diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/changelog.txt shorewall-5.0.12/changelog.txt
--- shorewall-5.0.11/changelog.txt 2016-08-06 07:57:47.021242844 -0700
+++ shorewall-5.0.12/changelog.txt 2016-10-01 14:48:18.456874042 -0700
@@ -1,3 +1,61 @@
+Changes in 5.0.12 Final
+
+1) Update release documents.
+
+2) Correct permissions of files created by the 'save' command.
+
+Changes in 5.0.12 RC 3
+
+1) Update release documents.
+
+2) Correct disabled persistent' WRT start, restart and reload.
+
+3) Don't assume that all probability-balanced interfaces are optional.
+
+Changes in 5.0.12 RC 2
+
+1) Update release documents.
+
+2) Handle down or missing interfaces in the disable logic.
+
+Changes in 5.0.12 RC 1
+
+1) Update release documents.
+
+2) Add DEFAULT_PAGER to shorewallrc.
+
+3) Add support for the 'contiguous' time option.
+
+4) Clear packet marks in PREROUTING and OUTPUT.
+
+Changes in 5.0.12 Beta 2
+
+1) Update release documents.
+
+2) Restore 'use Shorewall::Config(shorewall)' in ?PERL handling.
+
+3) Make POSTROUTING the default chain for CHECKSUM.
+
+Changes in 5.0.12 Beta 1
+
+1) Update release documents.
+
+2) Minor cleanup in the Rules module
+
+3) Allow zone lists in policy SOURCE and DEST columns.
+
+Changes in 5.0.11 Final
+
+1) Update release documents.
+
+Changes in 5.0.11 RC 1
+
+1) Update release documents.
+
+2) Update module versions.
+
+3) Allow provider interface to match wildcard interfaces entry.
+
Changes in 5.0.11 Beta 2
1) Update release documents
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/configfiles/mangle.annotated shorewall-5.0.12/configfiles/mangle.annotated
--- shorewall-5.0.11/configfiles/mangle.annotated 2016-08-06 07:58:20.753016407 -0700
+++ shorewall-5.0.12/configfiles/mangle.annotated 2016-10-01 14:48:49.263650043 -0700
@@ -767,6 +767,12 @@
#
# Defines the ending time of day.
#
+# contiguous
+#
+# Added in Shoreawll 5.0.12. When timestop is smaller than timestart
+# value, match this as a single time period instead of distinct
+# intervals.
+#
# utc
#
# Times are expressed in Greenwich Mean Time.
@@ -830,7 +836,7 @@
# fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9 (Shorewall 4.5.9
# and later).
#
-# /etc/shorewall/tcrules:
+# /etc/shorewall/mangle:
#
# #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
# CONNMARK(1-3):F 192.168.1.0/24 eth0 ; state=NEW
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/configfiles/policy.annotated shorewall-5.0.12/configfiles/policy.annotated
--- shorewall-5.0.11/configfiles/policy.annotated 2016-08-06 07:58:22.317005908 -0700
+++ shorewall-5.0.12/configfiles/policy.annotated 2016-10-01 14:48:50.885270042 -0700
@@ -18,7 +18,7 @@
# This file determines what to do with a new connection request if we don't get a
# match from the /etc/shorewall/rules file . For each source/destination pair,
# the file is processed in order until a match is found ("all" will match any
-# client or server).
+# source or destination).
#
# Important
#
@@ -38,7 +38,7 @@
# different name in parentheses, the different name is used in the alternate
# specification syntax).
#
-# SOURCE - zone|$FW|all|all+
+# SOURCE - zone[,...[+]]|$FW|all|all+
#
# Source zone. Must be the name of a zone defined in shorewall-zones(5), $FW,
# "all" or "all+".
@@ -46,7 +46,12 @@
# Support for "all+" was added in Shorewall 4.5.17. "all" does not override
# the implicit intra-zone ACCEPT policy while "all+" does.
#
-# DEST - zone|$FW|all|all+
+# Beginning with Shorewall 5.0.12, multiple zones may be listed separated by
+# commas. As above, if '+' is specified after two or more zone names, then
+# the policy overrides the implicit intra-zone ACCEPT policy if the same zone
+# appears in both the SOURCE and DEST columns.
+#
+# DEST - zone[,...[+]]|$FW|all|all+
#
# Destination zone. Must be the name of a zone defined in shorewall-zones(5),
# $FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE must be
@@ -56,6 +61,11 @@
# Support for "all+" was added in Shorewall 4.5.17. "all" does not override
# the implicit intra-zone ACCEPT policy while "all+" does.
#
+# Beginning with Shorewall 5.0.12, multiple zones may be listed separated by
+# commas. As above, if '+' is specified after two or more zone names, then
+# the policy overrides the implicit intra-zone ACCEPT policy if the same zone
+# appears in both the SOURCE and DEST columns.
+#
# POLICY - {ACCEPT|DROP|REJECT|CONTINUE|QUEUE|NFQUEUE[(queuenumber1[:queuenumber2
# ])]|NONE}[:{default-action-or-macro[:level]|None}]
#
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/configfiles/providers.annotated shorewall-5.0.12/configfiles/providers.annotated
--- shorewall-5.0.11/configfiles/providers.annotated 2016-08-06 07:58:22.665003571 -0700
+++ shorewall-5.0.12/configfiles/providers.annotated 2016-10-01 14:48:51.201586043 -0700
@@ -218,6 +218,13 @@
#
# ☆ Persistent routing rules in shorewall-rtrules(5) are present.
#
+# Note
+#
+# The generated script will attempt to reenable a disabled persistent
+# provider during execution of the start, restart and reload commands.
+# When persistent is not specified, only the enable and reenable commands
+# can reenable the provider.
+#
# COPY - [{none|interface[,interface]...}]
#
# A comma-separated list of other interfaces on your firewall. Wildcards
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/configfiles/rules.annotated shorewall-5.0.12/configfiles/rules.annotated
--- shorewall-5.0.11/configfiles/rules.annotated 2016-08-06 07:58:23.968994819 -0700
+++ shorewall-5.0.12/configfiles/rules.annotated 2016-10-01 14:48:52.478862043 -0700
@@ -956,6 +956,12 @@
#
# Defines the ending time of day.
#
+# contiguous
+#
+# Added in Shoreawll 5.0.12. When timestop is smaller than timestart
+# value, match this as a single time period instead of distinct
+# intervals.
+#
# utc
#
# Times are expressed in Greenwich Mean Time.
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/configfiles/shorewall.conf shorewall-5.0.12/configfiles/shorewall.conf
--- shorewall-5.0.11/configfiles/shorewall.conf 2016-08-04 11:03:36.000000000 -0700
+++ shorewall-5.0.12/configfiles/shorewall.conf 2016-10-01 13:49:35.000000000 -0700
@@ -248,6 +248,8 @@
WORKAROUNDS=No
+ZERO_MARKS=No
+
ZONE2ZONE=-
###############################################################################
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/configfiles/shorewall.conf.annotated shorewall-5.0.12/configfiles/shorewall.conf.annotated
--- shorewall-5.0.11/configfiles/shorewall.conf.annotated 2016-08-06 07:58:24.768989449 -0700
+++ shorewall-5.0.12/configfiles/shorewall.conf.annotated 2016-10-01 14:48:53.407790043 -0700
@@ -91,6 +91,9 @@
# and the dump command are piped through the named program when the output
# file is a terminal.
#
+# Beginning with Shorewall 5.0.12, the default value of this option is the
+# DEFAULT_PAGER setting in shorewallrc.
+#
###############################################################################
# L O G G I N G
###############################################################################
@@ -476,10 +479,10 @@
#
# SHOREWALL_SHELL=[pathname]
#
-# This option is used to specify the shell program to be used to run the
-# Shorewall compiler and to interpret the compiled script. If not specified
-# or specified as a null value, /bin/sh is assumed. Using a light-weight
-# shell such as ash or dash can significantly improve performance.
+# This option is used to specify the shell program to be used to interpret
+# the compiled script. If not specified or specified as a null value, /bin/sh
+# is assumed. Using a light-weight shell such as ash or dash can
+# significantly improve performance.
#
SUBSYSLOCK=/var/lock/subsys/shorewall
#
@@ -667,6 +670,9 @@
# continue to work and all new connections from the firewall system
# itself are allowed.
#
+# Note that the routestopped file is not supported in Shorewall 5.0 and
+# later versions.
+#
# stoppedrules
#
# All existing connections continue to work. To sever all existing
@@ -775,7 +781,7 @@
#
# ALL sends all packets through the blacklist chains.
#
-# Note: The ESTABLISHED state may not be specified if FASTACCEPT is
+# Note: The ESTABLISHED state may not be specified if FASTACCEPT=Yes is
# specified.
#
CHAIN_SCRIPTS=Yes
@@ -811,13 +817,13 @@
# CLEAR_TC=[Yes|No]
#
# If this option is set to No then Shorewall won't clear the current traffic
-# control rules during [re]start. This setting is intended for use by people
-# who prefer to configure traffic shaping when the network interfaces come up
-# rather than when the firewall is started. If that is what you want to do,
-# set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/
-# tcstart file. That way, your traffic shaping rules can still use the
-# “fwmark” classifier based on packet marking defined in shorewall-tcrules
-# (5). If not specified, CLEAR_TC=Yes is assumed.
+# control rules during [re]start or reload. This setting is intended for use
+# by people who prefer to configure traffic shaping when the network
+# interfaces come up rather than when the firewall is started. If that is
+# what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply
+# an /etc/shorewall/tcstart file. That way, your traffic shaping rules can
+# still use the “fwmark” classifier based on packet marking defined in
+# shorewall-tcrules(5). If not specified, CLEAR_TC=Yes is assumed.
#
COMPLETE=No
#
@@ -854,10 +860,10 @@
#
# DELETE_THEN_ADD={Yes|No}
#
-# If set to Yes (the default value), entries in the /etc/shorewall/
-# route_stopped files cause an 'ip rule del' command to be generated in
-# addition to an 'ip rule add' command. Setting this option to No, causes the
-# 'ip rule del' command to be omitted.
+# If set to Yes (the default value), entries in the /etc/shorewall/rtrules
+# files cause an 'ip rule del' command to be generated in addition to an 'ip
+# rule add' command. Setting this option to No, causes the 'ip rule del'
+# command to be omitted.
#
DETECT_DNAT_IPADDRS=No
#
@@ -957,7 +963,7 @@
# commands), the compiler will copy the modules or helpers file from the
# administrative system into the script. When set to No or not specified, the
# compiler will not copy the modules or helpers file from /usr/share/
-# shorewall but will copy the found in another location on the CONFIG_PATH.
+# shorewall but will copy those found in another location on the CONFIG_PATH.
#
# When compiling for direct use by Shorewall, causes the contents of the
# local module or helpers file to be copied into the compiled script. When
@@ -982,8 +988,8 @@
#
# FORWARD_CLEAR_MARK={Yes|No}
#
-# Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has cleared the
-# packet mark in the first rule in the mangle FORWARD chain. This behavior is
+# Added in Shorewall 4.4.11. Traditionally, Shorewall has cleared the packet
+# mark in the first rule in the mangle FORWARD chain. This behavior is
# maintained with the default setting of this option (FORWARD_CLEAR_MARK=
# Yes). If FORWARD_CLEAR_MARK is set to 'No', packet marks set in the mangle
# PREROUTING chain are retained in the FORWARD chains.
@@ -1420,18 +1426,18 @@
# #TARGET SOURCE DEST PROTO
# Broadcast(DROP) - - -
# DROP - - 2
-# INLINE - - 6 ; -j REJECT --reject-with tcp-reset
+# INLINE - - 6 ;; -j REJECT --reject-with tcp-reset
# ?if __ENHANCED_REJECT
-# INLINE - - 17 ; -j REJECT
+# INLINE - - 17 ;; -j REJECT
# ?if __IPV4
-# INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable
-# INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited
+# INLINE - - 1 ;; -j REJECT --reject-with icmp-host-unreachable
+# INLINE - - - ;; -j REJECT --reject-with icmp-host-prohibited
# ?else
-# INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable
-# INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited
+# INLINE - - 58 ;; -j REJECT --reject-with icmp6-addr-unreachable
+# INLINE - - - ;; -j REJECT --reject-with icmp6-adm-prohibited
# ?endif
# ?else
-# INLINE - - - ; -j REJECT
+# INLINE - - - ;; -j REJECT
# ?endif
#
REQUIRE_INTERFACE=No
@@ -1477,9 +1483,9 @@
# Added in Shorewall 4.5.9. When set to Yes (the default), provider marks are
# restored unconditionally at the top of the mangle OUTPUT and PREROUTING
# chains, even if the saved mark is zero. When this option is set to No, the
-# mark is restored even when it is zero. If you have problems with IPSEC ESP
-# packets not being routed correctly on output, try setting this option to No
-# .
+# mark is restored only if it is non-zero. If you have problems with IPSEC
+# ESP packets not being routed correctly on output, try setting this option
+# to No.
#
RETAIN_ALIASES=No
#
@@ -1741,6 +1747,20 @@
# Shorewall-generated scripts (such as created by the save command) built by
# Shorewall 4.4.7 or older.
#
+ZERO_MARKS=No
+#
+# ZERO_MARKS=[Yes|No]
+#
+# Added in Shorewall 5.0.12, this is a workaround for an issue where packet
+# marks are not zeroed by the kernel. It should be set to No (the default)
+# unless you find that incoming packets are being mis-routed for no apparent
+# reasons.
+#
+# Caution
+#
+# Do not set this option to Yes if you have IPSEC software running on the
+# firewall system.
+#
ZONE2ZONE=-
#
# ZONE2ZONE=[2|-]
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/configure shorewall-5.0.12/configure
--- shorewall-5.0.11/configure 2016-08-06 07:57:47.021242844 -0700
+++ shorewall-5.0.12/configure 2016-10-01 14:48:18.456874042 -0700
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=5.0.11
+VERSION=5.0.12
case "$BASH_VERSION" in
[4-9].*)
@@ -235,7 +235,8 @@
SPARSE \
ANNOTATED \
VARLIB \
- VARDIR
+ VARDIR \
+ DEFAULT_PAGER
do
echo "$on=${options[${on}]}"
echo "$on=${options[${on}]}" >> shorewallrc
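Review bot: The value written on the last line of the hunk is emitted unquoted, so a DEFAULT_PAGER such as `less -R` lands in shorewallrc as `DEFAULT_PAGER=less -R`, which, when that file is later sourced, runs `-R` as a command with `DEFAULT_PAGER=less` in its environment instead of assigning the whole string. The other options in this list were already written the same way, but a pager is the first value where a space-separated argument is plausible, so the write should quote it, `printf '%s="%s"\n' "$on" "${options[${on}]}" >> shorewallrc`, and ideally reject a value containing a double quote. Since lib.cli-std in this same patch reads DEFAULT_PAGER from what appears to be the sourced shorewallrc and resolves it to a program to execute, a malformed value is executed rather than merely misparsed. The loop's `done` lies outside the hunk.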
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/configure.pl shorewall-5.0.12/configure.pl
--- shorewall-5.0.11/configure.pl 2016-08-06 07:57:47.021242844 -0700
+++ shorewall-5.0.12/configure.pl 2016-10-01 14:48:18.456874042 -0700
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '5.0.11'
+ VERSION => '5.0.12'
};
my %params;
@@ -209,7 +209,8 @@
SPARSE
ANNOTATED
VARLIB
- VARDIR / ) {
+ VARDIR
+ DEFAULT_PAGER / ) {
my $val = $options{$_} || '';
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/install.sh shorewall-5.0.12/install.sh
--- shorewall-5.0.11/install.sh 2016-08-06 07:57:46.997243004 -0700
+++ shorewall-5.0.12/install.sh 2016-10-01 14:48:18.404822043 -0700
@@ -22,7 +22,7 @@
# along with this program; if not, see .
#
-VERSION=5.0.11
+VERSION=5.0.12
#
# Change to the directory containing this script
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/lib.cli-std shorewall-5.0.12/lib.cli-std
--- shorewall-5.0.11/lib.cli-std 2016-08-04 11:03:36.000000000 -0700
+++ shorewall-5.0.12/lib.cli-std 2016-10-01 13:49:35.000000000 -0700
@@ -316,6 +316,8 @@
g_loopback=$(find_loopback_interfaces)
+ [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
+
if [ -n "$PAGER" -a -t 1 ]; then
case $PAGER in
/*)
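Review bot: The fallback added at the top of the hunk relies on DEFAULT_PAGER being defined by the sourced shorewallrc, but only shorewallrc files generated by the configure script updated in this same patch carry that setting, so on an upgraded system with an older shorewallrc PAGER stays empty and the `if [ -n "$PAGER" -a -t 1 ]` block below is silently skipped. That is presumably the intended degradation, so a one-line comment would keep the next reader from treating it as a bug, `# shorewallrc may predate DEFAULT_PAGER; an empty PAGER simply disables paging`. The `case` on PAGER continues outside the hunk.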
@@ -323,7 +325,7 @@
[ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
;;
*)
- g_pager=$(mywhich pager 2> /dev/null)
+ g_pager=$(mywhich $PAGER 2> /dev/null)
[ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
;;
esac
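Review bot: `$PAGER` is expanded unquoted in the mywhich call on the `*)` arm, so a value carrying arguments (for example `less -R`) is word-split into several arguments; depending on how mywhich treats extra arguments the lookup then resolves only the first word and the `[ -n "$g_pager" ]` check accepts it, silently dropping the rest. Quote it, `g_pager=$(mywhich "$PAGER" 2> /dev/null)`, and state in the PAGER documentation that the value must be a bare program name or an absolute path. On the `/*)` arm the existing test is `-f`, which passes for a non-executable file; `-x` is the check that matters, since the resolved program is executed by the firewall CLI, presumably with root privileges. What is later done with g_pager is outside the hunk.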
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall.8 shorewall-5.0.12/manpages/shorewall.8
--- shorewall-5.0.11/manpages/shorewall.8 2016-08-06 07:58:16.085047743 -0700
+++ shorewall-5.0.12/manpages/shorewall.8 2016-10-01 14:48:44.639030043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Administrative Commands
.\" Source: Administrative Commands
.\" Language: English
.\"
-.TH "SHOREWALL" "8" "08/06/2016" "Administrative Commands" "Administrative Commands"
+.TH "SHOREWALL" "8" "10/01/2016" "Administrative Commands" "Administrative Commands"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-accounting.5 shorewall-5.0.12/manpages/shorewall-accounting.5
--- shorewall-5.0.11/manpages/shorewall-accounting.5 2016-08-06 07:57:49.225228048 -0700
+++ shorewall-5.0.12/manpages/shorewall-accounting.5 2016-10-01 14:48:19.766182043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-accounting
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-ACCOUNTIN" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-ACCOUNTIN" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-actions.5 shorewall-5.0.12/manpages/shorewall-actions.5
--- shorewall-5.0.11/manpages/shorewall-actions.5 2016-08-06 07:57:49.877223672 -0700
+++ shorewall-5.0.12/manpages/shorewall-actions.5 2016-10-01 14:48:20.342758043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-actions
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-ACTIONS" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-ACTIONS" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-arprules.5 shorewall-5.0.12/manpages/shorewall-arprules.5
--- shorewall-5.0.11/manpages/shorewall-arprules.5 2016-08-06 07:57:50.565219053 -0700
+++ shorewall-5.0.12/manpages/shorewall-arprules.5 2016-10-01 14:48:20.903318045 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-arprules
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-ARPRULES" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-ARPRULES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-blrules.5 shorewall-5.0.12/manpages/shorewall-blrules.5
--- shorewall-5.0.11/manpages/shorewall-blrules.5 2016-08-06 07:57:51.229214596 -0700
+++ shorewall-5.0.12/manpages/shorewall-blrules.5 2016-10-01 14:48:21.507922043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-blrules
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-BLRULES" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-BLRULES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall.conf.5 shorewall-5.0.12/manpages/shorewall.conf.5
--- shorewall-5.0.11/manpages/shorewall.conf.5 2016-08-06 07:57:54.037195746 -0700
+++ shorewall-5.0.12/manpages/shorewall.conf.5 2016-10-01 14:48:24.110522043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall.conf
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\&.CONF" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\&.CONF" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -257,6 +257,8 @@
routestopped
is accepted when Shorewall is stopped\&. When ADMINISABSENTMINDED=Yes, in addition to traffic to/from addresses in
routestopped, connections that were active when Shorewall stopped continue to work and all new connections from the firewall system itself are allowed\&.
+.sp
+Note that the routestopped file is not supported in Shorewall 5\&.0 and later versions\&.
.RE
.PP
stoppedrules
@@ -431,7 +433,7 @@
.sp
ALL sends all packets through the blacklist chains\&.
.sp
-Note: The ESTABLISHED state may not be specified if FASTACCEPT is specified\&.
+Note: The ESTABLISHED state may not be specified if FASTACCEPT=Yes is specified\&.
.RE
.PP
\fBBLACKLIST_DISPOSITION=\fR[\fBDROP\fR|A_DROP|\fBREJECT|A_REJECT\fR]
@@ -484,7 +486,9 @@
.RS 4
If this option is set to
\fBNo\fR
-then Shorewall won\*(Aqt clear the current traffic control rules during [re]start\&. This setting is intended for use by people who prefer to configure traffic shaping when the network interfaces come up rather than when the firewall is started\&. If that is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file\&. That way, your traffic shaping rules can still use the \(lqfwmark\(rq classifier based on packet marking defined in
+then Shorewall won\*(Aqt clear the current traffic control rules during [\fBre\fR]\fBstart\fR
+or
+\fBreload\fR\&. This setting is intended for use by people who prefer to configure traffic shaping when the network interfaces come up rather than when the firewall is started\&. If that is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file\&. That way, your traffic shaping rules can still use the \(lqfwmark\(rq classifier based on packet marking defined in
\m[blue]\fBshorewall\-tcrules\fR\m[]\&\s-2\u[11]\d\s+2(5)\&. If not specified, CLEAR_TC=Yes is assumed\&.
.RE
.PP
@@ -568,7 +572,7 @@
.PP
\fBDELETE_THEN_ADD=\fR{\fBYes\fR|\fBNo\fR}
.RS 4
-If set to Yes (the default value), entries in the /etc/shorewall/route_stopped files cause an \*(Aqip rule del\*(Aq command to be generated in addition to an \*(Aqip rule add\*(Aq command\&. Setting this option to No, causes the \*(Aqip rule del\*(Aq command to be omitted\&.
+If set to Yes (the default value), entries in the /etc/shorewall/rtrules files cause an \*(Aqip rule del\*(Aq command to be generated in addition to an \*(Aqip rule add\*(Aq command\&. Setting this option to No, causes the \*(Aqip rule del\*(Aq command to be omitted\&.
.RE
.PP
\fBDETECT_DNAT_IPADDRS=\fR[\fBYes\fR|\fBNo\fR]
@@ -704,7 +708,7 @@
\fBshorewall export\fR
commands), the compiler will copy the modules or helpers file from the administrative system into the script\&. When set to No or not specified, the compiler will not copy the modules or helpers file from
/usr/share/shorewall
-but will copy the found in another location on the CONFIG_PATH\&.
+but will copy those found in another location on the CONFIG_PATH\&.
.sp
When compiling for direct use by Shorewall, causes the contents of the local module or helpers file to be copied into the compiled script\&. When set to No or not set, the compiled script reads the file itself\&.
.RE
@@ -719,7 +723,7 @@
.PP
\fBFORWARD_CLEAR_MARK=\fR{\fBYes\fR|\fBNo\fR}
.RS 4
-Added in Shorewall 4\&.4\&.11 Beta 3\&. Traditionally, Shorewall has cleared the packet mark in the first rule in the mangle FORWARD chain\&. This behavior is maintained with the default setting of this option (FORWARD_CLEAR_MARK=Yes)\&. If FORWARD_CLEAR_MARK is set to \*(AqNo\*(Aq, packet marks set in the mangle PREROUTING chain are retained in the FORWARD chains\&.
+Added in Shorewall 4\&.4\&.11\&. Traditionally, Shorewall has cleared the packet mark in the first rule in the mangle FORWARD chain\&. This behavior is maintained with the default setting of this option (FORWARD_CLEAR_MARK=Yes)\&. If FORWARD_CLEAR_MARK is set to \*(AqNo\*(Aq, packet marks set in the mangle PREROUTING chain are retained in the FORWARD chains\&.
.RE
.PP
\fBGEOIPDIR\fR=[\fIpathname\fR]
@@ -1727,6 +1731,8 @@
commands and the
\fBdump\fR
command are piped through the named program when the output file is a terminal\&.
+.sp
+Beginning with Shorewall 5\&.0\&.12, the default value of this option is the DEFAULT_PAGER setting in shorewallrc\&.
.RE
.PP
\fBPATH=\fR\fIpathname\fR[\fB:\fR\fIpathname\fR]\&.\&.\&.
@@ -1906,18 +1912,18 @@
#TARGET SOURCE DEST PROTO
Broadcast(DROP) \- \- \-
DROP \- \- 2
-INLINE \- \- 6 ; \-j REJECT \-\-reject\-with tcp\-reset
+INLINE \- \- 6 ;; \-j REJECT \-\-reject\-with tcp\-reset
?if __ENHANCED_REJECT
-INLINE \- \- 17 ; \-j REJECT
+INLINE \- \- 17 ;; \-j REJECT
?if __IPV4
-INLINE \- \- 1 ; \-j REJECT \-\-reject\-with icmp\-host\-unreachable
-INLINE \- \- \- ; \-j REJECT \-\-reject\-with icmp\-host\-prohibited
+INLINE \- \- 1 ;; \-j REJECT \-\-reject\-with icmp\-host\-unreachable
+INLINE \- \- \- ;; \-j REJECT \-\-reject\-with icmp\-host\-prohibited
?else
-INLINE \- \- 58 ; \-j REJECT \-\-reject\-with icmp6\-addr\-unreachable
-INLINE \- \- \- ; \-j REJECT \-\-reject\-with icmp6\-adm\-prohibited
+INLINE \- \- 58 ;; \-j REJECT \-\-reject\-with icmp6\-addr\-unreachable
+INLINE \- \- \- ;; \-j REJECT \-\-reject\-with icmp6\-adm\-prohibited
?endif
?else
-INLINE \- \- \- ; \-j REJECT
+INLINE \- \- \- ;; \-j REJECT
?endif
.fi
.if n \{\
@@ -1963,7 +1969,7 @@
Added in Shorewall 4\&.5\&.9\&. When set to
\fBYes\fR
(the default), provider marks are restored unconditionally at the top of the mangle OUTPUT and PREROUTING chains, even if the saved mark is zero\&. When this option is set to
-\fBNo\fR, the mark is restored even when it is zero\&. If you have problems with IPSEC ESP packets not being routed correctly on output, try setting this option to
+\fBNo\fR, the mark is restored only if it is non\-zero\&. If you have problems with IPSEC ESP packets not being routed correctly on output, try setting this option to
\fBNo\fR\&.
.RE
.PP
@@ -2092,7 +2098,7 @@
.PP
\fBSHOREWALL_SHELL=\fR[\fIpathname\fR]
.RS 4
-This option is used to specify the shell program to be used to run the Shorewall compiler and to interpret the compiled script\&. If not specified or specified as a null value, /bin/sh is assumed\&. Using a light\-weight shell such as ash or dash can significantly improve performance\&.
+This option is used to specify the shell program to be used to interpret the compiled script\&. If not specified or specified as a null value, /bin/sh is assumed\&. Using a light\-weight shell such as ash or dash can significantly improve performance\&.
.RE
.PP
\fBSMURF_DISPOSITION=\fR[\fBDROP\fR|A_DROP]
@@ -2458,6 +2464,26 @@
.sp .5v
.RE
.RE
+.PP
+\fBZERO_MARKS=\fR[\fBYes\fR|\fBNo\fR]
+.RS 4
+Added in Shorewall 5\&.0\&.12, this is a workaround for an issue where packet marks are not zeroed by the kernel\&. It should be set to No (the default) unless you find that incoming packets are being mis\-routed for no apparent reasons\&.
+.if n \{\
+.sp
+.\}
+.RS 4
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.ps +1
+\fBCaution\fR
+.ps -1
+.br
+Do not set this option to Yes if you have IPSEC software running on the firewall system\&.
+.sp .5v
+.RE
+.RE
.PP
\fBZONE_BITS\fR=[\fInumber\fR]
.RS 4
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-conntrack.5 shorewall-5.0.12/manpages/shorewall-conntrack.5
--- shorewall-5.0.11/manpages/shorewall-conntrack.5 2016-08-06 07:57:54.777190779 -0700
+++ shorewall-5.0.12/manpages/shorewall-conntrack.5 2016-10-01 14:48:24.775186043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-conntrack
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-CONNTRAC" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-CONNTRAC" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-ecn.5 shorewall-5.0.12/manpages/shorewall-ecn.5
--- shorewall-5.0.11/manpages/shorewall-ecn.5 2016-08-06 07:57:55.393186643 -0700
+++ shorewall-5.0.12/manpages/shorewall-ecn.5 2016-10-01 14:48:25.315726042 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-ecn
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-ECN" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-ECN" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-exclusion.5 shorewall-5.0.12/manpages/shorewall-exclusion.5
--- shorewall-5.0.11/manpages/shorewall-exclusion.5 2016-08-06 07:57:56.013182482 -0700
+++ shorewall-5.0.12/manpages/shorewall-exclusion.5 2016-10-01 14:48:25.880290043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-exclusion
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-EXCLUSION" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-EXCLUSION" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-hosts.5 shorewall-5.0.12/manpages/shorewall-hosts.5
--- shorewall-5.0.11/manpages/shorewall-hosts.5 2016-08-06 07:57:56.713177783 -0700
+++ shorewall-5.0.12/manpages/shorewall-hosts.5 2016-10-01 14:48:26.456866043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-hosts
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-HOSTS" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-HOSTS" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-init.8 shorewall-5.0.12/manpages/shorewall-init.8
--- shorewall-5.0.11/manpages/shorewall-init.8 2016-08-06 07:57:57.269174050 -0700
+++ shorewall-5.0.12/manpages/shorewall-init.8 2016-10-01 14:48:26.961370043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-init
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Administrative Commands
.\" Source: Administrative Commands
.\" Language: English
.\"
-.TH "SHOREWALL\-INIT" "8" "08/06/2016" "Administrative Commands" "Administrative Commands"
+.TH "SHOREWALL\-INIT" "8" "10/01/2016" "Administrative Commands" "Administrative Commands"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-interfaces.5 shorewall-5.0.12/manpages/shorewall-interfaces.5
--- shorewall-5.0.11/manpages/shorewall-interfaces.5 2016-08-06 07:57:58.169168009 -0700
+++ shorewall-5.0.12/manpages/shorewall-interfaces.5 2016-10-01 14:48:27.786194043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-interfaces
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-INTERFACE" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-INTERFACE" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-ipsets.5 shorewall-5.0.12/manpages/shorewall-ipsets.5
--- shorewall-5.0.11/manpages/shorewall-ipsets.5 2016-08-06 07:57:58.873163283 -0700
+++ shorewall-5.0.12/manpages/shorewall-ipsets.5 2016-10-01 14:48:28.358766042 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-ipsets
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-IPSETS" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-IPSETS" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-maclist.5 shorewall-5.0.12/manpages/shorewall-maclist.5
--- shorewall-5.0.11/manpages/shorewall-maclist.5 2016-08-06 07:57:59.469159282 -0700
+++ shorewall-5.0.12/manpages/shorewall-maclist.5 2016-10-01 14:48:28.907314044 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-maclist
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-MACLIST" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-MACLIST" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-mangle.5 shorewall-5.0.12/manpages/shorewall-mangle.5
--- shorewall-5.0.11/manpages/shorewall-mangle.5 2016-08-06 07:58:00.441152757 -0700
+++ shorewall-5.0.12/manpages/shorewall-mangle.5 2016-10-01 14:48:29.780186042 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-mangle
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-MANGLE" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-MANGLE" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -1083,6 +1083,15 @@
Defines the ending time of day\&.
.RE
.PP
+contiguous
+.RS 4
+Added in Shoreawll 5\&.0\&.12\&. When
+\fBtimestop\fR
+is smaller than
+\fBtimestart\fR
+value, match this as a single time period instead of distinct intervals\&.
+.RE
+.PP
utc
.RS 4
Times are expressed in Greenwich Mean Time\&.
@@ -1168,7 +1177,7 @@
.RS 4
.\}
.nf
-/etc/shorewall/tcrules:
+/etc/shorewall/mangle:
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
CONNMARK(1\-3):F 192\&.168\&.1\&.0/24 eth0 ; state=NEW
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-masq.5 shorewall-5.0.12/manpages/shorewall-masq.5
--- shorewall-5.0.11/manpages/shorewall-masq.5 2016-08-06 07:58:01.233147440 -0700
+++ shorewall-5.0.12/manpages/shorewall-masq.5 2016-10-01 14:48:30.408814043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-masq
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-MASQ" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-MASQ" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-modules.5 shorewall-5.0.12/manpages/shorewall-modules.5
--- shorewall-5.0.11/manpages/shorewall-modules.5 2016-08-06 07:58:01.917142850 -0700
+++ shorewall-5.0.12/manpages/shorewall-modules.5 2016-10-01 14:48:30.977382043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-modules
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-MODULES" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-MODULES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-nat.5 shorewall-5.0.12/manpages/shorewall-nat.5
--- shorewall-5.0.11/manpages/shorewall-nat.5 2016-08-06 07:58:02.589138338 -0700
+++ shorewall-5.0.12/manpages/shorewall-nat.5 2016-10-01 14:48:31.557962043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-nat
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-NAT" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-NAT" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-nesting.5 shorewall-5.0.12/manpages/shorewall-nesting.5
--- shorewall-5.0.11/manpages/shorewall-nesting.5 2016-08-06 07:58:03.181134364 -0700
+++ shorewall-5.0.12/manpages/shorewall-nesting.5 2016-10-01 14:48:32.126530043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-nesting
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-NESTING" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-NESTING" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-netmap.5 shorewall-5.0.12/manpages/shorewall-netmap.5
--- shorewall-5.0.11/manpages/shorewall-netmap.5 2016-08-06 07:58:03.765130443 -0700
+++ shorewall-5.0.12/manpages/shorewall-netmap.5 2016-10-01 14:48:32.695098043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-netmap
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-NETMAP" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-NETMAP" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-params.5 shorewall-5.0.12/manpages/shorewall-params.5
--- shorewall-5.0.11/manpages/shorewall-params.5 2016-08-06 07:58:04.333126632 -0700
+++ shorewall-5.0.12/manpages/shorewall-params.5 2016-10-01 14:48:33.239642043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-params
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-PARAMS" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-PARAMS" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-policy.5 shorewall-5.0.12/manpages/shorewall-policy.5
--- shorewall-5.0.11/manpages/shorewall-policy.5 2016-08-06 07:58:04.965122388 -0700
+++ shorewall-5.0.12/manpages/shorewall-policy.5 2016-10-01 14:48:33.856258043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-policy
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-POLICY" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-POLICY" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -51,7 +51,7 @@
.PP
The order of entries in this file is important
.PP
-This file determines what to do with a new connection request if we don\*(Aqt get a match from the /etc/shorewall/rules file \&. For each source/destination pair, the file is processed in order until a match is found ("all" will match any client or server)\&.
+This file determines what to do with a new connection request if we don\*(Aqt get a match from the /etc/shorewall/rules file \&. For each source/destination pair, the file is processed in order until a match is found ("all" will match any source or destination)\&.
.sp .5v
.RE
.if n \{\
@@ -77,20 +77,28 @@
.PP
The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&.
.PP
-\fBSOURCE\fR \- \fIzone\fR|\fB$FW\fR|\fBall\fR|\fBall+\fR
+\fBSOURCE\fR \- \fIzone\fR[,\&.\&.\&.[+]]|\fB$FW\fR|\fBall\fR|\fBall+\fR
.RS 4
Source zone\&. Must be the name of a zone defined in
\m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[1]\d\s+2(5), $FW, "all" or "all+"\&.
.sp
Support for "all+" was added in Shorewall 4\&.5\&.17\&. "all" does not override the implicit intra\-zone ACCEPT policy while "all+" does\&.
+.sp
+Beginning with Shorewall 5\&.0\&.12, multiple zones may be listed separated by commas\&. As above, if \*(Aq+\*(Aq is specified after two or more zone names, then the policy overrides the implicit intra\-zone ACCEPT policy if the same
+\fIzone\fR
+appears in both the SOURCE and DEST columns\&.
.RE
.PP
-\fBDEST\fR \- \fIzone\fR|\fB$FW\fR|\fBall\fR|\fBall+\fR
+\fBDEST\fR \- \fIzone\fR[,\&.\&.\&.[+]]|\fB$FW\fR|\fBall\fR|\fBall+\fR
.RS 4
Destination zone\&. Must be the name of a zone defined in
\m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[1]\d\s+2(5), $FW, "all" or "all+"\&. If the DEST is a bport zone, then the SOURCE must be "all", "all+", another bport zone associated with the same bridge, or it must be an ipv4 zone that is associated with only the same bridge\&.
.sp
Support for "all+" was added in Shorewall 4\&.5\&.17\&. "all" does not override the implicit intra\-zone ACCEPT policy while "all+" does\&.
+.sp
+Beginning with Shorewall 5\&.0\&.12, multiple zones may be listed separated by commas\&. As above, if \*(Aq+\*(Aq is specified after two or more zone names, then the policy overrides the implicit intra\-zone ACCEPT policy if the same
+\fIzone\fR
+appears in both the SOURCE and DEST columns\&.
.RE
.PP
\fBPOLICY\fR \- {\fBACCEPT\fR|\fBDROP\fR|\fBREJECT\fR|\fBCONTINUE\fR|\fBQUEUE\fR|\fBNFQUEUE\fR[(\fIqueuenumber1\fR[:\fIqueuenumber2\fR])]|\fBNONE\fR}[\fB:\fR{\fIdefault\-action\-or\-macro\fR[:level]|\fBNone\fR}]
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-providers.5 shorewall-5.0.12/manpages/shorewall-providers.5
--- shorewall-5.0.11/manpages/shorewall-providers.5 2016-08-06 07:58:05.617118012 -0700
+++ shorewall-5.0.12/manpages/shorewall-providers.5 2016-10-01 14:48:34.472874043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-providers
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-PROVIDERS" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-PROVIDERS" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -325,6 +325,33 @@
\m[blue]\fBshorewall\-rtrules(5)\fR\m[]\&\s-2\u[5]\d\s+2
are present\&.
.RE
+.sp
+.if n \{\
+.sp
+.\}
+.RS 4
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.ps +1
+\fBNote\fR
+.ps -1
+.br
+The generated script will attempt to reenable a disabled persistent provider during execution of the
+\fBstart\fR,
+\fBrestart\fR
+and
+\fBreload\fR
+commands\&. When
+\fBpersistent\fR
+is not specified, only the
+\fBenable\fR
+and
+\fBreenable\fR
+commands can reenable the provider\&.
+.sp .5v
+.RE
.RE
.RE
.PP
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-proxyarp.5 shorewall-5.0.12/manpages/shorewall-proxyarp.5
--- shorewall-5.0.11/manpages/shorewall-proxyarp.5 2016-08-06 07:58:06.229113903 -0700
+++ shorewall-5.0.12/manpages/shorewall-proxyarp.5 2016-10-01 14:48:35.029430043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-proxyarp
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-PROXYARP" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-PROXYARP" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-routes.5 shorewall-5.0.12/manpages/shorewall-routes.5
--- shorewall-5.0.11/manpages/shorewall-routes.5 2016-08-06 07:58:06.789110144 -0700
+++ shorewall-5.0.12/manpages/shorewall-routes.5 2016-10-01 14:48:35.585986043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-routes
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-ROUTES" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-ROUTES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-rtrules.5 shorewall-5.0.12/manpages/shorewall-rtrules.5
--- shorewall-5.0.11/manpages/shorewall-rtrules.5 2016-08-06 07:58:07.369106251 -0700
+++ shorewall-5.0.12/manpages/shorewall-rtrules.5 2016-10-01 14:48:36.138538043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-rtrules
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-RTRULES" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-RTRULES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-rules.5 shorewall-5.0.12/manpages/shorewall-rules.5
--- shorewall-5.0.11/manpages/shorewall-rules.5 2016-08-06 07:58:08.881096101 -0700
+++ shorewall-5.0.12/manpages/shorewall-rules.5 2016-10-01 14:48:37.608006043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-rules
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-RULES" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-RULES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -1268,6 +1268,15 @@
Defines the ending time of day\&.
.RE
.PP
+contiguous
+.RS 4
+Added in Shoreawll 5\&.0\&.12\&. When
+\fBtimestop\fR
+is smaller than
+\fBtimestart\fR
+value, match this as a single time period instead of distinct intervals\&.
+.RE
+.PP
utc
.RS 4
Times are expressed in Greenwich Mean Time\&.
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-secmarks.5 shorewall-5.0.12/manpages/shorewall-secmarks.5
--- shorewall-5.0.11/manpages/shorewall-secmarks.5 2016-08-06 07:58:09.473092127 -0700
+++ shorewall-5.0.12/manpages/shorewall-secmarks.5 2016-10-01 14:48:38.228626043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-secmarks
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-SECMARKS" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-SECMARKS" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-stoppedrules.5 shorewall-5.0.12/manpages/shorewall-stoppedrules.5
--- shorewall-5.0.11/manpages/shorewall-stoppedrules.5 2016-08-06 07:58:10.101087911 -0700
+++ shorewall-5.0.12/manpages/shorewall-stoppedrules.5 2016-10-01 14:48:38.797194043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-stoppedrules
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-STOPPEDRU" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-STOPPEDRU" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-tcclasses.5 shorewall-5.0.12/manpages/shorewall-tcclasses.5
--- shorewall-5.0.11/manpages/shorewall-tcclasses.5 2016-08-06 07:58:10.749083561 -0700
+++ shorewall-5.0.12/manpages/shorewall-tcclasses.5 2016-10-01 14:48:39.437834043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-tcclasses
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-TCCLASSES" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-TCCLASSES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-tcdevices.5 shorewall-5.0.12/manpages/shorewall-tcdevices.5
--- shorewall-5.0.11/manpages/shorewall-tcdevices.5 2016-08-06 07:58:11.341079588 -0700
+++ shorewall-5.0.12/manpages/shorewall-tcdevices.5 2016-10-01 14:48:40.042438043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-tcdevices
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-TCDEVICES" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-TCDEVICES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-tcfilters.5 shorewall-5.0.12/manpages/shorewall-tcfilters.5
--- shorewall-5.0.11/manpages/shorewall-tcfilters.5 2016-08-06 07:58:11.965075399 -0700
+++ shorewall-5.0.12/manpages/shorewall-tcfilters.5 2016-10-01 14:48:40.647042043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-tcfilters
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-TCFILTERS" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-TCFILTERS" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-tcinterfaces.5 shorewall-5.0.12/manpages/shorewall-tcinterfaces.5
--- shorewall-5.0.11/manpages/shorewall-tcinterfaces.5 2016-08-06 07:58:12.537071559 -0700
+++ shorewall-5.0.12/manpages/shorewall-tcinterfaces.5 2016-10-01 14:48:41.211606043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-tcinterfaces
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-TCINTERFA" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-TCINTERFA" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-tcpri.5 shorewall-5.0.12/manpages/shorewall-tcpri.5
--- shorewall-5.0.11/manpages/shorewall-tcpri.5 2016-08-06 07:58:13.145067478 -0700
+++ shorewall-5.0.12/manpages/shorewall-tcpri.5 2016-10-01 14:48:41.784178043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-tcpri
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-TCPRI" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-TCPRI" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-tunnels.5 shorewall-5.0.12/manpages/shorewall-tunnels.5
--- shorewall-5.0.11/manpages/shorewall-tunnels.5 2016-08-06 07:58:13.733063530 -0700
+++ shorewall-5.0.12/manpages/shorewall-tunnels.5 2016-10-01 14:48:42.352746043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-tunnels
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-TUNNELS" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-TUNNELS" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-vardir.5 shorewall-5.0.12/manpages/shorewall-vardir.5
--- shorewall-5.0.11/manpages/shorewall-vardir.5 2016-08-06 07:58:14.293059771 -0700
+++ shorewall-5.0.12/manpages/shorewall-vardir.5 2016-10-01 14:48:42.897290043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-vardir
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-VARDIR" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-VARDIR" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/manpages/shorewall-zones.5 shorewall-5.0.12/manpages/shorewall-zones.5
--- shorewall-5.0.11/manpages/shorewall-zones.5 2016-08-06 07:58:16.761043205 -0700
+++ shorewall-5.0.12/manpages/shorewall-zones.5 2016-10-01 14:48:45.267658043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-zones
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-ZONES" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-ZONES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/Perl/compiler.pl shorewall-5.0.12/Perl/compiler.pl
--- shorewall-5.0.11/Perl/compiler.pl 2016-08-04 11:03:36.000000000 -0700
+++ shorewall-5.0.12/Perl/compiler.pl 2016-10-01 13:49:35.000000000 -0700
@@ -41,10 +41,7 @@
# --shorewallrc1= # Path to export shorewallrc file.
# --config_path= # Search path for config files
# --inline # Update alternative column specifications
-# --update # Update configuration to this release
-# --tcrules # Create mangle from tcrules
-# --routestopped # Create stoppedrules from routestopped
-# --notrack # Create conntrack from notrack
+# --update # Update configuration to current release
#
use strict;
use FindBin;
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/Perl/lib.runtime shorewall-5.0.12/Perl/lib.runtime
--- shorewall-5.0.11/Perl/lib.runtime 2016-08-04 11:03:36.000000000 -0700
+++ shorewall-5.0.12/Perl/lib.runtime 2016-10-01 13:49:35.000000000 -0700
@@ -599,7 +599,15 @@
}
interface_enabled() {
- return $(cat ${VARDIR}/$1.status)
+ status=0
+
+ if [ -f ${VARDIR}/${1}_disabled ]; then
+ status=1
+ elif [ -f ${VARDIR}/${1}.status ]; then
+ status=$(cat ${VARDIR}/${1}.status)
+ fi
+
+ return status
}
distribute_load() {
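Review bot: `return status` on the new side returns the literal word rather than the value; unless the `$` was lost in rendering, it should read `return $status`, otherwise the shell reports a non-numeric argument and the function's exit status no longer reflects the `_disabled` marker or the saved `.status` file. A one-line comment above the function would also make the precedence explicit, e.g. `# a ${1}_disabled marker wins over .status; no .status at all means enabled (0)`. Note that `status` is a global here, so callers holding their own `status` have it clobbered — consistent with this file's style, but worth knowing when reading the callers in the following hunks.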
@@ -678,8 +686,10 @@
if ! loopback_interface $1; then
if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
- [ "$COMMAND" = enable ] || run_isusable_exit $1
+ if [ "$COMMAND" != enable ]; then
+ [ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
status=$?
+ fi
else
status=1
fi
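Review bot: The new `[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1` followed by `status=$?` relies on the test's own exit status (1) standing in for "unusable" when the marker exists, which is easy to misread as a lost return code; a comment such as `# marker present: the test's exit status (1) is the result and the isusable exit is skipped` would make that intentional. The same construct appears in the IPv6 hunk at @@ -1095,8 +1112,10 @@ and deserves the same comment. The enclosing function starts and ends outside the hunk.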
@@ -996,9 +1006,16 @@
if [ -n "$route" ]; then
if echo $route | grep -qF ' nexthop '; then
+ if interface_is_up $3; then
gateway="nexthop $gateway"
+ else
+ gateway="nexthop $gateway dead"
+ fi
+
+ if eval echo $route \| fgrep -q \'$gateway\'; then
eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
run_ip route replace table $2 $route
+ fi
else
dev=$(find_device $route)
[ "$dev" = "$3" ] && run_ip route delete default table $2
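Review bot: The added `fgrep -q \'$gateway\'` test is an unanchored substring match, so when the interface is up the pattern `nexthop $gateway` presumably also matches a nexthop the kernel has already flagged `dead`, and the following `sed 's/$gateway/ /'` would then leave a stray `dead` token in the `ip route replace` command — worth confirming against the actual `ip route` output, since the hunk does not show how `$gateway` is composed. A comment stating the intent, `# only rewrite the route if this gateway is still one of its nexthops`, would help readers, and `fgrep` is the deprecated spelling of `grep -F`. The enclosing function starts and ends outside the hunk.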
@@ -1095,8 +1112,10 @@
if [ "$1" != lo ]; then
if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
- [ "$COMMAND" = enable ] || run_isusable_exit $1
+ if [ "$COMMAND" != enable ]; then
+ [ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
status=$?
+ fi
else
status=1
fi
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/Perl/Shorewall/Chains.pm shorewall-5.0.12/Perl/Shorewall/Chains.pm
--- shorewall-5.0.11/Perl/Shorewall/Chains.pm 2016-08-06 07:57:47.073242494 -0700
+++ shorewall-5.0.12/Perl/Shorewall/Chains.pm 2016-10-01 14:48:18.496914043 -0700
@@ -296,7 +296,7 @@
Exporter::export_ok_tags('internal');
-our $VERSION = '5.0_11';
+our $VERSION = '5.0_12';
#
# Chain Table
@@ -337,7 +337,7 @@
# digest => SHA1 digest of the string representation of the chain's rules for use in optimization
# level 8.
# complete => The last rule in the chain is a -g or a simple -j to a terminating target
-# Suppresses adding additional rules to the chain end of the chain
+# Suppresses adding additional rules to the end of the chain
# sections => { = 1, ... } - Records sections that have been completed.
# chainnumber => Numeric enumeration of the builtin chains (mangle table only).
# allowedchains
@@ -3186,17 +3186,17 @@
#
sub calculate_digest( $ ) {
my $chainref = shift;
- my $digest = '';
+ my $rules = '';
for ( @{$chainref->{rules}} ) {
- if ( $digest ) {
- $digest .= ' |' . format_rule( $chainref, $_, 1 );
+ if ( $rules ) {
+ $rules .= ' |' . format_rule( $chainref, $_, 1 );
} else {
- $digest = format_rule( $chainref, $_, 1 );
+ $rules = format_rule( $chainref, $_, 1 );
}
}
- $chainref->{digest} = sha1_hex $digest;
+ $chainref->{digest} = sha1_hex $rules;
}
#
@@ -3485,7 +3485,7 @@
$progress = 1;
} elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
#
- # This case requires a new rule merging algorithm. Ignore this chain for
+ # This case requires a new rule merging algorithm. Ignore this chain from
# now on.
#
$chainref->{optflags} |= DONT_OPTIMIZE;
@@ -3493,7 +3493,7 @@
#
# Replace references to this chain with the target and add the matches
#
- $progress = 1 if replace_references1 $chainref, $firstrule;
+ $progress = 1 if replace_references1( $chainref, $firstrule );
}
}
} else {
@@ -3539,7 +3539,7 @@
#empty builtin chain -- change it's policy
#
$chainref->{policy} = $target;
- trace( $chainref, 'P', undef, 'ACCEPT' ) if $debug;
+ trace( $chainref, 'P', undef, $target ) if $debug;
$count++;
}
@@ -3693,7 +3693,12 @@
if ( $chainref->{digest} eq $chainref1->{digest} ) {
progress_message " Chain $chainref1->{name} combined with $chainref->{name}";
$progress = 1;
- replace_references $chainref1, $chainref->{name}, undef, '', '', 1;
+ replace_references( $chainref1,
+ $chainref->{name},
+ undef, # Target Opts
+ '', # Comment
+ '', # Origin
+ 1 ); # Recalculate digests of modified chains
unless ( $chainref->{name} =~ /^~/ || $chainref1->{name} =~ /^%/ ) {
#
@@ -5185,7 +5190,7 @@
$result .= "--monthday $days ";
} elsif ( $element =~ /^(datestart|datestop)=(\d{4}(-\d{2}(-\d{2}(T\d{1,2}(:\d{1,2}){0,2})?)?)?)$/ ) {
$result .= "--$1 $2 ";
- } elsif ( $element =~ /^(utc|localtz|kerneltz)$/ ) {
+ } elsif ( $element =~ /^(utc|localtz|kerneltz|contiguous)$/ ) {
$result .= "--$1 ";
} else {
fatal_error "Invalid time element ($element)";
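Review bot: The new `contiguous` alternative is emitted as `--contiguous` with no accompanying `require_capability` call, unlike the provider options elsewhere in this diff, so on an iptables/kernel without support for that xt_time option the failure surfaces only when the generated script runs rather than at compile time. If no capability probe exists for it yet, a comment such as `# --contiguous has no capability probe; older iptables rejects it at load time` would at least record the gap for the next maintainer. The enclosing function starts outside the hunk.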
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/Perl/Shorewall/Config.pm shorewall-5.0.12/Perl/Shorewall/Config.pm
--- shorewall-5.0.11/Perl/Shorewall/Config.pm 2016-08-06 07:57:47.089242387 -0700
+++ shorewall-5.0.12/Perl/Shorewall/Config.pm 2016-10-01 14:48:18.512930043 -0700
@@ -241,7 +241,7 @@
Exporter::export_ok_tags('internal');
-our $VERSION = '5.0_11';
+our $VERSION = '5.0_12';
#
# describe the current command, it's present progressive, and it's completion.
@@ -744,7 +744,7 @@
TC_SCRIPT => '',
EXPORT => 0,
KLUDGEFREE => '',
- VERSION => "5.0.11",
+ VERSION => "5.0.12",
CAPVERSION => 50004 ,
BLACKLIST_LOG_TAG => '',
RELATED_LOG_TAG => '',
@@ -897,6 +897,7 @@
PAGER => undef ,
MINIUPNPD => undef ,
VERBOSE_MESSAGES => undef ,
+ ZERO_MARKS => undef ,
#
# Packet Disposition
#
@@ -3400,7 +3401,7 @@
sub embedded_perl( $ ) {
my $multiline = shift;
- my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
+ my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config (qw/shorewall/);\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
$directive_callback->( 'PERL', $currentline ) if $directive_callback;
@@ -3853,8 +3854,10 @@
$shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product";
}
} elsif ( supplied $shorewallrc{VARLIB} ) {
- $shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product" unless supplied $shorewallrc{VARDIR};
+ $shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product";
}
+
+ $shorewallrc{DEFAULT_PAGER} = '' unless supplied $shorewallrc{DEFAULT_PAGER};
}
#
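Review bot: Dropping the `unless supplied $shorewallrc{VARDIR}` guard means an explicit VARDIR in shorewallrc is now silently overridden by `$VARLIB/$product` whenever VARLIB is supplied, a behaviour change the release notes in this diff do not mention; if that is intended, a comment such as `# VARDIR is always derived from VARLIB when VARLIB is given` next to the assignment would mark it deliberate, and a warning when the two disagree would help administrators whose state directory has moved. The `DEFAULT_PAGER` default is applied to `%shorewallrc` here while the hunk at @@ -5228,7 +5231,7 @@ reads `$shorewallrc1{DEFAULT_PAGER}`; worth confirming the same defaulting runs for that hash, or the new PAGER default may be undef. The enclosing function starts outside the hunk.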
@@ -5228,7 +5231,7 @@
update_default( 'USE_DEFAULT_RT', 'No' );
update_default( 'EXPORTMODULES', 'No' );
update_default( 'RESTART', 'reload' );
- update_default( 'PAGER', '' );
+ update_default( 'PAGER', $shorewallrc1{DEFAULT_PAGER} );
my $fn;
@@ -6290,6 +6293,7 @@
default_yes_no 'DEFER_DNS_RESOLUTION' , 'Yes';
default_yes_no 'MINIUPNPD' , '';
default_yes_no 'VERBOSE_MESSAGES' , 'Yes';
+ default_yes_no 'ZERO_MARKS' , '';
$config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/Perl/Shorewall/Providers.pm shorewall-5.0.12/Perl/Shorewall/Providers.pm
--- shorewall-5.0.11/Perl/Shorewall/Providers.pm 2016-08-06 07:57:47.109242252 -0700
+++ shorewall-5.0.12/Perl/Shorewall/Providers.pm 2016-10-01 14:48:18.536954043 -0700
@@ -47,7 +47,7 @@
map_provider_to_interface
);
our @EXPORT_OK = qw( initialize provider_realm );
-our $VERSION = '5.0_9';
+our $VERSION = '5.0_12';
use constant { LOCAL_TABLE => 255,
MAIN_TABLE => 254,
@@ -125,6 +125,13 @@
my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';
require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
+ #
+ # Clear the mark -- we have seen cases where the mark is non-zero even in the raw table chains!
+ #
+
+ if ( $config{ZERO_MARKS} ) {
+ add_ijump( $mangle_table->{$_}, j => 'MARK', targetopts => '--set-mark 0' ) for qw/PREROUTING OUTPUT/;
+ }
if ( $config{RESTORE_ROUTEMARKS} ) {
add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
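Review bot: `--set-mark 0` clears every bit of the packet mark, not just the provider bits, which is presumably why the release notes in this diff warn that ZERO_MARKS=Yes can break IPsec in multi-ISP configurations; `$exmask` is already computed a few lines above, so `targetopts => "--set-mark 0$exmask"` would clear only the masked provider bits where EXMARK is available and leave other users' mark bits intact. If the stray marks that motivated the option were observed outside the provider mask, the full clear is needed and the comment should say so explicitly. The enclosing function starts and ends outside the hunk.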
@@ -802,6 +809,10 @@
push_indent;
+ emit( "if interface_is_up $physical; then" );
+
+ push_indent;
+
if ( $gatewaycase eq 'omitted' ) {
if ( $tproxy ) {
emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
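Review bot: The `if interface_is_up $physical; then` emitted here is closed by the `fi` emitted in the hunk at @@ -855,8 +871,10 @@ some sixty lines later, with nothing linking the two, so a reader of either hunk cannot see the pairing; a comment at each end, `# opens the interface_is_up block closed after the route setup below` and `# closes the interface_is_up block opened before the route setup`, would make the generated-script structure visible in the Perl. Note also that with the interface down nothing appears to be appended to `undo_${table}_routing`, so the `_disabled` marker written after the `fi` has no routes to undo — presumably intended. The enclosing function starts and ends outside the hunk.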
@@ -819,14 +830,19 @@
if ( $family == F_IPV4 ) {
emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
+ emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
+ emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
} else {
emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
+ emit qq(echo "\$IP -6 route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing );
+ emit qq(echo "\$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
}
}
- emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
+ emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
+ emit( qq( echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) );
}
if ( ! $noautosrc ) {
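Review bot: The undo lines added for the main-table route (`$IP route del $gateway src $address dev $physical ${mtu}` with no `table $id`) remove that route on disable even though the `route replace` at the top of the hunk may have overwritten a route that existed before Shorewall ran (for example one installed by a DHCP client), so the undo can leave the host without a route to its gateway; worth either checking whether the route pre-existed before recording the undo, or limiting the undo to the provider table. The IPv6 branch is presumably affected the same way, since its context line adds the main-table route with `qt`, which hides an "already exists" failure and so records an undo for a route Shorewall did not add. The enclosing function starts and ends outside the hunk.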
@@ -855,8 +871,10 @@
}
}
- emit( qq(\n),
- qq(rm -f \${VARDIR}/${physical}_enabled) );
+ pop_indent;
+
+ emit( qq(fi\n),
+ qq(echo 1 > \${VARDIR}/${physical}_disabled) );
pop_indent;
@@ -1070,7 +1088,7 @@
emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
}
- emit( qq( echo 1 > \${VARDIR}/${physical}_enabled) ) if $persistent;
+ emit( qq( rm -f \${VARDIR}/${physical}_disabled) );
emit_started_message( '', 2, $pseudo, $table, $number );
pop_indent;
@@ -1078,7 +1096,7 @@
unless ( $pseudo ) {
emit( 'else' );
emit( qq( echo $weight > \${VARDIR}/${physical}_weight) );
- emit( qq( echo 1 > \${VARDIR}/${physical}_enabled) ) if $persistent;
+ emit( qq( rm -f \${VARDIR}/${physical}_disabled) ) if $persistent;
emit_started_message( ' ', '', $pseudo, $table, $number );
}
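Review bot: The two `rm -f \${VARDIR}/${physical}_disabled` emits are guarded differently — unconditional in the hunk at @@ -1070,7 +1088,7 @@ but `if $persistent` here — while the hunk at @@ -1172,7 +1190,7 @@ writes the `_disabled` marker without a persistence test, and `interface_enabled()` in lib.runtime now treats a present marker as disabled before consulting `.status`; if a non-persistent provider can reach this else-branch after having been disabled, the stale marker would keep it reported as disabled. Either drop the guard for consistency or add a comment explaining why this branch differs, e.g. `# non-persistent providers never carry a _disabled marker in this branch`. The enclosing function starts and ends outside the hunk.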
@@ -1172,7 +1190,7 @@
'if [ $COMMAND = disable ]; then',
" do_persistent_${what}_${table}",
"else",
- " rm -f \${VARDIR}/${physical}_enabled\n",
+ " echo 1 > \${VARDIR}/${physical}_disabled\n",
"fi\n",
);
}
@@ -1677,7 +1695,7 @@
emit ( " if [ ! -f \${VARDIR}/undo_${provider}_routing ]; then",
" start_interface_$provider" );
} elsif ( $providerref->{persistent} ) {
- emit ( " if [ ! -f \${VARDIR}/$providerref->{physical}_enabled ]; then",
+ emit ( " if [ -f \${VARDIR}/$providerref->{physical}_disabled ]; then",
" start_provider_$provider" );
} else {
emit ( " if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
@@ -1728,7 +1746,7 @@
if ( $providerref->{pseudo} ) {
emit( " if [ -f \${VARDIR}/undo_${provider}_routing ]; then" );
} elsif ( $providerref->{persistent} ) {
- emit( " if [ -f \${VARDIR}/$providerref->{physical}_enabled ]; then" );
+ emit( " if [ ! -f \${VARDIR}/$providerref->{physical}_disabled ]; then" );
} else {
emit( " if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then" );
}
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/Perl/Shorewall/Rules.pm shorewall-5.0.12/Perl/Shorewall/Rules.pm
--- shorewall-5.0.11/Perl/Shorewall/Rules.pm 2016-08-06 07:57:47.125242146 -0700
+++ shorewall-5.0.12/Perl/Shorewall/Rules.pm 2016-10-01 14:48:18.552970043 -0700
@@ -77,7 +77,7 @@
Exporter::export_ok_tags('Traffic');
-our $VERSION = '5.0_11';
+our $VERSION = '5.0_12';
#
# Globals are documented in the initialize() function
#
@@ -295,7 +295,7 @@
# known until the compiler has started.
#
# 2. The compiler can run multiple times in the same process so it has to be
-# able to re-initialize its dependent modules' state.
+# able to re-initialize the state of its dependent modules.
#
sub initialize( $ ) {
$family = shift;
@@ -345,11 +345,11 @@
#
$macro_nest_level = 0;
#
- # All builtin actions plus those mentioned in /etc/shorewall[6]/actions and /usr/share/shorewall[6]/actions
+ # All builtin actions plus those mentioned in /etc/shorewall[6]/actions and /usr/share/shorewall[6]/actions.std
#
%actions = ();
#
- # Action variants actually used. Key is :::; value is corresponding chain name
+ # Action variants actually used. Key is ::::; value is corresponding chain name
#
%usedactions = ();
@@ -628,29 +628,20 @@
#
# Process an entry in the policy file.
#
-sub process_a_policy() {
+sub process_a_policy1($$$$$$$) {
our %validpolicies;
our @zonelist;
- my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) =
- split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
-
- $loglevel = '' if $loglevel eq '-';
- $synparams = '' if $synparams eq '-';
- $connlimit = '' if $connlimit eq '-';
-
- fatal_error 'SOURCE must be specified' if $client eq '-';
- fatal_error 'DEST must be specified' if $server eq '-';
- fatal_error 'POLICY must be specified' if $originalpolicy eq '-';
+ my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit, $intrazone ) = @_;
my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
- my $intrazone = $clientwild && $1;
+ $intrazone = $clientwild && $1;
fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
my $serverwild = ( "\L$server" =~ /^all(\+)?/ );
- $intrazone ||= $serverwild && $1;
+ $intrazone ||= ( $serverwild && $1 );
fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );
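Review bot: `$intrazone = $clientwild && $1;` overwrites the seventh argument immediately after it is read, so the `+` suffix that the caller detects on a comma-separated zone list never reaches the rest of this function, and the `dmz,loc loc,dmz+ REJECT` example from the release notes would not override the intra-zone ACCEPT; it should be `$intrazone ||= $clientwild && $1;` to match the `||=` used two lines below for the server side. The caller's computation of that argument is in the hunk at @@ -758,6 +749,40 @@. The function continues past the end of the hunk.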
@@ -758,6 +749,40 @@
}
}
+sub process_a_policy() {
+
+ our %validpolicies;
+ our @zonelist;
+
+ my ( $clients, $servers, $policy, $loglevel, $synparams, $connlimit ) =
+ split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
+
+ $loglevel = '' if $loglevel eq '-';
+ $synparams = '' if $synparams eq '-';
+ $connlimit = '' if $connlimit eq '-';
+
+ my $intrazone;
+
+ if ( $intrazone = $clients =~ /.*,.*\+$/) {
+ $clients =~ s/\+$//;
+ }
+
+ if ( $servers =~ /.*,.*\+$/ ) {
+ $servers =~ s/\+$//;
+ $intrazone = 1;
+ }
+
+ fatal_error 'SOURCE must be specified' if $clients eq '-';
+ fatal_error 'DEST must be specified' if $servers eq '-';
+ fatal_error 'POLICY must be specified' if $policy eq '-';
+
+ for my $client ( split_list( $clients, 'zone' ) ) {
+ for my $server ( split_list( $servers, 'zone' ) ) {
+ process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone );
+ }
+ }
+}
+
#
# Generate contents of the /var/lib/shorewall[6]/.policies file as 'here documents' in the generated script
#
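Review bot: The two list checks are written in different shapes — an assignment inside the `if` condition for `$clients`, a separate `$intrazone = 1` for `$servers` — which hides that they do the same thing; a shared comment above them, `# a trailing '+' on a comma-separated list overrides the implicit intra-zone ACCEPT policy`, and the same statement form for both would read more easily. Note that a single zone with a trailing `+` (no comma) does not match `/.*,.*\+$/` and is passed through untouched to process_a_policy1, where it is presumably reported as an undefined zone; if that is the intended behaviour a dedicated message would be clearer.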
@@ -1352,7 +1377,7 @@
# Create and record a log action chain -- Log action chains have names
# that are formed from the action name by prepending a "%" and appending
# a 1- or 2-digit sequence number. In the functions that follow,
-# the $chain, $level and $tag variable serves as arguments to the user's
+# the $chain, $level and $tag variables serve as arguments to the user's
# exit. We call the exit corresponding to the name of the action but we
# set $chain to the name of the iptables chain where rules are to be added.
# Similarly, $level and $tag contain the log level and log tag respectively.
@@ -1533,7 +1558,7 @@
{
my $macro = $_[0];
- $macro =~ s/^macro.//;
+ $macro =~ s/^macro\.//;
my $macrofile = find_file "macro.$macro";
@@ -2957,8 +2982,7 @@
# And we need the dest zone for local/loopback/off-firewall/destonly checks
#
$destref = find_zone( $chainref->{destzone} ) if $chainref->{destzone};
- } else {
- unless ( $actiontype & NATONLY ) {
+ } elsif ( ! ( $actiontype & NATONLY ) ) {
#
# Check for illegal bridge port rule
#
@@ -3017,7 +3041,6 @@
$chainref = $auxref;
}
}
- }
#
# Handle 'local/loopback' warnings
#
@@ -3562,7 +3585,7 @@
sub process_section ($) {
my $sect = shift;
#
- # split_line1 has already verified that there are exactly two tokens on the line
+ # split_line2 has already verified that there are exactly two tokens on the line
#
fatal_error "Invalid SECTION ($sect)" unless defined $sections{$sect};
fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
@@ -3706,7 +3729,7 @@
fatal_error "Invalid or missing ACTION ($target)" unless defined $action;
if ( @protos > 1 ) {
- fatal_error "Inversion not allowed in a PROTO list" if $protos =~ tr/!/!/;
+ fatal_error "Inversion not allowed in a PROTO list" if $protos =~ /!/;
}
for $source ( @source ) {
@@ -4173,8 +4196,8 @@
},
CHECKSUM => {
- defaultchain => 0,
- allowedchains => ALLCHAINS,
+ defaultchain => POSTROUTING,
+ allowedchains => POSTROUTING | FORWARD | OUTPUT,
minparams => 0,
maxparams => 0 ,
function => sub() {
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/releasenotes.txt shorewall-5.0.12/releasenotes.txt
--- shorewall-5.0.11/releasenotes.txt 2016-08-06 07:57:47.021242844 -0700
+++ shorewall-5.0.12/releasenotes.txt 2016-10-01 14:48:18.456874042 -0700
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 5 . 0 . 1 1
+ S H O R E W A L L 5 . 0 . 1 2
----------------------------
- A u g u s t 1 2 , 2 0 1 6
+ O c t o b e r 0 3 , 2 0 1 6
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,27 +14,48 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) This release contains defect repair through Shorewall 5.0.10.1.
+1) Minor cleanup, mostly commentary, in the Rules.pm module.
-2) In Shorewall 5.0, the default chain for DSCP rules was
- inadvertently chained to PREROUTING (FORWARD, if
- MARK_IN_FORWARD_CHAIN=Yes).
+2) In Shorewall 5.0.7, The assumed 'use Shorewall::Config(shorewall)'
+ statement in ?PERL and ?BEGIN PERL...?END PERL handling was
+ inadvertently removed. This results in Perl compilation errors if
+ the 'shorewall' function is invoked. The statement has now been
+ restored.
- The default is now restored to POSTROUTING, its earlier value.
+3) Previously, the firewall would fail to start if the configuration
+ contained a CHECKSUM rule without a chain designator and
+ MARK_IN_FORWARD_CHAIN=No. Now, the compiler defaults these rules to
+ the POSTROUTING chain and forbids them in the PREROUTING chain.
-3) When 'trace' was specified, prevously the output of ip[6]tables
- rules containing a comment were displayed incorrectly. The "-m
- comment --comment" specification was missing and the comment was
- not enclosed in double quotes. This has been corrected.
+4) Recently, a case was observed where certain incoming packets had a
+ non-zero packet mark in the raw PREROUTING chain, causing them to
+ be misrouted. To guard against this issue, packet marks are now
+ cleared at the top of the PREROUTING and OUTPUT mangle chains when
+ the new ZERO_MARKS option is set to yes. Note that ZERO_MARKS=Yes
+ can break IPSEC in multi-ISP configurations.
-4) Previously, if a provider interface matched only a wildcard entry
- (one whose physical interface name ended in '+'), then the
- generated script would always find the interface to be
- unusable. That has been corrected.
+5) Two distinct problems have been corrected in the 'disable'
+ command logic:
-5) A change released in 5.0.9.1 and that allowed simple traffic
- shaping to support more than 9 interfaces prevented some users'
- configurations from starting. That has been corrected.
+ a) If a balanced or fallback interface was down or had been
+ deleted, then the 'disable' command could fail.
+
+ b) If a persistent optional interface was down, then the
+ generated script would fail when it attempted to add routes out
+ of the interface.
+
+6) Previously, the generated script would attempt to reenable a
+ disabled persistent provider at each 'start', 'reload' or
+ 'restart'. Now, disabled persistent providers are handled the same
+ as other providers and require the 'enable' or 'reenable' command
+ to enable them.
+
+7) Previously, the generated script assumed that all
+ probability-balanced providers (those with the 'load' option
+ specified) were optional. That assumption has been removed.
+
+8) Previously, the permissions of files created by the 'save' command
+ were more relaxed than necessary. This has been corrected.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
@@ -51,21 +72,69 @@
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) When using the alternate input form, it is now possible to specify
- a comment to be attached to the generated ip[6]tables rule. Simply
- use the 'comment' keyword. If the comment contains embedded white
- space, then it must be enclosed in double quotes. Any double
- quotes embedded in the comment must be escaped using a backslash.
+1) You may now place comma-separated zone lists in the SOURCE and DEST
+ columns in /etc/shorewall[6]/policy.
Example:
- ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" }
+ #SOURCE DEST POLICY ...
+ loc,dmz net REJECT
-2) OPTIMIZE level 16 no longer deletes duplicate COUNT rules, allowing
- multiple similar COUNT rules in a chain.
+ That line is equivalent to:
-3) Beginning with this release, source RPMs are available on the
- download sites.
+ #SOURCE DEST POLICY ...
+ loc net REJECT
+ loc dmz REJECT
+
+ If the same zone appears in both columns, the default ACCEPT
+ intrazone policy is not overridden unless the list is followed
+ immediately by '+'.
+
+ Example:
+
+ #SOURCE DEST POLICY ...
+ dmz,loc loc,dmz+ REJECT
+
+ That line is equivalent to:
+
+ #SOURCE DEST POLICY ...
+ dmz loc REJECT
+ dmz dmz REJECT
+ loc loc REJECT
+ loc dmz REJECT
+
+ Without the plus sine, it would be equivalent to
+
+ #SOURCE DEST POLICY ...
+ dmz loc REJECT
+ loc dmz REJECT
+
+2) Distribution maintainers may now set a default pager via the
+ configure and configure.pl programs in Shorewall-core to set
+ DEFAULT_PAGER in the generated shorewallrc file. The
+ Shorewall-provided shorewallrc files for Debian currently specify
+ 'less' for DEFAULT_PAGER. The other shorewallrc files do not
+ specify DEFAULT_PAGER.
+
+ If shorewall[6].conf does not specify PAGER then the DEFAULT_PAGER
+ setting is used.
+
+3) The 'contiguous' option is now supported in TIME columns. When the
+ 'timestop' value is smaller than the 'timestart' value, match this
+ as a single time period instead distinct intervals.
+
+ Example:
+
+ weekdays=Mo×tart=23:00×top=01:00
+
+ Will match Monday, for one hour from midnight to 1 a.m., and
+ then again for another hour from 23:00 onwards. If this is
+ unwanted, e.g. if you would like 'match for two hours from
+ Monday 23:00 onwards' you need to also specify the 'contiguous'
+ option in the example above.
+
+ See http://www.shorewall.org/configuration_file_basics.htm#TIME for
+ additional TIME column examples.
----------------------------------------------------------------------------
I V. M I G R A T I O N I S S U E S
@@ -214,7 +283,7 @@
these requests, so they are simply logged and dropped.
IMPORTANT: If you want to continue to reject Auth requests, you
- can do so by chaning your DROP_DEFAULT setting to make the second
+ can do so by changing your DROP_DEFAULT setting to make the second
parameter REJECT. For example, if you currently have:
DROP_DEFAULT=Drop
@@ -226,6 +295,52 @@
----------------------------------------------------------------------------
V. N O T E S F R O M O T H E R 5 . 0 R E L E A S E S
----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 5 . 0 . 1 1
+----------------------------------------------------------------------------
+
+1) This release contains defect repair through Shorewall 5.0.10.1.
+
+2) In Shorewall 5.0, the default chain for DSCP rules was
+ inadvertently chained to PREROUTING (FORWARD, if
+ MARK_IN_FORWARD_CHAIN=Yes).
+
+ The default is now restored to POSTROUTING, its earlier value.
+
+3) When 'trace' was specified, previously the output of ip[6]tables
+ rules containing a comment were displayed incorrectly. The "-m
+ comment --comment" specification was missing and the comment was
+ not enclosed in double quotes. This has been corrected.
+
+4) Previously, if a provider interface matched only a wildcard entry
+ (one whose physical interface name ended in '+'), then the
+ generated script would always find the interface to be
+ unusable. That has been corrected.
+
+5) A change released in 5.0.9.1 and that allowed simple traffic
+ shaping to support more than 9 interfaces prevented some users'
+ configurations from starting. That has been corrected.
+
+----------------------------------------------------------------------------
+ N E W F E A T U R E S I N 5 . 0 . 1 1
+----------------------------------------------------------------------------
+
+1) When using the alternate input form, it is now possible to specify
+ a comment to be attached to the generated ip[6]tables rule. Simply
+ use the 'comment' keyword. If the comment contains embedded white
+ space, then it must be enclosed in double quotes. Any double
+ quotes embedded in the comment must be escaped using a backslash.
+
+ Example:
+
+ ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" }
+
+2) OPTIMIZE level 16 no longer deletes duplicate COUNT rules, allowing
+ multiple similar COUNT rules in a chain.
+
+3) Beginning with this release, source RPMs are available on the
+ download sites.
+
+----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 0 . 1 0
----------------------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/Samples/one-interface/policy.annotated shorewall-5.0.12/Samples/one-interface/policy.annotated
--- shorewall-5.0.11/Samples/one-interface/policy.annotated 2016-08-06 07:58:28.040967483 -0700
+++ shorewall-5.0.12/Samples/one-interface/policy.annotated 2016-10-01 14:48:56.470850042 -0700
@@ -22,7 +22,7 @@
# This file determines what to do with a new connection request if we don't get a
# match from the /etc/shorewall/rules file . For each source/destination pair,
# the file is processed in order until a match is found ("all" will match any
-# client or server).
+# source or destination).
#
# Important
#
@@ -42,7 +42,7 @@
# different name in parentheses, the different name is used in the alternate
# specification syntax).
#
-# SOURCE - zone|$FW|all|all+
+# SOURCE - zone[,...[+]]|$FW|all|all+
#
# Source zone. Must be the name of a zone defined in shorewall-zones(5), $FW,
# "all" or "all+".
@@ -50,7 +50,12 @@
# Support for "all+" was added in Shorewall 4.5.17. "all" does not override
# the implicit intra-zone ACCEPT policy while "all+" does.
#
-# DEST - zone|$FW|all|all+
+# Beginning with Shorewall 5.0.12, multiple zones may be listed separated by
+# commas. As above, if '+' is specified after two or more zone names, then
+# the policy overrides the implicit intra-zone ACCEPT policy if the same zone
+# appears in both the SOURCE and DEST columns.
+#
+# DEST - zone[,...[+]]|$FW|all|all+
#
# Destination zone. Must be the name of a zone defined in shorewall-zones(5),
# $FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE must be
@@ -60,6 +65,11 @@
# Support for "all+" was added in Shorewall 4.5.17. "all" does not override
# the implicit intra-zone ACCEPT policy while "all+" does.
#
+# Beginning with Shorewall 5.0.12, multiple zones may be listed separated by
+# commas. As above, if '+' is specified after two or more zone names, then
+# the policy overrides the implicit intra-zone ACCEPT policy if the same zone
+# appears in both the SOURCE and DEST columns.
+#
# POLICY - {ACCEPT|DROP|REJECT|CONTINUE|QUEUE|NFQUEUE[(queuenumber1[:queuenumber2
# ])]|NONE}[:{default-action-or-macro[:level]|None}]
#
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/Samples/one-interface/rules.annotated shorewall-5.0.12/Samples/one-interface/rules.annotated
--- shorewall-5.0.11/Samples/one-interface/rules.annotated 2016-08-06 07:58:28.444964772 -0700
+++ shorewall-5.0.12/Samples/one-interface/rules.annotated 2016-10-01 14:48:56.871250043 -0700
@@ -960,6 +960,12 @@
#
# Defines the ending time of day.
#
+# contiguous
+#
+# Added in Shoreawll 5.0.12. When timestop is smaller than timestart
+# value, match this as a single time period instead of distinct
+# intervals.
+#
# utc
#
# Times are expressed in Greenwich Mean Time.
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/Samples/one-interface/shorewall.conf shorewall-5.0.12/Samples/one-interface/shorewall.conf
--- shorewall-5.0.11/Samples/one-interface/shorewall.conf 2016-08-04 11:03:36.000000000 -0700
+++ shorewall-5.0.12/Samples/one-interface/shorewall.conf 2016-10-01 13:49:35.000000000 -0700
@@ -259,6 +259,8 @@
WORKAROUNDS=No
+ZERO_MARKS=No
+
ZONE2ZONE=-
###############################################################################
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/Samples/one-interface/shorewall.conf.annotated shorewall-5.0.12/Samples/one-interface/shorewall.conf.annotated
--- shorewall-5.0.11/Samples/one-interface/shorewall.conf.annotated 2016-08-06 07:58:28.916961603 -0700
+++ shorewall-5.0.12/Samples/one-interface/shorewall.conf.annotated 2016-10-01 14:48:57.299678044 -0700
@@ -102,6 +102,9 @@
# and the dump command are piped through the named program when the output
# file is a terminal.
#
+# Beginning with Shorewall 5.0.12, the default value of this option is the
+# DEFAULT_PAGER setting in shorewallrc.
+#
###############################################################################
# L O G G I N G
###############################################################################
@@ -487,10 +490,10 @@
#
# SHOREWALL_SHELL=[pathname]
#
-# This option is used to specify the shell program to be used to run the
-# Shorewall compiler and to interpret the compiled script. If not specified
-# or specified as a null value, /bin/sh is assumed. Using a light-weight
-# shell such as ash or dash can significantly improve performance.
+# This option is used to specify the shell program to be used to interpret
+# the compiled script. If not specified or specified as a null value, /bin/sh
+# is assumed. Using a light-weight shell such as ash or dash can
+# significantly improve performance.
#
SUBSYSLOCK=
#
@@ -678,6 +681,9 @@
# continue to work and all new connections from the firewall system
# itself are allowed.
#
+# Note that the routestopped file is not supported in Shorewall 5.0 and
+# later versions.
+#
# stoppedrules
#
# All existing connections continue to work. To sever all existing
@@ -786,7 +792,7 @@
#
# ALL sends all packets through the blacklist chains.
#
-# Note: The ESTABLISHED state may not be specified if FASTACCEPT is
+# Note: The ESTABLISHED state may not be specified if FASTACCEPT=Yes is
# specified.
#
CHAIN_SCRIPTS=No
@@ -822,13 +828,13 @@
# CLEAR_TC=[Yes|No]
#
# If this option is set to No then Shorewall won't clear the current traffic
-# control rules during [re]start. This setting is intended for use by people
-# who prefer to configure traffic shaping when the network interfaces come up
-# rather than when the firewall is started. If that is what you want to do,
-# set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/
-# tcstart file. That way, your traffic shaping rules can still use the
-# “fwmark” classifier based on packet marking defined in shorewall-tcrules
-# (5). If not specified, CLEAR_TC=Yes is assumed.
+# control rules during [re]start or reload. This setting is intended for use
+# by people who prefer to configure traffic shaping when the network
+# interfaces come up rather than when the firewall is started. If that is
+# what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply
+# an /etc/shorewall/tcstart file. That way, your traffic shaping rules can
+# still use the “fwmark” classifier based on packet marking defined in
+# shorewall-tcrules(5). If not specified, CLEAR_TC=Yes is assumed.
#
COMPLETE=No
#
@@ -895,10 +901,10 @@
#
# DELETE_THEN_ADD={Yes|No}
#
-# If set to Yes (the default value), entries in the /etc/shorewall/
-# route_stopped files cause an 'ip rule del' command to be generated in
-# addition to an 'ip rule add' command. Setting this option to No, causes the
-# 'ip rule del' command to be omitted.
+# If set to Yes (the default value), entries in the /etc/shorewall/rtrules
+# files cause an 'ip rule del' command to be generated in addition to an 'ip
+# rule add' command. Setting this option to No, causes the 'ip rule del'
+# command to be omitted.
#
DETECT_DNAT_IPADDRS=No
#
@@ -968,7 +974,7 @@
# commands), the compiler will copy the modules or helpers file from the
# administrative system into the script. When set to No or not specified, the
# compiler will not copy the modules or helpers file from /usr/share/
-# shorewall but will copy the found in another location on the CONFIG_PATH.
+# shorewall but will copy those found in another location on the CONFIG_PATH.
#
# When compiling for direct use by Shorewall, causes the contents of the
# local module or helpers file to be copied into the compiled script. When
@@ -993,8 +999,8 @@
#
# FORWARD_CLEAR_MARK={Yes|No}
#
-# Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has cleared the
-# packet mark in the first rule in the mangle FORWARD chain. This behavior is
+# Added in Shorewall 4.4.11. Traditionally, Shorewall has cleared the packet
+# mark in the first rule in the mangle FORWARD chain. This behavior is
# maintained with the default setting of this option (FORWARD_CLEAR_MARK=
# Yes). If FORWARD_CLEAR_MARK is set to 'No', packet marks set in the mangle
# PREROUTING chain are retained in the FORWARD chains.
@@ -1431,18 +1437,18 @@
# #TARGET SOURCE DEST PROTO
# Broadcast(DROP) - - -
# DROP - - 2
-# INLINE - - 6 ; -j REJECT --reject-with tcp-reset
+# INLINE - - 6 ;; -j REJECT --reject-with tcp-reset
# ?if __ENHANCED_REJECT
-# INLINE - - 17 ; -j REJECT
+# INLINE - - 17 ;; -j REJECT
# ?if __IPV4
-# INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable
-# INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited
+# INLINE - - 1 ;; -j REJECT --reject-with icmp-host-unreachable
+# INLINE - - - ;; -j REJECT --reject-with icmp-host-prohibited
# ?else
-# INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable
-# INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited
+# INLINE - - 58 ;; -j REJECT --reject-with icmp6-addr-unreachable
+# INLINE - - - ;; -j REJECT --reject-with icmp6-adm-prohibited
# ?endif
# ?else
-# INLINE - - - ; -j REJECT
+# INLINE - - - ;; -j REJECT
# ?endif
#
REQUIRE_INTERFACE=No
@@ -1488,9 +1494,9 @@
# Added in Shorewall 4.5.9. When set to Yes (the default), provider marks are
# restored unconditionally at the top of the mangle OUTPUT and PREROUTING
# chains, even if the saved mark is zero. When this option is set to No, the
-# mark is restored even when it is zero. If you have problems with IPSEC ESP
-# packets not being routed correctly on output, try setting this option to No
-# .
+# mark is restored only if it is non-zero. If you have problems with IPSEC
+# ESP packets not being routed correctly on output, try setting this option
+# to No.
#
RETAIN_ALIASES=No
#
@@ -1752,6 +1758,20 @@
# Shorewall-generated scripts (such as created by the save command) built by
# Shorewall 4.4.7 or older.
#
+ZERO_MARKS=No
+#
+# ZERO_MARKS=[Yes|No]
+#
+# Added in Shorewall 5.0.12, this is a workaround for an issue where packet
+# marks are not zeroed by the kernel. It should be set to No (the default)
+# unless you find that incoming packets are being mis-routed for no apparent
+# reasons.
+#
+# Caution
+#
+# Do not set this option to Yes if you have IPSEC software running on the
+# firewall system.
+#
ZONE2ZONE=-
#
# ZONE2ZONE=[2|-]
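Review bot: The ZERO_MARKS description added in this hunk never says where in the packet path the marks are zeroed or why IPSEC is incompatible, so an administrator cannot judge how enabling it interacts with the other mark consumers documented in this same file (the "fwmark" classifier under CLEAR_TC and the provider-mark restore at the top of the mangle OUTPUT and PREROUTING chains). The Caution presumably exists because zeroing also discards a mark set by IPSEC before Shorewall's rules run; if that is the reason, state it, e.g. extend the last line to `# firewall system, as marks set by IPSEC would be zeroed as well.`. The sentence ending `# reasons.` should read `# reason.`. The same block is added in the two-interfaces and Universal shorewall.conf.annotated hunks, which need the same wording.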
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/Samples/three-interfaces/policy.annotated shorewall-5.0.12/Samples/three-interfaces/policy.annotated
--- shorewall-5.0.11/Samples/three-interfaces/policy.annotated 2016-08-06 07:58:30.316952205 -0700
+++ shorewall-5.0.12/Samples/three-interfaces/policy.annotated 2016-10-01 14:48:58.612990043 -0700
@@ -22,7 +22,7 @@
# This file determines what to do with a new connection request if we don't get a
# match from the /etc/shorewall/rules file . For each source/destination pair,
# the file is processed in order until a match is found ("all" will match any
-# client or server).
+# source or destination).
#
# Important
#
@@ -42,7 +42,7 @@
# different name in parentheses, the different name is used in the alternate
# specification syntax).
#
-# SOURCE - zone|$FW|all|all+
+# SOURCE - zone[,...[+]]|$FW|all|all+
#
# Source zone. Must be the name of a zone defined in shorewall-zones(5), $FW,
# "all" or "all+".
@@ -50,7 +50,12 @@
# Support for "all+" was added in Shorewall 4.5.17. "all" does not override
# the implicit intra-zone ACCEPT policy while "all+" does.
#
-# DEST - zone|$FW|all|all+
+# Beginning with Shorewall 5.0.12, multiple zones may be listed separated by
+# commas. As above, if '+' is specified after two or more zone names, then
+# the policy overrides the implicit intra-zone ACCEPT policy if the same zone
+# appears in both the SOURCE and DEST columns.
+#
+# DEST - zone[,...[+]]|$FW|all|all+
#
# Destination zone. Must be the name of a zone defined in shorewall-zones(5),
# $FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE must be
@@ -60,6 +65,11 @@
# Support for "all+" was added in Shorewall 4.5.17. "all" does not override
# the implicit intra-zone ACCEPT policy while "all+" does.
#
+# Beginning with Shorewall 5.0.12, multiple zones may be listed separated by
+# commas. As above, if '+' is specified after two or more zone names, then
+# the policy overrides the implicit intra-zone ACCEPT policy if the same zone
+# appears in both the SOURCE and DEST columns.
+#
# POLICY - {ACCEPT|DROP|REJECT|CONTINUE|QUEUE|NFQUEUE[(queuenumber1[:queuenumber2
# ])]|NONE}[:{default-action-or-macro[:level]|None}]
#
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/Samples/three-interfaces/rules.annotated shorewall-5.0.12/Samples/three-interfaces/rules.annotated
--- shorewall-5.0.11/Samples/three-interfaces/rules.annotated 2016-08-06 07:58:30.716949520 -0700
+++ shorewall-5.0.12/Samples/three-interfaces/rules.annotated 2016-10-01 14:48:58.973350043 -0700
@@ -960,6 +960,12 @@
#
# Defines the ending time of day.
#
+# contiguous
+#
+# Added in Shoreawll 5.0.12. When timestop is smaller than timestart
+# value, match this as a single time period instead of distinct
+# intervals.
+#
# utc
#
# Times are expressed in Greenwich Mean Time.
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/Samples/three-interfaces/shorewall.conf shorewall-5.0.12/Samples/three-interfaces/shorewall.conf
--- shorewall-5.0.11/Samples/three-interfaces/shorewall.conf 2016-08-04 11:03:36.000000000 -0700
+++ shorewall-5.0.12/Samples/three-interfaces/shorewall.conf 2016-10-01 13:49:35.000000000 -0700
@@ -256,6 +256,8 @@
WORKAROUNDS=No
+ZERO_MARKS=No
+
ZONE2ZONE=-
###############################################################################
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/Samples/three-interfaces/shorewall.conf.annotated shorewall-5.0.12/Samples/three-interfaces/shorewall.conf.annotated
--- shorewall-5.0.11/Samples/three-interfaces/shorewall.conf.annotated 2016-08-06 07:58:31.160946539 -0700
+++ shorewall-5.0.12/Samples/three-interfaces/shorewall.conf.annotated 2016-10-01 14:48:59.397774043 -0700
@@ -100,6 +100,9 @@
# and the dump command are piped through the named program when the output
# file is a terminal.
#
+# Beginning with Shorewall 5.0.12, the default value of this option is the
+# DEFAULT_PAGER setting in shorewallrc.
+#
###############################################################################
# L O G G I N G
###############################################################################
@@ -485,10 +488,10 @@
#
# SHOREWALL_SHELL=[pathname]
#
-# This option is used to specify the shell program to be used to run the
-# Shorewall compiler and to interpret the compiled script. If not specified
-# or specified as a null value, /bin/sh is assumed. Using a light-weight
-# shell such as ash or dash can significantly improve performance.
+# This option is used to specify the shell program to be used to interpret
+# the compiled script. If not specified or specified as a null value, /bin/sh
+# is assumed. Using a light-weight shell such as ash or dash can
+# significantly improve performance.
#
SUBSYSLOCK=
#
@@ -676,6 +679,9 @@
# continue to work and all new connections from the firewall system
# itself are allowed.
#
+# Note that the routestopped file is not supported in Shorewall 5.0 and
+# later versions.
+#
# stoppedrules
#
# All existing connections continue to work. To sever all existing
@@ -784,7 +790,7 @@
#
# ALL sends all packets through the blacklist chains.
#
-# Note: The ESTABLISHED state may not be specified if FASTACCEPT is
+# Note: The ESTABLISHED state may not be specified if FASTACCEPT=Yes is
# specified.
#
CHAIN_SCRIPTS=No
@@ -820,13 +826,13 @@
# CLEAR_TC=[Yes|No]
#
# If this option is set to No then Shorewall won't clear the current traffic
-# control rules during [re]start. This setting is intended for use by people
-# who prefer to configure traffic shaping when the network interfaces come up
-# rather than when the firewall is started. If that is what you want to do,
-# set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/
-# tcstart file. That way, your traffic shaping rules can still use the
-# “fwmark” classifier based on packet marking defined in shorewall-tcrules
-# (5). If not specified, CLEAR_TC=Yes is assumed.
+# control rules during [re]start or reload. This setting is intended for use
+# by people who prefer to configure traffic shaping when the network
+# interfaces come up rather than when the firewall is started. If that is
+# what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply
+# an /etc/shorewall/tcstart file. That way, your traffic shaping rules can
+# still use the “fwmark” classifier based on packet marking defined in
+# shorewall-tcrules(5). If not specified, CLEAR_TC=Yes is assumed.
#
COMPLETE=No
#
@@ -893,10 +899,10 @@
#
# DELETE_THEN_ADD={Yes|No}
#
-# If set to Yes (the default value), entries in the /etc/shorewall/
-# route_stopped files cause an 'ip rule del' command to be generated in
-# addition to an 'ip rule add' command. Setting this option to No, causes the
-# 'ip rule del' command to be omitted.
+# If set to Yes (the default value), entries in the /etc/shorewall/rtrules
+# files cause an 'ip rule del' command to be generated in addition to an 'ip
+# rule add' command. Setting this option to No, causes the 'ip rule del'
+# command to be omitted.
#
DETECT_DNAT_IPADDRS=No
#
@@ -966,7 +972,7 @@
# commands), the compiler will copy the modules or helpers file from the
# administrative system into the script. When set to No or not specified, the
# compiler will not copy the modules or helpers file from /usr/share/
-# shorewall but will copy the found in another location on the CONFIG_PATH.
+# shorewall but will copy those found in another location on the CONFIG_PATH.
#
# When compiling for direct use by Shorewall, causes the contents of the
# local module or helpers file to be copied into the compiled script. When
@@ -991,8 +997,8 @@
#
# FORWARD_CLEAR_MARK={Yes|No}
#
-# Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has cleared the
-# packet mark in the first rule in the mangle FORWARD chain. This behavior is
+# Added in Shorewall 4.4.11. Traditionally, Shorewall has cleared the packet
+# mark in the first rule in the mangle FORWARD chain. This behavior is
# maintained with the default setting of this option (FORWARD_CLEAR_MARK=
# Yes). If FORWARD_CLEAR_MARK is set to 'No', packet marks set in the mangle
# PREROUTING chain are retained in the FORWARD chains.
@@ -1429,18 +1435,18 @@
# #TARGET SOURCE DEST PROTO
# Broadcast(DROP) - - -
# DROP - - 2
-# INLINE - - 6 ; -j REJECT --reject-with tcp-reset
+# INLINE - - 6 ;; -j REJECT --reject-with tcp-reset
# ?if __ENHANCED_REJECT
-# INLINE - - 17 ; -j REJECT
+# INLINE - - 17 ;; -j REJECT
# ?if __IPV4
-# INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable
-# INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited
+# INLINE - - 1 ;; -j REJECT --reject-with icmp-host-unreachable
+# INLINE - - - ;; -j REJECT --reject-with icmp-host-prohibited
# ?else
-# INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable
-# INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited
+# INLINE - - 58 ;; -j REJECT --reject-with icmp6-addr-unreachable
+# INLINE - - - ;; -j REJECT --reject-with icmp6-adm-prohibited
# ?endif
# ?else
-# INLINE - - - ; -j REJECT
+# INLINE - - - ;; -j REJECT
# ?endif
#
REQUIRE_INTERFACE=No
@@ -1486,9 +1492,9 @@
# Added in Shorewall 4.5.9. When set to Yes (the default), provider marks are
# restored unconditionally at the top of the mangle OUTPUT and PREROUTING
# chains, even if the saved mark is zero. When this option is set to No, the
-# mark is restored even when it is zero. If you have problems with IPSEC ESP
-# packets not being routed correctly on output, try setting this option to No
-# .
+# mark is restored only if it is non-zero. If you have problems with IPSEC
+# ESP packets not being routed correctly on output, try setting this option
+# to No.
#
RETAIN_ALIASES=No
#
@@ -1750,6 +1756,20 @@
# Shorewall-generated scripts (such as created by the save command) built by
# Shorewall 4.4.7 or older.
#
+ZERO_MARKS=No
+#
+# ZERO_MARKS=[Yes|No]
+#
+# Added in Shorewall 5.0.12, this is a workaround for an issue where packet
+# marks are not zeroed by the kernel. It should be set to No (the default)
+# unless you find that incoming packets are being mis-routed for no apparent
+# reasons.
+#
+# Caution
+#
+# Do not set this option to Yes if you have IPSEC software running on the
+# firewall system.
+#
ZONE2ZONE=-
#
# ZONE2ZONE=[2|-]
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/Samples/two-interfaces/policy.annotated shorewall-5.0.12/Samples/two-interfaces/policy.annotated
--- shorewall-5.0.11/Samples/two-interfaces/policy.annotated 2016-08-06 07:58:32.868935074 -0700
+++ shorewall-5.0.12/Samples/two-interfaces/policy.annotated 2016-10-01 14:49:01.363738043 -0700
@@ -22,7 +22,7 @@
# This file determines what to do with a new connection request if we don't get a
# match from the /etc/shorewall/rules file . For each source/destination pair,
# the file is processed in order until a match is found ("all" will match any
-# client or server).
+# source or destination).
#
# Important
#
@@ -42,7 +42,7 @@
# different name in parentheses, the different name is used in the alternate
# specification syntax).
#
-# SOURCE - zone|$FW|all|all+
+# SOURCE - zone[,...[+]]|$FW|all|all+
#
# Source zone. Must be the name of a zone defined in shorewall-zones(5), $FW,
# "all" or "all+".
@@ -50,7 +50,12 @@
# Support for "all+" was added in Shorewall 4.5.17. "all" does not override
# the implicit intra-zone ACCEPT policy while "all+" does.
#
-# DEST - zone|$FW|all|all+
+# Beginning with Shorewall 5.0.12, multiple zones may be listed separated by
+# commas. As above, if '+' is specified after two or more zone names, then
+# the policy overrides the implicit intra-zone ACCEPT policy if the same zone
+# appears in both the SOURCE and DEST columns.
+#
+# DEST - zone[,...[+]]|$FW|all|all+
#
# Destination zone. Must be the name of a zone defined in shorewall-zones(5),
# $FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE must be
@@ -60,6 +65,11 @@
# Support for "all+" was added in Shorewall 4.5.17. "all" does not override
# the implicit intra-zone ACCEPT policy while "all+" does.
#
+# Beginning with Shorewall 5.0.12, multiple zones may be listed separated by
+# commas. As above, if '+' is specified after two or more zone names, then
+# the policy overrides the implicit intra-zone ACCEPT policy if the same zone
+# appears in both the SOURCE and DEST columns.
+#
# POLICY - {ACCEPT|DROP|REJECT|CONTINUE|QUEUE|NFQUEUE[(queuenumber1[:queuenumber2
# ])]|NONE}[:{default-action-or-macro[:level]|None}]
#
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/Samples/two-interfaces/rules.annotated shorewall-5.0.12/Samples/two-interfaces/rules.annotated
--- shorewall-5.0.11/Samples/two-interfaces/rules.annotated 2016-08-06 07:58:33.264932417 -0700
+++ shorewall-5.0.12/Samples/two-interfaces/rules.annotated 2016-10-01 14:49:01.748122042 -0700
@@ -960,6 +960,12 @@
#
# Defines the ending time of day.
#
+# contiguous
+#
+# Added in Shoreawll 5.0.12. When timestop is smaller than timestart
+# value, match this as a single time period instead of distinct
+# intervals.
+#
# utc
#
# Times are expressed in Greenwich Mean Time.
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/Samples/two-interfaces/shorewall.conf shorewall-5.0.12/Samples/two-interfaces/shorewall.conf
--- shorewall-5.0.11/Samples/two-interfaces/shorewall.conf 2016-08-04 11:03:36.000000000 -0700
+++ shorewall-5.0.12/Samples/two-interfaces/shorewall.conf 2016-10-01 13:49:35.000000000 -0700
@@ -259,6 +259,8 @@
WORKAROUNDS=No
+ZERO_MARKS=No
+
ZONE2ZONE=-
###############################################################################
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/Samples/two-interfaces/shorewall.conf.annotated shorewall-5.0.12/Samples/two-interfaces/shorewall.conf.annotated
--- shorewall-5.0.11/Samples/two-interfaces/shorewall.conf.annotated 2016-08-06 07:58:33.700929489 -0700
+++ shorewall-5.0.12/Samples/two-interfaces/shorewall.conf.annotated 2016-10-01 14:49:02.172546043 -0700
@@ -102,6 +102,9 @@
# and the dump command are piped through the named program when the output
# file is a terminal.
#
+# Beginning with Shorewall 5.0.12, the default value of this option is the
+# DEFAULT_PAGER setting in shorewallrc.
+#
###############################################################################
# L O G G I N G
###############################################################################
@@ -487,10 +490,10 @@
#
# SHOREWALL_SHELL=[pathname]
#
-# This option is used to specify the shell program to be used to run the
-# Shorewall compiler and to interpret the compiled script. If not specified
-# or specified as a null value, /bin/sh is assumed. Using a light-weight
-# shell such as ash or dash can significantly improve performance.
+# This option is used to specify the shell program to be used to interpret
+# the compiled script. If not specified or specified as a null value, /bin/sh
+# is assumed. Using a light-weight shell such as ash or dash can
+# significantly improve performance.
#
SUBSYSLOCK=
#
@@ -678,6 +681,9 @@
# continue to work and all new connections from the firewall system
# itself are allowed.
#
+# Note that the routestopped file is not supported in Shorewall 5.0 and
+# later versions.
+#
# stoppedrules
#
# All existing connections continue to work. To sever all existing
@@ -786,7 +792,7 @@
#
# ALL sends all packets through the blacklist chains.
#
-# Note: The ESTABLISHED state may not be specified if FASTACCEPT is
+# Note: The ESTABLISHED state may not be specified if FASTACCEPT=Yes is
# specified.
#
CHAIN_SCRIPTS=No
@@ -822,13 +828,13 @@
# CLEAR_TC=[Yes|No]
#
# If this option is set to No then Shorewall won't clear the current traffic
-# control rules during [re]start. This setting is intended for use by people
-# who prefer to configure traffic shaping when the network interfaces come up
-# rather than when the firewall is started. If that is what you want to do,
-# set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/
-# tcstart file. That way, your traffic shaping rules can still use the
-# “fwmark” classifier based on packet marking defined in shorewall-tcrules
-# (5). If not specified, CLEAR_TC=Yes is assumed.
+# control rules during [re]start or reload. This setting is intended for use
+# by people who prefer to configure traffic shaping when the network
+# interfaces come up rather than when the firewall is started. If that is
+# what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply
+# an /etc/shorewall/tcstart file. That way, your traffic shaping rules can
+# still use the “fwmark” classifier based on packet marking defined in
+# shorewall-tcrules(5). If not specified, CLEAR_TC=Yes is assumed.
#
COMPLETE=No
#
@@ -895,10 +901,10 @@
#
# DELETE_THEN_ADD={Yes|No}
#
-# If set to Yes (the default value), entries in the /etc/shorewall/
-# route_stopped files cause an 'ip rule del' command to be generated in
-# addition to an 'ip rule add' command. Setting this option to No, causes the
-# 'ip rule del' command to be omitted.
+# If set to Yes (the default value), entries in the /etc/shorewall/rtrules
+# files cause an 'ip rule del' command to be generated in addition to an 'ip
+# rule add' command. Setting this option to No, causes the 'ip rule del'
+# command to be omitted.
#
DETECT_DNAT_IPADDRS=No
#
@@ -968,7 +974,7 @@
# commands), the compiler will copy the modules or helpers file from the
# administrative system into the script. When set to No or not specified, the
# compiler will not copy the modules or helpers file from /usr/share/
-# shorewall but will copy the found in another location on the CONFIG_PATH.
+# shorewall but will copy those found in another location on the CONFIG_PATH.
#
# When compiling for direct use by Shorewall, causes the contents of the
# local module or helpers file to be copied into the compiled script. When
@@ -993,8 +999,8 @@
#
# FORWARD_CLEAR_MARK={Yes|No}
#
-# Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has cleared the
-# packet mark in the first rule in the mangle FORWARD chain. This behavior is
+# Added in Shorewall 4.4.11. Traditionally, Shorewall has cleared the packet
+# mark in the first rule in the mangle FORWARD chain. This behavior is
# maintained with the default setting of this option (FORWARD_CLEAR_MARK=
# Yes). If FORWARD_CLEAR_MARK is set to 'No', packet marks set in the mangle
# PREROUTING chain are retained in the FORWARD chains.
@@ -1431,18 +1437,18 @@
# #TARGET SOURCE DEST PROTO
# Broadcast(DROP) - - -
# DROP - - 2
-# INLINE - - 6 ; -j REJECT --reject-with tcp-reset
+# INLINE - - 6 ;; -j REJECT --reject-with tcp-reset
# ?if __ENHANCED_REJECT
-# INLINE - - 17 ; -j REJECT
+# INLINE - - 17 ;; -j REJECT
# ?if __IPV4
-# INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable
-# INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited
+# INLINE - - 1 ;; -j REJECT --reject-with icmp-host-unreachable
+# INLINE - - - ;; -j REJECT --reject-with icmp-host-prohibited
# ?else
-# INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable
-# INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited
+# INLINE - - 58 ;; -j REJECT --reject-with icmp6-addr-unreachable
+# INLINE - - - ;; -j REJECT --reject-with icmp6-adm-prohibited
# ?endif
# ?else
-# INLINE - - - ; -j REJECT
+# INLINE - - - ;; -j REJECT
# ?endif
#
REQUIRE_INTERFACE=No
@@ -1488,9 +1494,9 @@
# Added in Shorewall 4.5.9. When set to Yes (the default), provider marks are
# restored unconditionally at the top of the mangle OUTPUT and PREROUTING
# chains, even if the saved mark is zero. When this option is set to No, the
-# mark is restored even when it is zero. If you have problems with IPSEC ESP
-# packets not being routed correctly on output, try setting this option to No
-# .
+# mark is restored only if it is non-zero. If you have problems with IPSEC
+# ESP packets not being routed correctly on output, try setting this option
+# to No.
#
RETAIN_ALIASES=No
#
@@ -1752,6 +1758,20 @@
# Shorewall-generated scripts (such as created by the save command) built by
# Shorewall 4.4.7 or older.
#
+ZERO_MARKS=No
+#
+# ZERO_MARKS=[Yes|No]
+#
+# Added in Shorewall 5.0.12, this is a workaround for an issue where packet
+# marks are not zeroed by the kernel. It should be set to No (the default)
+# unless you find that incoming packets are being mis-routed for no apparent
+# reasons.
+#
+# Caution
+#
+# Do not set this option to Yes if you have IPSEC software running on the
+# firewall system.
+#
ZONE2ZONE=-
#
# ZONE2ZONE=[2|-]
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/Samples/Universal/policy.annotated shorewall-5.0.12/Samples/Universal/policy.annotated
--- shorewall-5.0.11/Samples/Universal/policy.annotated 2016-08-06 07:58:34.960921031 -0700
+++ shorewall-5.0.12/Samples/Universal/policy.annotated 2016-10-01 14:49:03.397770043 -0700
@@ -18,7 +18,7 @@
# This file determines what to do with a new connection request if we don't get a
# match from the /etc/shorewall/rules file . For each source/destination pair,
# the file is processed in order until a match is found ("all" will match any
-# client or server).
+# source or destination).
#
# Important
#
@@ -38,7 +38,7 @@
# different name in parentheses, the different name is used in the alternate
# specification syntax).
#
-# SOURCE - zone|$FW|all|all+
+# SOURCE - zone[,...[+]]|$FW|all|all+
#
# Source zone. Must be the name of a zone defined in shorewall-zones(5), $FW,
# "all" or "all+".
@@ -46,7 +46,12 @@
# Support for "all+" was added in Shorewall 4.5.17. "all" does not override
# the implicit intra-zone ACCEPT policy while "all+" does.
#
-# DEST - zone|$FW|all|all+
+# Beginning with Shorewall 5.0.12, multiple zones may be listed separated by
+# commas. As above, if '+' is specified after two or more zone names, then
+# the policy overrides the implicit intra-zone ACCEPT policy if the same zone
+# appears in both the SOURCE and DEST columns.
+#
+# DEST - zone[,...[+]]|$FW|all|all+
#
# Destination zone. Must be the name of a zone defined in shorewall-zones(5),
# $FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE must be
@@ -56,6 +61,11 @@
# Support for "all+" was added in Shorewall 4.5.17. "all" does not override
# the implicit intra-zone ACCEPT policy while "all+" does.
#
+# Beginning with Shorewall 5.0.12, multiple zones may be listed separated by
+# commas. As above, if '+' is specified after two or more zone names, then
+# the policy overrides the implicit intra-zone ACCEPT policy if the same zone
+# appears in both the SOURCE and DEST columns.
+#
# POLICY - {ACCEPT|DROP|REJECT|CONTINUE|QUEUE|NFQUEUE[(queuenumber1[:queuenumber2
# ])]|NONE}[:{default-action-or-macro[:level]|None}]
#
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/Samples/Universal/rules.annotated shorewall-5.0.12/Samples/Universal/rules.annotated
--- shorewall-5.0.11/Samples/Universal/rules.annotated 2016-08-06 07:58:35.372918266 -0700
+++ shorewall-5.0.12/Samples/Universal/rules.annotated 2016-10-01 14:49:03.794166043 -0700
@@ -956,6 +956,12 @@
#
# Defines the ending time of day.
#
+# contiguous
+#
+# Added in Shoreawll 5.0.12. When timestop is smaller than timestart
+# value, match this as a single time period instead of distinct
+# intervals.
+#
# utc
#
# Times are expressed in Greenwich Mean Time.
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/Samples/Universal/shorewall.conf shorewall-5.0.12/Samples/Universal/shorewall.conf
--- shorewall-5.0.11/Samples/Universal/shorewall.conf 2016-08-04 11:03:36.000000000 -0700
+++ shorewall-5.0.12/Samples/Universal/shorewall.conf 2016-10-01 13:49:35.000000000 -0700
@@ -248,6 +248,8 @@
WORKAROUNDS=No
+ZERO_MARKS=No
+
ZONE2ZONE=-
###############################################################################
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/Samples/Universal/shorewall.conf.annotated shorewall-5.0.12/Samples/Universal/shorewall.conf.annotated
--- shorewall-5.0.11/Samples/Universal/shorewall.conf.annotated 2016-08-06 07:58:35.808915339 -0700
+++ shorewall-5.0.12/Samples/Universal/shorewall.conf.annotated 2016-10-01 14:49:04.238610043 -0700
@@ -91,6 +91,9 @@
# and the dump command are piped through the named program when the output
# file is a terminal.
#
+# Beginning with Shorewall 5.0.12, the default value of this option is the
+# DEFAULT_PAGER setting in shorewallrc.
+#
###############################################################################
# L O G G I N G
###############################################################################
@@ -476,10 +479,10 @@
#
# SHOREWALL_SHELL=[pathname]
#
-# This option is used to specify the shell program to be used to run the
-# Shorewall compiler and to interpret the compiled script. If not specified
-# or specified as a null value, /bin/sh is assumed. Using a light-weight
-# shell such as ash or dash can significantly improve performance.
+# This option is used to specify the shell program to be used to interpret
+# the compiled script. If not specified or specified as a null value, /bin/sh
+# is assumed. Using a light-weight shell such as ash or dash can
+# significantly improve performance.
#
SUBSYSLOCK=
#
@@ -667,6 +670,9 @@
# continue to work and all new connections from the firewall system
# itself are allowed.
#
+# Note that the routestopped file is not supported in Shorewall 5.0 and
+# later versions.
+#
# stoppedrules
#
# All existing connections continue to work. To sever all existing
@@ -775,7 +781,7 @@
#
# ALL sends all packets through the blacklist chains.
#
-# Note: The ESTABLISHED state may not be specified if FASTACCEPT is
+# Note: The ESTABLISHED state may not be specified if FASTACCEPT=Yes is
# specified.
#
CHAIN_SCRIPTS=No
@@ -811,13 +817,13 @@
# CLEAR_TC=[Yes|No]
#
# If this option is set to No then Shorewall won't clear the current traffic
-# control rules during [re]start. This setting is intended for use by people
-# who prefer to configure traffic shaping when the network interfaces come up
-# rather than when the firewall is started. If that is what you want to do,
-# set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/
-# tcstart file. That way, your traffic shaping rules can still use the
-# “fwmark” classifier based on packet marking defined in shorewall-tcrules
-# (5). If not specified, CLEAR_TC=Yes is assumed.
+# control rules during [re]start or reload. This setting is intended for use
+# by people who prefer to configure traffic shaping when the network
+# interfaces come up rather than when the firewall is started. If that is
+# what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply
+# an /etc/shorewall/tcstart file. That way, your traffic shaping rules can
+# still use the “fwmark” classifier based on packet marking defined in
+# shorewall-tcrules(5). If not specified, CLEAR_TC=Yes is assumed.
#
COMPLETE=Yes
#
@@ -884,10 +890,10 @@
#
# DELETE_THEN_ADD={Yes|No}
#
-# If set to Yes (the default value), entries in the /etc/shorewall/
-# route_stopped files cause an 'ip rule del' command to be generated in
-# addition to an 'ip rule add' command. Setting this option to No, causes the
-# 'ip rule del' command to be omitted.
+# If set to Yes (the default value), entries in the /etc/shorewall/rtrules
+# files cause an 'ip rule del' command to be generated in addition to an 'ip
+# rule add' command. Setting this option to No, causes the 'ip rule del'
+# command to be omitted.
#
DETECT_DNAT_IPADDRS=No
#
@@ -957,7 +963,7 @@
# commands), the compiler will copy the modules or helpers file from the
# administrative system into the script. When set to No or not specified, the
# compiler will not copy the modules or helpers file from /usr/share/
-# shorewall but will copy the found in another location on the CONFIG_PATH.
+# shorewall but will copy those found in another location on the CONFIG_PATH.
#
# When compiling for direct use by Shorewall, causes the contents of the
# local module or helpers file to be copied into the compiled script. When
@@ -982,8 +988,8 @@
#
# FORWARD_CLEAR_MARK={Yes|No}
#
-# Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has cleared the
-# packet mark in the first rule in the mangle FORWARD chain. This behavior is
+# Added in Shorewall 4.4.11. Traditionally, Shorewall has cleared the packet
+# mark in the first rule in the mangle FORWARD chain. This behavior is
# maintained with the default setting of this option (FORWARD_CLEAR_MARK=
# Yes). If FORWARD_CLEAR_MARK is set to 'No', packet marks set in the mangle
# PREROUTING chain are retained in the FORWARD chains.
@@ -1420,18 +1426,18 @@
# #TARGET SOURCE DEST PROTO
# Broadcast(DROP) - - -
# DROP - - 2
-# INLINE - - 6 ; -j REJECT --reject-with tcp-reset
+# INLINE - - 6 ;; -j REJECT --reject-with tcp-reset
# ?if __ENHANCED_REJECT
-# INLINE - - 17 ; -j REJECT
+# INLINE - - 17 ;; -j REJECT
# ?if __IPV4
-# INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable
-# INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited
+# INLINE - - 1 ;; -j REJECT --reject-with icmp-host-unreachable
+# INLINE - - - ;; -j REJECT --reject-with icmp-host-prohibited
# ?else
-# INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable
-# INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited
+# INLINE - - 58 ;; -j REJECT --reject-with icmp6-addr-unreachable
+# INLINE - - - ;; -j REJECT --reject-with icmp6-adm-prohibited
# ?endif
# ?else
-# INLINE - - - ; -j REJECT
+# INLINE - - - ;; -j REJECT
# ?endif
#
REQUIRE_INTERFACE=Yes
@@ -1477,9 +1483,9 @@
# Added in Shorewall 4.5.9. When set to Yes (the default), provider marks are
# restored unconditionally at the top of the mangle OUTPUT and PREROUTING
# chains, even if the saved mark is zero. When this option is set to No, the
-# mark is restored even when it is zero. If you have problems with IPSEC ESP
-# packets not being routed correctly on output, try setting this option to No
-# .
+# mark is restored only if it is non-zero. If you have problems with IPSEC
+# ESP packets not being routed correctly on output, try setting this option
+# to No.
#
RETAIN_ALIASES=No
#
@@ -1741,6 +1747,20 @@
# Shorewall-generated scripts (such as created by the save command) built by
# Shorewall 4.4.7 or older.
#
+ZERO_MARKS=No
+#
+# ZERO_MARKS=[Yes|No]
+#
+# Added in Shorewall 5.0.12, this is a workaround for an issue where packet
+# marks are not zeroed by the kernel. It should be set to No (the default)
+# unless you find that incoming packets are being mis-routed for no apparent
+# reasons.
+#
+# Caution
+#
+# Do not set this option to Yes if you have IPSEC software running on the
+# firewall system.
+#
ZONE2ZONE=-
#
# ZONE2ZONE=[2|-]
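Review bot: The new ZERO_MARKS description says when to enable the option but not what it does — whose marks are zeroed and where in the mangle table the clearing rule is inserted — so an administrator cannot judge whether it interferes with their own mark rules or with the IPSEC mark usage the Caution alludes to. Suggest a sentence after "not zeroed by the kernel" along the lines of `# When set to Yes, Shorewall explicitly clears the packet mark at the start of the <mangle chains affected> chains.`, with the chain names filled in from the implementation. On the fourth added line, "for no apparent reasons" should read "for no apparent reason".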
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/shorewallrc.apple shorewall-5.0.12/shorewallrc.apple
--- shorewall-5.0.11/shorewallrc.apple 2016-08-06 07:57:47.021242844 -0700
+++ shorewall-5.0.12/shorewallrc.apple 2016-10-01 14:48:18.456874042 -0700
@@ -19,3 +19,4 @@
SYSCONFDIR= #Unused on OS X
SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
VARLIB=/var/lib #Unused on OS X
+DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
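Review bot: The comment on the added DEFAULT_PAGER line documents the fallback order only partially: it says the value is used when shorewall[6].conf specifies none, but not what happens when this value is empty as well, which is exactly what this file and the archlinux, cygwin, default, openwrt, redhat, slackware and suse hunks configure. Suggest `#Pager to use if none specified in shorewall[6].conf; if empty, <fallback behaviour>` with the fallback filled in from the CLI code. Since the pager is presumably launched by the privileged shorewall command, the comment should also state whether the value must be a bare executable path or may carry arguments, as that decides how the string is parsed and what an editor of this file is permitted to put here. The debian.systemd and debian.sysvinit hunks set /usr/bin/less while the others leave it empty; the same comment wording applies to all of them.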
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/shorewallrc.archlinux shorewall-5.0.12/shorewallrc.archlinux
--- shorewall-5.0.11/shorewallrc.archlinux 2016-08-06 07:57:47.021242844 -0700
+++ shorewall-5.0.12/shorewallrc.archlinux 2016-10-01 14:48:18.456874042 -0700
@@ -20,3 +20,4 @@
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
+DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/shorewallrc.cygwin shorewall-5.0.12/shorewallrc.cygwin
--- shorewall-5.0.11/shorewallrc.cygwin 2016-08-06 07:57:47.021242844 -0700
+++ shorewall-5.0.12/shorewallrc.cygwin 2016-10-01 14:48:18.456874042 -0700
@@ -19,3 +19,4 @@
SYSCONFDIR= #Unused on Cygwin
SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
VARLIB=/var/lib #Unused on Cygwin
+DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/shorewallrc.debian.systemd shorewall-5.0.12/shorewallrc.debian.systemd
--- shorewall-5.0.11/shorewallrc.debian.systemd 2016-08-06 07:57:47.021242844 -0700
+++ shorewall-5.0.12/shorewallrc.debian.systemd 2016-10-01 14:48:18.456874042 -0700
@@ -21,3 +21,4 @@
SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
+DEFAULT_PAGER=/usr/bin/less #Pager to use if none specified in shorewall[6].conf
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/shorewallrc.debian.sysvinit shorewall-5.0.12/shorewallrc.debian.sysvinit
--- shorewall-5.0.11/shorewallrc.debian.sysvinit 2016-08-06 07:57:47.021242844 -0700
+++ shorewall-5.0.12/shorewallrc.debian.sysvinit 2016-10-01 14:48:18.456874042 -0700
@@ -21,3 +21,4 @@
SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
+DEFAULT_PAGER=/usr/bin/less #Pager to use if none specified in shorewall[6].conf
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/shorewallrc.default shorewall-5.0.12/shorewallrc.default
--- shorewall-5.0.11/shorewallrc.default 2016-08-06 07:57:47.021242844 -0700
+++ shorewall-5.0.12/shorewallrc.default 2016-10-01 14:48:18.456874042 -0700
@@ -21,3 +21,4 @@
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
+DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/shorewallrc.openwrt shorewall-5.0.12/shorewallrc.openwrt
--- shorewall-5.0.11/shorewallrc.openwrt 2016-08-06 07:57:47.021242844 -0700
+++ shorewall-5.0.12/shorewallrc.openwrt 2016-10-01 14:48:18.456874042 -0700
@@ -21,3 +21,4 @@
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
+DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/shorewallrc.redhat shorewall-5.0.12/shorewallrc.redhat
--- shorewall-5.0.11/shorewallrc.redhat 2016-08-06 07:57:47.021242844 -0700
+++ shorewall-5.0.12/shorewallrc.redhat 2016-10-01 14:48:18.456874042 -0700
@@ -21,3 +21,4 @@
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
+DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/shorewallrc.slackware shorewall-5.0.12/shorewallrc.slackware
--- shorewall-5.0.11/shorewallrc.slackware 2016-08-06 07:57:47.021242844 -0700
+++ shorewall-5.0.12/shorewallrc.slackware 2016-10-01 14:48:18.456874042 -0700
@@ -22,3 +22,4 @@
ANNOTATED= #If non-empty, install annotated configuration files
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
+DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/shorewallrc.suse shorewall-5.0.12/shorewallrc.suse
--- shorewall-5.0.11/shorewallrc.suse 2016-08-06 07:57:47.021242844 -0700
+++ shorewall-5.0.12/shorewallrc.suse 2016-10-01 14:48:18.456874042 -0700
@@ -21,3 +21,4 @@
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where persistent product data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
+DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/shorewall.spec shorewall-5.0.12/shorewall.spec
--- shorewall-5.0.11/shorewall.spec 2016-08-06 07:57:47.021242844 -0700
+++ shorewall-5.0.12/shorewall.spec 2016-10-01 14:48:18.456874042 -0700
@@ -1,5 +1,5 @@
%define name shorewall
-%define version 5.0.11
+%define version 5.0.12
%define release 0base
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -149,6 +149,18 @@
%doc COPYING INSTALL changelog.txt releasenotes.txt Samples
%changelog
+* Sat Oct 01 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.12-0base
+* Sat Oct 01 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.12-0RC3
+* Tue Sep 27 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.12-0RC2
+* Tue Sep 20 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.12-0RC1
+* Tue Sep 13 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.12-0Beta2
+* Sat Aug 13 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.12-0Beta1
* Sat Aug 06 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.11-0base
* Sat Jul 30 2016 Tom Eastep tom@shorewall.net
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.11/uninstall.sh shorewall-5.0.12/uninstall.sh
--- shorewall-5.0.11/uninstall.sh 2016-08-06 07:57:46.997243004 -0700
+++ shorewall-5.0.12/uninstall.sh 2016-10-01 14:48:18.408826043 -0700
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=5.0.11
+VERSION=5.0.12
PRODUCT=shorewall
usage() # $1 = exit status