diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.12/changelog.txt shorewall-lite-5.0.13/changelog.txt
--- shorewall-lite-5.0.12/changelog.txt 2016-10-01 14:48:18.689106042 -0700
+++ shorewall-lite-5.0.13/changelog.txt 2016-10-17 09:39:17.533929984 -0700
@@ -1,3 +1,58 @@
+Changes in 5.0.13 Final
+
+1) Update release documents.
+
+2) Reverse ECN fix.
+
+3) Restrict hypen in port ranges to numberic ports.
+
+4) Correct typo in process_mangle_inline().
+
+Changes in 5.0.13 RC 2
+
+1) Update release documents.
+
+2) Accept '-' as a port-range separator.
+
+3) Correct shorewall6-masq examples.
+
+4) Add -exists to ADD command with timeout
+
+5) ECN fix.
+
+Changes in 5.0.13 RC 1
+
+1) Update release documents.
+
+2) Merge fix from 5.0.12.
+
+3) Make the output of 'blacklist' dependent on the verbosity and clean
+ up that output.
+
+4) Detect bad characters in interface names.
+
+Changes in 5.0.13 Beta 2
+
+1) Update release documents.
+
+2) Add 'timeout' DYNAMIC_BLACKLISTING option
+
+3) Add FIREWALL option in shorewall[6].conf.
+
+4) Remove restrictions on IPv6 'balance' and 'fallback'.
+
+Changes in 5.0.13 Beta 1
+
+1) Update release documents.
+
+2) Roberto's typo fix in the mangle manpages.
+
+3) Reorder the entries in the .conf files in ASCII collating sequence.
+
+4) Correct DYNAMIC_BLACKLIST documentation.
+
+4) Add 'disconnect' option to the DYNAMIC_BLACKLIST setting.
+
Changes in 5.0.12 Final
1) Update release documents.
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.12/configure shorewall-lite-5.0.13/configure
--- shorewall-lite-5.0.12/configure 2016-10-01 14:48:18.689106042 -0700
+++ shorewall-lite-5.0.13/configure 2016-10-17 09:39:17.537929984 -0700
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=5.0.12
+VERSION=5.0.13
case "$BASH_VERSION" in
[4-9].*)
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.12/configure.pl shorewall-lite-5.0.13/configure.pl
--- shorewall-lite-5.0.12/configure.pl 2016-10-01 14:48:18.689106042 -0700
+++ shorewall-lite-5.0.13/configure.pl 2016-10-17 09:39:17.541929984 -0700
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '5.0.12'
+ VERSION => '5.0.13'
};
my %params;
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.12/install.sh shorewall-lite-5.0.13/install.sh
--- shorewall-lite-5.0.12/install.sh 2016-10-01 14:48:18.677094043 -0700
+++ shorewall-lite-5.0.13/install.sh 2016-10-17 09:39:17.525929984 -0700
@@ -22,7 +22,7 @@
# along with this program; if not, see .
#
-VERSION=5.0.12
+VERSION=5.0.13
usage() # $1 = exit status
{
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.12/manpages/shorewall-lite.8 shorewall-lite-5.0.13/manpages/shorewall-lite.8
--- shorewall-lite-5.0.12/manpages/shorewall-lite.8 2016-10-01 14:49:46.084414043 -0700
+++ shorewall-lite-5.0.13/manpages/shorewall-lite.8 2016-10-17 09:40:43.151925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-lite
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Administrative Commands
.\" Source: Administrative Commands
.\" Language: English
.\"
-.TH "SHOREWALL\-LITE" "8" "10/01/2016" "Administrative Commands" "Administrative Commands"
+.TH "SHOREWALL\-LITE" "8" "10/17/2016" "Administrative Commands" "Administrative Commands"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -222,6 +222,32 @@
\fIoption\fRs are passed to the
\fBipset add\fR
command\&.
+.sp
+If the
+\fBdisconnect\fR
+option is specified in the DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY determines the amount of information displayed:
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+If the effective verbosity is > 0, then a message giving the number of conntrack flows deleted by the command is displayed\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+If the effective verbosity is > 1, then the conntrack table entries deleted by the command are also displayed\&.
+.RE
.RE
.PP
\fBcall \fR\fB\fIfunction\fR\fR\fB [ \fR\fB\fIparameter\fR\fR\fB \&.\&.\&. ]\fR
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.12/manpages/shorewall-lite.conf.5 shorewall-lite-5.0.13/manpages/shorewall-lite.conf.5
--- shorewall-lite-5.0.12/manpages/shorewall-lite.conf.5 2016-10-01 14:49:44.590922043 -0700
+++ shorewall-lite-5.0.13/manpages/shorewall-lite.conf.5 2016-10-17 09:40:41.715925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-lite.conf
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-LITE\&.CO" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-LITE\&.CO" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.12/manpages/shorewall-lite-vardir.5 shorewall-lite-5.0.13/manpages/shorewall-lite-vardir.5
--- shorewall-lite-5.0.12/manpages/shorewall-lite-vardir.5 2016-10-01 14:49:45.191522042 -0700
+++ shorewall-lite-5.0.13/manpages/shorewall-lite-vardir.5 2016-10-17 09:40:42.295925983 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-lite-vardir
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 10/01/2016
+.\" Date: 10/17/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-LITE\-VAR" "5" "10/01/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-LITE\-VAR" "5" "10/17/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.12/manpages/shorewall-lite.xml shorewall-lite-5.0.13/manpages/shorewall-lite.xml
--- shorewall-lite-5.0.12/manpages/shorewall-lite.xml 2016-10-01 14:49:46.132462043 -0700
+++ shorewall-lite-5.0.13/manpages/shorewall-lite.xml 2016-10-17 09:40:43.203925983 -0700
@@ -724,6 +724,23 @@
address along with any
options are passed to the ipset
add command.
+
+ If the option is specified in the
+ DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
+ determines the amount of information displayed:
+
+
+
+ If the effective verbosity is > 0, then a message
+ giving the number of conntrack flows deleted by the command is
+ displayed.
+
+
+
+ If the effective verbosity is > 1, then the conntrack
+ table entries deleted by the command are also displayed.
+
+
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.12/releasenotes.txt shorewall-lite-5.0.13/releasenotes.txt
--- shorewall-lite-5.0.12/releasenotes.txt 2016-10-01 14:48:18.689106042 -0700
+++ shorewall-lite-5.0.13/releasenotes.txt 2016-10-17 09:39:17.533929984 -0700
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 5 . 0 . 1 2
+ S H O R E W A L L 5 . 0 . 1 3
----------------------------
- O c t o b e r 0 3 , 2 0 1 6
+ O c t o b e r 1 8, 2 0 1 6
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,48 +14,15 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) Minor cleanup, mostly commentary, in the Rules.pm module.
-
-2) In Shorewall 5.0.7, The assumed 'use Shorewall::Config(shorewall)'
- statement in ?PERL and ?BEGIN PERL...?END PERL handling was
- inadvertently removed. This results in Perl compilation errors if
- the 'shorewall' function is invoked. The statement has now been
- restored.
-
-3) Previously, the firewall would fail to start if the configuration
- contained a CHECKSUM rule without a chain designator and
- MARK_IN_FORWARD_CHAIN=No. Now, the compiler defaults these rules to
- the POSTROUTING chain and forbids them in the PREROUTING chain.
-
-4) Recently, a case was observed where certain incoming packets had a
- non-zero packet mark in the raw PREROUTING chain, causing them to
- be misrouted. To guard against this issue, packet marks are now
- cleared at the top of the PREROUTING and OUTPUT mangle chains when
- the new ZERO_MARKS option is set to yes. Note that ZERO_MARKS=Yes
- can break IPSEC in multi-ISP configurations.
-
-5) Two distinct problems have been corrected in the 'disable'
- command logic:
-
- a) If a balanced or fallback interface was down or had been
- deleted, then the 'disable' command could fail.
-
- b) If a persistent optional interface was down, then the
- generated script would fail when it attempted to add routes out
- of the interface.
-
-6) Previously, the generated script would attempt to reenable a
- disabled persistent provider at each 'start', 'reload' or
- 'restart'. Now, disabled persistent providers are handled the same
- as other providers and require the 'enable' or 'reenable' command
- to enable them.
+1) This release contains defect repair from 5.0.12.1.
-7) Previously, the generated script assumed that all
- probability-balanced providers (those with the 'load' option
- specified) were optional. That assumption has been removed.
+2) The compiler now detects shell metacharacters in interface names
+ defined in /etc/shorewall[6]/interfaces. Previously, such
+ characters could cause runtime failures in the generated script.
-8) Previously, the permissions of files created by the 'save' command
- were more relaxed than necessary. This has been corrected.
+3) Previously, the compiler ignored DEST column entries in inline
+ mangle action bodies. That value is now used unless it is '-', in
+ which case the DEST column value in the action invocation is used.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
@@ -72,69 +39,42 @@
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) You may now place comma-separated zone lists in the SOURCE and DEST
- columns in /etc/shorewall[6]/policy.
-
- Example:
-
- #SOURCE DEST POLICY ...
- loc,dmz net REJECT
-
- That line is equivalent to:
-
- #SOURCE DEST POLICY ...
- loc net REJECT
- loc dmz REJECT
-
- If the same zone appears in both columns, the default ACCEPT
- intrazone policy is not overridden unless the list is followed
- immediately by '+'.
-
- Example:
-
- #SOURCE DEST POLICY ...
- dmz,loc loc,dmz+ REJECT
-
- That line is equivalent to:
-
- #SOURCE DEST POLICY ...
- dmz loc REJECT
- dmz dmz REJECT
- loc loc REJECT
- loc dmz REJECT
-
- Without the plus sine, it would be equivalent to
-
- #SOURCE DEST POLICY ...
- dmz loc REJECT
- loc dmz REJECT
-
-2) Distribution maintainers may now set a default pager via the
- configure and configure.pl programs in Shorewall-core to set
- DEFAULT_PAGER in the generated shorewallrc file. The
- Shorewall-provided shorewallrc files for Debian currently specify
- 'less' for DEFAULT_PAGER. The other shorewallrc files do not
- specify DEFAULT_PAGER.
+1) A 'disconnect' option has been added to the DYNAMIC_BLACKLIST
+ setting. The option is only accepted for ipset-based dynamic
+ blacklisting and requires that the 'conntrack' utility be
+ installed. See shorewall[6].conf(5) for details.
- If shorewall[6].conf does not specify PAGER then the DEFAULT_PAGER
- setting is used.
+ With this option, when an address is blackliseted using the
+ 'blacklist' command, the conntrack utility is used to break all
+ connections from that address. If the 'src-dst' option is also
+ specified in the BLACKLIST setting, then all connections to the
+ address are also broken. If the effective VERBOSITY is greater than
+ 0, then a messages is displayed that indicated the number of flows
+ deleted by the command. If the effective VERBOSITY is 2, the
+ conntrack entries delected by the command are also displayed.
-3) The 'contiguous' option is now supported in TIME columns. When the
- 'timestop' value is smaller than the 'timestart' value, match this
- as a single time period instead distinct intervals.
+ This option is more efficient for packet processing than including
+ the ESTABLISHED state in the BLACKLIST setting.
- Example:
+2) A 'timeout' option has been added to the DYNAMIC_BLACKLIST setting.
+ The option is only accepted for ipset-based dynamic blacklisting
+ and causes entries in the blacklist ipset to be automatically
+ deleted if they are not matched within a specified time. See
+ shorewall[6].conf(5) for details.
- weekdays=Mo×tart=23:00×top=01:00
+3) A new FIREWALL option has been added to shorewall[6].conf. This
+ option is intended to be used on an admisitrative system in
+ configurations of remote firewalls. It defines the DNS name or IP
+ address of the remote system so that the system name does not have
+ to be given in the remote-start, remote-reload and remote-restart
+ commmands. See shorewall[6](8) for details.
- Will match Monday, for one hour from midnight to 1 a.m., and
- then again for another hour from 23:00 onwards. If this is
- unwanted, e.g. if you would like 'match for two hours from
- Monday 23:00 onwards' you need to also specify the 'contiguous'
- option in the example above.
+4) Shorewall6 now allows more that one provider to specify the
+ 'balance' or 'fallback' options.
- See http://www.shorewall.org/configuration_file_basics.htm#TIME for
- additional TIME column examples.
+5) When using port numbers (as opposed to service names), the hyphen
+ ("-") is now accepted as the separator in port ranges. When service
+ names are used, the colon (":") must still be used.
----------------------------------------------------------------------------
I V. M I G R A T I O N I S S U E S
@@ -297,6 +237,120 @@
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 0 . 1 1
----------------------------------------------------------------------------
+1) Minor cleanup, mostly commentary, in the Rules.pm module.
+
+2) In Shorewall 5.0.7, The assumed 'use Shorewall::Config(shorewall)'
+ statement in ?PERL and ?BEGIN PERL...?END PERL handling was
+ inadvertently removed. This results in Perl compilation errors if
+ the 'shorewall' function is invoked. The statement has now been
+ restored.
+
+3) Previously, the firewall would fail to start if the configuration
+ contained a CHECKSUM rule without a chain designator and
+ MARK_IN_FORWARD_CHAIN=No. Now, the compiler defaults these rules to
+ the POSTROUTING chain and forbids them in the PREROUTING chain.
+
+4) Recently, a case was observed where certain incoming packets had a
+ non-zero packet mark in the raw PREROUTING chain, causing them to
+ be misrouted. To guard against this issue, packet marks are now
+ cleared at the top of the PREROUTING and OUTPUT mangle chains when
+ the new ZERO_MARKS option is set to yes. Note that ZERO_MARKS=Yes
+ can break IPSEC in multi-ISP configurations.
+
+5) Two distinct problems have been corrected in the 'disable'
+ command logic:
+
+ a) If a balanced or fallback interface was down or had been
+ deleted, then the 'disable' command could fail.
+
+ b) If a persistent optional interface was down, then the
+ generated script would fail when it attempted to add routes out
+ of the interface.
+
+6) Previously, the generated script would attempt to reenable a
+ disabled persistent provider at each 'start', 'reload' or
+ 'restart'. Now, disabled persistent providers are handled the same
+ as other providers and require the 'enable' or 'reenable' command
+ to enable them.
+
+7) Previously, the generated script assumed that all
+ probability-balanced providers (those with the 'load' option
+ specified) were optional. That assumption has been removed.
+
+8) Previously, the permissions of files created by the 'save' command
+ were more relaxed than necessary. This has been corrected.
+
+----------------------------------------------------------------------------
+ N E W F E A T U R E S I N 5 . 0 . 1 2
+----------------------------------------------------------------------------
+
+1) You may now place comma-separated zone lists in the SOURCE and DEST
+ columns in /etc/shorewall[6]/policy.
+
+ Example:
+
+ #SOURCE DEST POLICY ...
+ loc,dmz net REJECT
+
+ That line is equivalent to:
+
+ #SOURCE DEST POLICY ...
+ loc net REJECT
+ dmz net REJECT
+
+ If the same zone appears in both columns, the default ACCEPT
+ intrazone policy is not overridden unless the list is followed
+ immediately by '+'.
+
+ Example:
+
+ #SOURCE DEST POLICY ...
+ dmz,loc loc,dmz+ REJECT
+
+ That line is equivalent to:
+
+ #SOURCE DEST POLICY ...
+ dmz loc REJECT
+ dmz dmz REJECT
+ loc loc REJECT
+ loc dmz REJECT
+
+ Without the plus sine, it would be equivalent to
+
+ #SOURCE DEST POLICY ...
+ dmz loc REJECT
+ loc dmz REJECT
+
+2) Distribution maintainers may now set a default pager via the
+ configure and configure.pl programs in Shorewall-core to set
+ DEFAULT_PAGER in the generated shorewallrc file. The
+ Shorewall-provided shorewallrc files for Debian currently specify
+ 'less' for DEFAULT_PAGER. The other shorewallrc files do not
+ specify DEFAULT_PAGER.
+
+ If shorewall[6].conf does not specify PAGER then the DEFAULT_PAGER
+ setting is used.
+
+3) The 'contiguous' option is now supported in TIME columns. When the
+ 'timestop' value is smaller than the 'timestart' value, match this
+ as a single time period instead distinct intervals.
+
+ Example:
+
+ weekdays=Mo×tart=23:00×top=01:00
+
+ Will match Monday, for one hour from midnight to 1 a.m., and
+ then again for another hour from 23:00 onwards. If this is
+ unwanted, e.g. if you would like 'match for two hours from
+ Monday 23:00 onwards' you need to also specify the 'contiguous'
+ option in the example above.
+
+ See http://www.shorewall.org/configuration_file_basics.htm#TIME for
+ additional TIME column examples.
+
+----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 5 . 0 . 1 1
+----------------------------------------------------------------------------
1) This release contains defect repair through Shorewall 5.0.10.1.
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.12/shorewall-lite.spec shorewall-lite-5.0.13/shorewall-lite.spec
--- shorewall-lite-5.0.12/shorewall-lite.spec 2016-10-01 14:48:18.681098043 -0700
+++ shorewall-lite-5.0.13/shorewall-lite.spec 2016-10-17 09:39:17.529929984 -0700
@@ -1,5 +1,5 @@
%define name shorewall-lite
-%define version 5.0.12
+%define version 5.0.13
%define release 0base
%define initdir /etc/init.d
@@ -117,6 +117,16 @@
%doc COPYING changelog.txt releasenotes.txt
%changelog
+* Sun Oct 16 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.13-0base
+* Sun Oct 16 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.13-0RC2
+* Sun Oct 09 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.13-0RC1
+* Tue Oct 04 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.13-0Beta2
+* Sun Oct 02 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.13-0Beta1
* Sat Oct 01 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.12-0base
* Sat Oct 01 2016 Tom Eastep tom@shorewall.net
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-lite-5.0.12/uninstall.sh shorewall-lite-5.0.13/uninstall.sh
--- shorewall-lite-5.0.12/uninstall.sh 2016-10-01 14:48:18.677094043 -0700
+++ shorewall-lite-5.0.13/uninstall.sh 2016-10-17 09:39:17.529929984 -0700
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=5.0.12
+VERSION=5.0.13
PRODUCT=shorewall-lite
Product="Shorewall Lite"