diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/changelog.txt shorewall6-5.0.13/changelog.txt
--- shorewall6-5.0.12/changelog.txt 2016-10-01 14:48:18.609026043 -0700
+++ shorewall6-5.0.13/changelog.txt 2016-10-17 09:39:17.457929984 -0700
@@ -1,3 +1,58 @@
+Changes in 5.0.13 Final
+
+1) Update release documents.
+
+2) Reverse ECN fix.
+
+3) Restrict hypen in port ranges to numberic ports.
+
+4) Correct typo in process_mangle_inline().
+
+Changes in 5.0.13 RC 2
+
+1) Update release documents.
+
+2) Accept '-' as a port-range separator.
+
+3) Correct shorewall6-masq examples.
+
+4) Add -exists to ADD command with timeout
+
+5) ECN fix.
+
+Changes in 5.0.13 RC 1
+
+1) Update release documents.
+
+2) Merge fix from 5.0.12.
+
+3) Make the output of 'blacklist' dependent on the verbosity and clean
+ up that output.
+
+4) Detect bad characters in interface names.
+
+Changes in 5.0.13 Beta 2
+
+1) Update release documents.
+
+2) Add 'timeout' DYNAMIC_BLACKLISTING option
+
+3) Add FIREWALL option in shorewall[6].conf.
+
+4) Remove restrictions on IPv6 'balance' and 'fallback'.
+
+Changes in 5.0.13 Beta 1
+
+1) Update release documents.
+
+2) Roberto's typo fix in the mangle manpages.
+
+3) Reorder the entries in the .conf files in ASCII collating sequence.
+
+4) Correct DYNAMIC_BLACKLIST documentation.
+
+4) Add 'disconnect' option to the DYNAMIC_BLACKLIST setting.
+
Changes in 5.0.12 Final
1) Update release documents.
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/configfiles/mangle.annotated shorewall6-5.0.13/configfiles/mangle.annotated
--- shorewall6-5.0.12/configfiles/mangle.annotated 2016-10-01 14:49:30.140486042 -0700
+++ shorewall6-5.0.13/configfiles/mangle.annotated 2016-10-17 09:40:28.191925983 -0700
@@ -78,7 +78,7 @@
#
# Added in Shorewall 5.0.7. action must be an action declared with the
# mangle option in shorewall6-actions(5). If the action accepts
-# paramaters, they are specified as a comma-separated list within
+# parameters, they are specified as a comma-separated list within
# parentheses following the action name.
#
# ADD(ipset:flags)
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/configfiles/masq.annotated shorewall6-5.0.13/configfiles/masq.annotated
--- shorewall6-5.0.12/configfiles/masq.annotated 2016-10-01 14:49:30.452798043 -0700
+++ shorewall6-5.0.13/configfiles/masq.annotated 2016-10-17 09:40:28.519925983 -0700
@@ -317,8 +317,8 @@
# /etc/shorewall/masq:
#
# #INTERFACE SOURCE ADDRESS
-# INLINE(sit1) 0.0.0.0/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50
-# sit1 0.0.0.0/0 2001:470:a:227::2
+# INLINE(sit1) ::/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50
+# sit1 ::/0 2001:470:a:227::2
#
# If INLINE_MATCHES=Yes in shorewall6.conf(5), then these rules may be
# specified as follows:
@@ -326,8 +326,8 @@
# /etc/shorewall/masq:
#
# #INTERFACE SOURCE ADDRESS
-# sit1 0.0.0.0/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50
-# sit1 0.0.0.0/0 2001:470:a:227::2
+# sit1 ::/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50
+# sit1 ::/0 2001:470:a:227::2
#
######################################################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT IPSEC MARK USER SWITCH
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/configfiles/providers.annotated shorewall6-5.0.13/configfiles/providers.annotated
--- shorewall6-5.0.12/configfiles/providers.annotated 2016-10-01 14:49:31.978322043 -0700
+++ shorewall6-5.0.13/configfiles/providers.annotated 2016-10-17 09:40:29.951925983 -0700
@@ -82,18 +82,26 @@
# gateway router to be added to the provider's routing table. This is the
# default behavior unless overridden by a following noautosrc option.
#
-# balance
+# balance[=weight]
#
-# Added in Shorewall 4.4.25. Causes a default route to this provider's
-# gateway to be added to the main routing table (USE_DEFAULT_RT=No) or to
-# the balance routing table (USE_DEFAULT_RT=Yes). Only one provider can
-# specify this option.
+# Added in Shorewall 4.4.25. The providers that have balance specified
+# will get outbound traffic load-balanced among them. By default, all
+# interfaces with balance specified will have the same weight (1).
+# Beginning with Shorewall 5.0.13, you can change the weight of an
+# interface by specifying balance=weight where weight is the weight of
+# the route out of this interface. Prior to Shorewall 5.0.13, only one
+# provider can specify this option.
#
-# fallback
+# fallback[=weight]
#
-# Added in Shorewall 4.4.25. Causes a default route to this provider's
-# gateway to be added to the default routing table.At most one provider
-# can specify this option.
+# Added in Shorewall 4.4.25. Indicates that a default route through the
+# provider should be added to the default routing table (table 253). If a
+# weight is given, a balanced route is added with the weight of this
+# provider equal to the specified weight. If the option is given without
+# a weight, an separate default route is added through the provider's
+# gateway; the route has a metric equal to the provider's NUMBER. Prior
+# to Shorewall 5.0.13, at most one provider can specify this option and a
+# weight may not be given.
#
# track
#
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/configfiles/rules.annotated shorewall6-5.0.13/configfiles/rules.annotated
--- shorewall6-5.0.12/configfiles/rules.annotated 2016-10-01 14:49:33.231574043 -0700
+++ shorewall6-5.0.13/configfiles/rules.annotated 2016-10-17 09:40:31.143925983 -0700
@@ -359,7 +359,7 @@
# userspace program on queues x, x+1, .. x+n and use "x:x+n". Packets
# belonging to the same connection are put into the same nfqueue.
#
-# NFQUEUE[([queuenumber1[,queuenumber2][,bypass]]|bypass)]
+# NFQUEUE![([queuenumber1[,queuenumber2][,bypass]]|bypass)]
#
# like NFQUEUE but exempts the rule from being suppressed by OPTIMIZE=1
# in shorewall6.conf(5).
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/configfiles/shorewall6.conf shorewall6-5.0.13/configfiles/shorewall6.conf
--- shorewall6-5.0.12/configfiles/shorewall6.conf 2016-10-01 13:49:35.000000000 -0700
+++ shorewall6-5.0.13/configfiles/shorewall6.conf 2016-10-17 09:29:32.000000000 -0700
@@ -25,6 +25,12 @@
PAGER=
###############################################################################
+# F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
+###############################################################################
# L O G G I N G
###############################################################################
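Review bot: `FIREWALL=` is added to the shipped shorewall6.conf under a new F I R E W A L L banner with nothing in the file saying what the value is used for; only the annotated copy explains that it supplies the default `system` argument to remote-start, remote-reload and remote-restart. Since that value becomes the scp/ssh destination for the compiled firewall script whenever `system` is omitted, an administrator editing the plain file should be told it is only meaningful on an administrative system holding a remote firewall's configuration. The shipped file carries no per-option comments, so the smallest fix is one line under the banner: `# Default 'system' for remote-start/remote-reload/remote-restart (administrative systems only)`. The command-side handling is not in this diff, so whether an empty FIREWALL together with an omitted `system` yields a clear error rather than an empty host name should be confirmed there.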
@@ -121,16 +127,14 @@
ADMINISABSENTMINDED=Yes
-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No
+BASIC_FILTERS=No
+
BLACKLIST="NEW,INVALID,UNTRACKED"
CHAIN_SCRIPTS=Yes
@@ -159,6 +163,8 @@
HELPERS=
+IGNOREUNKNOWNVARIABLES=No
+
IMPLICIT_CONTINUE=No
INLINE_MATCHES=No
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/configfiles/shorewall6.conf.annotated shorewall6-5.0.13/configfiles/shorewall6.conf.annotated
--- shorewall6-5.0.12/configfiles/shorewall6.conf.annotated 2016-10-01 14:49:33.956298043 -0700
+++ shorewall6-5.0.13/configfiles/shorewall6.conf.annotated 2016-10-17 09:40:31.851925983 -0700
@@ -95,6 +95,19 @@
# DEFAULT_PAGER setting in shorewallrc.
#
###############################################################################
+# F I R E W A L L
+###############################################################################
+FIREWALL=
+#
+# FIREWALL=[dnsname-or-ip-address]
+#
+# This option was added in Shorewall 5.0.13 and may be used on an
+# administrative system in directories containing the configurations of
+# remote firewalls. The contents of the variable are the default value for
+# the system parameter to the remote-start, remote-reload and remote-restart
+# commands.
+#
+###############################################################################
# L O G G I N G
###############################################################################
BLACKLIST_LOG_LEVEL=
@@ -621,32 +634,6 @@
# If this variable is not set or is given the empty value then
# ADMINISABSENTMINDED=No is assumed.
#
-BASIC_FILTERS=No
-#
-# BASIC_FILTERS=[Yes|No]
-#
-# Added in Shorewall-4.6.0. When set to Yes, causes entries in
-# shorewall6-tcfilters(5) to generate a basic filter rather than a u32
-# filter. This setting requires the Basic Ematch capability in your kernel
-# and iptables.
-#
-# Note
-#
-# One of the advantages of basic filters is that ipset matches are supported
-# in newer iproute2 and kernel versions. Because Shorewall6 cannot reliably
-# detect this capability, use of basic filters is controlled by this option.
-#
-# The default value is No which causes u32 filters to be generated.
-#
-IGNOREUNKNOWNVARIABLES=No
-#
-# IGNOREUNKNOWNVARIABLES=[Yes|No]
-#
-# Added in Shorewall 4.5.11. Normally, if an unknown shell variable is
-# encountered in a configuration file (except in ?IF and ?ELSIF directives),
-# the compiler raises a fatal error. If IGNOREUNKNOWNVARIABLES is set to Yes,
-# then such variables simply expand to an empty string. Default is No.
-#
AUTOCOMMENT=Yes
#
# AUTOCOMMENT=[Yes|No]
@@ -697,6 +684,23 @@
# restart command includes a directory name (e.g., shorewall6 restart /etc/
# shorewall.new).
#
+BASIC_FILTERS=No
+#
+# BASIC_FILTERS=[Yes|No]
+#
+# Added in Shorewall-4.6.0. When set to Yes, causes entries in
+# shorewall6-tcfilters(5) to generate a basic filter rather than a u32
+# filter. This setting requires the Basic Ematch capability in your kernel
+# and iptables.
+#
+# Note
+#
+# One of the advantages of basic filters is that ipset matches are supported
+# in newer iproute2 and kernel versions. Because Shorewall6 cannot reliably
+# detect this capability, use of basic filters is controlled by this option.
+#
+# The default value is No which causes u32 filters to be generated.
+#
BLACKLIST="NEW,INVALID,UNTRACKED"
#
# BLACKLIST=[{ALL|state[,...]}]
@@ -805,21 +809,52 @@
#
DYNAMIC_BLACKLIST=Yes
#
-# DYNAMIC_BLACKLIST={Yes|No||ipset[-only][,src-dst][:[setname][:log_level|:l
+# DYNAMIC_BLACKLIST={Yes|No||ipset[-only][,option[,...]][:[setname][:log_level|:l
# og_tag]]]}
#
# Added in Shorewall 4.4.7. When set to No or no, chain-based dynamic
-# blacklisting using the shorewall6 drop, shorewall6 reject, shorewall6
-# logdrop and shorewall6 logreject is disabled. Default is Yes. Beginning
-# with Shorewall 5.0.8, ipset-based dynamic blacklisting is also supported.
-# The name of the set (setname) and the level (log_level), if any, at which
-# blacklisted traffic is to be logged may also be specified. The default set
-# name is SW_DBL6 and the default log level is none (no logging). if
-# ipset-only is given, then chain-based dynamic blacklisting is disabled just
-# as if DYNAMIC_BLACKLISTING=No had been specified. Normally, only packets
-# whose source address matches an entry in the ipsec are dropped. If src-dst
-# is included, then packets whose destination address matches an entry in the
-# ipset are also dropped.
+# blacklisting using shorewall6 drop, shorewall6 reject, shorewall6 logdrop
+# and shorewall6 logreject is disabled. Default is Yes. Beginning with
+# Shorewall 5.0.8, ipset-based dynamic blacklisting using shorewall6
+# blacklist is also supported. The name of the set (setname) and the level (
+# log_level), if any, at which blacklisted traffic is to be logged may also
+# be specified. The default set name is SW_DBL6 and the default log level is
+# none (no logging). if ipset-only is given, then chain-based dynamic
+# blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been
+# specified.
+#
+# Possible options are:
+#
+# src-dst
+#
+# Normally, only packets whose source address matches an entry in the
+# ipset are dropped. If src-dst is included, then packets whose
+# destination address matches an entry in the ipset are also dropped.
+#
+# disconnect
+#
+# The disconnect option was added in Shorewall 5.0.13 and requires that
+# the conntrack utility be installed on the firewall system. When an
+# address is blacklisted using the blacklist command, all connections
+# originating from that address are disconnected. if the src-dst option
+# was also specified, then all connections to that address are also
+# disconnected.
+#
+# timeout=seconds
+#
+# Added in Shorewall 5.0.13. Normally, Shorewall creates the dynamic
+# blacklisting ipset with timeout 0 which means that entries are
+# permanent. If you want entries in the set that are not accessed for a
+# period of time to be deleted from the set, you may specify that period
+# using this option. Note that the blacklist command can override the
+# ipset's timeout setting.
+#
+# Important
+#
+# Once the dynamic blacklisting ipset has been created, changing this
+# option setting requires a complete restart of the firewall; shorewall6
+# restart if RESTART=restart, otherwise shorewall6 stop && shorewall6
+# start
#
# When ipset-based dynamic blacklisting is enabled, the contents of the
# blacklist will be preserved over stop/reboot/start sequences if SAVE_IPSETS
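Review bot: The rewritten description still refers to the option by a name it does not have: the new text reads `disabled just as if DYNAMIC_BLACKLISTING=No had been specified`, while the option being documented is `DYNAMIC_BLACKLIST` (`DYNAMIC_BLACKLIST=Yes` at the top of the hunk), and the disconnect paragraph in the shorewall6.8 hunk uses the same misspelling. Since this text is what users will copy into their configuration, it should read `just as if DYNAMIC_BLACKLIST=No had been specified`. Two of the new sentences also begin with a lowercase `if` (`(no logging). if ipset-only is given` and `disconnected. if the src-dst option`), which reads as a continuation rather than a new condition.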
@@ -926,6 +961,15 @@
# When HELPERS is specified on a system running Kernel 3.5.0 or later,
# automatic association of helpers to connections is disabled.
#
+IGNOREUNKNOWNVARIABLES=No
+#
+# IGNOREUNKNOWNVARIABLES=[Yes|No]
+#
+# Added in Shorewall 4.5.11. Normally, if an unknown shell variable is
+# encountered in a configuration file (except in ?IF and ?ELSIF directives),
+# the compiler raises a fatal error. If IGNOREUNKNOWNVARIABLES is set to Yes,
+# then such variables simply expand to an empty string. Default is No.
+#
IMPLICIT_CONTINUE=No
#
# IMPLICIT_CONTINUE={Yes|No}
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/configure shorewall6-5.0.13/configure
--- shorewall6-5.0.12/configure 2016-10-01 14:48:18.609026043 -0700
+++ shorewall6-5.0.13/configure 2016-10-17 09:39:17.445929984 -0700
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=5.0.12
+VERSION=5.0.13
case "$BASH_VERSION" in
[4-9].*)
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/configure.pl shorewall6-5.0.13/configure.pl
--- shorewall6-5.0.12/configure.pl 2016-10-01 14:48:18.609026043 -0700
+++ shorewall6-5.0.13/configure.pl 2016-10-17 09:39:17.453929984 -0700
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '5.0.12'
+ VERSION => '5.0.13'
};
my %params;
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/install.sh shorewall6-5.0.13/install.sh
--- shorewall6-5.0.12/install.sh 2016-10-01 14:48:18.609026043 -0700
+++ shorewall6-5.0.13/install.sh 2016-10-17 09:39:17.457929984 -0700
@@ -22,7 +22,7 @@
# along with this program; if not, see .
#
-VERSION=5.0.12
+VERSION=5.0.13
#
# Change to the directory containing this script
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6.8 shorewall6-5.0.13/manpages/shorewall6.8
--- shorewall6-5.0.12/manpages/shorewall6.8 2016-10-01 14:49:26.965314042 -0700
+++ shorewall6-5.0.13/manpages/shorewall6.8 2016-10-17 09:40:25.083925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Administrative Commands
.\" Source: Administrative Commands
.\" Language: English
.\"
-.TH "SHOREWALL6" "8" "10/01/2016" "Administrative Commands" "Administrative Commands"
+.TH "SHOREWALL6" "8" "10/17/2016" "Administrative Commands" "Administrative Commands"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -33,9 +33,9 @@
.HP \w'\fBshorewall6\fR\ 'u
\fBshorewall6\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBadd\ {\fR \fIinterface\fR[:\fIhost\-list\fR]... \fIzone\ |\ zone\ host\-list\ \fR\fB}\fR
.HP \w'\fBshorewall6\fR\ 'u
-\fBshorewall6\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBallow\fR \fIaddress\fR
+\fBshorewall6\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBallow\fR
.HP \w'\fBshorewall6\fR\ 'u
-\fBshorewall6\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBblacklist\fR \fIaddress\fR
+\fBshorewall6\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBblacklist\fR \fIaddress\fR\ [\fIoption\ \&.\&.\&.\fR]
.HP \w'\fBshorewall6\fR\ 'u
\fBshorewall6\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBcall\fR \fIfunction\fR\ [\fIparameter\fR\ \&.\&.\&.]
.HP \w'\fBshorewall6\fR\ 'u
@@ -81,11 +81,11 @@
.HP \w'\fBshorewall6\fR\ 'u
\fBshorewall6\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBreject\fR \fIaddress\fR
.HP \w'\fBshorewall6\fR\ 'u
-\fBshorewall6\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBremote\-start\fR [\fB\-s\fR] [\fB\-c\fR] [\fB\-r\fR\ \fIroot\-user\-name\fR] [\fB\-T\fR] [\fB\-i\fR] [\fIdirectory\fR] \fIsystem\fR
+\fBshorewall6\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBremote\-start\fR [\fB\-s\fR] [\fB\-c\fR] [\fB\-r\fR\ \fIroot\-user\-name\fR] [\fB\-T\fR] [\fB\-i\fR] [[\fB\-D\fR]\fIdirectory\fR] [\fIsystem\fR]
.HP \w'\fBshorewall6\fR\ 'u
-\fBshorewall6\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBremote\-reload\fR [\fB\-s\fR] [\fB\-c\fR] [\fB\-r\fR\ \fIroot\-user\-name\fR] [\fB\-T\fR] [\fB\-i\fR] [\fIdirectory\fR] \fIsystem\fR
+\fBshorewall6\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBremote\-reload\fR [\fB\-s\fR] [\fB\-c\fR] [\fB\-r\fR\ \fIroot\-user\-name\fR] [\fB\-T\fR] [\fB\-i\fR] [[\fB\-D\fR]\fIdirectory\fR] [\fIsystem\fR]
.HP \w'\fBshorewall6\fR\ 'u
-\fBshorewall6\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBremote\-restart\fR [\fB\-s\fR] [\fB\-c\fR] [\fB\-r\fR\ \fIroot\-user\-name\fR] [\fB\-T\fR] [\fB\-i\fR] [\fIdirectory\fR] \fIsystem\fR
+\fBshorewall6\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBremote\-restart\fR [\fB\-s\fR] [\fB\-c\fR] [\fB\-r\fR\ \fIroot\-user\-name\fR] [\fB\-T\fR] [\fB\-i\fR] [[\fB\-D\fR]\fIdirectory\fR] [\fIsystem\fR]
.HP \w'\fBshorewall6\fR\ 'u
\fBshorewall6\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBreset\fR\ [\fIchain\fR\ \&.\&.\&.]
.HP \w'\fBshorewall6\fR\ 'u
@@ -248,6 +248,32 @@
\fIoption\fRs are passed to the
\fBipset add\fR
command\&.
+.sp
+If the
+\fBdisconnect\fR
+option is specified in the DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY determines the amount of information displayed:
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+If the effective verbosity is > 0, then a message giving the number of conntrack flows deleted by the command is displayed\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+If the effective verbosity is > 1, then the conntrack table entries deleted by the command are also displayed\&.
+.RE
.RE
.PP
\fBcall \fR\fB\fIfunction\fR\fR\fB [ \fR\fB\fIparameter\fR\fR\fB \&.\&.\&. ]\fR
@@ -747,7 +773,7 @@
\m[blue]\fBshorewall6\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. If an existing firewall script is used and if that script was the one that generated the current running configuration, then the running netfilter configuration will be reloaded as is so as to preserve the iptables packet and byte counters\&.
.RE
.PP
-\fBremote\-reload \fR[\-\fBs\fR] [\-\fBc\fR] [\-\fBr\fR \fIroot\-user\-name\fR] [\-\fBT\fR] [\-\fBi\fR] [ \fIdirectory\fR ] \fIsystem\fR
+\fBremote\-reload \fR[\-\fBs\fR] [\-\fBc\fR] [\-\fBr\fR \fIroot\-user\-name\fR] [\-\fBT\fR] [\-\fBi\fR] [ [ \-D ] \fIdirectory\fR ] [ \fIsystem\fR ],
.RS 4
This command was added in Shorewall 5\&.0\&.0\&.
.sp
@@ -771,7 +797,14 @@
\fIsystem\fR
using scp\&. If the copy succeeds, Shorewall6 Lite on
\fIsystem\fR
-is restarted via ssh\&.
+is restarted via ssh\&. Beginning with Shorewall 5\&.0\&.13, if
+\fIsystem\fR
+is omitted, then the FIREWALL option setting in
+\m[blue]\fBshorewall6\&.conf(5)\fR\m[]\&\s-2\u[7]\d\s+2
+is assumed\&. In that case, if you want to specify a
+\fIdirectory\fR, then the
+\fB\-D\fR
+option must be given\&.
.sp
If
\fB\-s\fR
@@ -807,7 +840,7 @@
\m[blue]\fBshorewall6\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&.
.RE
.PP
-\fBremote\- restart \fR[\-\fBs\fR] [\-\fBc\fR] [\-\fBr\fR \fIroot\-user\-name\fR] [\-\fBT\fR] [\-\fBi\fR] [ \fIdirectory\fR ] \fIsystem\fR
+\fBremote\- restart \fR[\-\fBs\fR] [\-\fBc\fR] [\-\fBr\fR \fIroot\-user\-name\fR] [\-\fBT\fR] [\-\fBi\fR] [ [ \-D ] \fIdirectory\fR ] [ \fIsystem\fR ]
.RS 4
This command was renamed from
\fBreload\fR
@@ -835,6 +868,15 @@
\fIsystem\fR
is restarted via ssh\&.
.sp
+Beginning with Shorewall 5\&.0\&.13, if
+\fIsystem\fR
+is omitted, then the FIREWALL option setting in
+\m[blue]\fBshorewall6\&.conf(5)\fR\m[]\&\s-2\u[7]\d\s+2
+is assumed\&. In that case, if you want to specify a
+\fIdirectory\fR, then the
+\fB\-D\fR
+option must be given\&.
+.sp
If
\fB\-s\fR
is specified and the
@@ -869,7 +911,7 @@
\m[blue]\fBshorewall6\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&.
.RE
.PP
-\fBremote\-start \fR [\-\fBs\fR] [\-\fBc\fR] [\-\fBr\fR \fIroot\-user\-name\fR] [\-\fBT\fR] [\-\fBi\fR] [ \fIdirectory\fR ] \fIsystem\fR
+\fBremote\-start \fR [\-\fBs\fR] [\-\fBc\fR] [\-\fBr\fR \fIroot\-user\-name\fR] [\-\fBT\fR] [\-\fBi\fR] [ [\-D ] \fIdirectory\fR ] [ \fIsystem\fR ]
.RS 4
This command was added in Shorewall 5\&.0\&.0\&.
.sp
@@ -893,7 +935,14 @@
\fIsystem\fR
using scp\&. If the copy succeeds, Shorewall6 Lite on
\fIsystem\fR
-is started via ssh\&.
+is started via ssh\&. Beginning with Shorewall 5\&.0\&.13, if
+\fIsystem\fR
+is omitted, then the FIREWALL option setting in
+\m[blue]\fBshorewall6\&.conf(5)\fR\m[]\&\s-2\u[7]\d\s+2
+is assumed\&. In that case, if you want to specify a
+\fIdirectory\fR, then the
+\fB\-D\fR
+option must be given\&.
.sp
If
\fB\-s\fR
@@ -1362,9 +1411,9 @@
\fBstop \fR[\-\fBf\fR]
.RS 4
Stops the firewall\&. All existing connections, except those listed in
-\m[blue]\fBshorewall6\-routestopped\fR\m[]\&\s-2\u[7]\d\s+2(5) or permitted by the ADMINISABSENTMINDED option in
+\m[blue]\fBshorewall6\-routestopped\fR\m[]\&\s-2\u[8]\d\s+2(5) or permitted by the ADMINISABSENTMINDED option in
\m[blue]\fBshorewall6\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5), are taken down\&. The only new traffic permitted through the firewall is from systems listed in
-\m[blue]\fBshorewall6\-routestopped\fR\m[]\&\s-2\u[7]\d\s+2(5) or by ADMINISABSENTMINDED\&.
+\m[blue]\fBshorewall6\-routestopped\fR\m[]\&\s-2\u[8]\d\s+2(5) or by ADMINISABSENTMINDED\&.
.sp
If
\fB\-f\fR
@@ -1582,7 +1631,7 @@
The
\fB\-i\fR
option was added in Shorewall 4\&.6\&.0 and causes a warning message to be issued if the current line contains alternative input specifications following a semicolon (";")\&. Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[8]\d\s+2(5)\&.
+\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[9]\d\s+2(5)\&.
.sp
The
\fB\-A\fR
@@ -1621,7 +1670,7 @@
SHOREWALL_INIT_SCRIPT
.RS 4
When set to 1, causes Std out to be redirected to the file specified in the STARTUP_LOG option in
-\m[blue]\fBshorewall6\&.conf(5)\fR\m[]\&\s-2\u[9]\d\s+2\&.
+\m[blue]\fBshorewall6\&.conf(5)\fR\m[]\&\s-2\u[7]\d\s+2\&.
.RE
.PP
SW_LOGGERTAG
@@ -1665,19 +1714,19 @@
\%http://www.shorewall.net/shorewall_logging.html#Backends
.RE
.IP " 7." 4
-shorewall6-routestopped
+shorewall6.conf(5)
.RS 4
-\%http://www.shorewall.net/manpages6/shorewall6-routestopped.html
+\%http://www.shorewall.netshorewall6.conf.html
.RE
.IP " 8." 4
-shorewall.conf
+shorewall6-routestopped
.RS 4
-\%http://www.shorewall.net/manpages/shorewall.conf.html
+\%http://www.shorewall.net/manpages6/shorewall6-routestopped.html
.RE
.IP " 9." 4
-shorewall6.conf(5)
+shorewall.conf
.RS 4
-\%http://www.shorewall.netshorewall6.conf.html
+\%http://www.shorewall.net/manpages/shorewall.conf.html
.RE
.IP "10." 4
http://www.shorewall.net/starting_and_stopping_shorewall.htm
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-accounting.5 shorewall6-5.0.13/manpages/shorewall6-accounting.5
--- shorewall6-5.0.12/manpages/shorewall6-accounting.5 2016-10-01 14:49:05.175546042 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-accounting.5 2016-10-17 09:40:03.782705983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-accounting
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-ACCOUNTI" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-ACCOUNTI" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-actions.5 shorewall6-5.0.13/manpages/shorewall6-actions.5
--- shorewall6-5.0.12/manpages/shorewall6-actions.5 2016-10-01 14:49:05.748118043 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-actions.5 2016-10-17 09:40:04.339261983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-actions
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-ACTIONS" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-ACTIONS" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-blrules.5 shorewall6-5.0.13/manpages/shorewall6-blrules.5
--- shorewall6-5.0.12/manpages/shorewall6-blrules.5 2016-10-01 14:49:06.328698043 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-blrules.5 2016-10-17 09:40:04.911833984 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-blrules
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-BLRULES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-BLRULES" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6.conf.5 shorewall6-5.0.13/manpages/shorewall6.conf.5
--- shorewall6-5.0.12/manpages/shorewall6.conf.5 2016-10-01 14:49:08.310678043 -0700
+++ shorewall6-5.0.13/manpages/shorewall6.conf.5 2016-10-17 09:40:06.887925984 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6.conf
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\&.CONF" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\&.CONF" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -518,25 +518,71 @@
Causes Shorewall6 to not load the listed kernel modules\&.
.RE
.PP
-\fBDYNAMIC_BLACKLIST=\fR{\fBYes\fR|\fBNo\fR||\fBipset\fR[\fB\-only\fR][,\fBsrc\-dst\fR][:[\fIsetname\fR][:\fIlog_level\fR|:l\fIog_tag\fR]]]}
+\fBDYNAMIC_BLACKLIST=\fR{\fBYes\fR|\fBNo\fR||\fBipset\fR[\fB\-only\fR][\fI,option\fR[,\&.\&.\&.]][:[\fIsetname\fR][:\fIlog_level\fR|:l\fIog_tag\fR]]]}
.RS 4
Added in Shorewall 4\&.4\&.7\&. When set to
\fBNo\fR
or
-\fBno\fR, chain\-based dynamic blacklisting using the
+\fBno\fR, chain\-based dynamic blacklisting using
\fBshorewall6 drop\fR,
\fBshorewall6 reject\fR,
\fBshorewall6 logdrop\fR
and
\fBshorewall6 logreject\fR
is disabled\&. Default is
-\fBYes\fR\&. Beginning with Shorewall 5\&.0\&.8, ipset\-based dynamic blacklisting is also supported\&. The name of the set (\fIsetname\fR) and the level (\fIlog_level\fR), if any, at which blacklisted traffic is to be logged may also be specified\&. The default set name is SW_DBL6 and the default log level is
+\fBYes\fR\&. Beginning with Shorewall 5\&.0\&.8, ipset\-based dynamic blacklisting using
+\fBshorewall6 blacklist\fR
+is also supported\&. The name of the set (\fIsetname\fR) and the level (\fIlog_level\fR), if any, at which blacklisted traffic is to be logged may also be specified\&. The default set name is SW_DBL6 and the default log level is
\fBnone\fR
(no logging)\&. if
\fBipset\-only\fR
-is given, then chain\-based dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been specified\&. Normally, only packets whose source address matches an entry in the ipsec are dropped\&. If
+is given, then chain\-based dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been specified\&.
+.sp
+Possible
+\fIoption\fRs are:
+.PP
+src\-dst
+.RS 4
+Normally, only packets whose source address matches an entry in the ipset are dropped\&. If
\fBsrc\-dst\fR
is included, then packets whose destination address matches an entry in the ipset are also dropped\&.
+.RE
+.PP
+\fBdisconnect\fR
+.RS 4
+The
+\fBdisconnect\fR
+option was added in Shorewall 5\&.0\&.13 and requires that the conntrack utility be installed on the firewall system\&. When an address is blacklisted using the
+\fBblacklist\fR
+command, all connections originating from that address are disconnected\&. if the
+\fBsrc\-dst\fR
+option was also specified, then all connections to that address are also disconnected\&.
+.RE
+.PP
+\fBtimeout\fR=\fIseconds\fR
+.RS 4
+Added in Shorewall 5\&.0\&.13\&. Normally, Shorewall creates the dynamic blacklisting ipset with timeout 0 which means that entries are permanent\&. If you want entries in the set that are not accessed for a period of time to be deleted from the set, you may specify that period using this option\&. Note that the
+\fBblacklist\fR
+command can override the ipset\*(Aqs timeout setting\&.
+.if n \{\
+.sp
+.\}
+.RS 4
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.ps +1
+\fBImportant\fR
+.ps -1
+.br
+Once the dynamic blacklisting ipset has been created, changing this option setting requires a complete restart of the firewall;
+\fBshorewall6 restart\fR
+if RESTART=restart, otherwise
+\fBshorewall6 stop && shorewall6 start\fR
+.sp .5v
+.RE
+.RE
.sp
When ipset\-based dynamic blacklisting is enabled, the contents of the blacklist will be preserved over
\fBstop\fR/\fBreboot\fR/\fBstart\fR
@@ -584,6 +630,18 @@
\m[blue]\fBshorewall6\-rules\fR\m[]\&\s-2\u[6]\d\s+2(5)\&.
.RE
.PP
+\fBFIREWALL\fR=[\fIdnsname\-or\-ip\-address\fR]
+.RS 4
+This option was added in Shorewall 5\&.0\&.13 and may be used on an administrative system in directories containing the configurations of remote firewalls\&. The contents of the variable are the default value for the
+\fIsystem\fR
+parameter to the
+\fBremote\-start\fR,
+\fBremote\-reload\fR
+and
+\fBremote\-restart\fR
+commands\&.
+.RE
+.PP
\fBFORWARD_CLEAR_MARK=\fR{\fBYes\fR|\fBNo\fR}
.RS 4
Added in Shorewall 4\&.4\&.11\&. Traditionally, Shorewall has cleared the packet mark in the first rule in the mangle FORWARD chain\&. This behavior is maintained with the default setting of this option (FORWARD_CLEAR_MARK=Yes)\&. If FORWARD_CLEAR_MARK is set to \*(AqNo\*(Aq, packet marks set in the mangle PREROUTING chain are retained in the FORWARD chains\&.
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-conntrack.5 shorewall6-5.0.13/manpages/shorewall6-conntrack.5
--- shorewall6-5.0.12/manpages/shorewall6-conntrack.5 2016-10-01 14:49:08.963330043 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-conntrack.5 2016-10-17 09:40:07.583925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-conntrack
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-CONNTRAC" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-CONNTRAC" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-exclusion.5 shorewall6-5.0.13/manpages/shorewall6-exclusion.5
--- shorewall6-5.0.12/manpages/shorewall6-exclusion.5 2016-10-01 14:49:09.531898043 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-exclusion.5 2016-10-17 09:40:08.107925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-exclusion
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-EXCLUSIO" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-EXCLUSIO" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-hosts.5 shorewall6-5.0.13/manpages/shorewall6-hosts.5
--- shorewall6-5.0.12/manpages/shorewall6-hosts.5 2016-10-01 14:49:10.092458043 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-hosts.5 2016-10-17 09:40:08.699925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-hosts
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-HOSTS" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-HOSTS" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-interfaces.5 shorewall6-5.0.13/manpages/shorewall6-interfaces.5
--- shorewall6-5.0.12/manpages/shorewall6-interfaces.5 2016-10-01 14:49:10.745110043 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-interfaces.5 2016-10-17 09:40:09.323925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-interfaces
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-INTERFAC" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-INTERFAC" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-ipsets.5 shorewall6-5.0.13/manpages/shorewall6-ipsets.5
--- shorewall6-5.0.12/manpages/shorewall6-ipsets.5 2016-10-01 14:49:11.313678042 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-ipsets.5 2016-10-17 09:40:09.855925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-ipsets
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-IPSETS" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-IPSETS" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-maclist.5 shorewall6-5.0.13/manpages/shorewall6-maclist.5
--- shorewall6-5.0.12/manpages/shorewall6-maclist.5 2016-10-01 14:49:11.902266043 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-maclist.5 2016-10-17 09:40:10.407925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-maclist
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-MACLIST" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-MACLIST" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-mangle.5 shorewall6-5.0.13/manpages/shorewall6-mangle.5
--- shorewall6-5.0.12/manpages/shorewall6-mangle.5 2016-10-01 14:49:12.759122043 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-mangle.5 2016-10-17 09:40:11.223925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-mangle
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-MANGLE" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-MANGLE" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -136,7 +136,7 @@
must be an action declared with the
\fBmangle\fR
option in
-\m[blue]\fBshorewall6\-actions(5)\fR\m[]\&\s-2\u[6]\d\s+2\&. If the action accepts paramaters, they are specified as a comma\-separated list within parentheses following the
+\m[blue]\fBshorewall6\-actions(5)\fR\m[]\&\s-2\u[6]\d\s+2\&. If the action accepts parameters, they are specified as a comma\-separated list within parentheses following the
\fIaction\fR
name\&.
.RE
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-masq.5 shorewall6-5.0.13/manpages/shorewall6-masq.5
--- shorewall6-5.0.12/manpages/shorewall6-masq.5 2016-10-01 14:49:13.375738043 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-masq.5 2016-10-17 09:40:11.795925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-masq
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-MASQ" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-MASQ" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -428,8 +428,8 @@
/etc/shorewall/masq:
#INTERFACE SOURCE ADDRESS
- INLINE(sit1) 0\&.0\&.0\&.0/0 2001:470:a:227::1 ; \-m statistic \-\-mode random \-\-probability 0\&.50
- sit1 0\&.0\&.0\&.0/0 2001:470:a:227::2
+ INLINE(sit1) ::/0 2001:470:a:227::1 ; \-m statistic \-\-mode random \-\-probability 0\&.50
+ sit1 ::/0 2001:470:a:227::2
.fi
.if n \{\
.RE
@@ -445,8 +445,8 @@
/etc/shorewall/masq:
#INTERFACE SOURCE ADDRESS
- sit1 0\&.0\&.0\&.0/0 2001:470:a:227::1 ; \-m statistic \-\-mode random \-\-probability 0\&.50
- sit1 0\&.0\&.0\&.0/0 2001:470:a:227::2
+ sit1 ::/0 2001:470:a:227::1 ; \-m statistic \-\-mode random \-\-probability 0\&.50
+ sit1 ::/0 2001:470:a:227::2
.fi
.if n \{\
.RE
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-modules.5 shorewall6-5.0.13/manpages/shorewall6-modules.5
--- shorewall6-5.0.12/manpages/shorewall6-modules.5 2016-10-01 14:49:13.928290042 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-modules.5 2016-10-17 09:40:12.359925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-modules
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-MODULES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-MODULES" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-nat.5 shorewall6-5.0.13/manpages/shorewall6-nat.5
--- shorewall6-5.0.12/manpages/shorewall6-nat.5 2016-10-01 14:49:14.476838042 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-nat.5 2016-10-17 09:40:12.943925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-nat
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-NAT" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-NAT" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-nesting.5 shorewall6-5.0.13/manpages/shorewall6-nesting.5
--- shorewall6-5.0.12/manpages/shorewall6-nesting.5 2016-10-01 14:49:15.025386043 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-nesting.5 2016-10-17 09:40:13.495925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-nesting
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-NESTING" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-NESTING" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-netmap.5 shorewall6-5.0.13/manpages/shorewall6-netmap.5
--- shorewall6-5.0.12/manpages/shorewall6-netmap.5 2016-10-01 14:49:15.597958043 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-netmap.5 2016-10-17 09:40:14.031925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-netmap
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-NETMAP" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-NETMAP" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-params.5 shorewall6-5.0.13/manpages/shorewall6-params.5
--- shorewall6-5.0.12/manpages/shorewall6-params.5 2016-10-01 14:49:16.138498043 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-params.5 2016-10-17 09:40:14.559925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-params
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-PARAMS" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-PARAMS" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-policy.5 shorewall6-5.0.13/manpages/shorewall6-policy.5
--- shorewall6-5.0.12/manpages/shorewall6-policy.5 2016-10-01 14:49:16.719078042 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-policy.5 2016-10-17 09:40:15.131925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-policy
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-POLICY" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-POLICY" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-providers.5 shorewall6-5.0.13/manpages/shorewall6-providers.5
--- shorewall6-5.0.12/manpages/shorewall6-providers.5 2016-10-01 14:49:17.327686043 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-providers.5 2016-10-17 09:40:15.763925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-providers
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-PROVIDER" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-PROVIDER" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -135,20 +135,28 @@
option\&.
.RE
.PP
-\fBbalance\fR
+\fBbalance[=\fR\fB\fIweight\fR\fR\fB]\fR
.RS 4
-Added in Shorewall 4\&.4\&.25\&. Causes a default route to this provider\*(Aqs gateway to be added to the
-\fBmain\fR
-routing table (USE_DEFAULT_RT=No) or to the
+Added in Shorewall 4\&.4\&.25\&. The providers that have
\fBbalance\fR
-routing table (USE_DEFAULT_RT=Yes)\&. Only one provider can specify this option\&.
+specified will get outbound traffic load\-balanced among them\&. By default, all interfaces with
+\fBbalance\fR
+specified will have the same weight (1)\&. Beginning with Shorewall 5\&.0\&.13, you can change the weight of an interface by specifying
+\fBbalance=\fR\fIweight\fR
+where
+\fIweight\fR
+is the weight of the route out of this interface\&. Prior to Shorewall 5\&.0\&.13, only one provider can specify this option\&.
.RE
.PP
-\fBfallback\fR
+\fBfallback[=\fR\fB\fIweight\fR\fR\fB]\fR
.RS 4
-Added in Shorewall 4\&.4\&.25\&. Causes a default route to this provider\*(Aqs gateway to be added to the
-\fBdefault\fR
-routing table\&.At most one provider can specify this option\&.
+Added in Shorewall 4\&.4\&.25\&. Indicates that a default route through the provider should be added to the default routing table (table 253)\&. If a
+\fIweight\fR
+is given, a balanced route is added with the weight of this provider equal to the specified
+\fIweight\fR\&. If the option is given without a
+\fIweight\fR, an separate default route is added through the provider\*(Aqs gateway; the route has a metric equal to the provider\*(Aqs NUMBER\&. Prior to Shorewall 5\&.0\&.13, at most one provider can specify this option and a
+\fIweight\fR
+may not be given\&.
.RE
.PP
\fBtrack\fR
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-proxyndp.5 shorewall6-5.0.13/manpages/shorewall6-proxyndp.5
--- shorewall6-5.0.12/manpages/shorewall6-proxyndp.5 2016-10-01 14:49:17.876234042 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-proxyndp.5 2016-10-17 09:40:16.287925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-proxyndp
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-PROXYNDP" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-PROXYNDP" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-routes.5 shorewall6-5.0.13/manpages/shorewall6-routes.5
--- shorewall6-5.0.12/manpages/shorewall6-routes.5 2016-10-01 14:49:18.420778043 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-routes.5 2016-10-17 09:40:16.831925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-routes
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-ROUTES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-ROUTES" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-rtrules.5 shorewall6-5.0.13/manpages/shorewall6-rtrules.5
--- shorewall6-5.0.12/manpages/shorewall6-rtrules.5 2016-10-01 14:49:18.985342043 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-rtrules.5 2016-10-17 09:40:17.379925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-rtrules
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-RTRULES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-RTRULES" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-rules.5 shorewall6-5.0.13/manpages/shorewall6-rules.5
--- shorewall6-5.0.12/manpages/shorewall6-rules.5 2016-10-01 14:49:20.086442043 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-rules.5 2016-10-17 09:40:18.451925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-rules
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-RULES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-RULES" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -464,7 +464,7 @@
can be given\&. By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued are dropped\&. When this option is used, the NFQUEUE rule is silently bypassed instead\&. The packet will move on to the next rule\&. Also beginning in Shorewall 4\&.6\&.10, a second queue number (\fIqueuenumber2\fR) may be specified\&. This specifies a range of queues to use\&. Packets are then balanced across the given queues\&. This is useful for multicore systems: start multiple instances of the userspace program on queues x, x+1, \&.\&. x+n and use "x:x+n"\&. Packets belonging to the same connection are put into the same nfqueue\&.
.RE
.PP
-\fB\fBNFQUEUE\fR\fR\fB[([\fR\fB\fIqueuenumber1\fR\fR\fB[,\fR\fB\fIqueuenumber2\fR\fR\fB][,bypass]]|bypass)]\fR
+\fB\fBNFQUEUE!\fR\fR\fB[([\fR\fB\fIqueuenumber1\fR\fR\fB[,\fR\fB\fIqueuenumber2\fR\fR\fB][,bypass]]|bypass)]\fR
.RS 4
like NFQUEUE but exempts the rule from being suppressed by OPTIMIZE=1 in
\m[blue]\fBshorewall6\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&.
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-secmarks.5 shorewall6-5.0.13/manpages/shorewall6-secmarks.5
--- shorewall6-5.0.12/manpages/shorewall6-secmarks.5 2016-10-01 14:49:20.699054043 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-secmarks.5 2016-10-17 09:40:19.015925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-secmarks
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-SECMARKS" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-SECMARKS" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-stoppedrules.5 shorewall6-5.0.13/manpages/shorewall6-stoppedrules.5
--- shorewall6-5.0.12/manpages/shorewall6-stoppedrules.5 2016-10-01 14:49:21.267622043 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-stoppedrules.5 2016-10-17 09:40:19.551925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-stoppedrules
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-STOPPEDR" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-STOPPEDR" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-tcclasses.5 shorewall6-5.0.13/manpages/shorewall6-tcclasses.5
--- shorewall6-5.0.12/manpages/shorewall6-tcclasses.5 2016-10-01 14:49:21.888242042 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-tcclasses.5 2016-10-17 09:40:20.151925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-tcclasses
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-TCCLASSE" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-TCCLASSE" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-tcdevices.5 shorewall6-5.0.13/manpages/shorewall6-tcdevices.5
--- shorewall6-5.0.12/manpages/shorewall6-tcdevices.5 2016-10-01 14:49:22.464818043 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-tcdevices.5 2016-10-17 09:40:20.691925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-tcdevices
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-TCDEVICE" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-TCDEVICE" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-tcfilters.5 shorewall6-5.0.13/manpages/shorewall6-tcfilters.5
--- shorewall6-5.0.12/manpages/shorewall6-tcfilters.5 2016-10-01 14:49:23.057410043 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-tcfilters.5 2016-10-17 09:40:21.239925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-tcfilters
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-TCFILTER" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-TCFILTER" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-tcinterfaces.5 shorewall6-5.0.13/manpages/shorewall6-tcinterfaces.5
--- shorewall6-5.0.12/manpages/shorewall6-tcinterfaces.5 2016-10-01 14:49:23.625978043 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-tcinterfaces.5 2016-10-17 09:40:21.771925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-tcinterfaces
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-TCINTERF" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-TCINTERF" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-tcpri.5 shorewall6-5.0.13/manpages/shorewall6-tcpri.5
--- shorewall6-5.0.12/manpages/shorewall6-tcpri.5 2016-10-01 14:49:24.186538043 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-tcpri.5 2016-10-17 09:40:22.295925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-tcpri
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-TCPRI" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-TCPRI" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-tunnels.5 shorewall6-5.0.13/manpages/shorewall6-tunnels.5
--- shorewall6-5.0.12/manpages/shorewall6-tunnels.5 2016-10-01 14:49:24.763114043 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-tunnels.5 2016-10-17 09:40:22.843925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-tunnels
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-TUNNELS" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-TUNNELS" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-vardir.5 shorewall6-5.0.13/manpages/shorewall6-vardir.5
--- shorewall6-5.0.12/manpages/shorewall6-vardir.5 2016-10-01 14:49:25.303654043 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-vardir.5 2016-10-17 09:40:23.371925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-vardir
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-VARDIR" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-VARDIR" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/manpages/shorewall6-zones.5 shorewall6-5.0.13/manpages/shorewall6-zones.5
--- shorewall6-5.0.12/manpages/shorewall6-zones.5 2016-10-01 14:49:27.625974043 -0700
+++ shorewall6-5.0.13/manpages/shorewall6-zones.5 2016-10-17 09:40:25.719925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-zones
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-ZONES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-ZONES" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/releasenotes.txt shorewall6-5.0.13/releasenotes.txt
--- shorewall6-5.0.12/releasenotes.txt 2016-10-01 14:48:18.609026043 -0700
+++ shorewall6-5.0.13/releasenotes.txt 2016-10-17 09:39:17.457929984 -0700
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 5 . 0 . 1 2
+ S H O R E W A L L 5 . 0 . 1 3
----------------------------
- O c t o b e r 0 3 , 2 0 1 6
+ O c t o b e r 1 8, 2 0 1 6
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,48 +14,15 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) Minor cleanup, mostly commentary, in the Rules.pm module.
-
-2) In Shorewall 5.0.7, The assumed 'use Shorewall::Config(shorewall)'
- statement in ?PERL and ?BEGIN PERL...?END PERL handling was
- inadvertently removed. This results in Perl compilation errors if
- the 'shorewall' function is invoked. The statement has now been
- restored.
-
-3) Previously, the firewall would fail to start if the configuration
- contained a CHECKSUM rule without a chain designator and
- MARK_IN_FORWARD_CHAIN=No. Now, the compiler defaults these rules to
- the POSTROUTING chain and forbids them in the PREROUTING chain.
-
-4) Recently, a case was observed where certain incoming packets had a
- non-zero packet mark in the raw PREROUTING chain, causing them to
- be misrouted. To guard against this issue, packet marks are now
- cleared at the top of the PREROUTING and OUTPUT mangle chains when
- the new ZERO_MARKS option is set to yes. Note that ZERO_MARKS=Yes
- can break IPSEC in multi-ISP configurations.
-
-5) Two distinct problems have been corrected in the 'disable'
- command logic:
-
- a) If a balanced or fallback interface was down or had been
- deleted, then the 'disable' command could fail.
-
- b) If a persistent optional interface was down, then the
- generated script would fail when it attempted to add routes out
- of the interface.
-
-6) Previously, the generated script would attempt to reenable a
- disabled persistent provider at each 'start', 'reload' or
- 'restart'. Now, disabled persistent providers are handled the same
- as other providers and require the 'enable' or 'reenable' command
- to enable them.
+1) This release contains defect repair from 5.0.12.1.
-7) Previously, the generated script assumed that all
- probability-balanced providers (those with the 'load' option
- specified) were optional. That assumption has been removed.
+2) The compiler now detects shell metacharacters in interface names
+ defined in /etc/shorewall[6]/interfaces. Previously, such
+ characters could cause runtime failures in the generated script.
-8) Previously, the permissions of files created by the 'save' command
- were more relaxed than necessary. This has been corrected.
+3) Previously, the compiler ignored DEST column entries in inline
+ mangle action bodies. That value is now used unless it is '-', in
+ which case the DEST column value in the action invocation is used.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
@@ -72,69 +39,42 @@
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) You may now place comma-separated zone lists in the SOURCE and DEST
- columns in /etc/shorewall[6]/policy.
-
- Example:
-
- #SOURCE DEST POLICY ...
- loc,dmz net REJECT
-
- That line is equivalent to:
-
- #SOURCE DEST POLICY ...
- loc net REJECT
- loc dmz REJECT
-
- If the same zone appears in both columns, the default ACCEPT
- intrazone policy is not overridden unless the list is followed
- immediately by '+'.
-
- Example:
-
- #SOURCE DEST POLICY ...
- dmz,loc loc,dmz+ REJECT
-
- That line is equivalent to:
-
- #SOURCE DEST POLICY ...
- dmz loc REJECT
- dmz dmz REJECT
- loc loc REJECT
- loc dmz REJECT
-
- Without the plus sine, it would be equivalent to
-
- #SOURCE DEST POLICY ...
- dmz loc REJECT
- loc dmz REJECT
-
-2) Distribution maintainers may now set a default pager via the
- configure and configure.pl programs in Shorewall-core to set
- DEFAULT_PAGER in the generated shorewallrc file. The
- Shorewall-provided shorewallrc files for Debian currently specify
- 'less' for DEFAULT_PAGER. The other shorewallrc files do not
- specify DEFAULT_PAGER.
+1) A 'disconnect' option has been added to the DYNAMIC_BLACKLIST
+ setting. The option is only accepted for ipset-based dynamic
+ blacklisting and requires that the 'conntrack' utility be
+ installed. See shorewall[6].conf(5) for details.
- If shorewall[6].conf does not specify PAGER then the DEFAULT_PAGER
- setting is used.
+ With this option, when an address is blackliseted using the
+ 'blacklist' command, the conntrack utility is used to break all
+ connections from that address. If the 'src-dst' option is also
+ specified in the BLACKLIST setting, then all connections to the
+ address are also broken. If the effective VERBOSITY is greater than
+ 0, then a messages is displayed that indicated the number of flows
+ deleted by the command. If the effective VERBOSITY is 2, the
+ conntrack entries delected by the command are also displayed.
-3) The 'contiguous' option is now supported in TIME columns. When the
- 'timestop' value is smaller than the 'timestart' value, match this
- as a single time period instead distinct intervals.
+ This option is more efficient for packet processing than including
+ the ESTABLISHED state in the BLACKLIST setting.
- Example:
+2) A 'timeout' option has been added to the DYNAMIC_BLACKLIST setting.
+ The option is only accepted for ipset-based dynamic blacklisting
+ and causes entries in the blacklist ipset to be automatically
+ deleted if they are not matched within a specified time. See
+ shorewall[6].conf(5) for details.
- weekdays=Mo×tart=23:00×top=01:00
+3) A new FIREWALL option has been added to shorewall[6].conf. This
+ option is intended to be used on an admisitrative system in
+ configurations of remote firewalls. It defines the DNS name or IP
+ address of the remote system so that the system name does not have
+ to be given in the remote-start, remote-reload and remote-restart
+ commmands. See shorewall[6](8) for details.
- Will match Monday, for one hour from midnight to 1 a.m., and
- then again for another hour from 23:00 onwards. If this is
- unwanted, e.g. if you would like 'match for two hours from
- Monday 23:00 onwards' you need to also specify the 'contiguous'
- option in the example above.
+4) Shorewall6 now allows more that one provider to specify the
+ 'balance' or 'fallback' options.
- See http://www.shorewall.org/configuration_file_basics.htm#TIME for
- additional TIME column examples.
+5) When using port numbers (as opposed to service names), the hyphen
+ ("-") is now accepted as the separator in port ranges. When service
+ names are used, the colon (":") must still be used.
----------------------------------------------------------------------------
I V. M I G R A T I O N I S S U E S
@@ -297,6 +237,120 @@
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 0 . 1 1
----------------------------------------------------------------------------
+1) Minor cleanup, mostly commentary, in the Rules.pm module.
+
+2) In Shorewall 5.0.7, The assumed 'use Shorewall::Config(shorewall)'
+ statement in ?PERL and ?BEGIN PERL...?END PERL handling was
+ inadvertently removed. This results in Perl compilation errors if
+ the 'shorewall' function is invoked. The statement has now been
+ restored.
+
+3) Previously, the firewall would fail to start if the configuration
+ contained a CHECKSUM rule without a chain designator and
+ MARK_IN_FORWARD_CHAIN=No. Now, the compiler defaults these rules to
+ the POSTROUTING chain and forbids them in the PREROUTING chain.
+
+4) Recently, a case was observed where certain incoming packets had a
+ non-zero packet mark in the raw PREROUTING chain, causing them to
+ be misrouted. To guard against this issue, packet marks are now
+ cleared at the top of the PREROUTING and OUTPUT mangle chains when
+ the new ZERO_MARKS option is set to yes. Note that ZERO_MARKS=Yes
+ can break IPSEC in multi-ISP configurations.
+
+5) Two distinct problems have been corrected in the 'disable'
+ command logic:
+
+ a) If a balanced or fallback interface was down or had been
+ deleted, then the 'disable' command could fail.
+
+ b) If a persistent optional interface was down, then the
+ generated script would fail when it attempted to add routes out
+ of the interface.
+
+6) Previously, the generated script would attempt to reenable a
+ disabled persistent provider at each 'start', 'reload' or
+ 'restart'. Now, disabled persistent providers are handled the same
+ as other providers and require the 'enable' or 'reenable' command
+ to enable them.
+
+7) Previously, the generated script assumed that all
+ probability-balanced providers (those with the 'load' option
+ specified) were optional. That assumption has been removed.
+
+8) Previously, the permissions of files created by the 'save' command
+ were more relaxed than necessary. This has been corrected.
+
+----------------------------------------------------------------------------
+ N E W F E A T U R E S I N 5 . 0 . 1 2
+----------------------------------------------------------------------------
+
+1) You may now place comma-separated zone lists in the SOURCE and DEST
+ columns in /etc/shorewall[6]/policy.
+
+ Example:
+
+ #SOURCE DEST POLICY ...
+ loc,dmz net REJECT
+
+ That line is equivalent to:
+
+ #SOURCE DEST POLICY ...
+ loc net REJECT
+ dmz net REJECT
+
+ If the same zone appears in both columns, the default ACCEPT
+ intrazone policy is not overridden unless the list is followed
+ immediately by '+'.
+
+ Example:
+
+ #SOURCE DEST POLICY ...
+ dmz,loc loc,dmz+ REJECT
+
+ That line is equivalent to:
+
+ #SOURCE DEST POLICY ...
+ dmz loc REJECT
+ dmz dmz REJECT
+ loc loc REJECT
+ loc dmz REJECT
+
+ Without the plus sine, it would be equivalent to
+
+ #SOURCE DEST POLICY ...
+ dmz loc REJECT
+ loc dmz REJECT
+
+2) Distribution maintainers may now set a default pager via the
+ configure and configure.pl programs in Shorewall-core to set
+ DEFAULT_PAGER in the generated shorewallrc file. The
+ Shorewall-provided shorewallrc files for Debian currently specify
+ 'less' for DEFAULT_PAGER. The other shorewallrc files do not
+ specify DEFAULT_PAGER.
+
+ If shorewall[6].conf does not specify PAGER then the DEFAULT_PAGER
+ setting is used.
+
+3) The 'contiguous' option is now supported in TIME columns. When the
+ 'timestop' value is smaller than the 'timestart' value, match this
+ as a single time period instead distinct intervals.
+
+ Example:
+
+ weekdays=Mo×tart=23:00×top=01:00
+
+ Will match Monday, for one hour from midnight to 1 a.m., and
+ then again for another hour from 23:00 onwards. If this is
+ unwanted, e.g. if you would like 'match for two hours from
+ Monday 23:00 onwards' you need to also specify the 'contiguous'
+ option in the example above.
+
+ See http://www.shorewall.org/configuration_file_basics.htm#TIME for
+ additional TIME column examples.
+
+----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 5 . 0 . 1 1
+----------------------------------------------------------------------------
1) This release contains defect repair through Shorewall 5.0.10.1.
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/Samples6/one-interface/rules.annotated shorewall6-5.0.13/Samples6/one-interface/rules.annotated
--- shorewall6-5.0.12/Samples6/one-interface/rules.annotated 2016-10-01 14:49:37.547886043 -0700
+++ shorewall6-5.0.13/Samples6/one-interface/rules.annotated 2016-10-17 09:40:35.131925983 -0700
@@ -363,7 +363,7 @@
# userspace program on queues x, x+1, .. x+n and use "x:x+n". Packets
# belonging to the same connection are put into the same nfqueue.
#
-# NFQUEUE[([queuenumber1[,queuenumber2][,bypass]]|bypass)]
+# NFQUEUE![([queuenumber1[,queuenumber2][,bypass]]|bypass)]
#
# like NFQUEUE but exempts the rule from being suppressed by OPTIMIZE=1
# in shorewall6.conf(5).
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/Samples6/one-interface/shorewall6.conf shorewall6-5.0.13/Samples6/one-interface/shorewall6.conf
--- shorewall6-5.0.12/Samples6/one-interface/shorewall6.conf 2016-10-01 13:49:35.000000000 -0700
+++ shorewall6-5.0.13/Samples6/one-interface/shorewall6.conf 2016-10-17 09:29:32.000000000 -0700
@@ -26,6 +26,12 @@
PAGER=
###############################################################################
+# F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
+###############################################################################
# L O G G I N G
###############################################################################
@@ -122,16 +128,14 @@
ADMINISABSENTMINDED=Yes
-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=Yes
+BASIC_FILTERS=No
+
BLACKLIST="NEW,INVALID,UNTRACKED"
CHAIN_SCRIPTS=No
@@ -160,6 +164,8 @@
HELPERS=
+IGNOREUNKNOWNVARIABLES=No
+
IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/Samples6/one-interface/shorewall6.conf.annotated shorewall6-5.0.13/Samples6/one-interface/shorewall6.conf.annotated
--- shorewall6-5.0.12/Samples6/one-interface/shorewall6.conf.annotated 2016-10-01 14:49:37.952290043 -0700
+++ shorewall6-5.0.13/Samples6/one-interface/shorewall6.conf.annotated 2016-10-17 09:40:35.527925983 -0700
@@ -96,6 +96,19 @@
# DEFAULT_PAGER setting in shorewallrc.
#
###############################################################################
+# F I R E W A L L
+###############################################################################
+FIREWALL=
+#
+# FIREWALL=[dnsname-or-ip-address]
+#
+# This option was added in Shorewall 5.0.13 and may be used on an
+# administrative system in directories containing the configurations of
+# remote firewalls. The contents of the variable are the default value for
+# the system parameter to the remote-start, remote-reload and remote-restart
+# commands.
+#
+###############################################################################
# L O G G I N G
###############################################################################
BLACKLIST_LOG_LEVEL=
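Review bot: The new FIREWALL annotation says the value becomes the default system argument of the remote-start, remote-reload and remote-restart commands, but says nothing about how the value is validated or quoted before it reaches those commands; the same release notes record that shell metacharacters in interface names could break the generated script, and a host name that is handed to a remote command deserves the same statement. If, as the wording suggests, the value is used as-is, add after the existing paragraph `# The value must be a bare DNS name or IP address with no whitespace or shell metacharacters; it is not quoted before being used as the remote system name.` — hedged, since the CLI code that consumes FIREWALL is not visible here. It would also help the reader of this firewall-side sample to be told that FIREWALL is left empty on the firewall system itself and is only meaningful in a configuration directory kept on an administrative host. The identical annotation is added to the three-interfaces and two-interfaces samples and should carry the same text.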
@@ -622,32 +635,6 @@
# If this variable is not set or is given the empty value then
# ADMINISABSENTMINDED=No is assumed.
#
-BASIC_FILTERS=No
-#
-# BASIC_FILTERS=[Yes|No]
-#
-# Added in Shorewall-4.6.0. When set to Yes, causes entries in
-# shorewall6-tcfilters(5) to generate a basic filter rather than a u32
-# filter. This setting requires the Basic Ematch capability in your kernel
-# and iptables.
-#
-# Note
-#
-# One of the advantages of basic filters is that ipset matches are supported
-# in newer iproute2 and kernel versions. Because Shorewall6 cannot reliably
-# detect this capability, use of basic filters is controlled by this option.
-#
-# The default value is No which causes u32 filters to be generated.
-#
-IGNOREUNKNOWNVARIABLES=No
-#
-# IGNOREUNKNOWNVARIABLES=[Yes|No]
-#
-# Added in Shorewall 4.5.11. Normally, if an unknown shell variable is
-# encountered in a configuration file (except in ?IF and ?ELSIF directives),
-# the compiler raises a fatal error. If IGNOREUNKNOWNVARIABLES is set to Yes,
-# then such variables simply expand to an empty string. Default is No.
-#
AUTOCOMMENT=Yes
#
# AUTOCOMMENT=[Yes|No]
@@ -698,6 +685,23 @@
# restart command includes a directory name (e.g., shorewall6 restart /etc/
# shorewall.new).
#
+BASIC_FILTERS=No
+#
+# BASIC_FILTERS=[Yes|No]
+#
+# Added in Shorewall-4.6.0. When set to Yes, causes entries in
+# shorewall6-tcfilters(5) to generate a basic filter rather than a u32
+# filter. This setting requires the Basic Ematch capability in your kernel
+# and iptables.
+#
+# Note
+#
+# One of the advantages of basic filters is that ipset matches are supported
+# in newer iproute2 and kernel versions. Because Shorewall6 cannot reliably
+# detect this capability, use of basic filters is controlled by this option.
+#
+# The default value is No which causes u32 filters to be generated.
+#
BLACKLIST="NEW,INVALID,UNTRACKED"
#
# BLACKLIST=[{ALL|state[,...]}]
@@ -806,21 +810,52 @@
#
DYNAMIC_BLACKLIST=Yes
#
-# DYNAMIC_BLACKLIST={Yes|No||ipset[-only][,src-dst][:[setname][:log_level|:l
+# DYNAMIC_BLACKLIST={Yes|No||ipset[-only][,option[,...]][:[setname][:log_level|:l
# og_tag]]]}
#
# Added in Shorewall 4.4.7. When set to No or no, chain-based dynamic
-# blacklisting using the shorewall6 drop, shorewall6 reject, shorewall6
-# logdrop and shorewall6 logreject is disabled. Default is Yes. Beginning
-# with Shorewall 5.0.8, ipset-based dynamic blacklisting is also supported.
-# The name of the set (setname) and the level (log_level), if any, at which
-# blacklisted traffic is to be logged may also be specified. The default set
-# name is SW_DBL6 and the default log level is none (no logging). if
-# ipset-only is given, then chain-based dynamic blacklisting is disabled just
-# as if DYNAMIC_BLACKLISTING=No had been specified. Normally, only packets
-# whose source address matches an entry in the ipsec are dropped. If src-dst
-# is included, then packets whose destination address matches an entry in the
-# ipset are also dropped.
+# blacklisting using shorewall6 drop, shorewall6 reject, shorewall6 logdrop
+# and shorewall6 logreject is disabled. Default is Yes. Beginning with
+# Shorewall 5.0.8, ipset-based dynamic blacklisting using shorewall6
+# blacklist is also supported. The name of the set (setname) and the level (
+# log_level), if any, at which blacklisted traffic is to be logged may also
+# be specified. The default set name is SW_DBL6 and the default log level is
+# none (no logging). if ipset-only is given, then chain-based dynamic
+# blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been
+# specified.
+#
+# Possible options are:
+#
+# src-dst
+#
+# Normally, only packets whose source address matches an entry in the
+# ipset are dropped. If src-dst is included, then packets whose
+# destination address matches an entry in the ipset are also dropped.
+#
+# disconnect
+#
+# The disconnect option was added in Shorewall 5.0.13 and requires that
+# the conntrack utility be installed on the firewall system. When an
+# address is blacklisted using the blacklist command, all connections
+# originating from that address are disconnected. if the src-dst option
+# was also specified, then all connections to that address are also
+# disconnected.
+#
+# timeout=seconds
+#
+# Added in Shorewall 5.0.13. Normally, Shorewall creates the dynamic
+# blacklisting ipset with timeout 0 which means that entries are
+# permanent. If you want entries in the set that are not accessed for a
+# period of time to be deleted from the set, you may specify that period
+# using this option. Note that the blacklist command can override the
+# ipset's timeout setting.
+#
+# Important
+#
+# Once the dynamic blacklisting ipset has been created, changing this
+# option setting requires a complete restart of the firewall; shorewall6
+# restart if RESTART=restart, otherwise shorewall6 stop && shorewall6
+# start
#
# When ipset-based dynamic blacklisting is enabled, the contents of the
# blacklist will be preserved over stop/reboot/start sequences if SAVE_IPSETS
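Review bot: The `disconnect` paragraph states that the option requires the conntrack utility but not what the `blacklist` command does when it is absent — fails, warns, or silently adds the address while the existing flows stay open; the last case is the one an operator needs to know about, since the address would appear blacklisted yet remain connected, so add one sentence stating the actual behaviour (the compiler/CLI handling is not visible in this hunk). The `timeout=seconds` paragraph says entries "not accessed for a period of time" are deleted; ipset timeouts normally count from when an entry is added or re-added rather than from the last match, so the text should say whether matching traffic refreshes the timer or whether the entry expires `seconds` after insertion regardless of traffic, because the two give very different protection. Since an expired entry silently unblocks the address, a line such as `# When a timeout is in effect, a blacklisted address is automatically unblocked once its entry expires; use the blacklist command's own timeout argument for entries that must outlive the set default.` would make the caveat explicit. The same paragraphs are added to the three-interfaces and two-interfaces samples.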
@@ -927,6 +962,15 @@
# When HELPERS is specified on a system running Kernel 3.5.0 or later,
# automatic association of helpers to connections is disabled.
#
+IGNOREUNKNOWNVARIABLES=No
+#
+# IGNOREUNKNOWNVARIABLES=[Yes|No]
+#
+# Added in Shorewall 4.5.11. Normally, if an unknown shell variable is
+# encountered in a configuration file (except in ?IF and ?ELSIF directives),
+# the compiler raises a fatal error. If IGNOREUNKNOWNVARIABLES is set to Yes,
+# then such variables simply expand to an empty string. Default is No.
+#
IMPLICIT_CONTINUE=No
#
# IMPLICIT_CONTINUE={Yes|No}
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/Samples6/three-interfaces/rules.annotated shorewall6-5.0.13/Samples6/three-interfaces/rules.annotated
--- shorewall6-5.0.12/Samples6/three-interfaces/rules.annotated 2016-10-01 14:49:39.289626043 -0700
+++ shorewall6-5.0.13/Samples6/three-interfaces/rules.annotated 2016-10-17 09:40:36.759925983 -0700
@@ -363,7 +363,7 @@
# userspace program on queues x, x+1, .. x+n and use "x:x+n". Packets
# belonging to the same connection are put into the same nfqueue.
#
-# NFQUEUE[([queuenumber1[,queuenumber2][,bypass]]|bypass)]
+# NFQUEUE![([queuenumber1[,queuenumber2][,bypass]]|bypass)]
#
# like NFQUEUE but exempts the rule from being suppressed by OPTIMIZE=1
# in shorewall6.conf(5).
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/Samples6/three-interfaces/shorewall6.conf shorewall6-5.0.13/Samples6/three-interfaces/shorewall6.conf
--- shorewall6-5.0.12/Samples6/three-interfaces/shorewall6.conf 2016-10-01 13:49:35.000000000 -0700
+++ shorewall6-5.0.13/Samples6/three-interfaces/shorewall6.conf 2016-10-17 09:29:32.000000000 -0700
@@ -25,6 +25,12 @@
PAGER=
###############################################################################
+# F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
+###############################################################################
# L O G G I N G
###############################################################################
@@ -121,16 +127,14 @@
ADMINISABSENTMINDED=Yes
-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=Yes
+BASIC_FILTERS=No
+
BLACKLIST="NEW,INVALID,UNTRACKED"
CHAIN_SCRIPTS=No
@@ -159,6 +163,8 @@
HELPERS=
+IGNOREUNKNOWNVARIABLES=No
+
IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/Samples6/three-interfaces/shorewall6.conf.annotated shorewall6-5.0.13/Samples6/three-interfaces/shorewall6.conf.annotated
--- shorewall6-5.0.12/Samples6/three-interfaces/shorewall6.conf.annotated 2016-10-01 14:49:39.698034043 -0700
+++ shorewall6-5.0.13/Samples6/three-interfaces/shorewall6.conf.annotated 2016-10-17 09:40:37.147925983 -0700
@@ -95,6 +95,19 @@
# DEFAULT_PAGER setting in shorewallrc.
#
###############################################################################
+# F I R E W A L L
+###############################################################################
+FIREWALL=
+#
+# FIREWALL=[dnsname-or-ip-address]
+#
+# This option was added in Shorewall 5.0.13 and may be used on an
+# administrative system in directories containing the configurations of
+# remote firewalls. The contents of the variable are the default value for
+# the system parameter to the remote-start, remote-reload and remote-restart
+# commands.
+#
+###############################################################################
# L O G G I N G
###############################################################################
BLACKLIST_LOG_LEVEL=
@@ -621,32 +634,6 @@
# If this variable is not set or is given the empty value then
# ADMINISABSENTMINDED=No is assumed.
#
-BASIC_FILTERS=No
-#
-# BASIC_FILTERS=[Yes|No]
-#
-# Added in Shorewall-4.6.0. When set to Yes, causes entries in
-# shorewall6-tcfilters(5) to generate a basic filter rather than a u32
-# filter. This setting requires the Basic Ematch capability in your kernel
-# and iptables.
-#
-# Note
-#
-# One of the advantages of basic filters is that ipset matches are supported
-# in newer iproute2 and kernel versions. Because Shorewall6 cannot reliably
-# detect this capability, use of basic filters is controlled by this option.
-#
-# The default value is No which causes u32 filters to be generated.
-#
-IGNOREUNKNOWNVARIABLES=No
-#
-# IGNOREUNKNOWNVARIABLES=[Yes|No]
-#
-# Added in Shorewall 4.5.11. Normally, if an unknown shell variable is
-# encountered in a configuration file (except in ?IF and ?ELSIF directives),
-# the compiler raises a fatal error. If IGNOREUNKNOWNVARIABLES is set to Yes,
-# then such variables simply expand to an empty string. Default is No.
-#
AUTOCOMMENT=Yes
#
# AUTOCOMMENT=[Yes|No]
@@ -697,6 +684,23 @@
# restart command includes a directory name (e.g., shorewall6 restart /etc/
# shorewall.new).
#
+BASIC_FILTERS=No
+#
+# BASIC_FILTERS=[Yes|No]
+#
+# Added in Shorewall-4.6.0. When set to Yes, causes entries in
+# shorewall6-tcfilters(5) to generate a basic filter rather than a u32
+# filter. This setting requires the Basic Ematch capability in your kernel
+# and iptables.
+#
+# Note
+#
+# One of the advantages of basic filters is that ipset matches are supported
+# in newer iproute2 and kernel versions. Because Shorewall6 cannot reliably
+# detect this capability, use of basic filters is controlled by this option.
+#
+# The default value is No which causes u32 filters to be generated.
+#
BLACKLIST="NEW,INVALID,UNTRACKED"
#
# BLACKLIST=[{ALL|state[,...]}]
@@ -805,21 +809,52 @@
#
DYNAMIC_BLACKLIST=Yes
#
-# DYNAMIC_BLACKLIST={Yes|No||ipset[-only][,src-dst][:[setname][:log_level|:l
+# DYNAMIC_BLACKLIST={Yes|No||ipset[-only][,option[,...]][:[setname][:log_level|:l
# og_tag]]]}
#
# Added in Shorewall 4.4.7. When set to No or no, chain-based dynamic
-# blacklisting using the shorewall6 drop, shorewall6 reject, shorewall6
-# logdrop and shorewall6 logreject is disabled. Default is Yes. Beginning
-# with Shorewall 5.0.8, ipset-based dynamic blacklisting is also supported.
-# The name of the set (setname) and the level (log_level), if any, at which
-# blacklisted traffic is to be logged may also be specified. The default set
-# name is SW_DBL6 and the default log level is none (no logging). if
-# ipset-only is given, then chain-based dynamic blacklisting is disabled just
-# as if DYNAMIC_BLACKLISTING=No had been specified. Normally, only packets
-# whose source address matches an entry in the ipsec are dropped. If src-dst
-# is included, then packets whose destination address matches an entry in the
-# ipset are also dropped.
+# blacklisting using shorewall6 drop, shorewall6 reject, shorewall6 logdrop
+# and shorewall6 logreject is disabled. Default is Yes. Beginning with
+# Shorewall 5.0.8, ipset-based dynamic blacklisting using shorewall6
+# blacklist is also supported. The name of the set (setname) and the level (
+# log_level), if any, at which blacklisted traffic is to be logged may also
+# be specified. The default set name is SW_DBL6 and the default log level is
+# none (no logging). if ipset-only is given, then chain-based dynamic
+# blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been
+# specified.
+#
+# Possible options are:
+#
+# src-dst
+#
+# Normally, only packets whose source address matches an entry in the
+# ipset are dropped. If src-dst is included, then packets whose
+# destination address matches an entry in the ipset are also dropped.
+#
+# disconnect
+#
+# The disconnect option was added in Shorewall 5.0.13 and requires that
+# the conntrack utility be installed on the firewall system. When an
+# address is blacklisted using the blacklist command, all connections
+# originating from that address are disconnected. if the src-dst option
+# was also specified, then all connections to that address are also
+# disconnected.
+#
+# timeout=seconds
+#
+# Added in Shorewall 5.0.13. Normally, Shorewall creates the dynamic
+# blacklisting ipset with timeout 0 which means that entries are
+# permanent. If you want entries in the set that are not accessed for a
+# period of time to be deleted from the set, you may specify that period
+# using this option. Note that the blacklist command can override the
+# ipset's timeout setting.
+#
+# Important
+#
+# Once the dynamic blacklisting ipset has been created, changing this
+# option setting requires a complete restart of the firewall; shorewall6
+# restart if RESTART=restart, otherwise shorewall6 stop && shorewall6
+# start
#
# When ipset-based dynamic blacklisting is enabled, the contents of the
# blacklist will be preserved over stop/reboot/start sequences if SAVE_IPSETS
@@ -926,6 +961,15 @@
# When HELPERS is specified on a system running Kernel 3.5.0 or later,
# automatic association of helpers to connections is disabled.
#
+IGNOREUNKNOWNVARIABLES=No
+#
+# IGNOREUNKNOWNVARIABLES=[Yes|No]
+#
+# Added in Shorewall 4.5.11. Normally, if an unknown shell variable is
+# encountered in a configuration file (except in ?IF and ?ELSIF directives),
+# the compiler raises a fatal error. If IGNOREUNKNOWNVARIABLES is set to Yes,
+# then such variables simply expand to an empty string. Default is No.
+#
IMPLICIT_CONTINUE=No
#
# IMPLICIT_CONTINUE={Yes|No}
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/Samples6/two-interfaces/rules.annotated shorewall6-5.0.13/Samples6/two-interfaces/rules.annotated
--- shorewall6-5.0.12/Samples6/two-interfaces/rules.annotated 2016-10-01 14:49:41.315650043 -0700
+++ shorewall6-5.0.13/Samples6/two-interfaces/rules.annotated 2016-10-17 09:40:38.663925983 -0700
@@ -363,7 +363,7 @@
# userspace program on queues x, x+1, .. x+n and use "x:x+n". Packets
# belonging to the same connection are put into the same nfqueue.
#
-# NFQUEUE[([queuenumber1[,queuenumber2][,bypass]]|bypass)]
+# NFQUEUE![([queuenumber1[,queuenumber2][,bypass]]|bypass)]
#
# like NFQUEUE but exempts the rule from being suppressed by OPTIMIZE=1
# in shorewall6.conf(5).
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/Samples6/two-interfaces/shorewall6.conf shorewall6-5.0.13/Samples6/two-interfaces/shorewall6.conf
--- shorewall6-5.0.12/Samples6/two-interfaces/shorewall6.conf 2016-10-01 13:49:35.000000000 -0700
+++ shorewall6-5.0.13/Samples6/two-interfaces/shorewall6.conf 2016-10-17 09:29:32.000000000 -0700
@@ -25,6 +25,12 @@
PAGER=
###############################################################################
+# F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
+###############################################################################
# L O G G I N G
###############################################################################
@@ -121,16 +127,14 @@
ADMINISABSENTMINDED=Yes
-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=Yes
+BASIC_FILTERS=No
+
BLACKLIST="NEW,INVALID,UNTRACKED"
CHAIN_SCRIPTS=No
@@ -159,6 +163,8 @@
HELPERS=
+IGNOREUNKNOWNVARIABLES=No
+
IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/Samples6/two-interfaces/shorewall6.conf.annotated shorewall6-5.0.13/Samples6/two-interfaces/shorewall6.conf.annotated
--- shorewall6-5.0.12/Samples6/two-interfaces/shorewall6.conf.annotated 2016-10-01 14:49:41.724058043 -0700
+++ shorewall6-5.0.13/Samples6/two-interfaces/shorewall6.conf.annotated 2016-10-17 09:40:39.051925983 -0700
@@ -95,6 +95,19 @@
# DEFAULT_PAGER setting in shorewallrc.
#
###############################################################################
+# F I R E W A L L
+###############################################################################
+FIREWALL=
+#
+# FIREWALL=[dnsname-or-ip-address]
+#
+# This option was added in Shorewall 5.0.13 and may be used on an
+# administrative system in directories containing the configurations of
+# remote firewalls. The contents of the variable are the default value for
+# the system parameter to the remote-start, remote-reload and remote-restart
+# commands.
+#
+###############################################################################
# L O G G I N G
###############################################################################
BLACKLIST_LOG_LEVEL=
@@ -621,32 +634,6 @@
# If this variable is not set or is given the empty value then
# ADMINISABSENTMINDED=No is assumed.
#
-BASIC_FILTERS=No
-#
-# BASIC_FILTERS=[Yes|No]
-#
-# Added in Shorewall-4.6.0. When set to Yes, causes entries in
-# shorewall6-tcfilters(5) to generate a basic filter rather than a u32
-# filter. This setting requires the Basic Ematch capability in your kernel
-# and iptables.
-#
-# Note
-#
-# One of the advantages of basic filters is that ipset matches are supported
-# in newer iproute2 and kernel versions. Because Shorewall6 cannot reliably
-# detect this capability, use of basic filters is controlled by this option.
-#
-# The default value is No which causes u32 filters to be generated.
-#
-IGNOREUNKNOWNVARIABLES=No
-#
-# IGNOREUNKNOWNVARIABLES=[Yes|No]
-#
-# Added in Shorewall 4.5.11. Normally, if an unknown shell variable is
-# encountered in a configuration file (except in ?IF and ?ELSIF directives),
-# the compiler raises a fatal error. If IGNOREUNKNOWNVARIABLES is set to Yes,
-# then such variables simply expand to an empty string. Default is No.
-#
AUTOCOMMENT=Yes
#
# AUTOCOMMENT=[Yes|No]
@@ -697,6 +684,23 @@
# restart command includes a directory name (e.g., shorewall6 restart /etc/
# shorewall.new).
#
+BASIC_FILTERS=No
+#
+# BASIC_FILTERS=[Yes|No]
+#
+# Added in Shorewall-4.6.0. When set to Yes, causes entries in
+# shorewall6-tcfilters(5) to generate a basic filter rather than a u32
+# filter. This setting requires the Basic Ematch capability in your kernel
+# and iptables.
+#
+# Note
+#
+# One of the advantages of basic filters is that ipset matches are supported
+# in newer iproute2 and kernel versions. Because Shorewall6 cannot reliably
+# detect this capability, use of basic filters is controlled by this option.
+#
+# The default value is No which causes u32 filters to be generated.
+#
BLACKLIST="NEW,INVALID,UNTRACKED"
#
# BLACKLIST=[{ALL|state[,...]}]
@@ -805,21 +809,52 @@
#
DYNAMIC_BLACKLIST=Yes
#
-# DYNAMIC_BLACKLIST={Yes|No||ipset[-only][,src-dst][:[setname][:log_level|:l
+# DYNAMIC_BLACKLIST={Yes|No||ipset[-only][,option[,...]][:[setname][:log_level|:l
# og_tag]]]}
#
# Added in Shorewall 4.4.7. When set to No or no, chain-based dynamic
-# blacklisting using the shorewall6 drop, shorewall6 reject, shorewall6
-# logdrop and shorewall6 logreject is disabled. Default is Yes. Beginning
-# with Shorewall 5.0.8, ipset-based dynamic blacklisting is also supported.
-# The name of the set (setname) and the level (log_level), if any, at which
-# blacklisted traffic is to be logged may also be specified. The default set
-# name is SW_DBL6 and the default log level is none (no logging). if
-# ipset-only is given, then chain-based dynamic blacklisting is disabled just
-# as if DYNAMIC_BLACKLISTING=No had been specified. Normally, only packets
-# whose source address matches an entry in the ipsec are dropped. If src-dst
-# is included, then packets whose destination address matches an entry in the
-# ipset are also dropped.
+# blacklisting using shorewall6 drop, shorewall6 reject, shorewall6 logdrop
+# and shorewall6 logreject is disabled. Default is Yes. Beginning with
+# Shorewall 5.0.8, ipset-based dynamic blacklisting using shorewall6
+# blacklist is also supported. The name of the set (setname) and the level (
+# log_level), if any, at which blacklisted traffic is to be logged may also
+# be specified. The default set name is SW_DBL6 and the default log level is
+# none (no logging). if ipset-only is given, then chain-based dynamic
+# blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been
+# specified.
+#
+# Possible options are:
+#
+# src-dst
+#
+# Normally, only packets whose source address matches an entry in the
+# ipset are dropped. If src-dst is included, then packets whose
+# destination address matches an entry in the ipset are also dropped.
+#
+# disconnect
+#
+# The disconnect option was added in Shorewall 5.0.13 and requires that
+# the conntrack utility be installed on the firewall system. When an
+# address is blacklisted using the blacklist command, all connections
+# originating from that address are disconnected. if the src-dst option
+# was also specified, then all connections to that address are also
+# disconnected.
+#
+# timeout=seconds
+#
+# Added in Shorewall 5.0.13. Normally, Shorewall creates the dynamic
+# blacklisting ipset with timeout 0 which means that entries are
+# permanent. If you want entries in the set that are not accessed for a
+# period of time to be deleted from the set, you may specify that period
+# using this option. Note that the blacklist command can override the
+# ipset's timeout setting.
+#
+# Important
+#
+# Once the dynamic blacklisting ipset has been created, changing this
+# option setting requires a complete restart of the firewall; shorewall6
+# restart if RESTART=restart, otherwise shorewall6 stop && shorewall6
+# start
#
# When ipset-based dynamic blacklisting is enabled, the contents of the
# blacklist will be preserved over stop/reboot/start sequences if SAVE_IPSETS
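Review bot: The rewritten ipset-only sentence still refers to `DYNAMIC_BLACKLISTING=No`, but the option documented here and set a few lines above is DYNAMIC_BLACKLIST; the line should read `# blacklisting is disabled just as if DYNAMIC_BLACKLIST=No had been`. Two sentences in the new text also start with a lowercase "if" ("if ipset-only is given", "if the src-dst option was also specified"). The timeout=seconds paragraph says entries "not accessed for a period of time" are deleted; unless the generated ruleset refreshes an entry's timeout on match, ipset timeouts expire after the period regardless of whether the entry is matched, so please confirm which behaviour applies and word it as "entries expire after seconds" if there is no refresh, since an administrator sizing a blacklist timeout will rely on this. The identical hunk is repeated in Samples6/Universal/shorewall6.conf.annotated below and needs the same corrections.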
@@ -926,6 +961,15 @@
# When HELPERS is specified on a system running Kernel 3.5.0 or later,
# automatic association of helpers to connections is disabled.
#
+IGNOREUNKNOWNVARIABLES=No
+#
+# IGNOREUNKNOWNVARIABLES=[Yes|No]
+#
+# Added in Shorewall 4.5.11. Normally, if an unknown shell variable is
+# encountered in a configuration file (except in ?IF and ?ELSIF directives),
+# the compiler raises a fatal error. If IGNOREUNKNOWNVARIABLES is set to Yes,
+# then such variables simply expand to an empty string. Default is No.
+#
IMPLICIT_CONTINUE=No
#
# IMPLICIT_CONTINUE={Yes|No}
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/Samples6/Universal/rules.annotated shorewall6-5.0.13/Samples6/Universal/rules.annotated
--- shorewall6-5.0.12/Samples6/Universal/rules.annotated 2016-10-01 14:49:43.337670043 -0700
+++ shorewall6-5.0.13/Samples6/Universal/rules.annotated 2016-10-17 09:40:40.571925983 -0700
@@ -359,7 +359,7 @@
# userspace program on queues x, x+1, .. x+n and use "x:x+n". Packets
# belonging to the same connection are put into the same nfqueue.
#
-# NFQUEUE[([queuenumber1[,queuenumber2][,bypass]]|bypass)]
+# NFQUEUE![([queuenumber1[,queuenumber2][,bypass]]|bypass)]
#
# like NFQUEUE but exempts the rule from being suppressed by OPTIMIZE=1
# in shorewall6.conf(5).
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/Samples6/Universal/shorewall6.conf shorewall6-5.0.13/Samples6/Universal/shorewall6.conf
--- shorewall6-5.0.12/Samples6/Universal/shorewall6.conf 2016-10-01 13:49:35.000000000 -0700
+++ shorewall6-5.0.13/Samples6/Universal/shorewall6.conf 2016-10-17 09:29:32.000000000 -0700
@@ -25,6 +25,12 @@
PAGER=
###############################################################################
+# F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
+###############################################################################
# L O G G I N G
###############################################################################
@@ -121,16 +127,14 @@
ADMINISABSENTMINDED=Yes
-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=Yes
+BASIC_FILTERS=No
+
BLACKLIST="NEW,INVALID,UNTRACKED"
CHAIN_SCRIPTS=No
@@ -159,6 +163,8 @@
HELPERS=
+IGNOREUNKNOWNVARIABLES=No
+
IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/Samples6/Universal/shorewall6.conf.annotated shorewall6-5.0.13/Samples6/Universal/shorewall6.conf.annotated
--- shorewall6-5.0.12/Samples6/Universal/shorewall6.conf.annotated 2016-10-01 14:49:43.762094043 -0700
+++ shorewall6-5.0.13/Samples6/Universal/shorewall6.conf.annotated 2016-10-17 09:40:40.939925983 -0700
@@ -95,6 +95,19 @@
# DEFAULT_PAGER setting in shorewallrc.
#
###############################################################################
+# F I R E W A L L
+###############################################################################
+FIREWALL=
+#
+# FIREWALL=[dnsname-or-ip-address]
+#
+# This option was added in Shorewall 5.0.13 and may be used on an
+# administrative system in directories containing the configurations of
+# remote firewalls. The contents of the variable are the default value for
+# the system parameter to the remote-start, remote-reload and remote-restart
+# commands.
+#
+###############################################################################
# L O G G I N G
###############################################################################
BLACKLIST_LOG_LEVEL=
@@ -621,32 +634,6 @@
# If this variable is not set or is given the empty value then
# ADMINISABSENTMINDED=No is assumed.
#
-BASIC_FILTERS=No
-#
-# BASIC_FILTERS=[Yes|No]
-#
-# Added in Shorewall-4.6.0. When set to Yes, causes entries in
-# shorewall6-tcfilters(5) to generate a basic filter rather than a u32
-# filter. This setting requires the Basic Ematch capability in your kernel
-# and iptables.
-#
-# Note
-#
-# One of the advantages of basic filters is that ipset matches are supported
-# in newer iproute2 and kernel versions. Because Shorewall6 cannot reliably
-# detect this capability, use of basic filters is controlled by this option.
-#
-# The default value is No which causes u32 filters to be generated.
-#
-IGNOREUNKNOWNVARIABLES=No
-#
-# IGNOREUNKNOWNVARIABLES=[Yes|No]
-#
-# Added in Shorewall 4.5.11. Normally, if an unknown shell variable is
-# encountered in a configuration file (except in ?IF and ?ELSIF directives),
-# the compiler raises a fatal error. If IGNOREUNKNOWNVARIABLES is set to Yes,
-# then such variables simply expand to an empty string. Default is No.
-#
AUTOCOMMENT=Yes
#
# AUTOCOMMENT=[Yes|No]
@@ -697,6 +684,23 @@
# restart command includes a directory name (e.g., shorewall6 restart /etc/
# shorewall.new).
#
+BASIC_FILTERS=No
+#
+# BASIC_FILTERS=[Yes|No]
+#
+# Added in Shorewall-4.6.0. When set to Yes, causes entries in
+# shorewall6-tcfilters(5) to generate a basic filter rather than a u32
+# filter. This setting requires the Basic Ematch capability in your kernel
+# and iptables.
+#
+# Note
+#
+# One of the advantages of basic filters is that ipset matches are supported
+# in newer iproute2 and kernel versions. Because Shorewall6 cannot reliably
+# detect this capability, use of basic filters is controlled by this option.
+#
+# The default value is No which causes u32 filters to be generated.
+#
BLACKLIST="NEW,INVALID,UNTRACKED"
#
# BLACKLIST=[{ALL|state[,...]}]
@@ -805,21 +809,52 @@
#
DYNAMIC_BLACKLIST=Yes
#
-# DYNAMIC_BLACKLIST={Yes|No||ipset[-only][,src-dst][:[setname][:log_level|:l
+# DYNAMIC_BLACKLIST={Yes|No||ipset[-only][,option[,...]][:[setname][:log_level|:l
# og_tag]]]}
#
# Added in Shorewall 4.4.7. When set to No or no, chain-based dynamic
-# blacklisting using the shorewall6 drop, shorewall6 reject, shorewall6
-# logdrop and shorewall6 logreject is disabled. Default is Yes. Beginning
-# with Shorewall 5.0.8, ipset-based dynamic blacklisting is also supported.
-# The name of the set (setname) and the level (log_level), if any, at which
-# blacklisted traffic is to be logged may also be specified. The default set
-# name is SW_DBL6 and the default log level is none (no logging). if
-# ipset-only is given, then chain-based dynamic blacklisting is disabled just
-# as if DYNAMIC_BLACKLISTING=No had been specified. Normally, only packets
-# whose source address matches an entry in the ipsec are dropped. If src-dst
-# is included, then packets whose destination address matches an entry in the
-# ipset are also dropped.
+# blacklisting using shorewall6 drop, shorewall6 reject, shorewall6 logdrop
+# and shorewall6 logreject is disabled. Default is Yes. Beginning with
+# Shorewall 5.0.8, ipset-based dynamic blacklisting using shorewall6
+# blacklist is also supported. The name of the set (setname) and the level (
+# log_level), if any, at which blacklisted traffic is to be logged may also
+# be specified. The default set name is SW_DBL6 and the default log level is
+# none (no logging). if ipset-only is given, then chain-based dynamic
+# blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been
+# specified.
+#
+# Possible options are:
+#
+# src-dst
+#
+# Normally, only packets whose source address matches an entry in the
+# ipset are dropped. If src-dst is included, then packets whose
+# destination address matches an entry in the ipset are also dropped.
+#
+# disconnect
+#
+# The disconnect option was added in Shorewall 5.0.13 and requires that
+# the conntrack utility be installed on the firewall system. When an
+# address is blacklisted using the blacklist command, all connections
+# originating from that address are disconnected. if the src-dst option
+# was also specified, then all connections to that address are also
+# disconnected.
+#
+# timeout=seconds
+#
+# Added in Shorewall 5.0.13. Normally, Shorewall creates the dynamic
+# blacklisting ipset with timeout 0 which means that entries are
+# permanent. If you want entries in the set that are not accessed for a
+# period of time to be deleted from the set, you may specify that period
+# using this option. Note that the blacklist command can override the
+# ipset's timeout setting.
+#
+# Important
+#
+# Once the dynamic blacklisting ipset has been created, changing this
+# option setting requires a complete restart of the firewall; shorewall6
+# restart if RESTART=restart, otherwise shorewall6 stop && shorewall6
+# start
#
# When ipset-based dynamic blacklisting is enabled, the contents of the
# blacklist will be preserved over stop/reboot/start sequences if SAVE_IPSETS
@@ -926,6 +961,15 @@
# When HELPERS is specified on a system running Kernel 3.5.0 or later,
# automatic association of helpers to connections is disabled.
#
+IGNOREUNKNOWNVARIABLES=No
+#
+# IGNOREUNKNOWNVARIABLES=[Yes|No]
+#
+# Added in Shorewall 4.5.11. Normally, if an unknown shell variable is
+# encountered in a configuration file (except in ?IF and ?ELSIF directives),
+# the compiler raises a fatal error. If IGNOREUNKNOWNVARIABLES is set to Yes,
+# then such variables simply expand to an empty string. Default is No.
+#
IMPLICIT_CONTINUE=No
#
# IMPLICIT_CONTINUE={Yes|No}
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/shorewall6.spec shorewall6-5.0.13/shorewall6.spec
--- shorewall6-5.0.12/shorewall6.spec 2016-10-01 14:48:18.601018043 -0700
+++ shorewall6-5.0.13/shorewall6.spec 2016-10-17 09:39:17.441929984 -0700
@@ -1,5 +1,5 @@
%define name shorewall6
-%define version 5.0.12
+%define version 5.0.13
%define release 0base
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
@@ -81,7 +81,7 @@
%attr(0644,root,root) /usr/lib/systemd/system/shorewall6.service
%attr(0755,root,root) %dir /etc/shorewall6
%ghost %(attr 0644,root,root) /etc/shorewall6/isusable
-%ghost %(attr 0644,root,root) /etc/shorewall6/notrack
+%ghost %(attr 0644,root,root) /etc/shorewall6/masq
%attr(0755,root,root) %dir /usr/share/shorewall6
%attr(0755,root,root) %dir /usr/share/shorewall6/configfiles
%attr(0755,root,root) %dir /usr/share/shorewall6/deprecated
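Review bot: The replacement ghost line keeps the `%(attr 0644,root,root)` spelling from the line it replaces, which rpm reads as a `%(...)` shell-expansion macro rather than as the `%attr(...)` file attribute used on the surrounding entries; the macro runs `attr 0644,root,root` at build time and substitutes its output, so the intended mode and ownership are not applied to /etc/shorewall6/masq. Since this line is new in the commit, it is the place to fix it: `%ghost %attr(0644,root,root) /etc/shorewall6/masq`. The adjacent isusable ghost line has the same spelling but is unchanged context here, so it would need a separate fix.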
@@ -119,6 +119,16 @@
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
%changelog
+* Sun Oct 16 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.13-0base
+* Sun Oct 16 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.13-0RC2
+* Sun Oct 09 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.13-0RC1
+* Tue Oct 04 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.13-0Beta2
+* Sun Oct 02 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.13-0Beta1
* Sat Oct 01 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.12-0base
* Sat Oct 01 2016 Tom Eastep tom@shorewall.net
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.12/uninstall.sh shorewall6-5.0.13/uninstall.sh
--- shorewall6-5.0.12/uninstall.sh 2016-10-01 14:48:18.601018043 -0700
+++ shorewall6-5.0.13/uninstall.sh 2016-10-17 09:39:17.441929984 -0700
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=5.0.12
+VERSION=5.0.13
PRODUCT=shorewall6
Product=Shorewall6