diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.8/changelog.txt shorewall-core-5.0.9/changelog.txt
--- shorewall-core-5.0.8/changelog.txt 2016-04-23 06:42:06.523009000 -0700
+++ shorewall-core-5.0.9/changelog.txt 2016-06-04 14:49:09.383267082 -0700
@@ -1,3 +1,49 @@
+Changes in 5.0.9 Final
+
+1) Update release documents
+
+2) Document DOCKER fix.
+
+Changes in 5.0.9 RC 1
+
+1) Update release documents
+
+2) Cross-check core version during compilation.
+
+3) Cross-check Shorewall6 version during IPv6 compilation.
+
+4) Turn on AUTOMAKE in the sample configurations.
+
+5) Date/time in 'date' format.
+
+Changes in 5.0.9 Beta 2
+
+1) Update release documents
+
+2) Improve compile date/time implementation
+
+3) Add VERBOSE_MESSAGES option.
+
+4) Allow NFLOG in the mangle file
+
+Changes in 5.0.9 Beta 1
+
+1) Update release documents
+
+2) Fix handling of optional provider with no IP address
+
+3) Correct typos in the Events article
+
+4) Implement standard error messages in the CLI
+
+5) Include compile time and date in the output of 'status'
+
+6) Apply Matt Darfeuille's patch set.
+
+Changes in 5.0.8 Final
+
+1) Update release documents
+
Changes in 5.0.8 RC 2
1) Update release documents.
@@ -16,9 +62,7 @@
8) Add an ESTABLISHED,RELATED rule for o => docker0
-9) ?WARNING and ?INFO
-
-10) Warning on optional provider in the DUPLICATE column
+9) Add ?WARNING and ?INFO directives.
Changes in 5.0.8 RC 1
@@ -28,7 +72,7 @@
3) Correct many issues with save/restore of ipsets.
-4) Update DHCP article (refresh -> restart)
+4) Update DHCP article (refresh -> reload)
5) Correct start command's handling of AUTOMAKE.
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.8/configure shorewall-core-5.0.9/configure
--- shorewall-core-5.0.8/configure 2016-04-23 06:42:05.919009000 -0700
+++ shorewall-core-5.0.9/configure 2016-06-04 14:49:08.742743974 -0700
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=5.0.8
+VERSION=5.0.9
case "$BASH_VERSION" in
[4-9].*)
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.8/configure.pl shorewall-core-5.0.9/configure.pl
--- shorewall-core-5.0.8/configure.pl 2016-04-23 06:42:05.923009000 -0700
+++ shorewall-core-5.0.9/configure.pl 2016-06-04 14:49:08.746747243 -0700
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '5.0.8'
+ VERSION => '5.0.9'
};
my %params;
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.8/install.sh shorewall-core-5.0.9/install.sh
--- shorewall-core-5.0.8/install.sh 2016-04-23 06:42:05.915009000 -0700
+++ shorewall-core-5.0.9/install.sh 2016-06-04 14:49:08.738740705 -0700
@@ -22,7 +22,7 @@
# along with this program; if not, see .
#
-VERSION=5.0.8
+VERSION=5.0.9
PRODUCT=shorewall-core
Product="Shorewall Core"
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.8/lib.cli shorewall-core-5.0.9/lib.cli
--- shorewall-core-5.0.8/lib.cli 2016-04-19 10:42:50.000000000 -0700
+++ shorewall-core-5.0.9/lib.cli 2016-05-22 17:50:51.000000000 -0700
@@ -731,12 +731,29 @@
done
}
+option_error() {
+ fatal_error "The $COMMAND command does not accept this option: -$1"
+}
+
+too_many_arguments() {
+ fatal_error "Too many arguments: $1"
+}
+
+missing_argument() {
+ fatal_error "Missing argument"
+}
+
+missing_option_value() {
+ fatal_error "The $1 option requires a value"
+}
+
version_command() {
local finished
finished=0
local all
all=
local product
+ local compiletime
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
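Review bot: The four new error helpers carry no header comment, unlike the `# Dump Command Executor` style blocks elsewhere in this file, and they depend on two things not visible here: `fatal_error` never returning (every call site falls through to more code), and `$COMMAND` already being set by the caller of `option_error`. Suggest a block comment above `option_error()`: `# Argument/option error reporters. Each delegates to fatal_error (assumed not to return); option_error reads $COMMAND from the caller's scope`. Note also that the call sites added in this commit pass their argument unquoted (`too_many_arguments $2`), so a value containing whitespace is word-split before it reaches `$1`; `"$2"` at the call sites would keep it intact. version_command continues past the end of this hunk.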
@@ -755,7 +772,7 @@
option=${option#a}
;;
*)
- usage 1
+ option_error $option
;;
esac
done
@@ -767,7 +784,7 @@
esac
done
- [ $# -gt 0 ] && usage 1
+ [ $# -gt 0 ] && too_many_arguments
if [ -n "$all" ]; then
echo "shorewall-core: $(cat ${SHAREDIR}/shorewall/coreversion)"
@@ -779,8 +796,16 @@
done
if [ "$(id -u)" -eq 0 -a -f $g_firewall ]; then
- echo $g_echo_n "$g_firewall was compiled by Shorewall version "
- $g_firewall version
+ compiletime=$(run_it $g_firewall info 2>/dev/null)
+
+ case $compiletime in
+ compiled\ *)
+ echo "$g_firewall was $compiletime"
+ ;;
+ *)
+ echo "$g_firewall was compiled by Shorewall version $(run_it $g_firewall version))"
+ ;;
+ esac
fi
else
echo $SHOREWALL_VERSION
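Review bot: The fallback line `echo "$g_firewall was compiled by Shorewall version $(run_it $g_firewall version))"` has an unmatched closing parenthesis — there is no opening `(` before `compiled`, so the printed version is followed by a stray `)`. The parallel line in the new show_status is balanced because it opens a `(` after `$state`. Proposed: `echo "$g_firewall was compiled by Shorewall version $(run_it $g_firewall version)"`. version_command's body begins before this hunk.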
@@ -1065,7 +1090,7 @@
shift
conntrack -f ipv4 -L $@ | show_connections_filter
else
- [ $# -gt 1 ] && usage 1
+ [ $# -gt 1 ] && too_many_arguments
if [ -f /proc/net/ip_conntrack ]; then
cat /proc/net/ip_conntrack | show_connections_filter
else
@@ -1078,7 +1103,7 @@
echo
conntrack -f ipv6 -L $@ | show_connections_filter
else
- [ $# -gt 1 ] && usage 1
+ [ $# -gt 1 ] && too_many_arguments
if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
@@ -1199,7 +1224,7 @@
option=${option#f}
;;
t)
- [ $# -eq 1 ] && usage 1
+ [ $# -eq 1 ] && missing_option_value -t
case $2 in
mangle|nat|filter|raw|rawpost)
@@ -1227,7 +1252,7 @@
option=${option#b}
;;
*)
- usage 1
+ option_error $option
;;
esac
done
@@ -1249,37 +1274,37 @@
eval show_connections $@ $g_pager
;;
nat)
- [ $# -gt 1 ] && usage 1
+ [ $# -gt 1 ] && too_many_arguments $2
eval show_nat $g_pager
;;
raw)
- [ $# -gt 1 ] && usage 1
+ [ $# -gt 1 ] && too_many_arguments $2
eval show_raw $g_pager
;;
rawpost)
- [ $# -gt 1 ] && usage 1
+ [ $# -gt 1 ] && too_many_arguments $2
eval show_rawpost $g_pager
;;
tos|mangle)
- [ $# -gt 1 ] && usage 1
+ [ $# -gt 1 ] && too_many_arguments $2
eval show_mangle $g_pager
;;
log)
- [ $# -gt 2 ] && usage 1
+ [ $# -gt 2 ] && too_many_arguments $2
setup_logread
eval show_log $g_pager
;;
tc)
- [ $# -gt 2 ] && usage 1
+ [ $# -gt 2 ] && too_many_arguments $2
eval show_tc $@ $g_pager
;;
classifiers|filters)
- [ $# -gt 1 ] && usage 1
+ [ $# -gt 1 ] && too_many_arguments $2
eval show_classifiers_command $g_pager
;;
zones)
- [ $# -gt 1 ] && usage 1
+ [ $# -gt 1 ] && too_many_arguments $2
if [ -f ${VARDIR}/zones ]; then
echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
echo
@@ -1302,7 +1327,7 @@
fi
;;
capabilities)
- [ $# -gt 1 ] && usage 1
+ [ $# -gt 1 ] && too_many_arguments $2
determine_capabilities
VERBOSITY=2
if [ -n "$g_filemode" ]; then
@@ -1312,11 +1337,11 @@
fi
;;
ip)
- [ $# -gt 1 ] && usage 1
+ [ $# -gt 1 ] && too_many_arguments $2
eval show_ip_addresses $g_pager
;;
routing)
- [ $# -gt 1 ] && usage 1
+ [ $# -gt 1 ] && too_many_arguments $2
eval show_routing_command $g_pager
;;
config)
@@ -1345,26 +1370,26 @@
echo $VARDIR;
;;
policies)
- [ $# -gt 1 ] && usage 1
+ [ $# -gt 1 ] && too_many_arguments $2
eval show_policies $g_pager
;;
ipa)
- [ $g_family -eq 4 ] || usage 1
- [ $# -gt 1 ] && usage 1
+ [ $g_family -eq 4 ] || fatal_error "'show ipa' is now available in $g_product"
+ [ $# -gt 1 ] && too_many_arguments $2
eval show_ipa $g_pager
;;
marks)
- [ $# -gt 1 ] && usage 1
+ [ $# -gt 1 ] && too_many_arguments $2
echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
echo
[ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
;;
nfacct)
- [ $# -gt 1 ] && usage 1
+ [ $# -gt 1 ] && too_many_arguments $2
eval show_nfacct_command $g_pager
;;
arptables)
- [ $# -gt 1 ] && usage 1
+ [ $# -gt 1 ] && too_many_arguments $2
resolve_arptables
if [ -n "$arptables" -a -x $arptables ]; then
eval show_arptables $g_pager
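Review bot: The ipa error message states the opposite of what the test checks: `[ $g_family -eq 4 ] || fatal_error "'show ipa' is now available in $g_product"` fires only when the family is not IPv4, so 'now available' should read 'not available'. Proposed: `[ $g_family -eq 4 ] || fatal_error "'show ipa' is not available in $g_product"`. The enclosing case statement starts before and ends after this hunk.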
@@ -1373,22 +1398,22 @@
fi
;;
event)
- [ $# -gt 1 ] || usage 1
+ [ $# -gt 1 ] || too_many_arguments $2
echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
echo
shift
show_events $@
;;
events)
- [ $# -gt 1 ] && usage 1
+ [ $# -gt 1 ] && too_many_arguments $2
eval show_events_command $g_pager
;;
bl|blacklists)
- [ $# -gt 1 ] && usage 1
+ [ $# -gt 1 ] && too_many_arguments $2
eval show_blacklists $g_pager
;;
opens)
- [ $# -gt 1 ] && usage 1
+ [ $# -gt 1 ] && too_many_arguments $2
echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
if chain_exists dynamic; then
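Review bot: In the event branch, `[ $# -gt 1 ] || too_many_arguments $2` invokes the error helper when there are too few arguments, not too many, and passes an empty `$2`, so a missing event name is reported as 'Too many arguments: ' with nothing after the colon. The original `usage 1` was indifferent to direction; the new helpers are not. Proposed: `[ $# -gt 1 ] || missing_argument`. The enclosing case statement continues outside the hunk.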
@@ -1404,12 +1429,12 @@
*)
case $1 in
actions)
- [ $# -gt 1 ] && usage 1
+ [ $# -gt 1 ] && too_many_arguments $2
eval show_actions_sorted $g_pager
return
;;
macro)
- [ $# -ne 2 ] && usage 1
+ [ $# -ne 2 ] && too_many_arguments $2
for directory in $(split $CONFIG_PATH); do
if [ -f ${directory}/macro.$2 ]; then
echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)"
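Review bot: `[ $# -ne 2 ] && too_many_arguments $2` folds two different failures into one message: with no macro name (`$# -eq 1`) it prints 'Too many arguments: ' with an empty value, and with surplus arguments it names `$2`, which is the macro itself rather than the extra argument `$3`. Proposed: `[ $# -lt 2 ] && missing_argument` followed by `[ $# -gt 2 ] && too_many_arguments $3`. The enclosing case statement continues outside the hunk.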
@@ -1421,7 +1446,7 @@
return
;;
macros)
- [ $# -gt 1 ] && usage 1
+ [ $# -gt 1 ] && too_many_arguments $2
eval show_macros $g_pager
return
;;
@@ -1432,7 +1457,7 @@
if [ $# -gt 0 ]; then
if [ $1 = dynamic -a $# -gt 1 ]; then
shift
- [ $# -eq 1 ] || usage 1
+ [ $# -eq 1 ] || too_many_arguments $2
list_zone $1
return;
fi
@@ -1507,6 +1532,49 @@
eval dump_filter $g_pager
}
+show_status() {
+ local compiletime
+ local state
+
+ if product_is_started ; then
+ [ $VERBOSITY -ge 1 ] && echo "$g_product is running"
+ status=0
+ else
+ [ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
+ status=4
+ fi
+
+ if [ -f ${VARDIR}/state ]; then
+ state="$(cat ${VARDIR}/state)"
+ case $state in
+ Stopped*|Closed*|Clear*)
+ status=3
+ ;;
+ esac
+ else
+ state=Unknown
+ fi
+
+ if [ $VERBOSITY -ge 1 ]; then
+ if [ -f $g_firewall ]; then
+ compiletime=$(run_it $g_firewall info 2>/dev/null)
+
+ case $compiletime in
+ compiled\ *)
+ state="$state ($g_firewall $compiletime)"
+ ;;
+ *)
+ state="$state ($g_firewall compiled by Shorewall version $(run_it $g_firewall version))"
+ ;;
+ esac
+ fi
+
+ echo "State:$state"
+ echo
+ fi
+
+}
+
#
# Dump Command Executor
#
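Review bot: show_status declares `compiletime` and `state` as `local` but assigns `status=0`, `status=4` and `status=3` to a non-local variable with no comment, which next to the two new `local` lines reads like an oversight; the removed copy of the function did the same, so presumably `status` is the value its caller reads after the call, and that is worth stating. Proposed comment above the first assignment: `# status is deliberately not local: it carries the result (0 running, 3 stopped/cleared state file, 4 not started) back to the caller`. It is also not obvious that a `$g_firewall` that exists but cannot run is handled only by the `*)` arm re-invoking `run_it $g_firewall version`; a one-line comment on the `case $compiletime in` would help.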
@@ -1546,7 +1614,7 @@
option=${option#c}
;;
*)
- usage 1
+ option_error $option
;;
esac
done
@@ -1565,7 +1633,7 @@
[ $VERBOSITY -lt 2 ] && VERBOSITY=2
[ -n "$g_debugging" ] && set -x
- [ $# -eq 0 ] || usage 1
+ [ $# -eq 0 ] || too_many_arguments $1
clear_term
echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)"
echo
@@ -1760,7 +1828,7 @@
option=${option#C}
;;
*)
- usage 1
+ option_error
;;
esac
done
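Review bot: `option_error` is called here without its argument, unlike every other `option_error $option` site in this commit, so the message will end with 'does not accept this option: -' and nothing after the dash. Proposed: `option_error $option`. The enclosing option-parsing loop starts before and ends after this hunk.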
@@ -1780,7 +1848,7 @@
validate_restorefile ''
;;
*)
- usage 1
+ too_many_arguments $2
;;
esac
@@ -2386,7 +2454,7 @@
option=${option#t}
;;
*)
- usage 1
+ option_error $option
;;
esac
done
@@ -2398,7 +2466,7 @@
esac
done
- [ $# -eq 0 ] || usage 1
+ [ $# -eq 0 ] || too_many_arguments $1
clear_term
echo "$g_product $SHOREWALL_VERSION Hits at $g_hostname - $(date)"
@@ -2455,7 +2523,7 @@
#
allow_command() {
[ -n "$g_debugging" ] && set -x
- [ $# -eq 1 ] && usage 1
+ [ $# -eq 1 ] && missing_argument
if product_is_started ; then
local which
which='-s'
@@ -2525,8 +2593,6 @@
-*)
option=${option#-}
- [ -z "$option" ] && usage 1
-
while [ -n "$option" ]; do
case $option in
v*)
@@ -2546,7 +2612,7 @@
option=
;;
*)
- usage 1
+ option_error $option
;;
esac
done
@@ -2565,7 +2631,7 @@
elif [ $# -eq 0 ]; then
logwatch 30
else
- usage 1
+ too_many_arguments $2
fi
}
@@ -3309,36 +3375,6 @@
report_capabilities_unsorted1 | sort
}
-show_status() {
- if product_is_started ; then
- [ $VERBOSITY -ge 1 ] && echo "$g_product is running"
- status=0
- else
- [ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
- status=4
- fi
-
- if [ -f ${VARDIR}/state ]; then
- state="$(cat ${VARDIR}/state)"
- case $state in
- Stopped*|Closed*|Clear*)
- status=3
- ;;
- esac
- else
- state=Unknown
- fi
-
- if [ $VERBOSITY -ge 1 ]; then
- if [ -f $g_firewall ]; then
- state="$state ($g_firewall compiled by Shorewall version $($g_firewall version))"
- fi
- echo "State:$state"
- echo
- fi
-
-}
-
interface_status() {
case $(cat $1) in
0)
@@ -3392,7 +3428,7 @@
option=${option#i}
;;
*)
- usage 1
+ option_error $option
;;
esac
done
@@ -3404,7 +3440,7 @@
esac
done
- [ $# -eq 0 ] || usage 1
+ [ $# -eq 0 ] || missing_argument
[ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
show_status
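Review bot: `[ $# -eq 0 ] || missing_argument` fires when there are leftover arguments, so the user is told 'Missing argument' for the opposite problem; the parallel checks in the dump and hits command hunks of this commit use `too_many_arguments $1` for the same test. Proposed: `[ $# -eq 0 ] || too_many_arguments $1`. The enclosing function begins before this hunk.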
@@ -3498,7 +3534,7 @@
option=${option#C}
;;
*)
- usage 1
+ option_error $option
;;
esac
done
@@ -3518,7 +3554,7 @@
validate_restorefile ''
;;
*)
- usage 1
+ too_many_arguments $2
;;
esac
@@ -3537,6 +3573,9 @@
forget_command() {
case $# in
+ 0)
+ missing_argument
+ ;;
1)
;;
2)
@@ -3544,7 +3583,7 @@
validate_restorefile ''
;;
*)
- usage 1
+ too_many_arguments $3
;;
esac
@@ -3566,7 +3605,7 @@
local address
local vlsm
- [ $g_family -eq 6 ] && usage 1
+ [ $g_family -eq 6 ] && fatal_error "$g_product does not support the ipcalc command"
if [ $# -eq 2 ]; then
address=${2%/*}
@@ -3574,13 +3613,15 @@
elif [ $# -eq 3 ]; then
address=$2
vlsm=$(ip_vlsm $3)
+ elif [ $# -eq 0 ]; then
+ missing_argument
else
- usage 1
+ too_many_arguments $4
fi
valid_address $address || fatal_error "Invalid IP address: $address"
- [ -z "$vlsm" ] && usage 2
- [ "x$address" = "x$vlsm" ] && usage 2
+ [ -z "$vlsm" ] && fatal_error "Missing VLSM"
+ [ "x$address" = "x$vlsm" ] && "Invalid VLSM"
[ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm"
address=$address/$vlsm
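Review bot: `[ "x$address" = "x$vlsm" ] && "Invalid VLSM"` has lost its `fatal_error` call, so when the address and VLSM are equal (no `/` in the argument) the shell tries to execute a command named 'Invalid VLSM', prints a command-not-found error, and continues into `[ $vlsm -gt 32 ]` with a non-numeric `$vlsm`. Proposed: `[ "x$address" = "x$vlsm" ] && fatal_error "Invalid VLSM"`. ipcalc_command begins before this hunk and continues after it.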
@@ -3594,7 +3635,7 @@
iprange_command() {
local range
- [ $g_family -eq 6 ] && usage 1
+ [ $g_family -eq 6 ] && fatal_error "$g_product does not support the iprange command"
range=''
@@ -3612,15 +3653,19 @@
ip_range $range
;;
*)
- usage 1
+ fatal_error "Invalid ip range: $range"
;;
esac
}
ipdecimal_command() {
- [ $# -eq 2 ] || usage 1
+ if [ $# eq 1 ]; then
+ missing_argument
+ else
+ [ $# -eq 2 ] || too_many_arguments $3
+ fi
- [ $g_family -eq 6 ] && usage 1
+ [ $g_family -eq 6 ] && fatal_error "$g_product does not support the iprange command"
case $2 in
*.*.*.*)
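Review bot: `if [ $# eq 1 ]; then` is missing the hyphen in `-eq`; `[` rejects `eq` as an operator, prints an error and returns non-zero, so the else branch always runs and a bare `ipdecimal` is reported as 'Too many arguments: ' instead of 'Missing argument'. Two lines further down, the IPv6 rejection inside ipdecimal_command names the wrong command: `fatal_error "$g_product does not support the iprange command"`. Proposed: `if [ $# -eq 1 ]; then` and `[ $g_family -eq 6 ] && fatal_error "$g_product does not support the ipdecimal command"`. ipdecimal_command continues past the end of this hunk.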
@@ -3928,7 +3973,7 @@
option=${option%p}
;;
*)
- usage 1
+ option_error $option
;;
esac
done
@@ -3944,7 +3989,7 @@
0)
;;
*)
- usage 1
+ too_many_arguments $1
;;
esac
@@ -3988,7 +4033,7 @@
option=${option#C}
;;
*)
- usage 1
+ option_error $option
;;
esac
done
@@ -4004,7 +4049,7 @@
0)
;;
*)
- usage 1
+ too_many_arguments $1
;;
esac
@@ -4220,7 +4265,8 @@
while [ -n "$option" ]; do
case $option in
c)
- [ $# -eq 1 -o -n "$g_lite" ] && usage 1
+ [ $# -eq 1 ] && missing_option_value -c
+ [ -n "$g_lite" ] && fatal_error "$g_product does not support the -c option"
if [ ! -d $2 ]; then
if [ -e $2 ]; then
@@ -4235,7 +4281,7 @@
shift
;;
e*)
- [ -n "$g_lite" ] && usage 1
+ [ -n "$g_lite" ] && fatal_error "$g_product does not support the -e option"
g_export=Yes
option=${option#e}
;;
@@ -4297,7 +4343,7 @@
option=
;;
*)
- usage 1
+ option_error $option
;;
esac
done
@@ -4362,7 +4408,7 @@
start_command $@
;;
stop|clear)
- [ $# -ne 1 ] && usage 1
+ [ $# -ne 1 ] && too_many_arguments $2
get_config
[ -x $g_firewall ] || fatal_error "$g_product has never been started"
[ -n "$g_nolock" ] || mutex_on
@@ -4419,7 +4465,7 @@
dump_command $@
;;
hits)
- [ $g_family -eq 6 ] && usage 1
+ [ $g_family -eq 6 ] && fatal_error "$g_product does not support the hits command"
get_config Yes No Yes
[ -n "$g_debugging" ] && set -x
shift
@@ -4437,19 +4483,19 @@
drop)
get_config
[ -n "$g_debugging" ] && set -x
- [ $# -eq 1 ] && usage 1
+ [ $# -eq 1 ] && missing_argument
drop_command $@
;;
logdrop)
get_config
[ -n "$g_debugging" ] && set -x
- [ $# -eq 1 ] && usage 1
+ [ $# -eq 1 ] && missing_argument
logdrop_command $@
;;
reject|logreject)
get_config
[ -n "$g_debugging" ] && set -x
- [ $# -eq 1 ] && usage 1
+ [ $# -eq 1 ] && missing_argument
reject_command $@
;;
open|close)
@@ -4522,7 +4568,7 @@
run_it $g_firewall $g_debugging call $@
fi
else
- usage 1
+ missing_argument
fi
;;
help)
@@ -4540,7 +4586,7 @@
noiptrace_command $@
;;
savesets)
- [ $# -eq 1 ] || usage 1
+ [ $# -eq 1 ] || too_many_arguments $2
get_config
[ -n "$g_debugging" ] && set -x
savesets1
@@ -4549,7 +4595,7 @@
if [ -z "$g_lite" ]; then
compiler_command $@
else
- usage 1
+ fatal_error "Invalid command: $COMMAND"
fi
;;
esac
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.8/lib.common shorewall-core-5.0.9/lib.common
--- shorewall-core-5.0.8/lib.common 2016-04-19 10:42:50.000000000 -0700
+++ shorewall-core-5.0.9/lib.common 2016-05-22 17:50:51.000000000 -0700
@@ -712,9 +712,9 @@
set_state () # $1 = state
{
if [ $# -gt 1 ]; then
- echo "$1 ($(date)) from $2" > ${VARDIR}/state
+ echo "$1 $(date) from $2" > ${VARDIR}/state
else
- echo "$1 ($(date))" > ${VARDIR}/state
+ echo "$1 $(date)" > ${VARDIR}/state
fi
}
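Review bot: This changes the on-disk format of `${VARDIR}/state` (the parentheses around the date are dropped) without a comment describing the line layout, which the new show_status in lib.cli both matches on its leading word (`Stopped*|Closed*|Clear*`) and wraps in its own parentheses when it appends the compile information. Proposed comment above the function: `# Writes "<State> <date> [from <dir>]" to ${VARDIR}/state; readers match on the leading word`. Any other reader of the old parenthesised format would need the same update, though none is visible in this diff.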
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.8/releasenotes.txt shorewall-core-5.0.9/releasenotes.txt
--- shorewall-core-5.0.8/releasenotes.txt 2016-04-23 06:42:06.523009000 -0700
+++ shorewall-core-5.0.9/releasenotes.txt 2016-06-04 14:49:09.383267082 -0700
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 5 . 0 . 8
+ S H O R E W A L L 5 . 0 . 9
----------------------------
- A p r i l 2 4 , 2 0 1 6
+ J u n e 0 4 , 2 0 1 6
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,7 +14,265 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) This release includes defect repair through Shorewall 5.0.7.2.
+1) This release contains defect repair through Shorewall 5.0.8.2.
+
+----------------------------------------------------------------------------
+ I I. K N O W N P R O B L E M S R E M A I N I N G
+----------------------------------------------------------------------------
+
+1) On systems running Upstart, shorewall-init cannot reliably secure
+ the firewall before interfaces are brought up.
+
+2) The 'enable', 'reenable' and 'disable' commands do not work
+ correctly in configurations with USE_DEFAULT_RT=No and optional
+ providers listed in the DUPLICATE column.
+
+3) Previously, if:
+
+ - DOCKER=Yes
+ - docker0 was defined in /etc/shorewall/interfaces
+ - Docker was not running
+
+ then Shorewall would fail to start with an error similar to this
+
+ iptables-restore v1.4.21: Couldn't load target `DOCKER':
+ No such file or directory
+ Error occurred at line: 29
+ Try `iptables-restore -h' or
+ 'iptables-restore --help' for more information.
+ ERROR: /sbin/iptables-restore Failed.
+
+ This has been corrected such that Shorewall starts correctly under
+ these conditions.
+
+----------------------------------------------------------------------------
+ I I I. N E W F E A T U R E S I N T H I S R E L E A S E
+----------------------------------------------------------------------------
+
+1) The file 'lib.core' has been renamed 'lib.runtime' to more
+ accurately reflect the file's role.
+
+2) The CLI now produces helpful error messages rather than simply
+ dumping out the complete usage syntax.
+
+3) The 'status' and 'version -a" command outputs now include the time
+ and date when the current firewall script was compiled.
+
+ This feature implements a new 'info' command that is recognized by
+ the compiled script. That command produces output similar to the
+ following:
+
+ compiled Thu Apr 28 14:18:58 2016 by Shorewall version 5.0.9
+
+ Note 1: The time and date of compilation will only be displayed
+ after the firewall script has been compiled using this or a later
+ Shorewall release.
+
+ Note 2: Information about the current firewall script is only
+ displayed by the 'version -a' command when the command is executed
+ by root.
+
+ Caution: If you execute 'shorewall compile', a subsequent 'status'
+ command will display the compilation information for the newly
+ compiled script and not for the one that was used to instantiate
+ the running firewall configuration. Note that the compilation
+ date/time, in this case, will be later than the started date/time:
+
+ Example:
+
+ State:Started Sun Apr 24 12:22:18 PDT 2016 from /etc/shorewall/
+ (/var/lib/shorewall/firewall compiled Thu Apr 28 14:18:58 2016
+ by Shorewall version 5.0.9)
+
+4) The ?INFO and ?WARNING directives added in Shorewall 5.0.8 include
+ the current filename and line number in the generated message. That
+ behavior can be suppressed by using ?INFO! AND ?WARNING!
+ instead. Additionally, the default behavior can be changed by
+ setting VERBOSE_MESSAGES=No in shorewall[6].conf. In that case,
+ including the exclaimation point causes the filename and line
+ number to be included.
+
+5) NFLOG(...) is now supported in the mangle files.
+
+6) The compiler now checks the version of the installed Shorewall-core
+ and issues a warning message if there is a mis-match.
+
+ Example (folded to fit within 72 columns):
+
+ WARNING: Version Mismatch: Shorewall-core is version 5.0.8.2,
+ while the Shorewall version is 5.0.9-Beta2
+
+ When compiling for IPv6, the Shorewall6 version is also verified
+ and a similar warning is issued in the case of a mismatch.
+
+7) The sample configurations now have AUTOMAKE enabled.
+
+8) Full date and time strings generated by the compiler are now in
+ 'date' format rather than Perl's 'localtime' format.
+
+----------------------------------------------------------------------------
+ I V. M I G R A T I O N I S S U E S
+----------------------------------------------------------------------------
+
+1) If you are migrating from Shorewall 4.4.x or earlier, please see
+ http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.21/releasenotes.txt
+
+2) It is strongly recommended that you first upgrade your installation
+ to a 4.6 release >= 4.6.12 prior to upgrading to Shorewall 5.0.
+
+ Once you are on the Shorewall 4.6 release:
+
+ - shorewall update -A
+
+ If you also run Shorewall6:
+
+ - shorewall6 update -A
+
+ These steps are necessary because Shorewall 5.0:
+
+ - Does not contain support for the 'tcrules' and 'tos' files --
+ existing 'tcrules' and 'tos' files must be converted to an
+ equivalent set of 'mangle' file entries.
+
+ - Does not contain support for the 'blacklist' file -- it must
+ be converted to an equivalent 'blrules' file.
+
+ - Does not contain support for the 'notrack' file -- it must be
+ converted to an equivalent 'conntrack' file.
+
+ - Does not contain support for the 'routestopped' file -- it must
+ be converted to an equivalent 'stoppedrules' file.
+
+ Note that you can run the update command(s) after you upgrade to
+ Shorewall 5 but your firewall will not work correctly until
+ you do those update(s).
+
+3) The following configuration options have been eliminated:
+
+ - EXPORTPARAMS
+ - IPSECFILE
+ - LEGACY_FASTSTART
+ - LOGRATE *
+ - LOGBURST *
+ - WIDE_TC_MARKS *
+ - HIGH_ROUTE_MARKS *
+ - BLACKLISTNEWONLY *
+
+ A fatal error results if those flagged with an asterisk ("*")
+ appear in the .conf file -- run the 'shorewall[6] update' command
+ to convert their settings to use supported options.
+
+ A warning is issued if any of the rest appear in the .conf file.
+ 'shorewall[6] update' will drop them from the file.
+
+4) To make the command names more accurately reflect what they do,
+ several changes have been included:
+
+ a) Beginning with this release, the 'restart' command now does a
+ true restart and is equivalent to a 'stop' followed by a
+ 'start'.
+
+ b) The pre-5.0.0 'load' command has been renamed 'remote_start'.
+
+ c) The pre-5.0.0 'reload' command has been renamed 'remote_reload'.
+
+ c) The 'reload' command now performs the same function as the
+ pre-5.0.0 'restart' command.
+
+ d) A 'remote_restart' command has been added to Shorewall and
+ Shorewall6 to allow a remote 'restart' after updating the
+ remote firewall system's compiled script.
+
+ For those that can't get used to the idea of using 'reload' in
+ place of 'restart', a RESTART option has been added. The
+ option defaults to 'reload' for compatibility with earlier
+ releases. If set to 'restart', then the 'restart' command
+ does a true restart (stop followed by start)
+
+5) While the WORKAROUNDS setting is still present in the
+ shorewall[6].conf file:
+
+ a) It's default setting has been changed to No.
+
+ b) All workarounds for old distributions have been eliminated.
+
+6) Beginning with Shorewall 5.0.0, all macros and actions are assumed
+ to be FORMAT-2. FORMAT-1 macros and actions are no longer supported
+ and will be silently processed as if they were FORMAT-2. For most
+ macros and actions, this change will be of no concern, but may cause
+ compilation errors in rare cases.
+
+ To review, FORMAT-1 actions have the following columns:
+
+ TARGET
+ SOURCE
+ DEST
+ PROTO
+ DEST PORT(S)
+ SOURCE PORT(S)
+ RATE
+ USER/GROUP
+ MARK
+
+ FORMAT-1 macros have these columns:
+
+ TARGET
+ SOURCE
+ DEST
+ PROTO
+ DEST PORT(S)
+ SOURCE PORT(S)
+ RATE
+ USER/GROUP
+
+ FORMAT-2 actions and macros, on the other hand, have:
+
+ TARGET
+ SOURCE
+ DEST
+ PROTO
+ DEST PORT(S)
+ SOURCE PORT(S)
+ ORIGINAL DEST
+ RATE
+ USER/GROUP
+ MARK
+ CONNLIMIT
+ TIME
+ HEADERS (Only valid for IPv6)
+ SWITCH
+ HELPER
+
+ To summarize, if your action or macro only uses the first 6
+ columns (which most do), then it will process fine as
+ FORMAT-2. Otherwise, it must be modified to place specifications in
+ the proper columns.
+
+7) COMMENT, FORMAT and SECTION lines must now begin with a question
+ mark ("?"). The 'update' command will change all bare COMMENT,
+ FORMAT and SECTION lines to include the question mark.
+
+8) Beginning with Shorewall 5.0.8, the IPv6 default treatment of Auth
+ (TCP 113) is now consistent with IPv4; nothing special is done with
+ these requests, so they are simply logged and dropped.
+
+ IMPORTANT: If you want to continue to reject Auth requests, you
+ can do so by chaning your DROP_DEFAULT setting to make the second
+ parameter REJECT. For example, if you currently have:
+
+ DROP_DEFAULT=Drop
+
+ you can change it to:
+
+ DROP_DEFAULT="Drop(-,REJECT)"
+
+----------------------------------------------------------------------------
+ V. N O T E S F R O M O T H E R 5 . 0 R E L E A S E S
+----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 5 . 0 . 8
+----------------------------------------------------------------------------
+
+1) This release includes defect repair through Shorewall 5.0.7.2
2) If a physical interface name was used in the INTERFACE column of an
entry in /etc/shorewall/masq, then previously a Perl diagnostic was
@@ -147,34 +405,8 @@
restart
safe-*
-16) In the last several releases, the following Known Problem
- Remaining has been listed:
-
- The 'enable', 'reenable' and 'disable' commands do now work
- correctly in configurations with USE_DEFAULT_RT=No.
-
- That description is a bit broader than is necessary and is now
- restricted to the case where an optional provider is listed in the
- DUPLICATE column (see below). Additionally, the compiler now
- generates a warning in that case:
-
- WARNING: An optional provider (xxxx) is listed in the
- DUPLICATE column - enable and disable will not work
- correctly on that provider
-
-----------------------------------------------------------------------------
- I I. K N O W N P R O B L E M S R E M A I N I N G
-----------------------------------------------------------------------------
-
-1) On systems running Upstart, shorewall-init cannot reliably secure
- the firewall before interfaces are brought up.
-
-2) The 'enable', 'reenable' and 'disable' commands do not work
- correctly in configurations with USE_DEFAULT_RT=No and optional
- providers listed in the DUPLICATE column.
-
----------------------------------------------------------------------------
- I I I. N E W F E A T U R E S I N T H I S R E L E A S E
+ N E W F E A T U R E S I N 5 . 0 . 8
----------------------------------------------------------------------------
1) Support for later versions of miniupnpd has been added in the form
@@ -248,8 +480,8 @@
?INFO
The is written to STDERR prefaced by the directive name
- (WARNING or INFO) followed by a colon (':'). It is also written to
- the STARTUP_LOG if:
+ (WARNING or INFO) followed by a colon (':'). It is also written to the
+ STARTUP_LOG if:
- A STARTUP_LOG has been configured
- The command is start, try, restart, reload, refresh or one of the
@@ -259,164 +491,6 @@
aborted.
----------------------------------------------------------------------------
- I V. M I G R A T I O N I S S U E S
-----------------------------------------------------------------------------
-
-1) If you are migrating from Shorewall 4.4.x or earlier, please see
- http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.21/releasenotes.txt
-
-2) It is strongly recommended that you first upgrade your installation
- to a 4.6 release >= 4.6.12 prior to upgrading to Shorewall 5.0.
-
- Once you are on the Shorewall 4.6 release:
-
- - shorewall update -A
-
- If you also run Shorewall6:
-
- - shorewall6 update -A
-
- These steps are necessary because Shorewall 5.0:
-
- - Does not contain support for the 'tcrules' and 'tos' files --
- existing 'tcrules' and 'tos' files must be converted to an
- equivalent set of 'mangle' file entries.
-
- - Does not contain support for the 'blacklist' file -- it must
- be converted to an equivalent 'blrules' file.
-
- - Does not contain support for the 'notrack' file -- it must be
- converted to an equivalent 'conntrack' file.
-
- - Does not contain support for the 'routestopped' file -- it must
- be converted to an equivalent 'stoppedrules' file.
-
- Note that you can run the update command(s) after you upgrade to
- Shorewall 5 but your firewall will not work correctly until
- you do those update(s).
-
-3) The following configuration options have been eliminated:
-
- - EXPORTPARAMS
- - IPSECFILE
- - LEGACY_FASTSTART
- - LOGRATE *
- - LOGBURST *
- - WIDE_TC_MARKS *
- - HIGH_ROUTE_MARKS *
- - BLACKLISTNEWONLY *
-
- A fatal error results if those flagged with an asterisk ("*")
- appear in the .conf file -- run the 'shorewall[6] update' command
- to convert their settings to use supported options.
-
- A warning is issued if any of the rest appear in the .conf file.
- 'shorewall[6] update' will drop them from the file.
-
-4) To make the command names more accurately reflect what they do,
- several changes have been included:
-
- a) Beginning with this release, the 'restart' command now does a
- true restart and is equivalent to a 'stop' followed by a
- 'start'.
-
- b) The pre-5.0.0 'load' command has been renamed 'remote_start'.
-
- c) The pre-5.0.0 'reload' command has been renamed 'remote_reload'.
-
- c) The 'reload' command now performs the same function as the
- pre-5.0.0 'restart' command.
-
- d) A 'remote_restart' command has been added to Shorewall and
- Shorewall6 to allow a remote 'restart' after updating the
- remote firewall system's compiled script.
-
- For those that can't get used to the idea of using 'reload' in
- place of 'restart', a RESTART option has been added. The
- option defaults to 'reload' for compatibility with earlier
- releases. If set to 'restart', then the 'restart' command
- does a true restart (stop followed by start)
-
-5) While the WORKAROUNDS setting is still present in the
- shorewall[6].conf file:
-
- a) It's default setting has been changed to No.
-
- b) All workarounds for old distributions have been eliminated.
-
-6) Beginning with Shorewall 5.0.0, all macros and actions are assumed
- to be FORMAT-2. FORMAT-1 macros and actions are no longer supported
- and will be silently processed as if they were FORMAT-2. For most
- macros and actions, this change will be of no concern, but may cause
- compilation errors in rare cases.
-
- To review, FORMAT-1 actions have the following columns:
-
- TARGET
- SOURCE
- DEST
- PROTO
- DEST PORT(S)
- SOURCE PORT(S)
- RATE
- USER/GROUP
- MARK
-
- FORMAT-1 macros have these columns:
-
- TARGET
- SOURCE
- DEST
- PROTO
- DEST PORT(S)
- SOURCE PORT(S)
- RATE
- USER/GROUP
-
- FORMAT-2 actions and macros, on the other hand, have:
-
- TARGET
- SOURCE
- DEST
- PROTO
- DEST PORT(S)
- SOURCE PORT(S)
- ORIGINAL DEST
- RATE
- USER/GROUP
- MARK
- CONNLIMIT
- TIME
- HEADERS (Only valid for IPv6)
- SWITCH
- HELPER
-
- To summarize, if your action or macro only uses the first 6
- columns (which most do), then it will process fine as
- FORMAT-2. Otherwise, it must be modified to place specifications in
- the proper columns.
-
-7) COMMENT, FORMAT and SECTION lines must now begin with a question
- mark ("?"). The 'update' command will change all bare COMMENT,
- FORMAT and SECTION lines to include the question mark.
-
-8) Beginning with Shorewall 5.0.8, the IPv6 default treatment of Auth
- (TCP 113) is now consistent with IPv4; nothing special is done with
- these requests, so they are simply logged and dropped.
-
- IMPORTANT: If you want to continue to reject Auth requests, you
- can do so by chaning your DROP_DEFAULT setting to make the second
- parameter REJECT. For example, if you currently have:
-
- DROP_DEFAULT=Drop
-
- you can change it to:
-
- DROP_DEFAULT="Drop(-,REJECT)"
-
-----------------------------------------------------------------------------
- V. N O T E S F R O M O T H E R 5 . 0 R E L E A S E S
-----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 0 . 7
----------------------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.8/shorewall-core.spec shorewall-core-5.0.9/shorewall-core.spec
--- shorewall-core-5.0.8/shorewall-core.spec 2016-04-23 06:42:06.523009000 -0700
+++ shorewall-core-5.0.9/shorewall-core.spec 2016-06-04 14:49:09.383267082 -0700
@@ -1,5 +1,5 @@
%define name shorewall-core
-%define version 5.0.8
+%define version 5.0.9
%define release 0base
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -63,8 +63,14 @@
%doc COPYING INSTALL changelog.txt releasenotes.txt
%changelog
-* Tue Apr 19 2016 Tom Eastep tom@shorewall.net
-- Updated to 5.0.8-0base
+* Thu May 12 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.9-0base
+* Thu May 05 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.9-0RC1
+* Thu Apr 28 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.9-0Beta2
+* Mon Apr 18 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.9-0Beta1
* Fri Apr 15 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.8-0RC2
* Mon Apr 11 2016 Tom Eastep tom@shorewall.net
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.8/uninstall.sh shorewall-core-5.0.9/uninstall.sh
--- shorewall-core-5.0.8/uninstall.sh 2016-04-23 06:42:05.919009000 -0700
+++ shorewall-core-5.0.9/uninstall.sh 2016-06-04 14:49:08.742743974 -0700
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=5.0.8
+VERSION=5.0.9
PRODUCT="shorewall-core"
Product="Shorewall Core"
@@ -117,6 +117,7 @@
echo "Uninstalling Shorewall Core $VERSION"
rm -rf ${SHAREDIR}/shorewall
+rm -f ~/.shorewallrc
echo "Shorewall Core Uninstalled"
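Review bot: `rm -f ~/.shorewallrc` resolves `~` from the `$HOME` of the process running the uninstall, so which user's file is removed depends on how the script was invoked (an environment-resetting `sudo` points it at root's home, other invocations may keep the calling user's), and nothing in the script shown pins that down. Worth a comment such as `# removes only the .shorewallrc in the uninstalling user's $HOME (presumably written at install time)`, and writing it as `rm -f "$HOME/.shorewallrc"` so the dependency on HOME is explicit. The surrounding script is a flat statement run, so there is no enclosing function.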