diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.12/changelog.txt shorewall-init-5.0.13/changelog.txt --- shorewall-init-5.0.12/changelog.txt 2016-10-01 14:48:18.641058043 -0700 +++ shorewall-init-5.0.13/changelog.txt 2016-10-17 09:39:17.493929984 -0700 @@ -1,3 +1,58 @@ +Changes in 5.0.13 Final + +1) Update release documents. + +2) Reverse ECN fix. + +3) Restrict hypen in port ranges to numberic ports. + +4) Correct typo in process_mangle_inline(). + +Changes in 5.0.13 RC 2 + +1) Update release documents. + +2) Accept '-' as a port-range separator. + +3) Correct shorewall6-masq examples. + +4) Add -exists to ADD command with timeout + +5) ECN fix. + +Changes in 5.0.13 RC 1 + +1) Update release documents. + +2) Merge fix from 5.0.12. + +3) Make the output of 'blacklist' dependent on the verbosity and clean + up that output. + +4) Detect bad characters in interface names. + +Changes in 5.0.13 Beta 2 + +1) Update release documents. + +2) Add 'timeout' DYNAMIC_BLACKLISTING option + +3) Add FIREWALL option in shorewall[6].conf. + +4) Remove restrictions on IPv6 'balance' and 'fallback'. + +Changes in 5.0.13 Beta 1 + +1) Update release documents. + +2) Roberto's typo fix in the mangle manpages. + +3) Reorder the entries in the .conf files in ASCII collating sequence. + +4) Correct DYNAMIC_BLACKLIST documentation. + +4) Add 'disconnect' option to the DYNAMIC_BLACKLIST setting. + Changes in 5.0.12 Final 1) Update release documents. diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.12/configure shorewall-init-5.0.13/configure --- shorewall-init-5.0.12/configure 2016-10-01 14:48:18.629046043 -0700 +++ shorewall-init-5.0.13/configure 2016-10-17 09:39:17.489929984 -0700 
@@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.0.12 +VERSION=5.0.13 case "$BASH_VERSION" in [4-9].*) diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.12/configure.pl shorewall-init-5.0.13/configure.pl --- shorewall-init-5.0.12/configure.pl 2016-10-01 14:48:18.633050043 -0700 +++ shorewall-init-5.0.13/configure.pl 2016-10-17 09:39:17.493929984 -0700 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.0.12' + VERSION => '5.0.13' }; my %params; diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.12/install.sh shorewall-init-5.0.13/install.sh --- shorewall-init-5.0.12/install.sh 2016-10-01 14:48:18.625042043 -0700 +++ shorewall-init-5.0.13/install.sh 2016-10-17 09:39:17.481929984 -0700 @@ -27,7 +27,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=5.0.12 +VERSION=5.0.13 PRODUCT=shorewall-init Product="Shorewall Init" diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.12/releasenotes.txt shorewall-init-5.0.13/releasenotes.txt --- shorewall-init-5.0.12/releasenotes.txt 2016-10-01 14:48:18.641058043 -0700 +++ shorewall-init-5.0.13/releasenotes.txt 2016-10-17 09:39:17.493929984 -0700 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 0 . 1 2 + S H O R E W A L L 5 . 0 . 1 3 ---------------------------- - O c t o b e r 0 3 , 2 0 1 6 + O c t o b e r 1 8, 2 0 1 6 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,48 +14,15 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Minor cleanup, mostly commentary, in the Rules.pm module. - -2) In Shorewall 5.0.7, The assumed 'use Shorewall::Config(shorewall)' - statement in ?PERL and ?BEGIN PERL...?END PERL handling was - inadvertently removed. This results in Perl compilation errors if - the 'shorewall' function is invoked. The statement has now been - restored. - -3) Previously, the firewall would fail to start if the configuration - contained a CHECKSUM rule without a chain designator and - MARK_IN_FORWARD_CHAIN=No. Now, the compiler defaults these rules to - the POSTROUTING chain and forbids them in the PREROUTING chain. - -4) Recently, a case was observed where certain incoming packets had a - non-zero packet mark in the raw PREROUTING chain, causing them to - be misrouted. To guard against this issue, packet marks are now - cleared at the top of the PREROUTING and OUTPUT mangle chains when - the new ZERO_MARKS option is set to yes. Note that ZERO_MARKS=Yes - can break IPSEC in multi-ISP configurations. - -5) Two distinct problems have been corrected in the 'disable' - command logic: - - a) If a balanced or fallback interface was down or had been - deleted, then the 'disable' command could fail. - - b) If a persistent optional interface was down, then the - generated script would fail when it attempted to add routes out - of the interface. - -6) Previously, the generated script would attempt to reenable a - disabled persistent provider at each 'start', 'reload' or - 'restart'. Now, disabled persistent providers are handled the same - as other providers and require the 'enable' or 'reenable' command - to enable them. +1) This release contains defect repair from 5.0.12.1. -7) Previously, the generated script assumed that all - probability-balanced providers (those with the 'load' option - specified) were optional. 
That assumption has been removed. +2) The compiler now detects shell metacharacters in interface names + defined in /etc/shorewall[6]/interfaces. Previously, such + characters could cause runtime failures in the generated script. -8) Previously, the permissions of files created by the 'save' command - were more relaxed than necessary. This has been corrected. +3) Previously, the compiler ignored DEST column entries in inline + mangle action bodies. That value is now used unless it is '-', in + which case the DEST column value in the action invocation is used. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -72,69 +39,42 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) You may now place comma-separated zone lists in the SOURCE and DEST - columns in /etc/shorewall[6]/policy. - - Example: - - #SOURCE DEST POLICY ... - loc,dmz net REJECT - - That line is equivalent to: - - #SOURCE DEST POLICY ... - loc net REJECT - loc dmz REJECT - - If the same zone appears in both columns, the default ACCEPT - intrazone policy is not overridden unless the list is followed - immediately by '+'. - - Example: - - #SOURCE DEST POLICY ... - dmz,loc loc,dmz+ REJECT - - That line is equivalent to: - - #SOURCE DEST POLICY ... - dmz loc REJECT - dmz dmz REJECT - loc loc REJECT - loc dmz REJECT - - Without the plus sine, it would be equivalent to - - #SOURCE DEST POLICY ... - dmz loc REJECT - loc dmz REJECT - -2) Distribution maintainers may now set a default pager via the - configure and configure.pl programs in Shorewall-core to set - DEFAULT_PAGER in the generated shorewallrc file. The - Shorewall-provided shorewallrc files for Debian currently specify - 'less' for DEFAULT_PAGER. The other shorewallrc files do not - specify DEFAULT_PAGER. +1) A 'disconnect' option has been added to the DYNAMIC_BLACKLIST + setting. The option is only accepted for ipset-based dynamic + blacklisting and requires that the 'conntrack' utility be + installed. See shorewall[6].conf(5) for details. - If shorewall[6].conf does not specify PAGER then the DEFAULT_PAGER - setting is used. + With this option, when an address is blackliseted using the + 'blacklist' command, the conntrack utility is used to break all + connections from that address. If the 'src-dst' option is also + specified in the BLACKLIST setting, then all connections to the + address are also broken. If the effective VERBOSITY is greater than + 0, then a messages is displayed that indicated the number of flows + deleted by the command. 
If the effective VERBOSITY is 2, the + conntrack entries delected by the command are also displayed. -3) The 'contiguous' option is now supported in TIME columns. When the - 'timestop' value is smaller than the 'timestart' value, match this - as a single time period instead distinct intervals. + This option is more efficient for packet processing than including + the ESTABLISHED state in the BLACKLIST setting. - Example: +2) A 'timeout' option has been added to the DYNAMIC_BLACKLIST setting. + The option is only accepted for ipset-based dynamic blacklisting + and causes entries in the blacklist ipset to be automatically + deleted if they are not matched within a specified time. See + shorewall[6].conf(5) for details. - weekdays=Mo×tart=23:00×top=01:00 +3) A new FIREWALL option has been added to shorewall[6].conf. This + option is intended to be used on an admisitrative system in + configurations of remote firewalls. It defines the DNS name or IP + address of the remote system so that the system name does not have + to be given in the remote-start, remote-reload and remote-restart + commmands. See shorewall[6](8) for details. - Will match Monday, for one hour from midnight to 1 a.m., and - then again for another hour from 23:00 onwards. If this is - unwanted, e.g. if you would like 'match for two hours from - Monday 23:00 onwards' you need to also specify the 'contiguous' - option in the example above. +4) Shorewall6 now allows more that one provider to specify the + 'balance' or 'fallback' options. - See http://www.shorewall.org/configuration_file_basics.htm#TIME for - additional TIME column examples. +5) When using port numbers (as opposed to service names), the hyphen + ("-") is now accepted as the separator in port ranges. When service + names are used, the colon (":") must still be used. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -297,6 +237,120 @@ ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 0 . 1 1 ---------------------------------------------------------------------------- +1) Minor cleanup, mostly commentary, in the Rules.pm module. + +2) In Shorewall 5.0.7, The assumed 'use Shorewall::Config(shorewall)' + statement in ?PERL and ?BEGIN PERL...?END PERL handling was + inadvertently removed. This results in Perl compilation errors if + the 'shorewall' function is invoked. The statement has now been + restored. + +3) Previously, the firewall would fail to start if the configuration + contained a CHECKSUM rule without a chain designator and + MARK_IN_FORWARD_CHAIN=No. Now, the compiler defaults these rules to + the POSTROUTING chain and forbids them in the PREROUTING chain. + +4) Recently, a case was observed where certain incoming packets had a + non-zero packet mark in the raw PREROUTING chain, causing them to + be misrouted. To guard against this issue, packet marks are now + cleared at the top of the PREROUTING and OUTPUT mangle chains when + the new ZERO_MARKS option is set to yes. Note that ZERO_MARKS=Yes + can break IPSEC in multi-ISP configurations. + +5) Two distinct problems have been corrected in the 'disable' + command logic: + + a) If a balanced or fallback interface was down or had been + deleted, then the 'disable' command could fail. + + b) If a persistent optional interface was down, then the + generated script would fail when it attempted to add routes out + of the interface. + +6) Previously, the generated script would attempt to reenable a + disabled persistent provider at each 'start', 'reload' or + 'restart'. Now, disabled persistent providers are handled the same + as other providers and require the 'enable' or 'reenable' command + to enable them. + +7) Previously, the generated script assumed that all + probability-balanced providers (those with the 'load' option + specified) were optional. 
That assumption has been removed. + +8) Previously, the permissions of files created by the 'save' command + were more relaxed than necessary. This has been corrected. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 0 . 1 2 +---------------------------------------------------------------------------- + +1) You may now place comma-separated zone lists in the SOURCE and DEST + columns in /etc/shorewall[6]/policy. + + Example: + + #SOURCE DEST POLICY ... + loc,dmz net REJECT + + That line is equivalent to: + + #SOURCE DEST POLICY ... + loc net REJECT + dmz net REJECT + + If the same zone appears in both columns, the default ACCEPT + intrazone policy is not overridden unless the list is followed + immediately by '+'. + + Example: + + #SOURCE DEST POLICY ... + dmz,loc loc,dmz+ REJECT + + That line is equivalent to: + + #SOURCE DEST POLICY ... + dmz loc REJECT + dmz dmz REJECT + loc loc REJECT + loc dmz REJECT + + Without the plus sine, it would be equivalent to + + #SOURCE DEST POLICY ... + dmz loc REJECT + loc dmz REJECT + +2) Distribution maintainers may now set a default pager via the + configure and configure.pl programs in Shorewall-core to set + DEFAULT_PAGER in the generated shorewallrc file. The + Shorewall-provided shorewallrc files for Debian currently specify + 'less' for DEFAULT_PAGER. The other shorewallrc files do not + specify DEFAULT_PAGER. + + If shorewall[6].conf does not specify PAGER then the DEFAULT_PAGER + setting is used. + +3) The 'contiguous' option is now supported in TIME columns. When the + 'timestop' value is smaller than the 'timestart' value, match this + as a single time period instead distinct intervals. + + Example: + + weekdays=Mo×tart=23:00×top=01:00 + + Will match Monday, for one hour from midnight to 1 a.m., and + then again for another hour from 23:00 onwards. If this is + unwanted, e.g. 
if you would like 'match for two hours from + Monday 23:00 onwards' you need to also specify the 'contiguous' + option in the example above. + + See http://www.shorewall.org/configuration_file_basics.htm#TIME for + additional TIME column examples. + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 0 . 1 1 +---------------------------------------------------------------------------- 1) This release contains defect repair through Shorewall 5.0.10.1. diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.12/shorewall-init.spec shorewall-init-5.0.13/shorewall-init.spec --- shorewall-init-5.0.12/shorewall-init.spec 2016-10-01 14:48:18.629046043 -0700 +++ shorewall-init-5.0.13/shorewall-init.spec 2016-10-17 09:39:17.489929984 -0700 @@ -1,5 +1,5 @@ %define name shorewall-init -%define version 5.0.12 +%define version 5.0.13 %define release 0base Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). @@ -135,6 +135,16 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Sun Oct 16 2016 Tom Eastep tom@shorewall.net +- Updated to 5.0.13-0base +* Sun Oct 16 2016 Tom Eastep tom@shorewall.net +- Updated to 5.0.13-0RC2 +* Sun Oct 09 2016 Tom Eastep tom@shorewall.net +- Updated to 5.0.13-0RC1 +* Tue Oct 04 2016 Tom Eastep tom@shorewall.net +- Updated to 5.0.13-0Beta2 +* Sun Oct 02 2016 Tom Eastep tom@shorewall.net +- Updated to 5.0.13-0Beta1 * Sat Oct 01 2016 Tom Eastep tom@shorewall.net - Updated to 5.0.12-0base * Sat Oct 01 2016 Tom Eastep tom@shorewall.net diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.12/uninstall.sh shorewall-init-5.0.13/uninstall.sh --- shorewall-init-5.0.12/uninstall.sh 2016-10-01 14:48:18.629046043 -0700 +++ shorewall-init-5.0.13/uninstall.sh 2016-10-17 09:39:17.489929984 -0700 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.0.12 +VERSION=5.0.13 PRODUCT=shorewall-init Product="Shorewall Init"
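Review bot: in the changelog.txt hunk, the 5.0.13 Final entry "3) Restrict hypen in port ranges to numberic ports." carries two typos ("hyphen", "numeric"), and the 5.0.13 Beta 1 list numbers two consecutive entries "4)" ("Correct DYNAMIC_BLACKLIST documentation." and "Add 'disconnect' option to the DYNAMIC_BLACKLIST setting."); the second should be "5)". The RC 2 entry "4) Add -exists to ADD command with timeout" is also the only one without a terminating period.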
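Review bot: in the first releasenotes.txt hunk (@@ -1,7 +1,7 @@), the letter-spaced date banner "O c t o b e r 1 8, 2 0 1 6" drops the space before the comma that the replaced line "O c t o b e r 0 3 , 2 0 1 6" had, so the two banners no longer line up. Separately, October 18 is two days after the spec changelog entry "* Sun Oct 16 2016 Tom Eastep ... Updated to 5.0.13-0base" and a day after the file timestamps; confirm which date is the intended release date and use it in both places.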
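Review bot: in the second releasenotes.txt hunk (@@ -14,48 +14,15 @@), new item 2 says the compiler "now detects shell metacharacters in interface names" but not what it does on detection; state whether this is a compile-time error or a warning, and which characters are rejected, because an /etc/shorewall[6]/interfaces file that compiled under 5.0.12 may now be refused after the upgrade, and administrators reading the release notes should learn that here rather than from a failed start. The same hunk's item 3 would be clearer if it named the affected file ("inline mangle action bodies" is only meaningful to readers who know the mangle action syntax).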
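Review bot: in the third releasenotes.txt hunk (@@ -72,69 +39,42 @@), the 'timeout' paragraph should say plainly that an address added with the 'blacklist' command is removed again once it has not been matched for the configured time, since that changes the command from a permanent block to an expiring one and an administrator choosing a value needs to know it. The 'disconnect' paragraph says the option "requires that the 'conntrack' utility be installed"; state whether a missing utility is reported at compile time or only when the 'blacklist' command runs. Typos in the same hunk: "blackliseted" (blacklisted), "a messages is displayed that indicated" (a message is displayed that indicates), "delected" (deleted), "admisitrative" (administrative), "commmands" (commands), and "more that one provider" (more than one provider).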
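Review bot: in the fourth releasenotes.txt hunk (@@ -297,6 +237,120 @@), the moved 5.0.12 "problems corrected" entries are inserted directly under the untouched context header "P R O B L E M S C O R R E C T E D I N 5 . 0 . 1 1", and the hunk then adds a second, identical "P R O B L E M S C O R R E C T E D I N 5 . 0 . 1 1" header above the original "1) This release contains defect repair through Shorewall 5.0.10.1." entry; the existing header should be changed to "5 . 0 . 1 2" so that the two sections are labelled correctly (the added "N E W F E A T U R E S I N 5 . 0 . 1 2" header between them already has the right version). The moved text also carries over "Without the plus sine" (plus sign) and "instead distinct intervals" (instead of distinct intervals), and the TIME example reads "weekdays=Mo×tart=23:00×top=01:00" in this rendering, which looks like "&times" entity decoding of "&timestart=" / "&timestop="; confirm the file itself still carries the ampersands.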