+ 'nosmurfs' and 'maclist' options could previously result in silly
+ duplicate rules. That problem has been corrected.
+
+----------------------------------------------------------------------------
+ N E W F E A T U R E S I N 5 . 0 . 1 0
+----------------------------------------------------------------------------
+
+5.0.10.1
+
+1) You can now specify LOGFILE=systemd to cause 'journelctl -r' to be
+ used to read the system log (journel).
+
+ Scott Sumate.
+
+5.0.10
+
+1) The 'allow' command can now remove entries from the ipset-based
+ dynamic blacklists.
+
+ allow ...
+
+2) A new 'dbl' (Dynamic Blacklist) option is now available in the
+ 'interfaces' file. Possible settings are:
+
+ none - equivalent to specifying 'nodbl'.
+ src - packets entering the firewall on the interface have their
+ source IP address checked against the ipset-based
+ blacklist.
+ dst - packets entering the firewall on the interface have their
+ destination IP address checked against the ipset-based
+ blacklist.
+ src-dst - packets entering the firewall on the interface have their
+ source IP address checked against the ipset-based
+ blacklist. Packets originating on the fireawll and
+ leaving through the interface have their destination IP
+ address checked against the ipset-based blacklist.
+
+ The normal setting for an internet-facing interface will be either
+ 'src' or 'src-dst'. The normal setting for an internal interface
+ will be either 'none' or 'dst'.
+
+3) The RPMs from shorewall.net are now created to assume that systemd
+ is being used. They are targeted specifically at OpenSuSE and have
+ been verified on OpenSuSE 42.1.
+
+----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 0 . 9
----------------------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.10/shorewall-lite.spec shorewall-lite-5.0.11/shorewall-lite.spec
--- shorewall-lite-5.0.10/shorewall-lite.spec 2016-06-30 17:54:28.888522830 -0700
+++ shorewall-lite-5.0.11/shorewall-lite.spec 2016-08-06 07:57:47.389240373 -0700
@@ -1,5 +1,5 @@
%define name shorewall-lite
-%define version 5.0.10
+%define version 5.0.11
%define release 0base
%define initdir /etc/init.d
@@ -117,6 +117,16 @@
%doc COPYING changelog.txt releasenotes.txt
%changelog
+* Sat Aug 06 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.11-0base
+* Sat Jul 30 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.11-0RC1
+* Wed Jul 27 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.11-0Beta2
+* Tue Jul 19 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.11-0Beta1
+* Fri Jul 08 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.10-1
* Sat Jun 25 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.10-0base
* Tue Jun 21 2016 Tom Eastep tom@shorewall.net
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.10/uninstall.sh shorewall-lite-5.0.11/uninstall.sh
--- shorewall-lite-5.0.10/uninstall.sh 2016-06-30 17:54:28.888522830 -0700
+++ shorewall-lite-5.0.11/uninstall.sh 2016-08-06 07:57:47.389240373 -0700
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=5.0.10
+VERSION=5.0.11
PRODUCT=shorewall-lite
Product="Shorewall Lite"