diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/changelog.txt shorewall-5.0.13/changelog.txt
--- shorewall-5.0.12/changelog.txt 2016-10-01 14:48:18.456874042 -0700
+++ shorewall-5.0.13/changelog.txt 2016-10-17 09:39:17.301929984 -0700
@@ -1,3 +1,58 @@
+Changes in 5.0.13 Final
+
+1) Update release documents.
+
+2) Reverse ECN fix.
+
+3) Restrict hypen in port ranges to numberic ports.
+
+4) Correct typo in process_mangle_inline().
+
+Changes in 5.0.13 RC 2
+
+1) Update release documents.
+
+2) Accept '-' as a port-range separator.
+
+3) Correct shorewall6-masq examples.
+
+4) Add -exists to ADD command with timeout
+
+5) ECN fix.
+
+Changes in 5.0.13 RC 1
+
+1) Update release documents.
+
+2) Merge fix from 5.0.12.
+
+3) Make the output of 'blacklist' dependent on the verbosity and clean
+ up that output.
+
+4) Detect bad characters in interface names.
+
+Changes in 5.0.13 Beta 2
+
+1) Update release documents.
+
+2) Add 'timeout' DYNAMIC_BLACKLISTING option
+
+3) Add FIREWALL option in shorewall[6].conf.
+
+4) Remove restrictions on IPv6 'balance' and 'fallback'.
+
+Changes in 5.0.13 Beta 1
+
+1) Update release documents.
+
+2) Roberto's typo fix in the mangle manpages.
+
+3) Reorder the entries in the .conf files in ASCII collating sequence.
+
+4) Correct DYNAMIC_BLACKLIST documentation.
+
+4) Add 'disconnect' option to the DYNAMIC_BLACKLIST setting.
+
 Changes in 5.0.12 Final
 
 1) Update release documents.
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/configfiles/mangle.annotated shorewall-5.0.13/configfiles/mangle.annotated
--- shorewall-5.0.12/configfiles/mangle.annotated 2016-10-01 14:48:49.263650043 -0700
+++ shorewall-5.0.13/configfiles/mangle.annotated 2016-10-17 09:39:49.077929984 -0700
@@ -78,7 +78,7 @@
 #
 # Added in Shorewall 5.0.7. action must be an action declared with the
 # mangle option in shorewall-actions(5). If the action accepts
-# paramaters, they are specified as a comma-separated list within
+# parameters, they are specified as a comma-separated list within
 # parentheses following the action name.
 #
 # ADD(ipset:flags)
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/configfiles/rules.annotated shorewall-5.0.13/configfiles/rules.annotated
--- shorewall-5.0.12/configfiles/rules.annotated 2016-10-01 14:48:52.478862043 -0700
+++ shorewall-5.0.13/configfiles/rules.annotated 2016-10-17 09:39:52.173929984 -0700
@@ -373,10 +373,10 @@
 # userspace program on queues x, x+1, .. x+n and use "x:x+n". Packets
 # belonging to the same connection are put into the same nfqueue.
 #
-# NFQUEUE[([queuenumber1[,queuenumber2][,bypass]]|bypass)]
+# NFQUEUE![([queuenumber1[,queuenumber2][,bypass]]|bypass)]
 #
 # like NFQUEUE but exempts the rule from being suppressed by OPTIMIZE=1
-# in shorewall6.conf(5).
+# in shorewall.conf(5).
 #
 # NONAT
 #
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/configfiles/shorewall.conf shorewall-5.0.13/configfiles/shorewall.conf
--- shorewall-5.0.12/configfiles/shorewall.conf 2016-10-01 13:49:35.000000000 -0700
+++ shorewall-5.0.13/configfiles/shorewall.conf 2016-10-17 09:29:32.000000000 -0700
@@ -24,6 +24,12 @@
 PAGER=
 ###############################################################################
+# F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
+###############################################################################
 # L O G G I N G
 ###############################################################################
@@ -128,16 +134,14 @@
 ADMINISABSENTMINDED=Yes
-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
 AUTOMAKE=No
+BASIC_FILTERS=No
+
 BLACKLIST="NEW,INVALID,UNTRACKED"
 CHAIN_SCRIPTS=Yes
@@ -172,6 +176,8 @@
 HELPERS=
+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=No
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/configfiles/shorewall.conf.annotated shorewall-5.0.13/configfiles/shorewall.conf.annotated
--- shorewall-5.0.12/configfiles/shorewall.conf.annotated 2016-10-01 14:48:53.407790043 -0700
+++ shorewall-5.0.13/configfiles/shorewall.conf.annotated 2016-10-17 09:39:52.865929984 -0700
@@ -95,6 +95,19 @@
 # DEFAULT_PAGER setting in shorewallrc.
 #
 ###############################################################################
+# F I R E W A L L
+###############################################################################
+FIREWALL=
+#
+# FIREWALL=[dnsname-or-ip-address]
+#
+# This option was added in Shorewall 5.0.13 and may be used on an
+# administrative system in directories containing the configurations of
+# remote firewalls. The contents of the variable are the default value for
+# the system parameter to the remote-start, remote-reload and remote-restart
+# commands.
+#
+###############################################################################
 # L O G G I N G
 ###############################################################################
 BLACKLIST_LOG_LEVEL=
@@ -692,32 +705,6 @@
 # If this variable is not set or is given the empty value then
 # ADMINISABSENTMINDED=No is assumed.
 #
-BASIC_FILTERS=No
-#
-# BASIC_FILTERS=[Yes|No]
-#
-# Added in Shorewall-4.6.0. When set to Yes, causes entries in
-# shorewall-tcfilters(5) to generate a basic filter rather than a u32 filter.
-# This setting requires the Basic Ematch capability in your kernel and
-# iptables.
-#
-# Note
-#
-# One of the advantages of basic filters is that ipset matches are supported
-# in newer iproute2 and kernel versions. Because Shorewall cannot reliably
-# detect this capability, use of basic filters is controlled by this option.
-#
-# The default value is No which causes u32 filters to be generated.
-#
-IGNOREUNKNOWNVARIABLES=No
-#
-# IGNOREUNKNOWNVARIABLES=[Yes|No]
-#
-# Added in Shorewall 4.5.11. Normally, if an unknown shell variable is
-# encountered in a configuration file (except in ?IF and ?ELSIF directives),
-# the compiler raises a fatal error. If IGNOREUNKNOWNVARIABLES is set to Yes,
-# then such variables simply expand to an empty string. Default is No.
-#
 AUTOCOMMENT=Yes
 #
 # AUTOCOMMENT=[Yes|No]
@@ -768,6 +755,23 @@
 # restart command includes a directory name (e.g., shorewall restart /etc/
 # shorewall.new).
 #
+BASIC_FILTERS=No
+#
+# BASIC_FILTERS=[Yes|No]
+#
+# Added in Shorewall-4.6.0. When set to Yes, causes entries in
+# shorewall-tcfilters(5) to generate a basic filter rather than a u32 filter.
+# This setting requires the Basic Ematch capability in your kernel and
+# iptables.
+#
+# Note
+#
+# One of the advantages of basic filters is that ipset matches are supported
+# in newer iproute2 and kernel versions. Because Shorewall cannot reliably
+# detect this capability, use of basic filters is controlled by this option.
+#
+# The default value is No which causes u32 filters to be generated.
+#
 BLACKLIST="NEW,INVALID,UNTRACKED"
 #
 # BLACKLIST=[{ALL|state[,...]}]
@@ -913,21 +917,51 @@
 #
 DYNAMIC_BLACKLIST=Yes
 #
-# DYNAMIC_BLACKLIST={Yes|No||ipset[-only][,src-dst][:[setname][:log_level|:l
+# DYNAMIC_BLACKLIST={Yes|No||ipset[-only][,option[,...]][:[setname][:log_level|:l
 # og_tag]]]}
 #
 # Added in Shorewall 4.4.7. When set to No or no, chain-based dynamic
-# blacklisting using the shorewall6 drop, shorewall6 reject, shorewall6
-# logdrop and shorewall6 logreject is disabled. Default is Yes. Beginning
-# with Shorewall 5.0.8, ipset-based dynamic blacklisting is also supported.
-# The name of the set (setname) and the level (log_level), if any, at which
-# blacklisted traffic is to be logged may also be specified. The default set
-# name is SW_DBL4 and the default log level is none (no logging). if
-# ipset-only is given, then chain-based dynamic blacklisting is disabled just
-# as if DYNAMIC_BLACKLISTING=No had been specified. Normally, only packets
-# whose source address matches an entry in the ipsec are dropped. If src-dst
-# is included, then packets whose destination address matches an entry in the
-# ipset are also dropped.
+# blacklisting using shorewall drop, shorewall reject, shorewall logdrop and
+# shorewall logreject is disabled. Default is Yes. Beginning with Shorewall
+# 5.0.8, ipset-based dynamic blacklisting using the shorewall blacklist
+# command is also supported. The name of the set (setname) and the level (
+# log_level), if any, at which blacklisted traffic is to be logged may also
+# be specified. The default set name is SW_DBL4 and the default log level is
+# none (no logging). If ipset-only is given, then chain-based dynamic
+# blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been
+# specified.
+#
+# Possible options are:
+#
+# src-dst
+#
+# Normally, only packets whose source address matches an entry in the
+# ipset are dropped. If src-dst is included, then packets whose
+# destination address matches an entry in the ipset are also dropped.
+#
+# disconnect
+#
+# The disconnect option was added in Shorewall 5.0.13 and requires that
+# the conntrack utility be installed on the firewall system. When an
+# address is blacklisted using the blacklist command, all connections
+# originating from that address are disconnected. if the src-dst option
+# was also specified, then all connections to that address are also
+# disconnected.
+#
+# timeout=seconds
+#
+# Added in Shorewall 5.0.13. Normally, Shorewall creates the dynamic
+# blacklisting ipset with timeout 0 which means that entries are
+# permanent. If you want entries in the set that are not accessed for a
+# period of time to be deleted from the set, you may specify that period
+# using this option. Note that the blacklist command can override the
+# ipset's timeout setting.
+#
+# Important
+#
+# Once the dynamic blacklisting ipset has been created, changing this
+# option setting requires a complete restart of the firewall; shorewall
+# restart if RESTART=restart, otherwise shorewall stop && shorewall start
 #
 # When ipset-based dynamic blacklisting is enabled, the contents of the
 # blacklist will be preserved over stop/reboot/start sequences if SAVE_IPSETS
@@ -1033,6 +1067,15 @@
 # When HELPERS is specified on a system running Kernel 3.5.0 or later,
 # automatic association of helpers to connections is disabled.
 #
+IGNOREUNKNOWNVARIABLES=No
+#
+# IGNOREUNKNOWNVARIABLES=[Yes|No]
+#
+# Added in Shorewall 4.5.11. Normally, if an unknown shell variable is
+# encountered in a configuration file (except in ?IF and ?ELSIF directives),
+# the compiler raises a fatal error. If IGNOREUNKNOWNVARIABLES is set to Yes,
+# then such variables simply expand to an empty string. Default is No.
+#
 IMPLICIT_CONTINUE=No
 #
 # IMPLICIT_CONTINUE={Yes|No}
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/configure shorewall-5.0.13/configure
--- shorewall-5.0.12/configure 2016-10-01 14:48:18.456874042 -0700
+++ shorewall-5.0.13/configure 2016-10-17 09:39:17.305929984 -0700
@@ -28,7 +28,7 @@
 #
 # Build updates this
 #
-VERSION=5.0.12
+VERSION=5.0.13
 case "$BASH_VERSION" in
 [4-9].*)
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/configure.pl shorewall-5.0.13/configure.pl
--- shorewall-5.0.12/configure.pl 2016-10-01 14:48:18.456874042 -0700
+++ shorewall-5.0.13/configure.pl 2016-10-17 09:39:17.305929984 -0700
@@ -31,7 +31,7 @@
 # Build updates this
 #
 use constant {
- VERSION => '5.0.12'
+ VERSION => '5.0.13'
 };
 my %params;
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/install.sh shorewall-5.0.13/install.sh
--- shorewall-5.0.12/install.sh 2016-10-01 14:48:18.404822043 -0700
+++ shorewall-5.0.13/install.sh 2016-10-17 09:39:17.281929984 -0700
@@ -22,7 +22,7 @@
 # along with this program; if not, see .
 #
-VERSION=5.0.12
+VERSION=5.0.13
 #
 # Change to the directory containing this script
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/lib.cli-std shorewall-5.0.13/lib.cli-std
--- shorewall-5.0.12/lib.cli-std 2016-10-01 13:49:35.000000000 -0700
+++ shorewall-5.0.13/lib.cli-std 2016-10-17 09:29:32.000000000 -0700
@@ -336,35 +336,7 @@
 fi
 if [ -n "$DYNAMIC_BLACKLIST" ]; then
- case $DYNAMIC_BLACKLIST in
- [Nn]o)
- DYNAMIC_BLACKLIST='';
- ;;
- [Yy]es)
- ;;
- ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
- g_blacklistipset=SW_DBL$g_family
- ;;
- ipset:[a-zA-Z]*)
- g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
- g_blacklistipset=${g_blacklistipset%%:*}
- ;;
- ipset,src-dst:[a-zA-Z]*)
- g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
- g_blacklistipset=${g_blacklistipset%%:*}
- ;;
- ipset-only:[a-zA-Z]*)
- g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
- g_blacklistipset=${g_blacklistipset%%:*}
- ;;
- ipset-only,src-dst:[a-zA-Z]*)
- g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
- g_blacklistipset=${g_blacklistipset%%:*}
- ;;
- *)
- fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
- ;;
- esac
+ setup_dbl
 fi
 lib=$(find_file lib.cli-user)
@@ -1472,6 +1444,12 @@
 option=
 shift
 ;;
+ D)
+ [ $# -gt 1 ] || fatal_error "Missing directory name"
+ g_shorewalldir=$2
+ option=
+ shift
+ ;;
 T*)
 g_confess=Yes
 option=${option#T}
@@ -1495,7 +1473,7 @@
 case $# in
 0)
- missing_argument
+ [ -n "$g_shorewalldir" ] || g_shorewalldir='.'
 ;;
 1)
 g_shorewalldir="."
@@ -1530,6 +1508,11 @@
 get_config No
 g_haveconfig=Yes
+
+ if [ -z "$system" ]; then
+ system=$FIREWALL
+ [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
+ fi
 else
 fatal_error "$g_shorewalldir/$g_program.conf does not exist"
 fi
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall.8 shorewall-5.0.13/manpages/shorewall.8
--- shorewall-5.0.12/manpages/shorewall.8 2016-10-01 14:48:44.639030043 -0700
+++ shorewall-5.0.13/manpages/shorewall.8 2016-10-17 09:39:45.173929984 -0700
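Review bot: The `1)` arm of `case $# in` still assigns `g_shorewalldir="."` unconditionally, so a directory supplied through the new `-D` option is silently discarded whenever a system name is also given on the command line; only the `0)` arm was taught to keep a value that `-D` pre-set. The manpage hunks in this same patch advertise the form `[[-D] directory] [system]`, which makes `-D dir system` a documented invocation that would run against the current directory instead. Mirror the `0)` arm: `1) [ -n "$g_shorewalldir" ] || g_shorewalldir='.'` — unless the remainder of the `1)` arm, which lies outside the hunk, already re-checks it. The enclosing function starts and ends outside the hunk.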
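Review bot: `system=$FIREWALL` adopts a string read from the per-directory `.conf` file as the scp/ssh target with only an emptiness check, whereas a system name typed on the command line is at least visible to the operator. A FIREWALL value that begins with `-` or contains whitespace would reach the remote copy/start commands (outside this hunk) as an option or as extra arguments rather than as a host name, so a malformed or tampered configuration directory turns into surprising remote behaviour instead of a clean error. Reject such values at the point of adoption, e.g. `case $system in -*|*[[:space:]]*) fatal_error "Invalid FIREWALL setting ($system)";; esac`, placed after the emptiness check. The enclosing function starts and ends outside the hunk.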
@@ -2,12 +2,12 @@
 .\" Title: shorewall
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Administrative Commands
 .\" Source: Administrative Commands
 .\" Language: English
 .\"
-.TH "SHOREWALL" "8" "10/01/2016" "Administrative Commands" "Administrative Commands"
+.TH "SHOREWALL" "8" "10/17/2016" "Administrative Commands" "Administrative Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -35,7 +35,7 @@
 .HP \w'\fBshorewall\fR\ 'u
 \fBshorewall\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBallow\fR \fIaddress\fR
 .HP \w'\fBshorewall\fR\ 'u
-\fBshorewall\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBblacklist\fR \fIaddress\fR
+\fBshorewall\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBblacklist\fR \fIaddress\fR\ [\fIoption\fR\ \&.\&.\&.]
 .HP \w'\fBshorewall\fR\ 'u
 \fBshorewall\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBcall\fR \fIfunction\fR\ [\fIparameter\fR\ \&.\&.\&.]
 .HP \w'\fBshorewall\fR\ 'u
@@ -87,11 +87,11 @@
 .HP \w'\fBshorewall\fR\ 'u
 \fBshorewall\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBreject\fR \fIaddress\fR
 .HP \w'\fBshorewall\fR\ 'u
-\fBshorewall\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBremote\-start\fR [\fB\-s\fR] [\fB\-c\fR] [\fB\-r\fR\ \fIroot\-user\-name\fR] [\fB\-T\fR] [\fB\-i\fR] [\fIdirectory\fR] \fIsystem\fR
+\fBshorewall\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBremote\-start\fR [\fB\-s\fR] [\fB\-c\fR] [\fB\-r\fR\ \fIroot\-user\-name\fR] [\fB\-T\fR] [\fB\-i\fR] [[\fB\-D\fR]\fIdirectory\fR] [\fIsystem\fR]
 .HP \w'\fBshorewall\fR\ 'u
-\fBshorewall\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBremote\-reload\fR [\fB\-s\fR] [\fB\-c\fR] [\fB\-r\fR\ \fIroot\-user\-name\fR] [\fB\-T\fR] [\fB\-i\fR] [\fIdirectory\fR] \fIsystem\fR
+\fBshorewall\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBremote\-reload\fR [\fB\-s\fR] [\fB\-c\fR] [\fB\-r\fR\ \fIroot\-user\-name\fR] [\fB\-T\fR] [\fB\-i\fR] [[\fB\-D\fR]\fIdirectory\fR] [\fIsystem\fR]
 .HP \w'\fBshorewall\fR\ 'u
-\fBshorewall\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBremote\-restart\fR [\fB\-s\fR] [\fB\-c\fR] [\fB\-r\fR\ \fIroot\-user\-name\fR] [\fB\-T\fR] [\fB\-i\fR] [\fIdirectory\fR] \fIsystem\fR
+\fBshorewall\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBremote\-restart\fR [\fB\-s\fR] [\fB\-c\fR] [\fB\-r\fR\ \fIroot\-user\-name\fR] [\fB\-T\fR] [\fB\-i\fR] [[\fB\-D\fR]\fIdirectory\fR] [\fIsystem\fR]
 .HP \w'\fBshorewall\fR\ 'u
 \fBshorewall\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBreset\fR\ [\fIchain\fR\ \&.\&.\&.]
 .HP \w'\fBshorewall\fR\ 'u
@@ -252,6 +252,32 @@ \fIoption\fRs are passed to the \fBipset add\fR command\&. +.sp +If the +\fBdisconnect\fR +option is specified in the DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY determines the amount of information displayed: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +If the effective verbosity is > 0, then a message giving the number of conntrack flows deleted by the command is displayed\&. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +If the effective verbosity is > 1, then the conntrack table entries deleted by the command are also displayed\&. +.RE .RE .PP \fBcall \fR\fB\fIfunction\fR\fR\fB [ \fR\fB\fIparameter\fR\fR\fB \&.\&.\&. ]\fR @@ -783,7 +809,7 @@ \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. If an existing firewall script is used and if that script was the one that generated the current running configuration, then the running netfilter configuration will be reloaded as is so as to preserve the iptables packet and byte counters\&. .RE .PP -\fBremote\-start\fR [\-\fBs\fR] [\-\fBc\fR] [\-\fBr\fR \fIroot\-user\-name\fR] [\-\fBT\fR] [\-\fBi\fR] [ \fIdirectory\fR ] \fIsystem\fR +\fBremote\-start\fR [\-\fBs\fR] [\-\fBc\fR] [\-\fBr\fR \fIroot\-user\-name\fR] [\-\fBT\fR] [\-\fBi\fR] [ [ \-D ] \fIdirectory\fR ] [ \fIsystem\fR ] .RS 4 This command was renamed from \fBload\fR @@ -809,7 +835,14 @@ \fIsystem\fR using scp\&. If the copy succeeds, Shorewall Lite on \fIsystem\fR -is started via ssh\&. +is started via ssh\&. Beginning with Shorewall 5\&.0\&.13, if +\fIsystem\fR +is omitted, then the FIREWALL option setting in +\m[blue]\fBshorewall6\&.conf(5)\fR\m[]\&\s-2\u[7]\d\s+2 +is assumed\&. In that case, if you want to specify a +\fIdirectory\fR, then the +\fB\-D\fR +option must be given\&. .sp If \fB\-s\fR 
@@ -845,7 +878,7 @@ \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. .RE .PP -\fBremote\-reload \fR[\-\fBs\fR] [\-\fBc\fR] [\-\fBr\fR \fIroot\-user\-name\fR] [\-\fBT\fR] [\-\fBi\fR] [ \fIdirectory\fR ] \fIsystem\fR +\fBremote\-reload \fR[\-\fBs\fR] [\-\fBc\fR] [\-\fBr\fR \fIroot\-user\-name\fR] [\-\fBT\fR] [\-\fBi\fR] [ [ \-D ] \fIdirectory\fR ] [ \fIsystem\fR ] .RS 4 This command was added in Shorewall 5\&.0\&.0\&. .sp @@ -869,7 +902,14 @@ \fIsystem\fR using scp\&. If the copy succeeds, Shorewall Lite on \fIsystem\fR -is restarted via ssh\&. +is restarted via ssh\&. Beginning with Shorewall 5\&.0\&.13, if +\fIsystem\fR +is omitted, then the FIREWALL option setting in +\m[blue]\fBshorewall6\&.conf(5)\fR\m[]\&\s-2\u[7]\d\s+2 +is assumed\&. In that case, if you want to specify a +\fIdirectory\fR, then the +\fB\-D\fR +option must be given\&. .sp If \fB\-s\fR @@ -905,7 +945,7 @@ \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. .RE .PP -\fBremote\-restart \fR[\-\fBs\fR] [\-\fBc\fR] [\-\fBr\fR \fIroot\-user\-name\fR] [\-\fBT\fR] [\-\fBi\fR] [ \fIdirectory\fR ] \fIsystem\fR +\fBremote\-restart \fR[\-\fBs\fR] [\-\fBc\fR] [\-\fBr\fR \fIroot\-user\-name\fR] [\-\fBT\fR] [\-\fBi\fR] [ [ \-D ] \fIdirectory\fR ] [ \fIsystem\fR ] .RS 4 This command was renamed from \fBreload\fR @@ -931,7 +971,14 @@ \fIsystem\fR using scp\&. If the copy succeeds, Shorewall Lite on \fIsystem\fR -is restarted via ssh\&. +is restarted via ssh\&. Beginning with Shorewall 5\&.0\&.13, if +\fIsystem\fR +is omitted, then the FIREWALL option setting in +\m[blue]\fBshorewall6\&.conf(5)\fR\m[]\&\s-2\u[7]\d\s+2 +is assumed\&. In that case, if you want to specify a +\fIdirectory\fR, then the +\fB\-D\fR +option must be given\&. .sp If \fB\-s\fR 
@@ -1281,7 +1328,7 @@ .PP \fBipa\fR .RS 4 -Added in Shorewall 4\&.4\&.17\&. Displays the per\-IP accounting counters (\m[blue]\fBshorewall\-accounting\fR\m[]\&\s-2\u[7]\d\s+2 +Added in Shorewall 4\&.4\&.17\&. Displays the per\-IP accounting counters (\m[blue]\fBshorewall\-accounting\fR\m[]\&\s-2\u[8]\d\s+2 (5))\&. .RE .PP @@ -1421,9 +1468,9 @@ \fBstop\fR [\-\fBf\fR] .RS 4 Stops the firewall\&. All existing connections, except those listed in -\m[blue]\fBshorewall\-routestopped\fR\m[]\&\s-2\u[8]\d\s+2(5) or permitted by the ADMINISABSENTMINDED option in +\m[blue]\fBshorewall\-routestopped\fR\m[]\&\s-2\u[9]\d\s+2(5) or permitted by the ADMINISABSENTMINDED option in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5), are taken down\&. The only new traffic permitted through the firewall is from systems listed in -\m[blue]\fBshorewall\-routestopped\fR\m[]\&\s-2\u[8]\d\s+2(5) or by ADMINISABSENTMINDED\&. +\m[blue]\fBshorewall\-routestopped\fR\m[]\&\s-2\u[9]\d\s+2(5) or by ADMINISABSENTMINDED\&. .sp If \fB\-f\fR @@ -1678,7 +1725,7 @@ SHOREWALL_INIT_SCRIPT .RS 4 When set to 1, causes Std out to be redirected to the file specified in the STARTUP_LOG option in -\m[blue]\fBshorewall\&.conf(5)\fR\m[]\&\s-2\u[9]\d\s+2\&. +\m[blue]\fBshorewall\&.conf(5)\fR\m[]\&\s-2\u[10]\d\s+2\&. .RE .PP SW_LOGGERTAG 
@@ -1690,7 +1737,7 @@ /etc/shorewall/ .SH "SEE ALSO" .PP -\m[blue]\fBhttp://www\&.shorewall\&.net/starting_and_stopping_shorewall\&.htm\fR\m[]\&\s-2\u[10]\d\s+2 +\m[blue]\fBhttp://www\&.shorewall\&.net/starting_and_stopping_shorewall\&.htm\fR\m[]\&\s-2\u[11]\d\s+2 .PP shorewall\-accounting(5), shorewall\-actions(5), shorewall\-blacklist(5), shorewall\-hosts(5), shorewall_interfaces(5), shorewall\-ipsets(5), shorewall\-maclist(5), shorewall\-masq(5), shorewall\-nat(5), shorewall\-netmap(5), shorewall\-params(5), shorewall\-policy(5), shorewall\-providers(5), shorewall\-proxyarp(5), shorewall\-rtrules(5), shorewall\-routestopped(5), shorewall\-rules(5), shorewall\&.conf(5), shorewall\-secmarks(5), shorewall\-tcclasses(5), shorewall\-tcdevices(5), shorewall\-tcrules(5), shorewall\-tos(5), shorewall\-tunnels(5), shorewall\-zones(5) .SH "NOTES" @@ -1725,21 +1772,26 @@ \%http://www.shorewall.net/shorewall_logging.html#Backends .RE .IP " 7." 4 +shorewall6.conf(5) +.RS 4 +\%http://www.shorewall.netshorewall6.conf.html +.RE +.IP " 8." 4 shorewall-accounting .RS 4 \%http://www.shorewall.net/manpages/shorewall-accounting.html .RE -.IP " 8." 4 +.IP " 9." 4 shorewall-routestopped .RS 4 \%http://www.shorewall.net/manpages/shorewall-routestopped.html .RE -.IP " 9." 4 +.IP "10." 4 shorewall.conf(5) .RS 4 \%http://www.shorewall.netshorewall.conf.html .RE -.IP "10." 4 +.IP "11." 4 http://www.shorewall.net/starting_and_stopping_shorewall.htm .RS 4 \%http://www.shorewall.net/starting_and_stopping_shorewall.htm diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-accounting.5 shorewall-5.0.13/manpages/shorewall-accounting.5 --- shorewall-5.0.12/manpages/shorewall-accounting.5 2016-10-01 14:48:19.766182043 -0700 +++ shorewall-5.0.13/manpages/shorewall-accounting.5 2016-10-17 09:39:18.425929984 -0700 
@@ -2,12 +2,12 @@
 .\" Title: shorewall-accounting
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Configuration Files
 .\" Source: Configuration Files
 .\" Language: English
 .\"
-.TH "SHOREWALL\-ACCOUNTIN" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-ACCOUNTIN" "5" "10/17/2016" "Configuration Files" "Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-actions.5 shorewall-5.0.13/manpages/shorewall-actions.5
--- shorewall-5.0.12/manpages/shorewall-actions.5 2016-10-01 14:48:20.342758043 -0700
+++ shorewall-5.0.13/manpages/shorewall-actions.5 2016-10-17 09:39:19.057929984 -0700
@@ -2,12 +2,12 @@
 .\" Title: shorewall-actions
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Configuration Files
 .\" Source: Configuration Files
 .\" Language: English
 .\"
-.TH "SHOREWALL\-ACTIONS" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-ACTIONS" "5" "10/17/2016" "Configuration Files" "Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-arprules.5 shorewall-5.0.13/manpages/shorewall-arprules.5
--- shorewall-5.0.12/manpages/shorewall-arprules.5 2016-10-01 14:48:20.903318045 -0700
+++ shorewall-5.0.13/manpages/shorewall-arprules.5 2016-10-17 09:39:19.689929984 -0700
@@ -2,12 +2,12 @@
 .\" Title: shorewall-arprules
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Configuration Files
 .\" Source: Configuration Files
 .\" Language: English
 .\"
-.TH "SHOREWALL\-ARPRULES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-ARPRULES" "5" "10/17/2016" "Configuration Files" "Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-blrules.5 shorewall-5.0.13/manpages/shorewall-blrules.5
--- shorewall-5.0.12/manpages/shorewall-blrules.5 2016-10-01 14:48:21.507922043 -0700
+++ shorewall-5.0.13/manpages/shorewall-blrules.5 2016-10-17 09:39:20.289929984 -0700
@@ -2,12 +2,12 @@
 .\" Title: shorewall-blrules
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Configuration Files
 .\" Source: Configuration Files
 .\" Language: English
 .\"
-.TH "SHOREWALL\-BLRULES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-BLRULES" "5" "10/17/2016" "Configuration Files" "Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall.conf.5 shorewall-5.0.13/manpages/shorewall.conf.5
--- shorewall-5.0.12/manpages/shorewall.conf.5 2016-10-01 14:48:24.110522043 -0700
+++ shorewall-5.0.13/manpages/shorewall.conf.5 2016-10-17 09:39:24.409929984 -0700
@@ -2,12 +2,12 @@
 .\" Title: shorewall.conf
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Configuration Files
 .\" Source: Configuration Files
 .\" Language: English
 .\"
-.TH "SHOREWALL\&.CONF" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\&.CONF" "5" "10/17/2016" "Configuration Files" "Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -655,25 +655,71 @@ Causes Shorewall to not load the listed kernel modules\&. .RE .PP -\fBDYNAMIC_BLACKLIST=\fR{\fBYes\fR|\fBNo\fR||\fBipset\fR[\fB\-only\fR][,\fBsrc\-dst\fR][:[\fIsetname\fR][:\fIlog_level\fR|:l\fIog_tag\fR]]]} +\fBDYNAMIC_BLACKLIST=\fR{\fBYes\fR|\fBNo\fR||\fBipset\fR[\fB\-only\fR][\fI,option\fR[,\&.\&.\&.]][:[\fIsetname\fR][:\fIlog_level\fR|:l\fIog_tag\fR]]]} .RS 4 Added in Shorewall 4\&.4\&.7\&. When set to \fBNo\fR or -\fBno\fR, chain\-based dynamic blacklisting using the -\fBshorewall6 drop\fR, -\fBshorewall6 reject\fR, -\fBshorewall6 logdrop\fR +\fBno\fR, chain\-based dynamic blacklisting using +\fBshorewall drop\fR, +\fBshorewall reject\fR, +\fBshorewall logdrop\fR and -\fBshorewall6 logreject\fR +\fBshorewall logreject\fR is disabled\&. Default is -\fBYes\fR\&. Beginning with Shorewall 5\&.0\&.8, ipset\-based dynamic blacklisting is also supported\&. The name of the set (\fIsetname\fR) and the level (\fIlog_level\fR), if any, at which blacklisted traffic is to be logged may also be specified\&. The default set name is SW_DBL4 and the default log level is +\fBYes\fR\&. Beginning with Shorewall 5\&.0\&.8, ipset\-based dynamic blacklisting using the +\fBshorewall blacklist\fR +command is also supported\&. The name of the set (\fIsetname\fR) and the level (\fIlog_level\fR), if any, at which blacklisted traffic is to be logged may also be specified\&. The default set name is SW_DBL4 and the default log level is \fBnone\fR -(no logging)\&. if +(no logging)\&. If \fBipset\-only\fR -is given, then chain\-based dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been specified\&. Normally, only packets whose source address matches an entry in the ipsec are dropped\&. If +is given, then chain\-based dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been specified\&. 
+.sp +Possible +\fIoption\fRs are: +.PP +src\-dst +.RS 4 +Normally, only packets whose source address matches an entry in the ipset are dropped\&. If \fBsrc\-dst\fR is included, then packets whose destination address matches an entry in the ipset are also dropped\&. +.RE +.PP +\fBdisconnect\fR +.RS 4 +The +\fBdisconnect\fR +option was added in Shorewall 5\&.0\&.13 and requires that the conntrack utility be installed on the firewall system\&. When an address is blacklisted using the +\fBblacklist\fR +command, all connections originating from that address are disconnected\&. if the +\fBsrc\-dst\fR +option was also specified, then all connections to that address are also disconnected\&. +.RE +.PP +\fBtimeout\fR=\fIseconds\fR +.RS 4 +Added in Shorewall 5\&.0\&.13\&. Normally, Shorewall creates the dynamic blacklisting ipset with timeout 0 which means that entries are permanent\&. If you want entries in the set that are not accessed for a period of time to be deleted from the set, you may specify that period using this option\&. Note that the +\fBblacklist\fR +command can override the ipset\*(Aqs timeout setting\&. +.if n \{\ +.sp +.\} +.RS 4 +.it 1 an-trap +.nr an-no-space-flag 1 +.nr an-break-flag 1 +.br +.ps +1 +\fBImportant\fR +.ps -1 +.br +Once the dynamic blacklisting ipset has been created, changing this option setting requires a complete restart of the firewall; +\fBshorewall restart\fR +if RESTART=restart, otherwise +\fBshorewall stop && shorewall start\fR +.sp .5v +.RE +.RE .sp When ipset\-based dynamic blacklisting is enabled, the contents of the blacklist will be preserved over \fBstop\fR/\fBreboot\fR/\fBstart\fR 
@@ -721,6 +767,18 @@ \m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[8]\d\s+2(5)\&. .RE .PP +\fBFIREWALL\fR=[\fIdnsname\-or\-ip\-address\fR] +.RS 4 +This option was added in Shorewall 5\&.0\&.13 and may be used on an administrative system in directories containing the configurations of remote firewalls\&. The contents of the variable are the default value for the +\fIsystem\fR +parameter to the +\fBremote\-start\fR, +\fBremote\-reload\fR +and +\fBremote\-restart\fR +commands\&. +.RE +.PP \fBFORWARD_CLEAR_MARK=\fR{\fBYes\fR|\fBNo\fR} .RS 4 Added in Shorewall 4\&.4\&.11\&. Traditionally, Shorewall has cleared the packet mark in the first rule in the mangle FORWARD chain\&. This behavior is maintained with the default setting of this option (FORWARD_CLEAR_MARK=Yes)\&. If FORWARD_CLEAR_MARK is set to \*(AqNo\*(Aq, packet marks set in the mangle PREROUTING chain are retained in the FORWARD chains\&. diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-conntrack.5 shorewall-5.0.13/manpages/shorewall-conntrack.5 --- shorewall-5.0.12/manpages/shorewall-conntrack.5 2016-10-01 14:48:24.775186043 -0700 +++ shorewall-5.0.13/manpages/shorewall-conntrack.5 2016-10-17 09:39:25.073929984 -0700 
@@ -2,12 +2,12 @@
 .\" Title: shorewall6-conntrack
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Configuration Files
 .\" Source: Configuration Files
 .\" Language: English
 .\"
-.TH "SHOREWALL6\-CONNTRAC" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-CONNTRAC" "5" "10/17/2016" "Configuration Files" "Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-ecn.5 shorewall-5.0.13/manpages/shorewall-ecn.5
--- shorewall-5.0.12/manpages/shorewall-ecn.5 2016-10-01 14:48:25.315726042 -0700
+++ shorewall-5.0.13/manpages/shorewall-ecn.5 2016-10-17 09:39:25.625929984 -0700
@@ -2,12 +2,12 @@
 .\" Title: shorewall-ecn
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Configuration Files
 .\" Source: Configuration Files
 .\" Language: English
 .\"
-.TH "SHOREWALL\-ECN" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-ECN" "5" "10/17/2016" "Configuration Files" "Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-exclusion.5 shorewall-5.0.13/manpages/shorewall-exclusion.5
--- shorewall-5.0.12/manpages/shorewall-exclusion.5 2016-10-01 14:48:25.880290043 -0700
+++ shorewall-5.0.13/manpages/shorewall-exclusion.5 2016-10-17 09:39:26.181929984 -0700
@@ -2,12 +2,12 @@
 .\" Title: shorewall-exclusion
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Configuration Files
 .\" Source: Configuration Files
 .\" Language: English
 .\"
-.TH "SHOREWALL\-EXCLUSION" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-EXCLUSION" "5" "10/17/2016" "Configuration Files" "Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-hosts.5 shorewall-5.0.13/manpages/shorewall-hosts.5
--- shorewall-5.0.12/manpages/shorewall-hosts.5 2016-10-01 14:48:26.456866043 -0700
+++ shorewall-5.0.13/manpages/shorewall-hosts.5 2016-10-17 09:39:26.769929984 -0700
@@ -2,12 +2,12 @@
 .\" Title: shorewall-hosts
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Configuration Files
 .\" Source: Configuration Files
 .\" Language: English
 .\"
-.TH "SHOREWALL\-HOSTS" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-HOSTS" "5" "10/17/2016" "Configuration Files" "Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-init.8 shorewall-5.0.13/manpages/shorewall-init.8
--- shorewall-5.0.12/manpages/shorewall-init.8 2016-10-01 14:48:26.961370043 -0700
+++ shorewall-5.0.13/manpages/shorewall-init.8 2016-10-17 09:39:27.277929984 -0700
@@ -2,12 +2,12 @@
 .\" Title: shorewall-init
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Administrative Commands
 .\" Source: Administrative Commands
 .\" Language: English
 .\"
-.TH "SHOREWALL\-INIT" "8" "10/01/2016" "Administrative Commands" "Administrative Commands"
+.TH "SHOREWALL\-INIT" "8" "10/17/2016" "Administrative Commands" "Administrative Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-interfaces.5 shorewall-5.0.13/manpages/shorewall-interfaces.5
--- shorewall-5.0.12/manpages/shorewall-interfaces.5 2016-10-01 14:48:27.786194043 -0700
+++ shorewall-5.0.13/manpages/shorewall-interfaces.5 2016-10-17 09:39:28.109929984 -0700
@@ -2,12 +2,12 @@
 .\" Title: shorewall-interfaces
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Configuration Files
 .\" Source: Configuration Files
 .\" Language: English
 .\"
-.TH "SHOREWALL\-INTERFACE" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-INTERFACE" "5" "10/17/2016" "Configuration Files" "Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-ipsets.5 shorewall-5.0.13/manpages/shorewall-ipsets.5
--- shorewall-5.0.12/manpages/shorewall-ipsets.5 2016-10-01 14:48:28.358766042 -0700
+++ shorewall-5.0.13/manpages/shorewall-ipsets.5 2016-10-17 09:39:28.693929984 -0700
@@ -2,12 +2,12 @@
 .\" Title: shorewall-ipsets
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Configuration Files
 .\" Source: Configuration Files
 .\" Language: English
 .\"
-.TH "SHOREWALL\-IPSETS" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-IPSETS" "5" "10/17/2016" "Configuration Files" "Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-maclist.5 shorewall-5.0.13/manpages/shorewall-maclist.5
--- shorewall-5.0.12/manpages/shorewall-maclist.5 2016-10-01 14:48:28.907314044 -0700
+++ shorewall-5.0.13/manpages/shorewall-maclist.5 2016-10-17 09:39:29.257929984 -0700
@@ -2,12 +2,12 @@
 .\" Title: shorewall-maclist
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Configuration Files
 .\" Source: Configuration Files
 .\" Language: English
 .\"
-.TH "SHOREWALL\-MACLIST" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-MACLIST" "5" "10/17/2016" "Configuration Files" "Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-mangle.5 shorewall-5.0.13/manpages/shorewall-mangle.5
--- shorewall-5.0.12/manpages/shorewall-mangle.5 2016-10-01 14:48:29.780186042 -0700
+++ shorewall-5.0.13/manpages/shorewall-mangle.5 2016-10-17 09:39:30.165929984 -0700
@@ -2,12 +2,12 @@
 .\" Title: shorewall-mangle
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Configuration Files
 .\" Source: Configuration Files
 .\" Language: English
 .\"
-.TH "SHOREWALL\-MANGLE" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-MANGLE" "5" "10/17/2016" "Configuration Files" "Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -135,7 +135,7 @@
 must be an action declared with the
 \fBmangle\fR
 option in
-\m[blue]\fBshorewall\-actions(5)\fR\m[]\&\s-2\u[6]\d\s+2\&. If the action accepts paramaters, they are specified as a comma\-separated list within parentheses following the
+\m[blue]\fBshorewall\-actions(5)\fR\m[]\&\s-2\u[6]\d\s+2\&. If the action accepts parameters, they are specified as a comma\-separated list within parentheses following the
 \fIaction\fR
 name\&.
 .RE
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-masq.5 shorewall-5.0.13/manpages/shorewall-masq.5
--- shorewall-5.0.12/manpages/shorewall-masq.5 2016-10-01 14:48:30.408814043 -0700
+++ shorewall-5.0.13/manpages/shorewall-masq.5 2016-10-17 09:39:30.849929984 -0700
@@ -2,12 +2,12 @@
 .\" Title: shorewall-masq
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Configuration Files
 .\" Source: Configuration Files
 .\" Language: English
 .\"
-.TH "SHOREWALL\-MASQ" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-MASQ" "5" "10/17/2016" "Configuration Files" "Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-modules.5 shorewall-5.0.13/manpages/shorewall-modules.5
--- shorewall-5.0.12/manpages/shorewall-modules.5 2016-10-01 14:48:30.977382043 -0700
+++ shorewall-5.0.13/manpages/shorewall-modules.5 2016-10-17 09:39:31.409929984 -0700
@@ -2,12 +2,12 @@
 .\" Title: shorewall-modules
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Configuration Files
 .\" Source: Configuration Files
 .\" Language: English
 .\"
-.TH "SHOREWALL\-MODULES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-MODULES" "5" "10/17/2016" "Configuration Files" "Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-nat.5 shorewall-5.0.13/manpages/shorewall-nat.5
--- shorewall-5.0.12/manpages/shorewall-nat.5 2016-10-01 14:48:31.557962043 -0700
+++ shorewall-5.0.13/manpages/shorewall-nat.5 2016-10-17 09:39:32.105929984 -0700
@@ -2,12 +2,12 @@
 .\" Title: shorewall-nat
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Configuration Files
 .\" Source: Configuration Files
 .\" Language: English
 .\"
-.TH "SHOREWALL\-NAT" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-NAT" "5" "10/17/2016" "Configuration Files" "Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-nesting.5 shorewall-5.0.13/manpages/shorewall-nesting.5
--- shorewall-5.0.12/manpages/shorewall-nesting.5 2016-10-01 14:48:32.126530043 -0700
+++ shorewall-5.0.13/manpages/shorewall-nesting.5 2016-10-17 09:39:32.749929984 -0700
@@ -2,12 +2,12 @@
 .\" Title: shorewall-nesting
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Configuration Files
 .\" Source: Configuration Files
 .\" Language: English
 .\"
-.TH "SHOREWALL\-NESTING" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-NESTING" "5" "10/17/2016" "Configuration Files" "Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-netmap.5 shorewall-5.0.13/manpages/shorewall-netmap.5
--- shorewall-5.0.12/manpages/shorewall-netmap.5 2016-10-01 14:48:32.695098043 -0700
+++ shorewall-5.0.13/manpages/shorewall-netmap.5 2016-10-17 09:39:33.345929984 -0700
@@ -2,12 +2,12 @@
 .\" Title: shorewall-netmap
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Configuration Files
 .\" Source: Configuration Files
 .\" Language: English
 .\"
-.TH "SHOREWALL\-NETMAP" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-NETMAP" "5" "10/17/2016" "Configuration Files" "Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-params.5 shorewall-5.0.13/manpages/shorewall-params.5
--- shorewall-5.0.12/manpages/shorewall-params.5 2016-10-01 14:48:33.239642043 -0700
+++ shorewall-5.0.13/manpages/shorewall-params.5 2016-10-17 09:39:33.877929984 -0700
@@ -2,12 +2,12 @@
 .\" Title: shorewall-params
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Configuration Files
 .\" Source: Configuration Files
 .\" Language: English
 .\"
-.TH "SHOREWALL\-PARAMS" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-PARAMS" "5" "10/17/2016" "Configuration Files" "Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-policy.5 shorewall-5.0.13/manpages/shorewall-policy.5
--- shorewall-5.0.12/manpages/shorewall-policy.5 2016-10-01 14:48:33.856258043 -0700
+++ shorewall-5.0.13/manpages/shorewall-policy.5 2016-10-17 09:39:34.445929984 -0700
@@ -2,12 +2,12 @@
 .\" Title: shorewall-policy
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Configuration Files
 .\" Source: Configuration Files
 .\" Language: English
 .\"
-.TH "SHOREWALL\-POLICY" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-POLICY" "5" "10/17/2016" "Configuration Files" "Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-providers.5 shorewall-5.0.13/manpages/shorewall-providers.5
--- shorewall-5.0.12/manpages/shorewall-providers.5 2016-10-01 14:48:34.472874043 -0700
+++ shorewall-5.0.13/manpages/shorewall-providers.5 2016-10-17 09:39:35.045929984 -0700
@@ -2,12 +2,12 @@
 .\" Title: shorewall-providers
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Configuration Files
 .\" Source: Configuration Files
 .\" Language: English
 .\"
-.TH "SHOREWALL\-PROVIDERS" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-PROVIDERS" "5" "10/17/2016" "Configuration Files" "Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-proxyarp.5 shorewall-5.0.13/manpages/shorewall-proxyarp.5
--- shorewall-5.0.12/manpages/shorewall-proxyarp.5 2016-10-01 14:48:35.029430043 -0700
+++ shorewall-5.0.13/manpages/shorewall-proxyarp.5 2016-10-17 09:39:35.597929984 -0700
@@ -2,12 +2,12 @@
 .\" Title: shorewall-proxyarp
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Configuration Files
 .\" Source: Configuration Files
 .\" Language: English
 .\"
-.TH "SHOREWALL\-PROXYARP" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-PROXYARP" "5" "10/17/2016" "Configuration Files" "Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-routes.5 shorewall-5.0.13/manpages/shorewall-routes.5
--- shorewall-5.0.12/manpages/shorewall-routes.5 2016-10-01 14:48:35.585986043 -0700
+++ shorewall-5.0.13/manpages/shorewall-routes.5 2016-10-17 09:39:36.121929984 -0700
@@ -2,12 +2,12 @@
 .\" Title: shorewall-routes
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Configuration Files
 .\" Source: Configuration Files
 .\" Language: English
 .\"
-.TH "SHOREWALL\-ROUTES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-ROUTES" "5" "10/17/2016" "Configuration Files" "Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-rtrules.5 shorewall-5.0.13/manpages/shorewall-rtrules.5
--- shorewall-5.0.12/manpages/shorewall-rtrules.5 2016-10-01 14:48:36.138538043 -0700
+++ shorewall-5.0.13/manpages/shorewall-rtrules.5 2016-10-17 09:39:36.669929984 -0700
@@ -2,12 +2,12 @@
 .\" Title: shorewall-rtrules
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Configuration Files
 .\" Source: Configuration Files
 .\" Language: English
 .\"
-.TH "SHOREWALL\-RTRULES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-RTRULES" "5" "10/17/2016" "Configuration Files" "Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-rules.5 shorewall-5.0.13/manpages/shorewall-rules.5
--- shorewall-5.0.12/manpages/shorewall-rules.5 2016-10-01 14:48:37.608006043 -0700
+++ shorewall-5.0.13/manpages/shorewall-rules.5 2016-10-17 09:39:38.153929984 -0700
@@ -2,12 +2,12 @@
 .\" Title: shorewall-rules
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
 .\" Manual: Configuration Files
 .\" Source: Configuration Files
 .\" Language: English
 .\"
-.TH "SHOREWALL\-RULES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-RULES" "5" "10/17/2016" "Configuration Files" "Configuration Files"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -492,10 +492,10 @@ can be given\&. By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued are dropped\&. When this option is used, the NFQUEUE rule is silently bypassed instead\&. The packet will move on to the next rule\&. Also beginning in Shorewall 4\&.6\&.10, a second queue number (\fIqueuenumber2\fR) may be specified\&. This specifies a range of queues to use\&. Packets are then balanced across the given queues\&. This is useful for multicore systems: start multiple instances of the userspace program on queues x, x+1, \&.\&. x+n and use "x:x+n"\&. Packets belonging to the same connection are put into the same nfqueue\&. .RE .PP -\fB\fBNFQUEUE\fR\fR\fB[([\fR\fB\fIqueuenumber1\fR\fR\fB[,\fR\fB\fIqueuenumber2\fR\fR\fB][,bypass]]|bypass)]\fR +\fB\fBNFQUEUE!\fR\fR\fB[([\fR\fB\fIqueuenumber1\fR\fR\fB[,\fR\fB\fIqueuenumber2\fR\fR\fB][,bypass]]|bypass)]\fR .RS 4 like NFQUEUE but exempts the rule from being suppressed by OPTIMIZE=1 in -\m[blue]\fBshorewall6\&.conf\fR\m[]\&\s-2\u[7]\d\s+2(5)\&. +\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. .RE .PP \fBNONAT\fR @@ -713,7 +713,7 @@ \fBDEST\fR column intra\-zone traffic is not affected\&. When \fBall+\fR[\fB\-\fR] is "used, intra\-zone traffic is affected\&. Beginning with Shorewall 4\&.4\&.13, exclusion is supported \-\- see see -\m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[8]\d\s+2(5)\&. +\m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[7]\d\s+2(5)\&. .sp Except when \fBall\fR[\fB+\fR][\fB\-\fR] or 
@@ -733,19 +733,19 @@ excludes all vserver zones, since those zones are nested within the firewall zone\&. Beginning with Shorewall 4\&.4\&.13, exclusion is supported with \fBany\fR \-\- see see -\m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[8]\d\s+2(5)\&. +\m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[7]\d\s+2(5)\&. .sp Hosts may also be specified as an IP address range using the syntax \fIlowaddress\fR\-\fIhighaddress\fR\&. This requires that your kernel and iptables contain iprange match support\&. If your kernel and iptables have ipset match support then you may give the name of an ipset prefaced by "+"\&. The ipset name may be optionally followed by a number from 1 to 6 enclosed in square brackets ([]) to indicate the number of levels of source bindings to be matched\&. .sp Beginning with Shorewall 4\&.4\&.17, the primary IP address of a firewall interface can be specified by an ampersand (\*(Aq&\*(Aq) followed by the logical name of the interface as found in the INTERFACE column of -\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[9]\d\s+2 +\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[8]\d\s+2 (5)\&. .sp Beginning with Shorewall 4\&.5\&.4, A \fIcountrycode\-list\fR may be specified\&. A countrycode\-list is a comma\-separated list of up to 15 two\-character ISO\-3661 country codes enclosed in square brackets (\*(Aq[\&.\&.\&.]\*(Aq) and preceded by a caret (\*(Aq^\*(Aq)\&. When a single country code is given, the square brackets may be omitted\&. A list of country codes supported by Shorewall may be found at -\m[blue]\fBhttp://www\&.shorewall\&.net/ISO\-3661\&.html\fR\m[]\&\s-2\u[10]\d\s+2\&. Specifying a +\m[blue]\fBhttp://www\&.shorewall\&.net/ISO\-3661\&.html\fR\m[]\&\s-2\u[9]\d\s+2\&. Specifying a \fIcountrycode\-list\fR requires GeoIP Match 
@@ -754,7 +754,7 @@ You may exclude certain hosts from the set already defined through use of an \fIexclusion\fR (see -\m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[8]\d\s+2(5))\&. +\m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[7]\d\s+2(5))\&. .sp Examples: .PP @@ -835,7 +835,7 @@ Beginning with Shorewall 4\&.5\&.4, A \fIcountrycode\-list\fR may be specified\&. A countrycode\-list is a comma\-separated list of up to 15 two\-character ISO\-3661 country codes enclosed in square brackets (\*(Aq[\&.\&.\&.]\*(Aq) and preceded by a caret (\*(Aq^\*(Aq)\&. When a single country code is given, the square brackets may be omitted\&. A list of country codes supported by Shorewall may be found at -\m[blue]\fBhttp://www\&.shorewall\&.net/ISO\-3661\&.html\fR\m[]\&\s-2\u[10]\d\s+2\&. Specifying a +\m[blue]\fBhttp://www\&.shorewall\&.net/ISO\-3661\&.html\fR\m[]\&\s-2\u[9]\d\s+2\&. Specifying a \fIcountrycode\-list\fR requires GeoIP Match @@ -859,7 +859,7 @@ \fBDEST\fR column intra\-zone traffic is not affected\&. When \fBall+\fR[\fB\-\fR] is "used, intra\-zone traffic is affected\&. Beginning with Shorewall 4\&.4\&.13, exclusion is supported \-\- see see -\m[blue]\fBshorewall6\-exclusion\fR\m[]\&\s-2\u[11]\d\s+2(5)\&. +\m[blue]\fBshorewall6\-exclusion\fR\m[]\&\s-2\u[10]\d\s+2(5)\&. .sp \fBany\fR is equivalent to @@ -883,7 +883,7 @@ column intra\-zone traffic is not affected\&. When \fBall+\fR is used, intra\-zone traffic is affected\&. Beginning with Shorewall 4\&.4\&.13, exclusion is supported \-\- see see -\m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[8]\d\s+2(5)\&. +\m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[7]\d\s+2(5)\&. .sp The \fIzone\fR @@ -939,7 +939,7 @@ You may exclude certain hosts from the set already defined through use of an \fIexclusion\fR (see -\m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[8]\d\s+2(5))\&. +\m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[7]\d\s+2(5))\&. .sp Restriction: MAC addresses are not allowed (this is a Netfilter restriction)\&. .sp 
@@ -960,7 +960,7 @@ columns may specify an ipset name\&. .sp Beginning with Shorewall 4\&.4\&.17, the primary IP address of a firewall interface can be specified by an ampersand (\*(Aq&\*(Aq) followed by the logical name of the interface as found in the INTERFACE column of -\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[9]\d\s+2 +\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[8]\d\s+2 (5)\&. .sp The @@ -1015,7 +1015,7 @@ .RS 4 Optional destination Ports\&. A comma\-separated list of Port names (from services(5)), port numbers or port ranges; if the protocol is \fBicmp\fR, this column is interpreted as the destination icmp\-type(s)\&. ICMP types may be specified as a numeric type, a numeric type and code separated by a slash (e\&.g\&., 3/4), or a typename\&. See -\m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#ICMP\fR\m[]\&\s-2\u[12]\d\s+2\&. Note that prior to Shorewall 4\&.4\&.19, only a single ICMP type may be listed\&. +\m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#ICMP\fR\m[]\&\s-2\u[11]\d\s+2\&. Note that prior to Shorewall 4\&.4\&.19, only a single ICMP type may be listed\&. .sp If the protocol is \fBipp2p\fR, this column is interpreted as an ipp2p option without the leading "\-\-" (example 
@@ -1106,7 +1106,7 @@ target where you want to redirect traffic destined for particular set of hosts\&. Finally, if the list of addresses begins with "!" (\fIexclusion\fR) then the rule will be followed only if the original destination address in the connection request does not match any of the addresses listed\&. .sp Beginning with Shorewall 4\&.4\&.17, the primary IP address of a firewall interface can be specified by an ampersand (\*(Aq&\*(Aq) followed by the logical name of the interface as found in the INTERFACE column of -\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[9]\d\s+2 +\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[8]\d\s+2 (5)\&. .sp For other actions, this column may be included and may contain one or more addresses (host or network) separated by commas\&. Address ranges are not allowed\&. When this column is supplied, rules are generated that require that the original destination address matches one of the listed addresses\&. This feature is most useful when you want to generate a filter rule that corresponds to a @@ -1118,10 +1118,10 @@ It is also possible to specify a set of addresses then exclude part of those addresses\&. For example, \fB192\&.168\&.1\&.0/24!192\&.168\&.1\&.16/28\fR specifies the addresses 192\&.168\&.1\&.0\-182\&.168\&.1\&.15 and 192\&.168\&.1\&.32\-192\&.168\&.1\&.255\&. See -\m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[8]\d\s+2(5)\&. +\m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[7]\d\s+2(5)\&. .sp See -\m[blue]\fBhttp://www\&.shorewall\&.net/PortKnocking\&.html\fR\m[]\&\s-2\u[13]\d\s+2 +\m[blue]\fBhttp://www\&.shorewall\&.net/PortKnocking\&.html\fR\m[]\&\s-2\u[12]\d\s+2 for an example of using an entry in this column with a user\-defined action rule\&. .sp This column was formerly labelled ORIGINAL DEST\&. @@ -1575,7 +1575,7 @@ .RE .\} .sp -\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[9]\d\s+2(5): +\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[8]\d\s+2(5): .sp .if n \{\ .RS 4 
@@ -1591,7 +1591,7 @@
 .RE
 .\}
 .sp
-\m[blue]\fBshorewall\-host\fR\m[]\&\s-2\u[14]\d\s+2(5):
+\m[blue]\fBshorewall\-host\fR\m[]\&\s-2\u[13]\d\s+2(5):
 .sp
 .if n \{\
 .RS 4
@@ -1751,11 +1751,11 @@
 /etc/shorewall/rules
 .SH "SEE ALSO"
 .PP
-\m[blue]\fBhttp://www\&.shorewall\&.net/ipsets\&.html\fR\m[]\&\s-2\u[15]\d\s+2
+\m[blue]\fBhttp://www\&.shorewall\&.net/ipsets\&.html\fR\m[]\&\s-2\u[14]\d\s+2
 .PP
-\m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[16]\d\s+2
+\m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[15]\d\s+2
 .PP
-\m[blue]\fBhttp://www\&.shorewall\&.net/shorewall_logging\&.html\fR\m[]\&\s-2\u[17]\d\s+2
+\m[blue]\fBhttp://www\&.shorewall\&.net/shorewall_logging\&.html\fR\m[]\&\s-2\u[16]\d\s+2
 .PP
 shorewall(8), shorewall\-accounting(5), shorewall\-actions(5), shorewall\-blacklist(5), shorewall\-blrules(5), shorewall\-hosts(5), shorewall_interfaces(5), shorewall\-ipsets(5), shorewall\-maclist(5), shorewall\-masq(5), shorewall\-nat(5), shorewall\-netmap(5), shorewall\-params(5), shorewall\-policy(5), shorewall\-providers(5), shorewall\-proxyarp(5), shorewall\-rtrules(5), shorewall\-routestopped(5), shorewall\&.conf(5), shorewall\-secmarks(5), shorewall\-tcclasses(5), shorewall\-tcdevices(5), shorewall\-mangle(5), shorewall\-tos(5), shorewall\-tunnels(5), shorewall\-zones(5)
 .SH "NOTES"
@@ -1790,56 +1790,51 @@
 \%http://www.shorewall.net/shorewall.logging.html
 .RE
 .IP " 7." 4
-shorewall6.conf
-.RS 4
-\%http://www.shorewall.net/manpages6/shorewall6.conf.html
-.RE
-.IP " 8." 4
 shorewall-exclusion
 .RS 4
 \%http://www.shorewall.net/manpages/shorewall-exclusion.html
 .RE
-.IP " 9." 4
+.IP " 8." 4
 shorewall-interfaces
 .RS 4
 \%http://www.shorewall.net/manpages/shorewall-interfaces.html
 .RE
-.IP "10." 4
+.IP " 9." 4
 http://www.shorewall.net/ISO-3661.html
 .RS 4
 \%http://www.shorewall.net/ISO-3661.html
 .RE
-.IP "11." 4
+.IP "10." 4
 shorewall6-exclusion
 .RS 4
 \%http://www.shorewall.net/manpages6/shorewall6-exclusion.html
 .RE
-.IP "12." 4
+.IP "11." 4
 http://www.shorewall.net/configuration_file_basics.htm#ICMP
 .RS 4
 \%http://www.shorewall.net/configuration_file_basics.htm#ICMP
 .RE
-.IP "13." 4
+.IP "12." 4
 http://www.shorewall.net/PortKnocking.html
 .RS 4
 \%http://www.shorewall.net/PortKnocking.html
 .RE
-.IP "14." 4
+.IP "13." 4
 shorewall-host
 .RS 4
 \%http://www.shorewall.net/manpages/shorewall-hosts.html
 .RE
-.IP "15." 4
+.IP "14." 4
 http://www.shorewall.net/ipsets.html
 .RS 4
 \%http://www.shorewall.net/ipsets.html
 .RE
-.IP "16." 4
+.IP "15." 4
 http://www.shorewall.net/configuration_file_basics.htm#Pairs
 .RS 4
 \%http://www.shorewall.net/configuration_file_basics.htm#Pairs
 .RE
-.IP "17." 4
+.IP "16." 4
 http://www.shorewall.net/shorewall_logging.html
 .RS 4
 \%http://www.shorewall.net/shorewall_logging.html
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-secmarks.5 shorewall-5.0.13/manpages/shorewall-secmarks.5
--- shorewall-5.0.12/manpages/shorewall-secmarks.5 2016-10-01 14:48:38.228626043 -0700
+++ shorewall-5.0.13/manpages/shorewall-secmarks.5 2016-10-17 09:39:38.709929984 -0700
@@ -2,12 +2,12 @@ .\" Title: shorewall-secmarks .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 10/01/2016 +.\" Date: 10/17/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-SECMARKS" "5" "10/01/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-SECMARKS" "5" "10/17/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-stoppedrules.5 shorewall-5.0.13/manpages/shorewall-stoppedrules.5 --- shorewall-5.0.12/manpages/shorewall-stoppedrules.5 2016-10-01 14:48:38.797194043 -0700 +++ shorewall-5.0.13/manpages/shorewall-stoppedrules.5 2016-10-17 09:39:39.261929984 -0700 @@ -2,12 +2,12 @@ .\" Title: shorewall-stoppedrules .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 10/01/2016 +.\" Date: 10/17/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-STOPPEDRU" "5" "10/01/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-STOPPEDRU" "5" "10/17/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-tcclasses.5 shorewall-5.0.13/manpages/shorewall-tcclasses.5 --- shorewall-5.0.12/manpages/shorewall-tcclasses.5 2016-10-01 14:48:39.437834043 -0700 +++ shorewall-5.0.13/manpages/shorewall-tcclasses.5 2016-10-17 09:39:39.869929984 -0700 
@@ -2,12 +2,12 @@ .\" Title: shorewall-tcclasses .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 10/01/2016 +.\" Date: 10/17/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-TCCLASSES" "5" "10/01/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-TCCLASSES" "5" "10/17/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-tcdevices.5 shorewall-5.0.13/manpages/shorewall-tcdevices.5 --- shorewall-5.0.12/manpages/shorewall-tcdevices.5 2016-10-01 14:48:40.042438043 -0700 +++ shorewall-5.0.13/manpages/shorewall-tcdevices.5 2016-10-17 09:39:40.453929984 -0700 @@ -2,12 +2,12 @@ .\" Title: shorewall-tcdevices .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 10/01/2016 +.\" Date: 10/17/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-TCDEVICES" "5" "10/01/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-TCDEVICES" "5" "10/17/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-tcfilters.5 shorewall-5.0.13/manpages/shorewall-tcfilters.5 --- shorewall-5.0.12/manpages/shorewall-tcfilters.5 2016-10-01 14:48:40.647042043 -0700 +++ shorewall-5.0.13/manpages/shorewall-tcfilters.5 2016-10-17 09:39:41.017929984 -0700 
@@ -2,12 +2,12 @@ .\" Title: shorewall-tcfilters .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 10/01/2016 +.\" Date: 10/17/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-TCFILTERS" "5" "10/01/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-TCFILTERS" "5" "10/17/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-tcinterfaces.5 shorewall-5.0.13/manpages/shorewall-tcinterfaces.5 --- shorewall-5.0.12/manpages/shorewall-tcinterfaces.5 2016-10-01 14:48:41.211606043 -0700 +++ shorewall-5.0.13/manpages/shorewall-tcinterfaces.5 2016-10-17 09:39:41.553929984 -0700 @@ -2,12 +2,12 @@ .\" Title: shorewall-tcinterfaces .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 10/01/2016 +.\" Date: 10/17/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-TCINTERFA" "5" "10/01/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-TCINTERFA" "5" "10/17/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-tcpri.5 shorewall-5.0.13/manpages/shorewall-tcpri.5 --- shorewall-5.0.12/manpages/shorewall-tcpri.5 2016-10-01 14:48:41.784178043 -0700 +++ shorewall-5.0.13/manpages/shorewall-tcpri.5 2016-10-17 09:39:42.081929984 -0700 
@@ -2,12 +2,12 @@ .\" Title: shorewall-tcpri .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 10/01/2016 +.\" Date: 10/17/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-TCPRI" "5" "10/01/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-TCPRI" "5" "10/17/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-tunnels.5 shorewall-5.0.13/manpages/shorewall-tunnels.5 --- shorewall-5.0.12/manpages/shorewall-tunnels.5 2016-10-01 14:48:42.352746043 -0700 +++ shorewall-5.0.13/manpages/shorewall-tunnels.5 2016-10-17 09:39:42.709929984 -0700 @@ -2,12 +2,12 @@ .\" Title: shorewall-tunnels .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 10/01/2016 +.\" Date: 10/17/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-TUNNELS" "5" "10/01/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-TUNNELS" "5" "10/17/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-vardir.5 shorewall-5.0.13/manpages/shorewall-vardir.5 --- shorewall-5.0.12/manpages/shorewall-vardir.5 2016-10-01 14:48:42.897290043 -0700 +++ shorewall-5.0.13/manpages/shorewall-vardir.5 2016-10-17 09:39:43.241929984 -0700 
@@ -2,12 +2,12 @@ .\" Title: shorewall-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 10/01/2016 +.\" Date: 10/17/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-VARDIR" "5" "10/01/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-VARDIR" "5" "10/17/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/manpages/shorewall-zones.5 shorewall-5.0.13/manpages/shorewall-zones.5 --- shorewall-5.0.12/manpages/shorewall-zones.5 2016-10-01 14:48:45.267658043 -0700 +++ shorewall-5.0.13/manpages/shorewall-zones.5 2016-10-17 09:39:45.805929984 -0700 @@ -2,12 +2,12 @@ .\" Title: shorewall-zones .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 10/01/2016 +.\" Date: 10/17/2016 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-ZONES" "5" "10/01/2016" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-ZONES" "5" "10/17/2016" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/Perl/lib.runtime shorewall-5.0.13/Perl/lib.runtime --- shorewall-5.0.12/Perl/lib.runtime 2016-10-01 13:49:35.000000000 -0700 +++ shorewall-5.0.13/Perl/lib.runtime 2016-10-17 09:29:32.000000000 -0700 
@@ -607,7 +607,7 @@ status=$(cat ${VARDIR}/${1}.status) fi - return status + return $status } distribute_load() { diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/Perl/Shorewall/Chains.pm shorewall-5.0.13/Perl/Shorewall/Chains.pm --- shorewall-5.0.12/Perl/Shorewall/Chains.pm 2016-10-01 14:48:18.496914043 -0700 +++ shorewall-5.0.13/Perl/Shorewall/Chains.pm 2016-10-17 09:39:17.349929984 -0700 @@ -296,7 +296,7 @@ Exporter::export_ok_tags('internal'); -our $VERSION = '5.0_12'; +our $VERSION = '5.0_13'; # # Chain Table @@ -8266,6 +8266,32 @@ sub ensure_ipsets( @ ) { my $set; + if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) { + shift; + + emit( qq( if ! qt \$IPSET list $globals{DBL_IPSET}; then)); + + push_indent; + + if ( $family == F_IPV4 ) { + emit( q( #), + q( # Set the timeout for the dynamic blacklisting ipset), + q( #), + qq( \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet timeout $globals{DBL_TIMEOUT} counters) ); + } else { + emit( q( #), + q( # Set the timeout for the dynamic blacklisting ipset), + q( #), + qq( \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT} counters) ); + } + + pop_indent; + + emit( qq( fi\n) ); + + } + + if ( @_ ) { if ( @_ > 1 ) { push_indent; emit( "for set in @_; do" ); @@ -8276,9 +8302,9 @@ if ( $family == F_IPV4 ) { if ( have_capability 'IPSET_V5' ) { - emit ( qq( if ! qt \$IPSET -L $set -n; then) , + emit ( qq( if ! qt \$IPSET list $set -n; then) , qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") , - qq( \$IPSET -N $set hash:net family inet timeout 0 counters) , + qq( \$IPSET create $set hash:net family inet timeout 0 counters) , qq( fi) ); } else { emit ( qq( if ! qt \$IPSET -L $set -n; then) , 
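Review bot: `return $status` hands whatever `${VARDIR}/${1}.status` contains straight to the shell, and nothing in the hunk checks that it is a small integer; an empty file turns this into a bare `return`, which reports the exit status of the last command run (presumably the `cat`) rather than a provider status, and non-numeric content makes bash print an error instead. A guard before the return such as `case $status in ''|*[!0-9]*) status=1 ;; esac` would make the failure explicit — the fallback should be whatever value the callers treat as "not enabled", which is not visible here. The enclosing function starts outside the hunk.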
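Review bot: The guard `$globals{DBL_TIMEOUT} ne ''` on the new branch in `ensure_ipsets` is always true, because the Config.pm hunk in this diff initialises `DBL_TIMEOUT => 0` and `'0' ne ''` holds, so the only effective condition is `$_[0] eq $globals{DBL_IPSET}`; when DYNAMIC_BLACKLIST is not ipset-based `DBL_IPSET` stays `''`, and a call with an empty list (if one exists — not visible here) would satisfy `undef eq ''`, `shift` nothing and emit an `$IPSET -exist create` line with an empty set name. Misc.pm's hunk in this diff tests the same value numerically (`if ( $val = $globals{DBL_TIMEOUT} )`), so the two modules disagree on whether 0 means "unset". A guard of `if ( $globals{DBL_IPSET} ne '' && @_ && $_[0] eq $globals{DBL_IPSET} )` would state the intent and close the empty-call case. The existence test `qt \$IPSET list $globals{DBL_IPSET}` also omits the `-n` that the generic path below uses, so it dumps every member of what may be a large blacklist just to check that the set exists.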
@@ -8287,9 +8313,9 @@ qq( fi) ); } } else { - emit ( qq( if ! qt \$IPSET -L $set -n; then) , + emit ( qq( if ! qt \$IPSET list $set -n; then) , qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") , - qq( \$IPSET -N $set hash:net family inet6 timeout 0 counters) , + qq( \$IPSET create $set hash:net family inet6 timeout 0 counters) , qq( fi) ); } @@ -8298,6 +8324,7 @@ pop_indent; } } +} # # Generate the save_ipsets() function @@ -8473,11 +8500,22 @@ 'if [ "$COMMAND" = start ]; then' ); ##################### Start Command ################## if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) { - emit( ' if [ -f ${VARDIR}/ipsets.save ]; then', + emit( ' if [ -f ${VARDIR}/ipsets.save ]; then' ); + + if ( my $set = $globals{DBL_IPSET} ) { + emit( ' #', + ' # Update the dynamic blacklisting ipset timeout value', + ' #', + qq( awk '/create $set/ { sub( /timeout [0-9]+/, "timeout $globals{DBL_TIMEOUT}" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp), ' zap_ipsets', + ' $IPSET restore < ${VARDIR}/ipsets.temp', + ' fi' ); + } else { + emit( ' zap_ipsets', ' $IPSET -R < ${VARDIR}/ipsets.save', ' fi' ); } + } if ( @ipsets ) { emit ( '' ); diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/Perl/Shorewall/Config.pm shorewall-5.0.13/Perl/Shorewall/Config.pm --- shorewall-5.0.12/Perl/Shorewall/Config.pm 2016-10-01 14:48:18.512930043 -0700 +++ shorewall-5.0.13/Perl/Shorewall/Config.pm 2016-10-17 09:39:17.369929984 -0700 @@ -241,7 +241,7 @@ Exporter::export_ok_tags('internal'); -our $VERSION = '5.0_12'; +our $VERSION = '5.0_13'; # # describe the current command, it's present progressive, and it's completion. @@ -744,7 +744,7 @@ TC_SCRIPT => '', EXPORT => 0, KLUDGEFREE => '', - VERSION => "5.0.12", + VERSION => "5.0.13", CAPVERSION => 50004 , BLACKLIST_LOG_TAG => '', RELATED_LOG_TAG => '', 
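Review bot: The awk program interpolates `$set` unescaped into a regex that is only a substring match, `/create $set/`, so any saved set whose name contains the blacklist set's name (a user set sharing the prefix, for instance) has its timeout rewritten too, and any regex metacharacter in the name changes what the pattern matches — the name check in Config.pm, `/^[A-Za-z][\w-]*/`, is not anchored at the end; anchoring the awk pattern, `/^create $set /`, fixes the over-match. The generated sequence `awk … > ${VARDIR}/ipsets.temp`, `zap_ipsets`, `$IPSET restore < ${VARDIR}/ipsets.temp` also never checks that awk succeeded, so a failed or absent awk destroys the live sets and then restores an empty file; chaining the three with `&&`, or falling back to the existing `$IPSET -R < ${VARDIR}/ipsets.save` when the temp file is empty, would preserve the blacklist on failure. `ipsets.temp` is also left behind in `${VARDIR}` after the restore.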
@@ -754,6 +754,8 @@ RPFILTER_LOG_TAG => '', INVALID_LOG_TAG => '', UNTRACKED_LOG_TAG => '', + DBL_IPSET => '', + DBL_TIMEOUT => 0, POSTROUTING => 'POSTROUTING', ); # @@ -898,6 +900,7 @@ MINIUPNPD => undef , VERBOSE_MESSAGES => undef , ZERO_MARKS => undef , + FIREWALL => undef , # # Packet Disposition # @@ -6253,9 +6256,27 @@ if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) { if ( $val =~ /^ipset/ ) { + my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 ); + my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 ); - fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?(?:,src-dst)?$/ || defined $rest; + ( $key , my @options ) = split_list( $key, 'option' ); + + my $options = ''; + + for ( @options ) { + if ( $simple_options{$_} ) { + $options = join( ',' , $options, $_ ); + } elsif ( $_ =~ s/^timeout=(\d+)$// ) { + $globals{DBL_TIMEOUT} = $1; + } else { + fatal_error "Invalid ipset option ($_)"; + } + } + + $globals{DBL_OPTIONS} = $options; + + fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?$/ || defined $rest; if ( supplied( $set ) ) { fatal_error "Invalid DYNAMIC_BLACKLIST ipset name" unless $set =~ /^[A-Za-z][\w-]*/; @@ -6263,7 +6284,7 @@ $set = 'SW_DBL' . $family; } - add_ipset( $set ); + add_ipset( $globals{DBL_IPSET} = $set ); $level = validate_level( $level ); diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/Perl/Shorewall/IPAddrs.pm shorewall-5.0.13/Perl/Shorewall/IPAddrs.pm --- shorewall-5.0.12/Perl/Shorewall/IPAddrs.pm 2016-10-01 14:48:18.516934043 -0700 +++ shorewall-5.0.13/Perl/Shorewall/IPAddrs.pm 2016-10-17 09:39:17.373929984 -0700 @@ -82,7 +82,7 @@ validate_icmp6 ) ); our @EXPORT_OK = qw( ); -our $VERSION = '4.6_13'; +our $VERSION = '5.0_13'; # # Some IPv4/6 useful stuff 
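Review bot: The set name that the next hunk's `add_ipset( $globals{DBL_IPSET} = $set )` records is later interpolated unquoted into generated shell (`$IPSET -exist create …`) and into an awk regex in the Chains.pm hunks of this diff, but the check it passes on the way, `$set =~ /^[A-Za-z][\w-]*/` (a context line of this hunk), is anchored only at the start, so anything may follow the first valid character. Anchoring the end, `unless $set =~ /^[A-Za-z][\w-]*$/`, keeps shell and regex metacharacters out of the generated script. Separately, `timeout=0` is accepted and stores 0, which Misc.pm then treats as "no timeout", and a repeated `timeout=` silently takes the last value — either reject both or document them next to `%simple_options`.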
@@ -432,13 +432,18 @@ sub validate_portpair( $$ ) { my ($proto, $portpair) = @_; my $what; + my $pair = $portpair; + # + # Accept '-' as a port-range separator + # + $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/; - fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1; + fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1; - $portpair = "0$portpair" if substr( $portpair, 0, 1 ) eq ':'; - $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':'; + $pair = "0$pair" if substr( $pair, 0, 1 ) eq ':'; + $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':'; - my @ports = split /:/, $portpair, 2; + my @ports = split /:/, $pair, 2; my $protonum = resolve_proto( $proto ) || 0; @@ -497,7 +502,7 @@ my ( $proto, $list ) = @_; my @list = split_list( $list, 'port' ); - if ( @list > 1 && $list =~ /:/ ) { + if ( @list > 1 && $list =~ /[:-]/ ) { require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' ); } diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/Perl/Shorewall/Misc.pm shorewall-5.0.13/Perl/Shorewall/Misc.pm --- shorewall-5.0.12/Perl/Shorewall/Misc.pm 2016-10-01 14:48:18.524942043 -0700 +++ shorewall-5.0.13/Perl/Shorewall/Misc.pm 2016-10-17 09:39:17.377929984 -0700 @@ -48,7 +48,7 @@ generate_matrix ); our @EXPORT_OK = qw( initialize ); -our $VERSION = '5.0_10'; +our $VERSION = '5.0_13'; our $family; @@ -688,7 +688,8 @@ my $dbl_ipset; my $dbl_level; my $dbl_tag; - my $dbl_target; + my $dbl_src_target; + my $dbl_dst_target; if ( $config{REJECT_ACTION} ) { process_reject_action; 
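Review bot: `$list =~ /[:-]/` now demands XMULTIPORT for any port list containing a hyphen, but `validate_portpair` in the preceding hunk only treats `-` as a range separator when the whole entry is digits and hyphens (`/^[-0-9]+$/`), so a list of hyphenated service names (e.g. `netbios-ns,netbios-dgm`, if such names are accepted here) would newly require a capability it does not use. Testing per entry with the same rule, `if ( @list > 1 && grep { /:/ || ( /^[-0-9]+$/ && /-/ ) } @list ) {`, keeps the two checks consistent. The enclosing function's header is outside the hunk.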
@@ -749,8 +750,42 @@ } if ( $dbl_ipset ) { - if ( $dbl_level ) { - my $chainref = set_optflags( new_standard_chain( $dbl_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE ); + if ( $val = $globals{DBL_TIMEOUT} ) { + $dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log'; + + my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE ); + + log_rule_limit( $dbl_level, + $chainref, + 'dbl_log', + 'DROP', + $globals{LOGLIMIT}, + $dbl_tag, + 'add', + '', + $origin{DYNAMIC_BLACKLIST} ) if $dbl_level; + add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} ); + add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} ); + + if ( $dbl_src_target eq 'dbl_src' ) { + $chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE ); + + log_rule_limit( $dbl_level, + $chainref, + 'dbl_log', + 'DROP', + $globals{LOGLIMIT}, + $dbl_tag, + 'add', + '', + $origin{DYNAMIC_BLACKLIST} ) if $dbl_level; + add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset dst --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} ); + add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} ); + } else { + $dbl_dst_target = $dbl_src_target; + } + } elsif ( $dbl_level ) { + my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE ); log_rule_limit( $dbl_level, $chainref, @@ -763,7 +798,7 @@ $origin{DYNAMIC_BLACKLIST} ); add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} ); } else { - $dbl_target = 'DROP'; + $dbl_src_target = $dbl_dst_target = 'DROP'; } } } 
@@ -877,17 +912,17 @@ # # src # - add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" ); - add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" ); + add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" ); + add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" ); } elsif ( $in == 2 ) { - add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ); + add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ); } if ( $out == 2 ) { # # dst # - add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ); + add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ); } } diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/Perl/Shorewall/Providers.pm shorewall-5.0.13/Perl/Shorewall/Providers.pm --- shorewall-5.0.12/Perl/Shorewall/Providers.pm 2016-10-01 14:48:18.536954043 -0700 +++ shorewall-5.0.13/Perl/Shorewall/Providers.pm 2016-10-17 09:39:17.385929984 -0700 @@ -47,7 +47,7 @@ map_provider_to_interface ); our @EXPORT_OK = qw( initialize provider_realm ); -our $VERSION = '5.0_12'; +our $VERSION = '5.0_13'; use constant { LOCAL_TABLE => 255, MAIN_TABLE => 254, 
@@ -309,27 +309,14 @@ emit ''; if ( $first_default_route ) { - if ( $family == F_IPV4 ) { if ( $gateway ) { emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\""; } else { emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\""; } - } else { - # - # IPv6 doesn't support multi-hop routes - # - if ( $gateway ) { - emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\""; - } else { - emit "DEFAULT_ROUTE=\"dev $interface $realm\""; - } - } $first_default_route = 0; } else { - fatal_error "Only one 'balance' provider is allowed with IPv6" if $family == F_IPV6; - if ( $gateway ) { emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\""; } else { @@ -346,27 +333,14 @@ emit ''; if ( $first_fallback_route ) { - if ( $family == F_IPV4 ) { if ( $gateway ) { emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\""; } else { emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\""; } - } else { - # - # IPv6 doesn't support multi-hop routes - # - if ( $gateway ) { - emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\""; - } else { - emit "FALLBACK_ROUTE=\"dev $interface $realm\""; - } - } $first_fallback_route = 0; } else { - fatal_error "Only one 'fallback' provider is allowed with IPv6" if $family == F_IPV6; - if ( $gateway ) { emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm\""; } else { @@ -542,7 +516,6 @@ $track = 0; } elsif ( $option =~ /^balance=(\d+)$/ ) { fatal_error q('balance' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none'; - fatal_error q('balance=' is not available in IPv6) if $family == F_IPV6; fatal_error 'The balance setting must be non-zero' unless $1; $balance = $1; } elsif ( $option eq 'balance' || $option eq 'primary') { 
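Review bot: With the IPv6 branches removed, `DEFAULT_ROUTE` is now assembled from `nexthop … weight …` fragments for both families, and the comment that explained the old split (`IPv6 doesn't support multi-hop routes`) goes with it; what replaces it is a dependency on kernel and iproute2 support for IPv6 multipath routes, which older systems may lack and which the release-notes hunk in this diff does not mention. A comment above `if ( $first_default_route )` such as `# IPv6 balance/fallback relies on kernel and iproute2 support for IPv6 multipath (nexthop) routes` plus a release-notes line stating the minimum versions would tell users why `start` can fail on an older kernel. The same applies to the fallback hunk that follows. The enclosing function starts outside the hunk.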
@@ -565,7 +538,6 @@ $mtu = "mtu $1 "; } elsif ( $option =~ /^fallback=(\d+)$/ ) { fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none'; - fatal_error q('fallback=' is not available in IPv6) if $family == F_IPV6; $default = $1; $default_balance = 0; fatal_error 'fallback must be non-zero' unless $default; @@ -827,18 +799,10 @@ emit( qq([ -z "$address" ] && return\n) ); if ( $hostroute ) { - if ( $family == F_IPV4 ) { emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}); emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm); emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing); emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing); - } else { - emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu}); - emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm); - emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm); - emit qq(echo "\$IP -6 route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing ); - emit qq(echo "\$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing); - } } emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" ); 
@@ -959,14 +923,8 @@ $address = get_interface_address $interface unless $address; if ( $hostroute ) { - if ( $family == F_IPV4 ) { emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}); emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm); - } else { - emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu}); - emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm); - emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm); - } } emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm"; @@ -980,13 +938,8 @@ my $id = $providers{default}->{id}; emit ''; if ( $gateway ) { - if ( $family == F_IPV4 ) { emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute; emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number); - } else { - emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table $id metric $number); - emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number); - } emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing); emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4; } else { 
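Review bot: After dropping the `$family == F_IPV4` test in the second hunk, `run_ip route replace $gateway/32 dev $physical table $id` is now emitted for IPv6 gateways as well, and `/32` on an IPv6 address is a 32-bit prefix rather than a host route — the generated script would install a route covering the gateway's whole /32 block in the provider table, while the undo line two lines down is still gated on `F_IPV4`, so that IPv6 route is also never removed. Use a family-dependent prefix length: `my $plen = $family == F_IPV4 ? 32 : 128;`, then `emit qq(run_ip route replace $gateway/$plen dev $physical table $id) if $hostroute;` and `emit qq(echo "\$IP -$family route del $gateway/$plen dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);` without the `F_IPV4` condition. The enclosing function starts outside the hunk.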
@@ -1062,23 +1015,12 @@ $tbl = $providers{$default ? 'default' : $config{USE_DEFAULT_RT} ? 'balance' : 'main'}->{id}; $weight = $balance ? $balance : $default; - if ( $family == F_IPV4 ) { if ( $gateway ) { emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl; } else { emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl; } } else { - # - # IPv6 doesn't support multi-hop routes - # - if ( $gateway ) { - emit qq(add_gateway "via $gateway dev $physical $realm" ) . $tbl; - } else { - emit qq(add_gateway "dev $physical $realm" ) . $tbl; - } - } - } else { $weight = 1; } @@ -1168,7 +1110,7 @@ $via = "dev $physical"; } - $via .= " weight $weight" unless $weight < 0 or $family == F_IPV6; # IPv6 doesn't support route weights + $via .= " weight $weight" unless $weight < 0; $via .= " $realm" if $realm; emit( qq(delete_gateway "$via" $tbl $physical) ); @@ -1517,12 +1459,7 @@ if ( $balancing ) { emit ( 'if [ -n "$DEFAULT_ROUTE" ]; then' ); - if ( $family == F_IPV4 ) { emit ( " run_ip route replace default scope global table $table \$DEFAULT_ROUTE" ); - } else { - emit ( " qt \$IP -6 route del default scope global table $table \$DEFAULT_ROUTE" ); - emit ( " run_ip route add default scope global table $table \$DEFAULT_ROUTE" ); - } if ( $config{USE_DEFAULT_RT} ) { emit ( " while qt \$IP -$family route del default table $main; do", 
@@ -1575,12 +1512,7 @@ if ( $fallback ) { emit ( 'if [ -n "$FALLBACK_ROUTE" ]; then' ); - if ( $family == F_IPV4 ) { emit( " run_ip route replace default scope global table $default \$FALLBACK_ROUTE" ); - } else { - emit( " qt \$IP -6 route del default scope global table $default \$FALLBACK_ROUTE" ); - emit( " run_ip route add default scope global table $default \$FALLBACK_ROUTE" ); - } emit( " progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"", 'else', diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/Perl/Shorewall/Rules.pm shorewall-5.0.13/Perl/Shorewall/Rules.pm --- shorewall-5.0.12/Perl/Shorewall/Rules.pm 2016-10-01 14:48:18.552970043 -0700 +++ shorewall-5.0.13/Perl/Shorewall/Rules.pm 2016-10-17 09:39:17.397929984 -0700 @@ -2891,7 +2891,7 @@ fatal_error "A timeout may only be supplied in an ADD rule" unless $basictarget eq 'ADD'; fatal_error "Invalid Timeout ($timeout)" unless $timeout && $timeout =~ /^\d+$/; - $action .= " --timeout $timeout"; + $action .= " --timeout $timeout --exist"; } } } @@ -3965,7 +3965,7 @@ process_mangle_rule1( $chainref, $moriginalmark, $msource, - $dest, + $mdest, $proto, merge_macro_column( $mports, $ports ), merge_macro_column( $msports, $sports ), diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/Perl/Shorewall/Zones.pm shorewall-5.0.13/Perl/Shorewall/Zones.pm --- shorewall-5.0.12/Perl/Shorewall/Zones.pm 2016-10-01 14:48:18.568986043 -0700 +++ shorewall-5.0.13/Perl/Shorewall/Zones.pm 2016-10-17 09:39:17.413929984 -0700 @@ -108,7 +108,7 @@ ); our @EXPORT_OK = qw( initialize ); -our $VERSION = '5.0_10'; +our $VERSION = '5.0_13'; # # IPSEC Option types 
@@ -1119,6 +1119,8 @@ my ($interface, $port, $extra) = split /:/ , $originalinterface, 3; + fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/; + fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra; if ( supplied $port ) { @@ -1193,7 +1195,7 @@ my %options; $options{port} = 1 if $port; - $options{dbl} = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0'; + $options{dbl} = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?.*,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0'; my $hostoptionsref = {}; @@ -1316,7 +1318,7 @@ fatal_error "The '$option' option requires a value" unless defined $value; if ( $option eq 'physical' ) { - fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/; + fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/; fatal_error "Virtual interfaces ($value) are not supported" if $value =~ /:\d+$/; fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port ); diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/releasenotes.txt shorewall-5.0.13/releasenotes.txt --- shorewall-5.0.12/releasenotes.txt 2016-10-01 14:48:18.456874042 -0700 +++ shorewall-5.0.13/releasenotes.txt 2016-10-17 09:39:17.301929984 -0700 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 0 . 1 2 + S H O R E W A L L 5 . 0 . 1 3 ---------------------------- - O c t o b e r 0 3 , 2 0 1 6 + O c t o b e r 1 8, 2 0 1 6 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
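Review bot: The new check `$interface =~ /[()\[\]\*\?%]/` rejects only seven characters, but the release-notes hunk in this diff describes it as detecting shell metacharacters, and the characters most likely to break the generated script — whitespace, `;`, `&`, `|`, `<`, `>`, `$`, backquote, quotes, backslash and braces — still pass. Since, per those notes, the name reaches the generated script, a broader blacklist such as `if $interface =~ /[\s;&|<>\$'"\\(){}\[\]*?%]/` (plus the backquote), or better a whitelist of the characters Shorewall actually allows in interface names (which the hunk does not show), would match the stated intent. The enclosing function starts outside the hunk.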
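Review bot: The replacement line in the `physical` option handler (third hunk) tests `$interface` — the logical name that the first hunk already validates, presumably on the same path — instead of `$value`, so the physical interface name is no longer checked at all: the old guard `unless $value && $value !~ /%/` rejected an empty value and a `%`, the new one rejects neither, and because it repeats the earlier check with the same message it can never fire. It should read `fatal_error "Invalid physical interface name ($value)" unless $value && $value !~ /[()\[\]\*\?%]/;`. The enclosing function starts outside the hunk.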
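Review bot: The widened pattern `/^ipset(-only)?.*,src-dst/` in the second hunk lets `,src-dst` match anywhere in the DYNAMIC_BLACKLIST value, including the set-name, level and tag fields after the first colon (a log tag of `foo,src-dst` would switch on dst matching), whereas the Config.pm hunk in this diff parses the options into `$globals{DBL_OPTIONS}` and Misc.pm tests that instead. If option parsing has run by the time interfaces are processed (not visible here), `$globals{DBL_OPTIONS} =~ /src-dst/` is the consistent test; otherwise confining the wildcard to the option field, `/^ipset(?:-only)?[^:]*,src-dst/`, avoids the false match.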
@@ -14,48 +14,15 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Minor cleanup, mostly commentary, in the Rules.pm module. - -2) In Shorewall 5.0.7, The assumed 'use Shorewall::Config(shorewall)' - statement in ?PERL and ?BEGIN PERL...?END PERL handling was - inadvertently removed. This results in Perl compilation errors if - the 'shorewall' function is invoked. The statement has now been - restored. - -3) Previously, the firewall would fail to start if the configuration - contained a CHECKSUM rule without a chain designator and - MARK_IN_FORWARD_CHAIN=No. Now, the compiler defaults these rules to - the POSTROUTING chain and forbids them in the PREROUTING chain. - -4) Recently, a case was observed where certain incoming packets had a - non-zero packet mark in the raw PREROUTING chain, causing them to - be misrouted. To guard against this issue, packet marks are now - cleared at the top of the PREROUTING and OUTPUT mangle chains when - the new ZERO_MARKS option is set to yes. Note that ZERO_MARKS=Yes - can break IPSEC in multi-ISP configurations. - -5) Two distinct problems have been corrected in the 'disable' - command logic: - - a) If a balanced or fallback interface was down or had been - deleted, then the 'disable' command could fail. - - b) If a persistent optional interface was down, then the - generated script would fail when it attempted to add routes out - of the interface. - -6) Previously, the generated script would attempt to reenable a - disabled persistent provider at each 'start', 'reload' or - 'restart'. Now, disabled persistent providers are handled the same - as other providers and require the 'enable' or 'reenable' command - to enable them. +1) This release contains defect repair from 5.0.12.1. -7) Previously, the generated script assumed that all - probability-balanced providers (those with the 'load' option - specified) were optional. 
That assumption has been removed. +2) The compiler now detects shell metacharacters in interface names + defined in /etc/shorewall[6]/interfaces. Previously, such + characters could cause runtime failures in the generated script. -8) Previously, the permissions of files created by the 'save' command - were more relaxed than necessary. This has been corrected. +3) Previously, the compiler ignored DEST column entries in inline + mangle action bodies. That value is now used unless it is '-', in + which case the DEST column value in the action invocation is used. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -72,69 +39,42 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) You may now place comma-separated zone lists in the SOURCE and DEST - columns in /etc/shorewall[6]/policy. - - Example: - - #SOURCE DEST POLICY ... - loc,dmz net REJECT - - That line is equivalent to: - - #SOURCE DEST POLICY ... - loc net REJECT - loc dmz REJECT - - If the same zone appears in both columns, the default ACCEPT - intrazone policy is not overridden unless the list is followed - immediately by '+'. - - Example: - - #SOURCE DEST POLICY ... - dmz,loc loc,dmz+ REJECT - - That line is equivalent to: - - #SOURCE DEST POLICY ... - dmz loc REJECT - dmz dmz REJECT - loc loc REJECT - loc dmz REJECT - - Without the plus sine, it would be equivalent to - - #SOURCE DEST POLICY ... - dmz loc REJECT - loc dmz REJECT - -2) Distribution maintainers may now set a default pager via the - configure and configure.pl programs in Shorewall-core to set - DEFAULT_PAGER in the generated shorewallrc file. The - Shorewall-provided shorewallrc files for Debian currently specify - 'less' for DEFAULT_PAGER. The other shorewallrc files do not - specify DEFAULT_PAGER. +1) A 'disconnect' option has been added to the DYNAMIC_BLACKLIST + setting. The option is only accepted for ipset-based dynamic + blacklisting and requires that the 'conntrack' utility be + installed. See shorewall[6].conf(5) for details. - If shorewall[6].conf does not specify PAGER then the DEFAULT_PAGER - setting is used. + With this option, when an address is blackliseted using the + 'blacklist' command, the conntrack utility is used to break all + connections from that address. If the 'src-dst' option is also + specified in the BLACKLIST setting, then all connections to the + address are also broken. If the effective VERBOSITY is greater than + 0, then a messages is displayed that indicated the number of flows + deleted by the command. 
If the effective VERBOSITY is 2, the + conntrack entries delected by the command are also displayed. -3) The 'contiguous' option is now supported in TIME columns. When the - 'timestop' value is smaller than the 'timestart' value, match this - as a single time period instead distinct intervals. + This option is more efficient for packet processing than including + the ESTABLISHED state in the BLACKLIST setting. - Example: +2) A 'timeout' option has been added to the DYNAMIC_BLACKLIST setting. + The option is only accepted for ipset-based dynamic blacklisting + and causes entries in the blacklist ipset to be automatically + deleted if they are not matched within a specified time. See + shorewall[6].conf(5) for details. - weekdays=Mo×tart=23:00×top=01:00 +3) A new FIREWALL option has been added to shorewall[6].conf. This + option is intended to be used on an admisitrative system in + configurations of remote firewalls. It defines the DNS name or IP + address of the remote system so that the system name does not have + to be given in the remote-start, remote-reload and remote-restart + commmands. See shorewall[6](8) for details. - Will match Monday, for one hour from midnight to 1 a.m., and - then again for another hour from 23:00 onwards. If this is - unwanted, e.g. if you would like 'match for two hours from - Monday 23:00 onwards' you need to also specify the 'contiguous' - option in the example above. +4) Shorewall6 now allows more that one provider to specify the + 'balance' or 'fallback' options. - See http://www.shorewall.org/configuration_file_basics.htm#TIME for - additional TIME column examples. +5) When using port numbers (as opposed to service names), the hyphen + ("-") is now accepted as the separator in port ranges. When service + names are used, the colon (":") must still be used. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -297,6 +237,120 @@ ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 0 . 1 1 ---------------------------------------------------------------------------- +1) Minor cleanup, mostly commentary, in the Rules.pm module. + +2) In Shorewall 5.0.7, The assumed 'use Shorewall::Config(shorewall)' + statement in ?PERL and ?BEGIN PERL...?END PERL handling was + inadvertently removed. This results in Perl compilation errors if + the 'shorewall' function is invoked. The statement has now been + restored. + +3) Previously, the firewall would fail to start if the configuration + contained a CHECKSUM rule without a chain designator and + MARK_IN_FORWARD_CHAIN=No. Now, the compiler defaults these rules to + the POSTROUTING chain and forbids them in the PREROUTING chain. + +4) Recently, a case was observed where certain incoming packets had a + non-zero packet mark in the raw PREROUTING chain, causing them to + be misrouted. To guard against this issue, packet marks are now + cleared at the top of the PREROUTING and OUTPUT mangle chains when + the new ZERO_MARKS option is set to yes. Note that ZERO_MARKS=Yes + can break IPSEC in multi-ISP configurations. + +5) Two distinct problems have been corrected in the 'disable' + command logic: + + a) If a balanced or fallback interface was down or had been + deleted, then the 'disable' command could fail. + + b) If a persistent optional interface was down, then the + generated script would fail when it attempted to add routes out + of the interface. + +6) Previously, the generated script would attempt to reenable a + disabled persistent provider at each 'start', 'reload' or + 'restart'. Now, disabled persistent providers are handled the same + as other providers and require the 'enable' or 'reenable' command + to enable them. + +7) Previously, the generated script assumed that all + probability-balanced providers (those with the 'load' option + specified) were optional. 
That assumption has been removed. + +8) Previously, the permissions of files created by the 'save' command + were more relaxed than necessary. This has been corrected. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 0 . 1 2 +---------------------------------------------------------------------------- + +1) You may now place comma-separated zone lists in the SOURCE and DEST + columns in /etc/shorewall[6]/policy. + + Example: + + #SOURCE DEST POLICY ... + loc,dmz net REJECT + + That line is equivalent to: + + #SOURCE DEST POLICY ... + loc net REJECT + dmz net REJECT + + If the same zone appears in both columns, the default ACCEPT + intrazone policy is not overridden unless the list is followed + immediately by '+'. + + Example: + + #SOURCE DEST POLICY ... + dmz,loc loc,dmz+ REJECT + + That line is equivalent to: + + #SOURCE DEST POLICY ... + dmz loc REJECT + dmz dmz REJECT + loc loc REJECT + loc dmz REJECT + + Without the plus sine, it would be equivalent to + + #SOURCE DEST POLICY ... + dmz loc REJECT + loc dmz REJECT + +2) Distribution maintainers may now set a default pager via the + configure and configure.pl programs in Shorewall-core to set + DEFAULT_PAGER in the generated shorewallrc file. The + Shorewall-provided shorewallrc files for Debian currently specify + 'less' for DEFAULT_PAGER. The other shorewallrc files do not + specify DEFAULT_PAGER. + + If shorewall[6].conf does not specify PAGER then the DEFAULT_PAGER + setting is used. + +3) The 'contiguous' option is now supported in TIME columns. When the + 'timestop' value is smaller than the 'timestart' value, match this + as a single time period instead distinct intervals. + + Example: + + weekdays=Mo×tart=23:00×top=01:00 + + Will match Monday, for one hour from midnight to 1 a.m., and + then again for another hour from 23:00 onwards. If this is + unwanted, e.g. 
if you would like 'match for two hours from + Monday 23:00 onwards' you need to also specify the 'contiguous' + option in the example above. + + See http://www.shorewall.org/configuration_file_basics.htm#TIME for + additional TIME column examples. + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 0 . 1 1 +---------------------------------------------------------------------------- 1) This release contains defect repair through Shorewall 5.0.10.1. diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/Samples/one-interface/rules.annotated shorewall-5.0.13/Samples/one-interface/rules.annotated --- shorewall-5.0.12/Samples/one-interface/rules.annotated 2016-10-01 14:48:56.871250043 -0700 +++ shorewall-5.0.13/Samples/one-interface/rules.annotated 2016-10-17 09:39:56.273929984 -0700 @@ -377,10 +377,10 @@ # userspace program on queues x, x+1, .. x+n and use "x:x+n". Packets # belonging to the same connection are put into the same nfqueue. # -# NFQUEUE[([queuenumber1[,queuenumber2][,bypass]]|bypass)] +# NFQUEUE![([queuenumber1[,queuenumber2][,bypass]]|bypass)] # # like NFQUEUE but exempts the rule from being suppressed by OPTIMIZE=1 -# in shorewall6.conf(5). +# in shorewall.conf(5). # # NONAT # diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/Samples/one-interface/shorewall.conf shorewall-5.0.13/Samples/one-interface/shorewall.conf --- shorewall-5.0.12/Samples/one-interface/shorewall.conf 2016-10-01 13:49:35.000000000 -0700 +++ shorewall-5.0.13/Samples/one-interface/shorewall.conf 2016-10-17 09:29:32.000000000 -0700 
@@ -35,6 +35,12 @@ PAGER= ############################################################################### +# F I R E W A L L +############################################################################### + +FIREWALL= + +############################################################################### # L O G G I N G ############################################################################### @@ -139,16 +145,14 @@ ADMINISABSENTMINDED=Yes -BASIC_FILTERS=No - -IGNOREUNKNOWNVARIABLES=No - AUTOCOMMENT=Yes AUTOHELPERS=Yes AUTOMAKE=Yes +BASIC_FILTERS=No + BLACKLIST="NEW,INVALID,UNTRACKED" CHAIN_SCRIPTS=No @@ -183,6 +187,8 @@ HELPERS= +IGNOREUNKNOWNVARIABLES=No + IMPLICIT_CONTINUE=No INLINE_MATCHES=Yes diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/Samples/one-interface/shorewall.conf.annotated shorewall-5.0.13/Samples/one-interface/shorewall.conf.annotated --- shorewall-5.0.12/Samples/one-interface/shorewall.conf.annotated 2016-10-01 14:48:57.299678044 -0700 +++ shorewall-5.0.13/Samples/one-interface/shorewall.conf.annotated 2016-10-17 09:39:56.685929984 -0700 @@ -106,6 +106,19 @@ # DEFAULT_PAGER setting in shorewallrc. # ############################################################################### +# F I R E W A L L +############################################################################### +FIREWALL= +# +# FIREWALL=[dnsname-or-ip-address] +# +# This option was added in Shorewall 5.0.13 and may be used on an +# administrative system in directories containing the configurations of +# remote firewalls. The contents of the variable are the default value for +# the system parameter to the remote-start, remote-reload and remote-restart +# commands. +# +############################################################################### # L O G G I N G ############################################################################### BLACKLIST_LOG_LEVEL= 
@@ -703,32 +716,6 @@ # If this variable is not set or is given the empty value then # ADMINISABSENTMINDED=No is assumed. # -BASIC_FILTERS=No -# -# BASIC_FILTERS=[Yes|No] -# -# Added in Shorewall-4.6.0. When set to Yes, causes entries in -# shorewall-tcfilters(5) to generate a basic filter rather than a u32 filter. -# This setting requires the Basic Ematch capability in your kernel and -# iptables. -# -# Note -# -# One of the advantages of basic filters is that ipset matches are supported -# in newer iproute2 and kernel versions. Because Shorewall cannot reliably -# detect this capability, use of basic filters is controlled by this option. -# -# The default value is No which causes u32 filters to be generated. -# -IGNOREUNKNOWNVARIABLES=No -# -# IGNOREUNKNOWNVARIABLES=[Yes|No] -# -# Added in Shorewall 4.5.11. Normally, if an unknown shell variable is -# encountered in a configuration file (except in ?IF and ?ELSIF directives), -# the compiler raises a fatal error. If IGNOREUNKNOWNVARIABLES is set to Yes, -# then such variables simply expand to an empty string. Default is No. -# AUTOCOMMENT=Yes # # AUTOCOMMENT=[Yes|No] @@ -779,6 +766,23 @@ # restart command includes a directory name (e.g., shorewall restart /etc/ # shorewall.new). # +BASIC_FILTERS=No +# +# BASIC_FILTERS=[Yes|No] +# +# Added in Shorewall-4.6.0. When set to Yes, causes entries in +# shorewall-tcfilters(5) to generate a basic filter rather than a u32 filter. +# This setting requires the Basic Ematch capability in your kernel and +# iptables. +# +# Note +# +# One of the advantages of basic filters is that ipset matches are supported +# in newer iproute2 and kernel versions. Because Shorewall cannot reliably +# detect this capability, use of basic filters is controlled by this option. +# +# The default value is No which causes u32 filters to be generated. +# BLACKLIST="NEW,INVALID,UNTRACKED" # # BLACKLIST=[{ALL|state[,...]}] 
@@ -924,21 +928,51 @@ # DYNAMIC_BLACKLIST=Yes # -# DYNAMIC_BLACKLIST={Yes|No||ipset[-only][,src-dst][:[setname][:log_level|:l +# DYNAMIC_BLACKLIST={Yes|No||ipset[-only][,option[,...]][:[setname][:log_level|:l # og_tag]]]} # # Added in Shorewall 4.4.7. When set to No or no, chain-based dynamic -# blacklisting using the shorewall6 drop, shorewall6 reject, shorewall6 -# logdrop and shorewall6 logreject is disabled. Default is Yes. Beginning -# with Shorewall 5.0.8, ipset-based dynamic blacklisting is also supported. -# The name of the set (setname) and the level (log_level), if any, at which -# blacklisted traffic is to be logged may also be specified. The default set -# name is SW_DBL4 and the default log level is none (no logging). if -# ipset-only is given, then chain-based dynamic blacklisting is disabled just -# as if DYNAMIC_BLACKLISTING=No had been specified. Normally, only packets -# whose source address matches an entry in the ipsec are dropped. If src-dst -# is included, then packets whose destination address matches an entry in the -# ipset are also dropped. +# blacklisting using shorewall drop, shorewall reject, shorewall logdrop and +# shorewall logreject is disabled. Default is Yes. Beginning with Shorewall +# 5.0.8, ipset-based dynamic blacklisting using the shorewall blacklist +# command is also supported. The name of the set (setname) and the level ( +# log_level), if any, at which blacklisted traffic is to be logged may also +# be specified. The default set name is SW_DBL4 and the default log level is +# none (no logging). If ipset-only is given, then chain-based dynamic +# blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been +# specified. +# +# Possible options are: +# +# src-dst +# +# Normally, only packets whose source address matches an entry in the +# ipset are dropped. If src-dst is included, then packets whose +# destination address matches an entry in the ipset are also dropped. 
+# +# disconnect +# +# The disconnect option was added in Shorewall 5.0.13 and requires that +# the conntrack utility be installed on the firewall system. When an +# address is blacklisted using the blacklist command, all connections +# originating from that address are disconnected. if the src-dst option +# was also specified, then all connections to that address are also +# disconnected. +# +# timeout=seconds +# +# Added in Shorewall 5.0.13. Normally, Shorewall creates the dynamic +# blacklisting ipset with timeout 0 which means that entries are +# permanent. If you want entries in the set that are not accessed for a +# period of time to be deleted from the set, you may specify that period +# using this option. Note that the blacklist command can override the +# ipset's timeout setting. +# +# Important +# +# Once the dynamic blacklisting ipset has been created, changing this +# option setting requires a complete restart of the firewall; shorewall +# restart if RESTART=restart, otherwise shorewall stop && shorewall start # # When ipset-based dynamic blacklisting is enabled, the contents of the # blacklist will be preserved over stop/reboot/start sequences if SAVE_IPSETS 
@@ -1044,6 +1078,15 @@ # When HELPERS is specified on a system running Kernel 3.5.0 or later, # automatic association of helpers to connections is disabled. # +IGNOREUNKNOWNVARIABLES=No +# +# IGNOREUNKNOWNVARIABLES=[Yes|No] +# +# Added in Shorewall 4.5.11. Normally, if an unknown shell variable is +# encountered in a configuration file (except in ?IF and ?ELSIF directives), +# the compiler raises a fatal error. If IGNOREUNKNOWNVARIABLES is set to Yes, +# then such variables simply expand to an empty string. Default is No. +# IMPLICIT_CONTINUE=No # # IMPLICIT_CONTINUE={Yes|No} diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/Samples/three-interfaces/rules.annotated shorewall-5.0.13/Samples/three-interfaces/rules.annotated --- shorewall-5.0.12/Samples/three-interfaces/rules.annotated 2016-10-01 14:48:58.973350043 -0700 +++ shorewall-5.0.13/Samples/three-interfaces/rules.annotated 2016-10-17 09:39:58.245929984 -0700 @@ -377,10 +377,10 @@ # userspace program on queues x, x+1, .. x+n and use "x:x+n". Packets # belonging to the same connection are put into the same nfqueue. # -# NFQUEUE[([queuenumber1[,queuenumber2][,bypass]]|bypass)] +# NFQUEUE![([queuenumber1[,queuenumber2][,bypass]]|bypass)] # # like NFQUEUE but exempts the rule from being suppressed by OPTIMIZE=1 -# in shorewall6.conf(5). +# in shorewall.conf(5). # # NONAT # diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/Samples/three-interfaces/shorewall.conf shorewall-5.0.13/Samples/three-interfaces/shorewall.conf --- shorewall-5.0.12/Samples/three-interfaces/shorewall.conf 2016-10-01 13:49:35.000000000 -0700 +++ shorewall-5.0.13/Samples/three-interfaces/shorewall.conf 2016-10-17 09:29:32.000000000 -0700 
@@ -32,6 +32,12 @@ PAGER= ############################################################################### +# F I R E W A L L +############################################################################### + +FIREWALL= + +############################################################################### # L O G G I N G ############################################################################### @@ -136,16 +142,14 @@ ADMINISABSENTMINDED=Yes -BASIC_FILTERS=No - -IGNOREUNKNOWNVARIABLES=No - AUTOCOMMENT=Yes AUTOHELPERS=Yes AUTOMAKE=Yes +BASIC_FILTERS=No + BLACKLIST="NEW,INVALID,UNTRACKED" CHAIN_SCRIPTS=No @@ -180,6 +184,8 @@ HELPERS= +IGNOREUNKNOWNVARIABLES=No + IMPLICIT_CONTINUE=No INLINE_MATCHES=Yes diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/Samples/three-interfaces/shorewall.conf.annotated shorewall-5.0.13/Samples/three-interfaces/shorewall.conf.annotated --- shorewall-5.0.12/Samples/three-interfaces/shorewall.conf.annotated 2016-10-01 14:48:59.397774043 -0700 +++ shorewall-5.0.13/Samples/three-interfaces/shorewall.conf.annotated 2016-10-17 09:39:58.657929984 -0700 @@ -104,6 +104,19 @@ # DEFAULT_PAGER setting in shorewallrc. # ############################################################################### +# F I R E W A L L +############################################################################### +FIREWALL= +# +# FIREWALL=[dnsname-or-ip-address] +# +# This option was added in Shorewall 5.0.13 and may be used on an +# administrative system in directories containing the configurations of +# remote firewalls. The contents of the variable are the default value for +# the system parameter to the remote-start, remote-reload and remote-restart +# commands. +# +############################################################################### # L O G G I N G ############################################################################### BLACKLIST_LOG_LEVEL= 
@@ -701,32 +714,6 @@ # If this variable is not set or is given the empty value then # ADMINISABSENTMINDED=No is assumed. # -BASIC_FILTERS=No -# -# BASIC_FILTERS=[Yes|No] -# -# Added in Shorewall-4.6.0. When set to Yes, causes entries in -# shorewall-tcfilters(5) to generate a basic filter rather than a u32 filter. -# This setting requires the Basic Ematch capability in your kernel and -# iptables. -# -# Note -# -# One of the advantages of basic filters is that ipset matches are supported -# in newer iproute2 and kernel versions. Because Shorewall cannot reliably -# detect this capability, use of basic filters is controlled by this option. -# -# The default value is No which causes u32 filters to be generated. -# -IGNOREUNKNOWNVARIABLES=No -# -# IGNOREUNKNOWNVARIABLES=[Yes|No] -# -# Added in Shorewall 4.5.11. Normally, if an unknown shell variable is -# encountered in a configuration file (except in ?IF and ?ELSIF directives), -# the compiler raises a fatal error. If IGNOREUNKNOWNVARIABLES is set to Yes, -# then such variables simply expand to an empty string. Default is No. -# AUTOCOMMENT=Yes # # AUTOCOMMENT=[Yes|No] @@ -777,6 +764,23 @@ # restart command includes a directory name (e.g., shorewall restart /etc/ # shorewall.new). # +BASIC_FILTERS=No +# +# BASIC_FILTERS=[Yes|No] +# +# Added in Shorewall-4.6.0. When set to Yes, causes entries in +# shorewall-tcfilters(5) to generate a basic filter rather than a u32 filter. +# This setting requires the Basic Ematch capability in your kernel and +# iptables. +# +# Note +# +# One of the advantages of basic filters is that ipset matches are supported +# in newer iproute2 and kernel versions. Because Shorewall cannot reliably +# detect this capability, use of basic filters is controlled by this option. +# +# The default value is No which causes u32 filters to be generated. +# BLACKLIST="NEW,INVALID,UNTRACKED" # # BLACKLIST=[{ALL|state[,...]}] 
@@ -922,21 +926,51 @@ # DYNAMIC_BLACKLIST=Yes # -# DYNAMIC_BLACKLIST={Yes|No||ipset[-only][,src-dst][:[setname][:log_level|:l +# DYNAMIC_BLACKLIST={Yes|No||ipset[-only][,option[,...]][:[setname][:log_level|:l # og_tag]]]} # # Added in Shorewall 4.4.7. When set to No or no, chain-based dynamic -# blacklisting using the shorewall6 drop, shorewall6 reject, shorewall6 -# logdrop and shorewall6 logreject is disabled. Default is Yes. Beginning -# with Shorewall 5.0.8, ipset-based dynamic blacklisting is also supported. -# The name of the set (setname) and the level (log_level), if any, at which -# blacklisted traffic is to be logged may also be specified. The default set -# name is SW_DBL4 and the default log level is none (no logging). if -# ipset-only is given, then chain-based dynamic blacklisting is disabled just -# as if DYNAMIC_BLACKLISTING=No had been specified. Normally, only packets -# whose source address matches an entry in the ipsec are dropped. If src-dst -# is included, then packets whose destination address matches an entry in the -# ipset are also dropped. +# blacklisting using shorewall drop, shorewall reject, shorewall logdrop and +# shorewall logreject is disabled. Default is Yes. Beginning with Shorewall +# 5.0.8, ipset-based dynamic blacklisting using the shorewall blacklist +# command is also supported. The name of the set (setname) and the level ( +# log_level), if any, at which blacklisted traffic is to be logged may also +# be specified. The default set name is SW_DBL4 and the default log level is +# none (no logging). If ipset-only is given, then chain-based dynamic +# blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been +# specified. +# +# Possible options are: +# +# src-dst +# +# Normally, only packets whose source address matches an entry in the +# ipset are dropped. If src-dst is included, then packets whose +# destination address matches an entry in the ipset are also dropped. 
+# +# disconnect +# +# The disconnect option was added in Shorewall 5.0.13 and requires that +# the conntrack utility be installed on the firewall system. When an +# address is blacklisted using the blacklist command, all connections +# originating from that address are disconnected. if the src-dst option +# was also specified, then all connections to that address are also +# disconnected. +# +# timeout=seconds +# +# Added in Shorewall 5.0.13. Normally, Shorewall creates the dynamic +# blacklisting ipset with timeout 0 which means that entries are +# permanent. If you want entries in the set that are not accessed for a +# period of time to be deleted from the set, you may specify that period +# using this option. Note that the blacklist command can override the +# ipset's timeout setting. +# +# Important +# +# Once the dynamic blacklisting ipset has been created, changing this +# option setting requires a complete restart of the firewall; shorewall +# restart if RESTART=restart, otherwise shorewall stop && shorewall start # # When ipset-based dynamic blacklisting is enabled, the contents of the # blacklist will be preserved over stop/reboot/start sequences if SAVE_IPSETS 
@@ -1042,6 +1076,15 @@ # When HELPERS is specified on a system running Kernel 3.5.0 or later, # automatic association of helpers to connections is disabled. # +IGNOREUNKNOWNVARIABLES=No +# +# IGNOREUNKNOWNVARIABLES=[Yes|No] +# +# Added in Shorewall 4.5.11. Normally, if an unknown shell variable is +# encountered in a configuration file (except in ?IF and ?ELSIF directives), +# the compiler raises a fatal error. If IGNOREUNKNOWNVARIABLES is set to Yes, +# then such variables simply expand to an empty string. Default is No. +# IMPLICIT_CONTINUE=No # # IMPLICIT_CONTINUE={Yes|No} diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/Samples/two-interfaces/rules.annotated shorewall-5.0.13/Samples/two-interfaces/rules.annotated --- shorewall-5.0.12/Samples/two-interfaces/rules.annotated 2016-10-01 14:49:01.748122042 -0700 +++ shorewall-5.0.13/Samples/two-interfaces/rules.annotated 2016-10-17 09:40:00.523449984 -0700 @@ -377,10 +377,10 @@ # userspace program on queues x, x+1, .. x+n and use "x:x+n". Packets # belonging to the same connection are put into the same nfqueue. # -# NFQUEUE[([queuenumber1[,queuenumber2][,bypass]]|bypass)] +# NFQUEUE![([queuenumber1[,queuenumber2][,bypass]]|bypass)] # # like NFQUEUE but exempts the rule from being suppressed by OPTIMIZE=1 -# in shorewall6.conf(5). +# in shorewall.conf(5). # # NONAT # diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/Samples/two-interfaces/shorewall.conf shorewall-5.0.13/Samples/two-interfaces/shorewall.conf --- shorewall-5.0.12/Samples/two-interfaces/shorewall.conf 2016-10-01 13:49:35.000000000 -0700 +++ shorewall-5.0.13/Samples/two-interfaces/shorewall.conf 2016-10-17 09:29:32.000000000 -0700 
@@ -35,6 +35,12 @@ PAGER= ############################################################################### +# F I R E W A L L +############################################################################### + +FIREWALL= + +############################################################################### # L O G G I N G ############################################################################### @@ -139,16 +145,14 @@ ADMINISABSENTMINDED=Yes -BASIC_FILTERS=No - -IGNOREUNKNOWNVARIABLES=No - AUTOCOMMENT=Yes AUTOHELPERS=Yes AUTOMAKE=Yes +BASIC_FILTERS=No + BLACKLIST="NEW,INVALID,UNTRACKED" CHAIN_SCRIPTS=No @@ -183,6 +187,8 @@ HELPERS= +IGNOREUNKNOWNVARIABLES=No + IMPLICIT_CONTINUE=No INLINE_MATCHES=Yes diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/Samples/two-interfaces/shorewall.conf.annotated shorewall-5.0.13/Samples/two-interfaces/shorewall.conf.annotated --- shorewall-5.0.12/Samples/two-interfaces/shorewall.conf.annotated 2016-10-01 14:49:02.172546043 -0700 +++ shorewall-5.0.13/Samples/two-interfaces/shorewall.conf.annotated 2016-10-17 09:40:00.927853985 -0700 @@ -106,6 +106,19 @@ # DEFAULT_PAGER setting in shorewallrc. # ############################################################################### +# F I R E W A L L +############################################################################### +FIREWALL= +# +# FIREWALL=[dnsname-or-ip-address] +# +# This option was added in Shorewall 5.0.13 and may be used on an +# administrative system in directories containing the configurations of +# remote firewalls. The contents of the variable are the default value for +# the system parameter to the remote-start, remote-reload and remote-restart +# commands. +# +############################################################################### # L O G G I N G ############################################################################### BLACKLIST_LOG_LEVEL= 
@@ -703,32 +716,6 @@ # If this variable is not set or is given the empty value then # ADMINISABSENTMINDED=No is assumed. # -BASIC_FILTERS=No -# -# BASIC_FILTERS=[Yes|No] -# -# Added in Shorewall-4.6.0. When set to Yes, causes entries in -# shorewall-tcfilters(5) to generate a basic filter rather than a u32 filter. -# This setting requires the Basic Ematch capability in your kernel and -# iptables. -# -# Note -# -# One of the advantages of basic filters is that ipset matches are supported -# in newer iproute2 and kernel versions. Because Shorewall cannot reliably -# detect this capability, use of basic filters is controlled by this option. -# -# The default value is No which causes u32 filters to be generated. -# -IGNOREUNKNOWNVARIABLES=No -# -# IGNOREUNKNOWNVARIABLES=[Yes|No] -# -# Added in Shorewall 4.5.11. Normally, if an unknown shell variable is -# encountered in a configuration file (except in ?IF and ?ELSIF directives), -# the compiler raises a fatal error. If IGNOREUNKNOWNVARIABLES is set to Yes, -# then such variables simply expand to an empty string. Default is No. -# AUTOCOMMENT=Yes # # AUTOCOMMENT=[Yes|No] @@ -779,6 +766,23 @@ # restart command includes a directory name (e.g., shorewall restart /etc/ # shorewall.new). # +BASIC_FILTERS=No +# +# BASIC_FILTERS=[Yes|No] +# +# Added in Shorewall-4.6.0. When set to Yes, causes entries in +# shorewall-tcfilters(5) to generate a basic filter rather than a u32 filter. +# This setting requires the Basic Ematch capability in your kernel and +# iptables. +# +# Note +# +# One of the advantages of basic filters is that ipset matches are supported +# in newer iproute2 and kernel versions. Because Shorewall cannot reliably +# detect this capability, use of basic filters is controlled by this option. +# +# The default value is No which causes u32 filters to be generated. +# BLACKLIST="NEW,INVALID,UNTRACKED" # # BLACKLIST=[{ALL|state[,...]}] 
@@ -924,21 +928,51 @@
 # DYNAMIC_BLACKLIST=Yes
 #
-# DYNAMIC_BLACKLIST={Yes|No||ipset[-only][,src-dst][:[setname][:log_level|:l
+# DYNAMIC_BLACKLIST={Yes|No||ipset[-only][,option[,...]][:[setname][:log_level|:l
 # og_tag]]]}
 #
 # Added in Shorewall 4.4.7. When set to No or no, chain-based dynamic
-# blacklisting using the shorewall6 drop, shorewall6 reject, shorewall6
-# logdrop and shorewall6 logreject is disabled. Default is Yes. Beginning
-# with Shorewall 5.0.8, ipset-based dynamic blacklisting is also supported.
-# The name of the set (setname) and the level (log_level), if any, at which
-# blacklisted traffic is to be logged may also be specified. The default set
-# name is SW_DBL4 and the default log level is none (no logging). if
-# ipset-only is given, then chain-based dynamic blacklisting is disabled just
-# as if DYNAMIC_BLACKLISTING=No had been specified. Normally, only packets
-# whose source address matches an entry in the ipsec are dropped. If src-dst
-# is included, then packets whose destination address matches an entry in the
-# ipset are also dropped.
+# blacklisting using shorewall drop, shorewall reject, shorewall logdrop and
+# shorewall logreject is disabled. Default is Yes. Beginning with Shorewall
+# 5.0.8, ipset-based dynamic blacklisting using the shorewall blacklist
+# command is also supported. The name of the set (setname) and the level (
+# log_level), if any, at which blacklisted traffic is to be logged may also
+# be specified. The default set name is SW_DBL4 and the default log level is
+# none (no logging). If ipset-only is given, then chain-based dynamic
+# blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been
+# specified.
+#
+# Possible options are:
+#
+# src-dst
+#
+# Normally, only packets whose source address matches an entry in the
+# ipset are dropped. If src-dst is included, then packets whose
+# destination address matches an entry in the ipset are also dropped.
+#
+# disconnect
+#
+# The disconnect option was added in Shorewall 5.0.13 and requires that
+# the conntrack utility be installed on the firewall system. When an
+# address is blacklisted using the blacklist command, all connections
+# originating from that address are disconnected. if the src-dst option
+# was also specified, then all connections to that address are also
+# disconnected.
+#
+# timeout=seconds
+#
+# Added in Shorewall 5.0.13. Normally, Shorewall creates the dynamic
+# blacklisting ipset with timeout 0 which means that entries are
+# permanent. If you want entries in the set that are not accessed for a
+# period of time to be deleted from the set, you may specify that period
+# using this option. Note that the blacklist command can override the
+# ipset's timeout setting.
+#
+# Important
+#
+# Once the dynamic blacklisting ipset has been created, changing this
+# option setting requires a complete restart of the firewall; shorewall
+# restart if RESTART=restart, otherwise shorewall stop && shorewall start
 #
 # When ipset-based dynamic blacklisting is enabled, the contents of the
 # blacklist will be preserved over stop/reboot/start sequences if SAVE_IPSETS
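Review bot: In the new disconnect paragraph, `originating from that address are disconnected. if the src-dst option` starts a sentence with a lowercase `if`; the identical text appears in the Samples/Universal/shorewall.conf.annotated hunk below. The timeout paragraph says entries `not accessed for a period of time` are deleted, but an ipset timeout normally counts from when the entry was (re)added rather than from the last matching packet, so unless Shorewall refreshes entries on match a blacklisted host that keeps sending traffic would be released after `timeout` seconds; if so, the wording should read `that have been in the set for timeout seconds` (confirm against the generated ipset create/add commands). The Important note also says `changing this option setting` without naming the option — presumably `timeout`, since that is a property of the created set — and should say so.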
@@ -1044,6 +1078,15 @@
 # When HELPERS is specified on a system running Kernel 3.5.0 or later,
 # automatic association of helpers to connections is disabled.
 #
+IGNOREUNKNOWNVARIABLES=No
+#
+# IGNOREUNKNOWNVARIABLES=[Yes|No]
+#
+# Added in Shorewall 4.5.11. Normally, if an unknown shell variable is
+# encountered in a configuration file (except in ?IF and ?ELSIF directives),
+# the compiler raises a fatal error. If IGNOREUNKNOWNVARIABLES is set to Yes,
+# then such variables simply expand to an empty string. Default is No.
+#
 IMPLICIT_CONTINUE=No
 #
 # IMPLICIT_CONTINUE={Yes|No}
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/Samples/Universal/rules.annotated shorewall-5.0.13/Samples/Universal/rules.annotated
--- shorewall-5.0.12/Samples/Universal/rules.annotated 2016-10-01 14:49:03.794166043 -0700
+++ shorewall-5.0.13/Samples/Universal/rules.annotated 2016-10-17 09:40:02.481405984 -0700
@@ -373,10 +373,10 @@
 # userspace program on queues x, x+1, .. x+n and use "x:x+n". Packets
 # belonging to the same connection are put into the same nfqueue.
 #
-# NFQUEUE[([queuenumber1[,queuenumber2][,bypass]]|bypass)]
+# NFQUEUE![([queuenumber1[,queuenumber2][,bypass]]|bypass)]
 #
 # like NFQUEUE but exempts the rule from being suppressed by OPTIMIZE=1
-# in shorewall6.conf(5).
+# in shorewall.conf(5).
 #
 # NONAT
 #
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/Samples/Universal/shorewall.conf shorewall-5.0.13/Samples/Universal/shorewall.conf
--- shorewall-5.0.12/Samples/Universal/shorewall.conf 2016-10-01 13:49:35.000000000 -0700
+++ shorewall-5.0.13/Samples/Universal/shorewall.conf 2016-10-17 09:29:32.000000000 -0700
@@ -24,6 +24,12 @@ PAGER= ############################################################################### +# F I R E W A L L +############################################################################### + +FIREWALL= + +############################################################################### # L O G G I N G ############################################################################### @@ -128,16 +134,14 @@ ADMINISABSENTMINDED=Yes -BASIC_FILTERS=No - -IGNOREUNKNOWNVARIABLES=No - AUTOCOMMENT=Yes AUTOHELPERS=Yes AUTOMAKE=Yes +BASIC_FILTERS=No + BLACKLIST="NEW,INVALID,UNTRACKED" CHAIN_SCRIPTS=No @@ -172,6 +176,8 @@ HELPERS= +IGNOREUNKNOWNVARIABLES=No + IMPLICIT_CONTINUE=No INLINE_MATCHES=Yes diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/Samples/Universal/shorewall.conf.annotated shorewall-5.0.13/Samples/Universal/shorewall.conf.annotated --- shorewall-5.0.12/Samples/Universal/shorewall.conf.annotated 2016-10-01 14:49:04.238610043 -0700 +++ shorewall-5.0.13/Samples/Universal/shorewall.conf.annotated 2016-10-17 09:40:02.881805984 -0700 @@ -95,6 +95,19 @@ # DEFAULT_PAGER setting in shorewallrc. # ############################################################################### +# F I R E W A L L +############################################################################### +FIREWALL= +# +# FIREWALL=[dnsname-or-ip-address] +# +# This option was added in Shorewall 5.0.13 and may be used on an +# administrative system in directories containing the configurations of +# remote firewalls. The contents of the variable are the default value for +# the system parameter to the remote-start, remote-reload and remote-restart +# commands. +# +############################################################################### # L O G G I N G ############################################################################### BLACKLIST_LOG_LEVEL= 
@@ -692,32 +705,6 @@
 # If this variable is not set or is given the empty value then
 # ADMINISABSENTMINDED=No is assumed.
 #
-BASIC_FILTERS=No
-#
-# BASIC_FILTERS=[Yes|No]
-#
-# Added in Shorewall-4.6.0. When set to Yes, causes entries in
-# shorewall-tcfilters(5) to generate a basic filter rather than a u32 filter.
-# This setting requires the Basic Ematch capability in your kernel and
-# iptables.
-#
-# Note
-#
-# One of the advantages of basic filters is that ipset matches are supported
-# in newer iproute2 and kernel versions. Because Shorewall cannot reliably
-# detect this capability, use of basic filters is controlled by this option.
-#
-# The default value is No which causes u32 filters to be generated.
-#
-IGNOREUNKNOWNVARIABLES=No
-#
-# IGNOREUNKNOWNVARIABLES=[Yes|No]
-#
-# Added in Shorewall 4.5.11. Normally, if an unknown shell variable is
-# encountered in a configuration file (except in ?IF and ?ELSIF directives),
-# the compiler raises a fatal error. If IGNOREUNKNOWNVARIABLES is set to Yes,
-# then such variables simply expand to an empty string. Default is No.
-#
 AUTOCOMMENT=Yes
 #
 # AUTOCOMMENT=[Yes|No]
@@ -768,6 +755,23 @@
 # restart command includes a directory name (e.g., shorewall restart /etc/
 # shorewall.new).
 #
+BASIC_FILTERS=No
+#
+# BASIC_FILTERS=[Yes|No]
+#
+# Added in Shorewall-4.6.0. When set to Yes, causes entries in
+# shorewall-tcfilters(5) to generate a basic filter rather than a u32 filter.
+# This setting requires the Basic Ematch capability in your kernel and
+# iptables.
+#
+# Note
+#
+# One of the advantages of basic filters is that ipset matches are supported
+# in newer iproute2 and kernel versions. Because Shorewall cannot reliably
+# detect this capability, use of basic filters is controlled by this option.
+#
+# The default value is No which causes u32 filters to be generated.
+#
 BLACKLIST="NEW,INVALID,UNTRACKED"
 #
 # BLACKLIST=[{ALL|state[,...]}]
@@ -913,21 +917,51 @@
 # DYNAMIC_BLACKLIST=Yes
 #
-# DYNAMIC_BLACKLIST={Yes|No||ipset[-only][,src-dst][:[setname][:log_level|:l
+# DYNAMIC_BLACKLIST={Yes|No||ipset[-only][,option[,...]][:[setname][:log_level|:l
 # og_tag]]]}
 #
 # Added in Shorewall 4.4.7. When set to No or no, chain-based dynamic
-# blacklisting using the shorewall6 drop, shorewall6 reject, shorewall6
-# logdrop and shorewall6 logreject is disabled. Default is Yes. Beginning
-# with Shorewall 5.0.8, ipset-based dynamic blacklisting is also supported.
-# The name of the set (setname) and the level (log_level), if any, at which
-# blacklisted traffic is to be logged may also be specified. The default set
-# name is SW_DBL4 and the default log level is none (no logging). if
-# ipset-only is given, then chain-based dynamic blacklisting is disabled just
-# as if DYNAMIC_BLACKLISTING=No had been specified. Normally, only packets
-# whose source address matches an entry in the ipsec are dropped. If src-dst
-# is included, then packets whose destination address matches an entry in the
-# ipset are also dropped.
+# blacklisting using shorewall drop, shorewall reject, shorewall logdrop and
+# shorewall logreject is disabled. Default is Yes. Beginning with Shorewall
+# 5.0.8, ipset-based dynamic blacklisting using the shorewall blacklist
+# command is also supported. The name of the set (setname) and the level (
+# log_level), if any, at which blacklisted traffic is to be logged may also
+# be specified. The default set name is SW_DBL4 and the default log level is
+# none (no logging). If ipset-only is given, then chain-based dynamic
+# blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been
+# specified.
+#
+# Possible options are:
+#
+# src-dst
+#
+# Normally, only packets whose source address matches an entry in the
+# ipset are dropped. If src-dst is included, then packets whose
+# destination address matches an entry in the ipset are also dropped.
+#
+# disconnect
+#
+# The disconnect option was added in Shorewall 5.0.13 and requires that
+# the conntrack utility be installed on the firewall system. When an
+# address is blacklisted using the blacklist command, all connections
+# originating from that address are disconnected. if the src-dst option
+# was also specified, then all connections to that address are also
+# disconnected.
+#
+# timeout=seconds
+#
+# Added in Shorewall 5.0.13. Normally, Shorewall creates the dynamic
+# blacklisting ipset with timeout 0 which means that entries are
+# permanent. If you want entries in the set that are not accessed for a
+# period of time to be deleted from the set, you may specify that period
+# using this option. Note that the blacklist command can override the
+# ipset's timeout setting.
+#
+# Important
+#
+# Once the dynamic blacklisting ipset has been created, changing this
+# option setting requires a complete restart of the firewall; shorewall
+# restart if RESTART=restart, otherwise shorewall stop && shorewall start
 #
 # When ipset-based dynamic blacklisting is enabled, the contents of the
 # blacklist will be preserved over stop/reboot/start sequences if SAVE_IPSETS
@@ -1033,6 +1067,15 @@
 # When HELPERS is specified on a system running Kernel 3.5.0 or later,
 # automatic association of helpers to connections is disabled.
 #
+IGNOREUNKNOWNVARIABLES=No
+#
+# IGNOREUNKNOWNVARIABLES=[Yes|No]
+#
+# Added in Shorewall 4.5.11. Normally, if an unknown shell variable is
+# encountered in a configuration file (except in ?IF and ?ELSIF directives),
+# the compiler raises a fatal error. If IGNOREUNKNOWNVARIABLES is set to Yes,
+# then such variables simply expand to an empty string. Default is No.
+#
 IMPLICIT_CONTINUE=No
 #
 # IMPLICIT_CONTINUE={Yes|No}
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/shorewall.spec shorewall-5.0.13/shorewall.spec
--- shorewall-5.0.12/shorewall.spec 2016-10-01 14:48:18.456874042 -0700
+++ shorewall-5.0.13/shorewall.spec 2016-10-17 09:39:17.301929984 -0700
@@ -1,5 +1,5 @@
 %define name shorewall
-%define version 5.0.12
+%define version 5.0.13
 %define release 0base
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -86,7 +86,7 @@
 %attr(644,root,root) /usr/lib/systemd/system/shorewall.service
 %attr(0755,root,root) %dir /etc/shorewall
 %ghost %attr(0644,root,root) /etc/shorewall/isusable
-%ghost %attr(0644,root,root) /etc/shorewall/notrack
+%ghost %attr(0644,root,root) /etc/shorewall/masq
 %attr(0755,root,root) %dir /usr/share/shorewall/configfiles
 %attr(0755,root,root) %dir /usr/share/shorewall/deprecated
 %attr(0700,root,root) %dir /var/lib/shorewall
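Review bot: The %files hunk in shorewall.spec replaces the `%ghost` entry for /etc/shorewall/notrack with one for /etc/shorewall/masq, so a notrack file already present on an upgraded system stops being package-owned and is left behind with whatever mode it has, rather than being tracked and removed with the package; neither this chunk's changelog hunk nor the spec %changelog entries mention the change. If notrack is simply no longer produced, keeping the old `%ghost %attr(0644,root,root) /etc/shorewall/notrack` line next to the new one lets rpm keep accounting for leftovers, or the orphaned file should be called out in the release notes. The reason for the swap is not visible in this diff, so a one-line spec comment such as `# masq is the generated file as of 5.0.13; notrack is no longer produced` (if that is accurate) would help the next packager.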
@@ -149,6 +149,16 @@
 %doc COPYING INSTALL changelog.txt releasenotes.txt Samples
 %changelog
+* Sun Oct 16 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.13-0base
+* Sun Oct 16 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.13-0RC2
+* Sun Oct 09 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.13-0RC1
+* Tue Oct 04 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.13-0Beta2
+* Sun Oct 02 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.13-0Beta1
 * Sat Oct 01 2016 Tom Eastep tom@shorewall.net
 - Updated to 5.0.12-0base
 * Sat Oct 01 2016 Tom Eastep tom@shorewall.net
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.12/uninstall.sh shorewall-5.0.13/uninstall.sh
--- shorewall-5.0.12/uninstall.sh 2016-10-01 14:48:18.408826043 -0700
+++ shorewall-5.0.13/uninstall.sh 2016-10-17 09:39:17.285929984 -0700
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
-VERSION=5.0.12
+VERSION=5.0.13
 PRODUCT=shorewall
 usage() # $1 = exit status