diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/changelog.txt shorewall6-5.0.12/changelog.txt
--- shorewall6-5.0.11/changelog.txt 2016-08-06 07:57:47.277241125 -0700
+++ shorewall6-5.0.12/changelog.txt 2016-10-01 14:48:18.609026043 -0700
@@ -1,3 +1,61 @@
+Changes in 5.0.12 Final
+
+1) Update release documents.
+
+2) Correct permissions of files created by the 'save' command.
+
+Changes in 5.0.12 RC 3
+
+1) Update release documents.
+
+2) Correct disabled persistent' WRT start, restart and reload.
+
+3) Don't assume that all probability-balanced interfaces are optional.
+
+Changes in 5.0.12 RC 2
+
+1) Update release documents.
+
+2) Handle down or missing interfaces in the disable logic.
+
+Changes in 5.0.12 RC 1
+
+1) Update release documents.
+
+2) Add DEFAULT_PAGER to shorewallrc.
+
+3) Add support for the 'contiguous' time option.
+
+4) Clear packet marks in PREROUTING and OUTPUT.
+
+Changes in 5.0.12 Beta 2
+
+1) Update release documents.
+
+2) Restore 'use Shorewall::Config(shorewall)' in ?PERL handling.
+
+3) Make POSTROUTING the default chain for CHECKSUM.
+
+Changes in 5.0.12 Beta 1
+
+1) Update release documents.
+
+2) Minor cleanup in the Rules module
+
+3) Allow zone lists in policy SOURCE and DEST columns.
+
+Changes in 5.0.11 Final
+
+1) Update release documents.
+
+Changes in 5.0.11 RC 1
+
+1) Update release documents.
+
+2) Update module versions.
+
+3) Allow provider interface to match wildcard interfaces entry.
+
Changes in 5.0.11 Beta 2
1) Update release documents
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/configfiles/mangle.annotated shorewall6-5.0.12/configfiles/mangle.annotated
--- shorewall6-5.0.11/configfiles/mangle.annotated 2016-08-06 07:59:03.320730656 -0700
+++ shorewall6-5.0.12/configfiles/mangle.annotated 2016-10-01 14:49:30.140486042 -0700
@@ -797,6 +797,12 @@
#
# Defines the ending time of day.
#
+# contiguous
+#
+# Added in Shoreawll 5.0.12. When timestop is smaller than timestart
+# value, match this as a single time period instead of distinct
+# intervals.
+#
# utc
#
# Times are expressed in Greenwich Mean Time.
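Review bot: "Shoreawll" in the added `contiguous` paragraph is a misspelling of Shorewall, and "smaller than timestart value" reads awkwardly. I would write `# Added in Shorewall 5.0.12. When timestop is smaller than timestart,` followed by `# match this as a single time period instead of distinct intervals.` The same misspelling appears in the rules.annotated hunk and in the manpages/shorewall6-mangle.5 hunk, so the fix presumably belongs in the documentation source those files are generated from.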
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/configfiles/policy.annotated shorewall6-5.0.12/configfiles/policy.annotated
--- shorewall6-5.0.11/configfiles/policy.annotated 2016-08-06 07:59:04.888720130 -0700
+++ shorewall6-5.0.12/configfiles/policy.annotated 2016-10-01 14:49:31.682026043 -0700
@@ -18,7 +18,7 @@
# This file determines what to do with a new connection request if we don't get a
# match from the /etc/shorewall6/rules file . For each source/destination pair,
# the file is processed in order until a match is found ("all" will match any
-# client or server).
+# source or destination).
#
# Important
#
@@ -38,7 +38,7 @@
# different name in parentheses, the different name is used in the alternate
# specification syntax).
#
-# SOURCE - zone|$FW|all|all+
+# SOURCE - zone[,...[+]]|$FW|all|all+
#
# Source zone. Must be the name of a zone defined in shorewall6-zones(5),
# $FW, "all" or "all+".
@@ -46,7 +46,12 @@
# Support for "all+" was added in Shorewall 4.5.17. "all" does not override
# the implicit intra-zone ACCEPT policy while "all+" does.
#
-# DEST - zone|$FW|all|all+
+# Beginning with Shorewall 5.0.12, multiple zones may be listed separated by
+# commas. As above, if '+' is specified after two or more zone names, then
+# the policy overrides the implicit intra-zone ACCEPT policy if the same zone
+# appears in both the SOURCE and DEST columns.
+#
+# DEST - zone[,...[+]]|$FW|all|all+
#
# Destination zone. Must be the name of a zone defined in shorewall6-zones
# (5), $FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE
@@ -56,6 +61,11 @@
# Support for "all+" was added in Shorewall 4.5.17. "all" does not override
# the implicit intra-zone ACCEPT policy while "all+" does.
#
+# Beginning with Shorewall 5.0.12, multiple zones may be listed separated by
+# commas. As above, if '+' is specified after two or more zone names, then
+# the policy overrides the implicit intra-zone ACCEPT policy if the same zone
+# appears in both the SOURCE and DEST columns.
+#
# POLICY - {ACCEPT|DROP|REJECT|CONTINUE|QUEUE|NFQUEUE[(queuenumber1[:queuenumber2
# ])]|NONE}[:{default-action-or-macro[:level]|None}]
#
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/configfiles/providers.annotated shorewall6-5.0.12/configfiles/providers.annotated
--- shorewall6-5.0.11/configfiles/providers.annotated 2016-08-06 07:59:05.192718089 -0700
+++ shorewall6-5.0.12/configfiles/providers.annotated 2016-10-01 14:49:31.978322043 -0700
@@ -201,6 +201,13 @@
#
# ☆ Persistent routing rules in shorewall6-rtrules(5) are present.
#
+# Note
+#
+# The generated script will attempt to reenable a disabled persistent
+# provider during execution of the start, restart and reload commands.
+# When persistent is not specified, only the enable and reenable commands
+# can reenable the provider.
+#
# COPY - [{none|interface[,interface]...}]
#
# A comma-separated list of other interfaces on your firewall. Wildcards
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/configfiles/rules.annotated shorewall6-5.0.12/configfiles/rules.annotated
--- shorewall6-5.0.11/configfiles/rules.annotated 2016-08-06 07:59:06.524709148 -0700
+++ shorewall6-5.0.12/configfiles/rules.annotated 2016-10-01 14:49:33.231574043 -0700
@@ -884,6 +884,12 @@
#
# Defines the ending time of day.
#
+# contiguous
+#
+# Added in Shoreawll 5.0.12. When timestop is smaller than timestart
+# value, match this as a single time period instead of distinct
+# intervals.
+#
# utc
#
# Times are expressed in Greenwich Mean Time.
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/configfiles/shorewall6.conf shorewall6-5.0.12/configfiles/shorewall6.conf
--- shorewall6-5.0.11/configfiles/shorewall6.conf 2016-08-04 11:03:36.000000000 -0700
+++ shorewall6-5.0.12/configfiles/shorewall6.conf 2016-10-01 13:49:35.000000000 -0700
@@ -219,6 +219,8 @@
WORKAROUNDS=No
+ZERO_MARKS=No
+
ZONE2ZONE=-
###############################################################################
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/configfiles/shorewall6.conf.annotated shorewall6-5.0.12/configfiles/shorewall6.conf.annotated
--- shorewall6-5.0.11/configfiles/shorewall6.conf.annotated 2016-08-06 07:59:07.292703992 -0700
+++ shorewall6-5.0.12/configfiles/shorewall6.conf.annotated 2016-10-01 14:49:33.956298043 -0700
@@ -91,6 +91,9 @@
# and the dump command are piped through the named program when the output
# file is a terminal.
#
+# Beginning with Shorewall 5.0.12, the default value of this option is the
+# DEFAULT_PAGER setting in shorewallrc.
+#
###############################################################################
# L O G G I N G
###############################################################################
@@ -596,6 +599,9 @@
# continue to work and all new connections from the firewall system
# itself are allowed.
#
+# Note that the routestopped file is not supported in Shorewall 5.0 and
+# later versions.
+#
# stoppedrules
#
# All existing connections continue to work. To sever all existing
@@ -738,13 +744,13 @@
# CLEAR_TC=[Yes|No]
#
# If this option is set to No then Shorewall6 won't clear the current traffic
-# control rules during [re]start. This setting is intended for use by people
-# that prefer to configure traffic shaping when the network interfaces come
-# up rather than when the firewall is started. If that is what you want to
-# do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall6
-# /tcstart file. That way, your traffic shaping rules can still use the
-# “fwmark” classifier based on packet marking defined in shorewall6-tcrules
-# (5). If not specified, CLEAR_TC=No is assumed.
+# control rules during [re]start or reload. This setting is intended for use
+# by people that prefer to configure traffic shaping when the network
+# interfaces come up rather than when the firewall is started. If that is
+# what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply
+# an /etc/shorewall6/tcstart file. That way, your traffic shaping rules can
+# still use the “fwmark” classifier based on packet marking defined in
+# shorewall6-tcrules(5). If not specified, CLEAR_TC=No is assumed.
#
# Warning
#
@@ -786,10 +792,10 @@
#
# DELETE_THEN_ADD={Yes|No}
#
-# If set to Yes (the default value), entries in the /etc/shorewall6/
-# route_stopped files cause an 'ip rule del' command to be generated in
-# addition to an 'ip rule add' command. Setting this option to No, causes the
-# 'ip rule del' command to be omitted.
+# If set to Yes (the default value), entries in the /etc/shorewall6/rtrules
+# file cause an 'ip rule del' command to be generated in addition to an 'ip
+# rule add' command. Setting this option to No, causes the 'ip rule del'
+# command to be omitted.
#
DONT_LOAD=
#
@@ -849,7 +855,8 @@
# commands), the compiler will copy the modules or helpers file from the
# administrative system into the script. When set to No or not specified, the
# compiler will not copy the modules or helpers file from /usr/share/
-# shorewall6 but will copy the found in another location on the CONFIG_PATH.
+# shorewall6 but will copy those found in another location on the
+# CONFIG_PATH.
#
# When compiling for direct use by Shorewall6, causes the contents of the
# local module or helpers file to be copied into the compiled script. When
@@ -874,8 +881,8 @@
#
# FORWARD_CLEAR_MARK={Yes|No}
#
-# Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has cleared the
-# packet mark in the first rule in the mangle FORWARD chain. This behavior is
+# Added in Shorewall 4.4.11. Traditionally, Shorewall has cleared the packet
+# mark in the first rule in the mangle FORWARD chain. This behavior is
# maintained with the default setting of this option (FORWARD_CLEAR_MARK=
# Yes). If FORWARD_CLEAR_MARK is set to 'No', packet marks set in the mangle
# PREROUTING chain are retained in the FORWARD chains.
@@ -1260,18 +1267,18 @@
# #TARGET SOURCE DEST PROTO
# Broadcast(DROP) - - -
# DROP - - 2
-# INLINE - - 6 ; -j REJECT --reject-with tcp-reset
+# INLINE - - 6 ;; -j REJECT --reject-with tcp-reset
# ?if __ENHANCED_REJECT
-# INLINE - - 17 ; -j REJECT
+# INLINE - - 17 ;; -j REJECT
# ?if __IPV4
-# INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable
-# INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited
+# INLINE - - 1 ;; -j REJECT --reject-with icmp-host-unreachable
+# INLINE - - - ;; -j REJECT --reject-with icmp-host-prohibited
# ?else
-# INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable
-# INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited
+# INLINE - - 58 ;; -j REJECT --reject-with icmp6-addr-unreachable
+# INLINE - - - ;; -j REJECT --reject-with icmp6-adm-prohibited
# ?endif
# ?else
-# INLINE - - - ; -j REJECT
+# INLINE - - - ;; -j REJECT
# ?endif
#
REQUIRE_INTERFACE=No
@@ -1301,9 +1308,9 @@
# Added in Shorewall 4.5.9. When set to Yes (the default), provider marks are
# restored unconditionally at the top of the mangle OUTPUT and PREROUTING
# chains, even if the saved mark is zero. When this option is set to No, the
-# mark is restored even when it is zero. If you have problems with IPSEC ESP
-# packets not being routed correctly on output, try setting this option to No
-# .
+# mark is restored only if it is non-zero. If you have problems with IPSEC
+# ESP packets not being routed correctly on output, try setting this option
+# to No.
#
SAVE_IPSETS=No
#
@@ -1523,6 +1530,20 @@
# Shorewall-generated scripts (such as created by the save command) built by
# Shorewall 4.4.7 or older.
#
+ZERO_MARKS=No
+#
+# ZERO_MARKS=[Yes|No]
+#
+# Added in Shorewall 5.0.12, this is a workaround for an issue where packet
+# marks are not zeroed by the kernel. It should be set to No (the default)
+# unless you find that incoming packets are being mis-routed for no apparent
+# reasons.
+#
+# Caution
+#
+# Do not set this option to Yes if you have IPSEC software running on the
+# firewall system.
+#
ZONE2ZONE=-
#
# ZONE2ZONE={2|-}
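Review bot: The new ZERO_MARKS text does not say where marks are cleared or why a host running IPSEC must keep the option at No, so an operator cannot judge whether the workaround is safe for their setup. The changelog entry for 5.0.12 RC 1 reads "Clear packet marks in PREROUTING and OUTPUT", which is presumably this option; if so, I would add `# When set to Yes, packet marks are cleared in PREROUTING and OUTPUT.` after the first paragraph. The Caution should also state the IPSEC interaction itself rather than only the prohibition. The same wording is carried into the manpages/shorewall6.conf.5 hunk.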
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/configure shorewall6-5.0.12/configure
--- shorewall6-5.0.11/configure 2016-08-06 07:57:47.273241152 -0700
+++ shorewall6-5.0.12/configure 2016-10-01 14:48:18.609026043 -0700
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=5.0.11
+VERSION=5.0.12
case "$BASH_VERSION" in
[4-9].*)
@@ -235,7 +235,8 @@
SPARSE \
ANNOTATED \
VARLIB \
- VARDIR
+ VARDIR \
+ DEFAULT_PAGER
do
echo "$on=${options[${on}]}"
echo "$on=${options[${on}]}" >> shorewallrc
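Review bot: DEFAULT_PAGER joins the list whose values the unchanged line `echo "$on=${options[${on}]}" >> shorewallrc` writes out unquoted and unvalidated, and unlike VARLIB and VARDIR it names a program that the CLI will later run (the shorewall6.conf.annotated hunk says command output is piped through it). A value containing whitespace or shell metacharacters would land in shorewallrc verbatim; if that file is sourced by a shell, which this hunk does not show, it would be split or interpreted there. I would validate before the loop, for example `case "${options[DEFAULT_PAGER]}" in *[!A-Za-z0-9_./-]*) echo "ERROR: Invalid DEFAULT_PAGER" >&2; exit 1 ;; esac`, and apply the equivalent check in the configure.pl hunk that adds DEFAULT_PAGER to its option list. The `for` loop begins and ends outside this hunk.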
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/configure.pl shorewall6-5.0.12/configure.pl
--- shorewall6-5.0.11/configure.pl 2016-08-06 07:57:47.273241152 -0700
+++ shorewall6-5.0.12/configure.pl 2016-10-01 14:48:18.609026043 -0700
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '5.0.11'
+ VERSION => '5.0.12'
};
my %params;
@@ -209,7 +209,8 @@
SPARSE
ANNOTATED
VARLIB
- VARDIR / ) {
+ VARDIR
+ DEFAULT_PAGER / ) {
my $val = $options{$_} || '';
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/install.sh shorewall6-5.0.12/install.sh
--- shorewall6-5.0.11/install.sh 2016-08-06 07:57:47.277241125 -0700
+++ shorewall6-5.0.12/install.sh 2016-10-01 14:48:18.609026043 -0700
@@ -22,7 +22,7 @@
# along with this program; if not, see .
#
-VERSION=5.0.11
+VERSION=5.0.12
#
# Change to the directory containing this script
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6.8 shorewall6-5.0.12/manpages/shorewall6.8
--- shorewall6-5.0.11/manpages/shorewall6.8 2016-08-06 07:58:59.948753292 -0700
+++ shorewall6-5.0.12/manpages/shorewall6.8 2016-10-01 14:49:26.965314042 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Administrative Commands
.\" Source: Administrative Commands
.\" Language: English
.\"
-.TH "SHOREWALL6" "8" "08/06/2016" "Administrative Commands" "Administrative Commands"
+.TH "SHOREWALL6" "8" "10/01/2016" "Administrative Commands" "Administrative Commands"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-accounting.5 shorewall6-5.0.12/manpages/shorewall6-accounting.5
--- shorewall6-5.0.11/manpages/shorewall6-accounting.5 2016-08-06 07:58:36.780908814 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-accounting.5 2016-10-01 14:49:05.175546042 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-accounting
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-ACCOUNTI" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-ACCOUNTI" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-actions.5 shorewall6-5.0.12/manpages/shorewall6-actions.5
--- shorewall6-5.0.11/manpages/shorewall6-actions.5 2016-08-06 07:58:37.344905028 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-actions.5 2016-10-01 14:49:05.748118043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-actions
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-ACTIONS" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-ACTIONS" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-blrules.5 shorewall6-5.0.12/manpages/shorewall6-blrules.5
--- shorewall6-5.0.11/manpages/shorewall6-blrules.5 2016-08-06 07:58:37.960900893 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-blrules.5 2016-10-01 14:49:06.328698043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-blrules
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-BLRULES" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-BLRULES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6.conf.5 shorewall6-5.0.12/manpages/shorewall6.conf.5
--- shorewall6-5.0.11/manpages/shorewall6.conf.5 2016-08-06 07:58:40.128886339 -0700
+++ shorewall6-5.0.12/manpages/shorewall6.conf.5 2016-10-01 14:49:08.310678043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6.conf
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\&.CONF" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\&.CONF" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -186,6 +186,8 @@
routestopped
is accepted when Shorewall is stopped\&. When ADMINISABSENTMINDED=Yes, in addition to traffic to/from addresses in
routestopped, connections that were active when Shorewall stopped continue to work and all new connections from the firewall system itself are allowed\&.
+.sp
+Note that the routestopped file is not supported in Shorewall 5\&.0 and later versions\&.
.RE
.PP
stoppedrules
@@ -406,7 +408,9 @@
.RS 4
If this option is set to
\fBNo\fR
-then Shorewall6 won\*(Aqt clear the current traffic control rules during [re]start\&. This setting is intended for use by people that prefer to configure traffic shaping when the network interfaces come up rather than when the firewall is started\&. If that is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall6/tcstart file\&. That way, your traffic shaping rules can still use the \(lqfwmark\(rq classifier based on packet marking defined in
+then Shorewall6 won\*(Aqt clear the current traffic control rules during [\fBre\fR]\fBstart\fR
+or
+\fBreload\fR\&. This setting is intended for use by people that prefer to configure traffic shaping when the network interfaces come up rather than when the firewall is started\&. If that is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall6/tcstart file\&. That way, your traffic shaping rules can still use the \(lqfwmark\(rq classifier based on packet marking defined in
\m[blue]\fBshorewall6\-tcrules\fR\m[]\&\s-2\u[9]\d\s+2(5)\&. If not specified, CLEAR_TC=No is assumed\&.
.if n \{\
.sp
@@ -506,7 +510,7 @@
.PP
\fBDELETE_THEN_ADD=\fR{\fBYes\fR|\fBNo\fR}
.RS 4
-If set to Yes (the default value), entries in the /etc/shorewall6/route_stopped files cause an \*(Aqip rule del\*(Aq command to be generated in addition to an \*(Aqip rule add\*(Aq command\&. Setting this option to No, causes the \*(Aqip rule del\*(Aq command to be omitted\&.
+If set to Yes (the default value), entries in the /etc/shorewall6/rtrules file cause an \*(Aqip rule del\*(Aq command to be generated in addition to an \*(Aqip rule add\*(Aq command\&. Setting this option to No, causes the \*(Aqip rule del\*(Aq command to be omitted\&.
.RE
.PP
\fBDONT_LOAD=\fR[\fImodule\fR[,\fImodule\fR]\&.\&.\&.]
@@ -567,7 +571,7 @@
\fBshorewall6 export\fR
commands), the compiler will copy the modules or helpers file from the administrative system into the script\&. When set to No or not specified, the compiler will not copy the modules or helpers file from
/usr/share/shorewall6
-but will copy the found in another location on the CONFIG_PATH\&.
+but will copy those found in another location on the CONFIG_PATH\&.
.sp
When compiling for direct use by Shorewall6, causes the contents of the local module or helpers file to be copied into the compiled script\&. When set to No or not set, the compiled script reads the file itself\&.
.RE
@@ -582,7 +586,7 @@
.PP
\fBFORWARD_CLEAR_MARK=\fR{\fBYes\fR|\fBNo\fR}
.RS 4
-Added in Shorewall 4\&.4\&.11 Beta 3\&. Traditionally, Shorewall has cleared the packet mark in the first rule in the mangle FORWARD chain\&. This behavior is maintained with the default setting of this option (FORWARD_CLEAR_MARK=Yes)\&. If FORWARD_CLEAR_MARK is set to \*(AqNo\*(Aq, packet marks set in the mangle PREROUTING chain are retained in the FORWARD chains\&.
+Added in Shorewall 4\&.4\&.11\&. Traditionally, Shorewall has cleared the packet mark in the first rule in the mangle FORWARD chain\&. This behavior is maintained with the default setting of this option (FORWARD_CLEAR_MARK=Yes)\&. If FORWARD_CLEAR_MARK is set to \*(AqNo\*(Aq, packet marks set in the mangle PREROUTING chain are retained in the FORWARD chains\&.
.RE
.PP
\fBGEOIPDIR\fR=[\fIpathname\fR]
@@ -1469,6 +1473,8 @@
commands and the
\fBdump\fR
command are piped through the named program when the output file is a terminal\&.
+.sp
+Beginning with Shorewall 5\&.0\&.12, the default value of this option is the DEFAULT_PAGER setting in shorewallrc\&.
.RE
.PP
\fBPATH=\fR\fIpathname\fR[\fB:\fR\fIpathname\fR]\&.\&.\&.
@@ -1657,18 +1663,18 @@
#TARGET SOURCE DEST PROTO
Broadcast(DROP) \- \- \-
DROP \- \- 2
-INLINE \- \- 6 ; \-j REJECT \-\-reject\-with tcp\-reset
+INLINE \- \- 6 ;; \-j REJECT \-\-reject\-with tcp\-reset
?if __ENHANCED_REJECT
-INLINE \- \- 17 ; \-j REJECT
+INLINE \- \- 17 ;; \-j REJECT
?if __IPV4
-INLINE \- \- 1 ; \-j REJECT \-\-reject\-with icmp\-host\-unreachable
-INLINE \- \- \- ; \-j REJECT \-\-reject\-with icmp\-host\-prohibited
+INLINE \- \- 1 ;; \-j REJECT \-\-reject\-with icmp\-host\-unreachable
+INLINE \- \- \- ;; \-j REJECT \-\-reject\-with icmp\-host\-prohibited
?else
-INLINE \- \- 58 ; \-j REJECT \-\-reject\-with icmp6\-addr\-unreachable
-INLINE \- \- \- ; \-j REJECT \-\-reject\-with icmp6\-adm\-prohibited
+INLINE \- \- 58 ;; \-j REJECT \-\-reject\-with icmp6\-addr\-unreachable
+INLINE \- \- \- ;; \-j REJECT \-\-reject\-with icmp6\-adm\-prohibited
?endif
?else
-INLINE \- \- \- ; \-j REJECT
+INLINE \- \- \- ;; \-j REJECT
?endif
.fi
.if n \{\
@@ -1705,7 +1711,7 @@
Added in Shorewall 4\&.5\&.9\&. When set to
\fBYes\fR
(the default), provider marks are restored unconditionally at the top of the mangle OUTPUT and PREROUTING chains, even if the saved mark is zero\&. When this option is set to
-\fBNo\fR, the mark is restored even when it is zero\&. If you have problems with IPSEC ESP packets not being routed correctly on output, try setting this option to
+\fBNo\fR, the mark is restored only if it is non\-zero\&. If you have problems with IPSEC ESP packets not being routed correctly on output, try setting this option to
\fBNo\fR\&.
.RE
.PP
@@ -2157,6 +2163,26 @@
.sp .5v
.RE
.RE
+.PP
+\fBZERO_MARKS=\fR[\fBYes\fR|\fBNo\fR]
+.RS 4
+Added in Shorewall 5\&.0\&.12, this is a workaround for an issue where packet marks are not zeroed by the kernel\&. It should be set to No (the default) unless you find that incoming packets are being mis\-routed for no apparent reasons\&.
+.if n \{\
+.sp
+.\}
+.RS 4
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.ps +1
+\fBCaution\fR
+.ps -1
+.br
+Do not set this option to Yes if you have IPSEC software running on the firewall system\&.
+.sp .5v
+.RE
+.RE
.PP
\fBZONE_BITS\fR=[\fInumber\fR]
.RS 4
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-conntrack.5 shorewall6-5.0.12/manpages/shorewall6-conntrack.5
--- shorewall6-5.0.11/manpages/shorewall6-conntrack.5 2016-08-06 07:58:40.816881720 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-conntrack.5 2016-10-01 14:49:08.963330043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-conntrack
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-CONNTRAC" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-CONNTRAC" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-exclusion.5 shorewall6-5.0.12/manpages/shorewall6-exclusion.5
--- shorewall6-5.0.11/manpages/shorewall6-exclusion.5 2016-08-06 07:58:41.384877908 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-exclusion.5 2016-10-01 14:49:09.531898043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-exclusion
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-EXCLUSIO" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-EXCLUSIO" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-hosts.5 shorewall6-5.0.12/manpages/shorewall6-hosts.5
--- shorewall6-5.0.11/manpages/shorewall6-hosts.5 2016-08-06 07:58:41.972873961 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-hosts.5 2016-10-01 14:49:10.092458043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-hosts
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-HOSTS" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-HOSTS" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-interfaces.5 shorewall6-5.0.12/manpages/shorewall6-interfaces.5
--- shorewall6-5.0.11/manpages/shorewall6-interfaces.5 2016-08-06 07:58:42.676869235 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-interfaces.5 2016-10-01 14:49:10.745110043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-interfaces
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-INTERFAC" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-INTERFAC" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-ipsets.5 shorewall6-5.0.12/manpages/shorewall6-ipsets.5
--- shorewall6-5.0.11/manpages/shorewall6-ipsets.5 2016-08-06 07:58:43.292865100 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-ipsets.5 2016-10-01 14:49:11.313678042 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-ipsets
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-IPSETS" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-IPSETS" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-maclist.5 shorewall6-5.0.12/manpages/shorewall6-maclist.5
--- shorewall6-5.0.11/manpages/shorewall6-maclist.5 2016-08-06 07:58:43.912860938 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-maclist.5 2016-10-01 14:49:11.902266043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-maclist
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-MACLIST" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-MACLIST" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-mangle.5 shorewall6-5.0.12/manpages/shorewall6-mangle.5
--- shorewall6-5.0.11/manpages/shorewall6-mangle.5 2016-08-06 07:58:44.860854574 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-mangle.5 2016-10-01 14:49:12.759122043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-mangle
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-MANGLE" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-MANGLE" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -1124,6 +1124,15 @@
Defines the ending time of day\&.
.RE
.PP
+contiguous
+.RS 4
+Added in Shoreawll 5\&.0\&.12\&. When
+\fBtimestop\fR
+is smaller than
+\fBtimestart\fR
+value, match this as a single time period instead of distinct intervals\&.
+.RE
+.PP
utc
.RS 4
Times are expressed in Greenwich Mean Time\&.
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-masq.5 shorewall6-5.0.12/manpages/shorewall6-masq.5
--- shorewall6-5.0.11/manpages/shorewall6-masq.5 2016-08-06 07:58:45.524850117 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-masq.5 2016-10-01 14:49:13.375738043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-masq
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-MASQ" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-MASQ" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-modules.5 shorewall6-5.0.12/manpages/shorewall6-modules.5
--- shorewall6-5.0.11/manpages/shorewall6-modules.5 2016-08-06 07:58:46.140845982 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-modules.5 2016-10-01 14:49:13.928290042 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-modules
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-MODULES" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-MODULES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-nat.5 shorewall6-5.0.12/manpages/shorewall6-nat.5
--- shorewall6-5.0.11/manpages/shorewall6-nat.5 2016-08-06 07:58:46.688842303 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-nat.5 2016-10-01 14:49:14.476838042 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-nat
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-NAT" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-NAT" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-nesting.5 shorewall6-5.0.12/manpages/shorewall6-nesting.5
--- shorewall6-5.0.11/manpages/shorewall6-nesting.5 2016-08-06 07:58:47.236838624 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-nesting.5 2016-10-01 14:49:15.025386043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-nesting
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-NESTING" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-NESTING" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-netmap.5 shorewall6-5.0.12/manpages/shorewall6-netmap.5
--- shorewall6-5.0.11/manpages/shorewall6-netmap.5 2016-08-06 07:58:47.800834839 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-netmap.5 2016-10-01 14:49:15.597958043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-netmap
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-NETMAP" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-NETMAP" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-params.5 shorewall6-5.0.12/manpages/shorewall6-params.5
--- shorewall6-5.0.11/manpages/shorewall6-params.5 2016-08-06 07:58:48.352831133 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-params.5 2016-10-01 14:49:16.138498043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-params
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-PARAMS" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-PARAMS" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-policy.5 shorewall6-5.0.12/manpages/shorewall6-policy.5
--- shorewall6-5.0.11/manpages/shorewall6-policy.5 2016-08-06 07:58:48.932827239 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-policy.5 2016-10-01 14:49:16.719078042 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-policy
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-POLICY" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-POLICY" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -51,7 +51,7 @@
.PP
The order of entries in this file is important
.PP
-This file determines what to do with a new connection request if we don\*(Aqt get a match from the /etc/shorewall6/rules file \&. For each source/destination pair, the file is processed in order until a match is found ("all" will match any client or server)\&.
+This file determines what to do with a new connection request if we don\*(Aqt get a match from the /etc/shorewall6/rules file \&. For each source/destination pair, the file is processed in order until a match is found ("all" will match any source or destination)\&.
.sp .5v
.RE
.if n \{\
@@ -77,20 +77,28 @@
.PP
The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&.
.PP
-\fBSOURCE\fR \- \fIzone\fR|\fB$FW\fR|\fBall\fR|\fBall+\fR
+\fBSOURCE\fR \- \fIzone\fR[,\&.\&.\&.[+]]|\fB$FW\fR|\fBall\fR|\fBall+\fR
.RS 4
Source zone\&. Must be the name of a zone defined in
\m[blue]\fBshorewall6\-zones\fR\m[]\&\s-2\u[1]\d\s+2(5), $FW, "all" or "all+"\&.
.sp
Support for "all+" was added in Shorewall 4\&.5\&.17\&. "all" does not override the implicit intra\-zone ACCEPT policy while "all+" does\&.
+.sp
+Beginning with Shorewall 5\&.0\&.12, multiple zones may be listed separated by commas\&. As above, if \*(Aq+\*(Aq is specified after two or more zone names, then the policy overrides the implicit intra\-zone ACCEPT policy if the same
+\fIzone\fR
+appears in both the SOURCE and DEST columns\&.
.RE
.PP
-\fBDEST\fR \- \fIzone\fR|\fB$FW\fR|\fBall\fR|\fBall+\fR
+\fBDEST\fR \- \fIzone\fR[,\&.\&.\&.[+]]|\fB$FW\fR|\fBall\fR|\fBall+\fR
.RS 4
Destination zone\&. Must be the name of a zone defined in
\m[blue]\fBshorewall6\-zones\fR\m[]\&\s-2\u[1]\d\s+2(5), $FW, "all" or "all+"\&. If the DEST is a bport zone, then the SOURCE must be "all", "all+", another bport zone associated with the same bridge, or it must be an ipv4 zone that is associated with only the same bridge\&.
.sp
Support for "all+" was added in Shorewall 4\&.5\&.17\&. "all" does not override the implicit intra\-zone ACCEPT policy while "all+" does\&.
+.sp
+Beginning with Shorewall 5\&.0\&.12, multiple zones may be listed separated by commas\&. As above, if \*(Aq+\*(Aq is specified after two or more zone names, then the policy overrides the implicit intra\-zone ACCEPT policy if the same
+\fIzone\fR
+appears in both the SOURCE and DEST columns\&.
.RE
.PP
\fBPOLICY\fR \- {\fBACCEPT\fR|\fBDROP\fR|\fBREJECT\fR|\fBCONTINUE\fR|\fBQUEUE\fR|\fBNFQUEUE\fR[(\fIqueuenumber1\fR[:\fIqueuenumber2\fR])]|\fBNONE\fR}[\fB:\fR{\fIdefault\-action\-or\-macro\fR[:level]|\fBNone\fR}]
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-providers.5 shorewall6-5.0.12/manpages/shorewall6-providers.5
--- shorewall6-5.0.11/manpages/shorewall6-providers.5 2016-08-06 07:58:49.516823319 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-providers.5 2016-10-01 14:49:17.327686043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-providers
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-PROVIDER" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-PROVIDER" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -304,6 +304,33 @@
\m[blue]\fBshorewall6\-rtrules(5)\fR\m[]\&\s-2\u[6]\d\s+2
are present\&.
.RE
+.sp
+.if n \{\
+.sp
+.\}
+.RS 4
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.ps +1
+\fBNote\fR
+.ps -1
+.br
+The generated script will attempt to reenable a disabled persistent provider during execution of the
+\fBstart\fR,
+\fBrestart\fR
+and
+\fBreload\fR
+commands\&. When
+\fBpersistent\fR
+is not specified, only the
+\fBenable\fR
+and
+\fBreenable\fR
+commands can reenable the provider\&.
+.sp .5v
+.RE
.RE
.RE
.PP
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-proxyndp.5 shorewall6-5.0.12/manpages/shorewall6-proxyndp.5
--- shorewall6-5.0.11/manpages/shorewall6-proxyndp.5 2016-08-06 07:58:50.072819587 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-proxyndp.5 2016-10-01 14:49:17.876234042 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-proxyndp
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-PROXYNDP" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-PROXYNDP" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-routes.5 shorewall6-5.0.12/manpages/shorewall6-routes.5
--- shorewall6-5.0.11/manpages/shorewall6-routes.5 2016-08-06 07:58:50.608815989 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-routes.5 2016-10-01 14:49:18.420778043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-routes
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-ROUTES" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-ROUTES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-rtrules.5 shorewall6-5.0.12/manpages/shorewall6-rtrules.5
--- shorewall6-5.0.11/manpages/shorewall6-rtrules.5 2016-08-06 07:58:51.156812310 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-rtrules.5 2016-10-01 14:49:18.985342043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-rtrules
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-RTRULES" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-RTRULES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-rules.5 shorewall6-5.0.12/manpages/shorewall6-rules.5
--- shorewall6-5.0.11/manpages/shorewall6-rules.5 2016-08-06 07:58:52.280804766 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-rules.5 2016-10-01 14:49:20.086442043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-rules
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-RULES" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-RULES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -1150,6 +1150,15 @@
Defines the ending time of day\&.
.RE
.PP
+contiguous
+.RS 4
+Added in Shoreawll 5\&.0\&.12\&. When
+\fBtimestop\fR
+is smaller than
+\fBtimestart\fR
+value, match this as a single time period instead of distinct intervals\&.
+.RE
+.PP
utc
.RS 4
Times are expressed in Greenwich Mean Time\&.
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-secmarks.5 shorewall6-5.0.12/manpages/shorewall6-secmarks.5
--- shorewall6-5.0.11/manpages/shorewall6-secmarks.5 2016-08-06 07:58:52.872800791 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-secmarks.5 2016-10-01 14:49:20.699054043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-secmarks
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-SECMARKS" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-SECMARKS" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-stoppedrules.5 shorewall6-5.0.12/manpages/shorewall6-stoppedrules.5
--- shorewall6-5.0.11/manpages/shorewall6-stoppedrules.5 2016-08-06 07:58:53.416797139 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-stoppedrules.5 2016-10-01 14:49:21.267622043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-stoppedrules
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-STOPPEDR" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-STOPPEDR" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-tcclasses.5 shorewall6-5.0.12/manpages/shorewall6-tcclasses.5
--- shorewall6-5.0.11/manpages/shorewall6-tcclasses.5 2016-08-06 07:58:54.072792736 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-tcclasses.5 2016-10-01 14:49:21.888242042 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-tcclasses
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-TCCLASSE" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-TCCLASSE" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-tcdevices.5 shorewall6-5.0.12/manpages/shorewall6-tcdevices.5
--- shorewall6-5.0.11/manpages/shorewall6-tcdevices.5 2016-08-06 07:58:54.692788573 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-tcdevices.5 2016-10-01 14:49:22.464818043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-tcdevices
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-TCDEVICE" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-TCDEVICE" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-tcfilters.5 shorewall6-5.0.12/manpages/shorewall6-tcfilters.5
--- shorewall6-5.0.11/manpages/shorewall6-tcfilters.5 2016-08-06 07:58:55.336784250 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-tcfilters.5 2016-10-01 14:49:23.057410043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-tcfilters
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-TCFILTER" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-TCFILTER" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-tcinterfaces.5 shorewall6-5.0.12/manpages/shorewall6-tcinterfaces.5
--- shorewall6-5.0.11/manpages/shorewall6-tcinterfaces.5 2016-08-06 07:58:55.928780277 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-tcinterfaces.5 2016-10-01 14:49:23.625978043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-tcinterfaces
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-TCINTERF" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-TCINTERF" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-tcpri.5 shorewall6-5.0.12/manpages/shorewall6-tcpri.5
--- shorewall6-5.0.11/manpages/shorewall6-tcpri.5 2016-08-06 07:58:56.500776437 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-tcpri.5 2016-10-01 14:49:24.186538043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-tcpri
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-TCPRI" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-TCPRI" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-tunnels.5 shorewall6-5.0.12/manpages/shorewall6-tunnels.5
--- shorewall6-5.0.11/manpages/shorewall6-tunnels.5 2016-08-06 07:58:57.168771953 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-tunnels.5 2016-10-01 14:49:24.763114043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-tunnels
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-TUNNELS" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-TUNNELS" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-vardir.5 shorewall6-5.0.12/manpages/shorewall6-vardir.5
--- shorewall6-5.0.11/manpages/shorewall6-vardir.5 2016-08-06 07:58:57.776767871 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-vardir.5 2016-10-01 14:49:25.303654043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-vardir
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-VARDIR" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-VARDIR" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/manpages/shorewall6-zones.5 shorewall6-5.0.12/manpages/shorewall6-zones.5
--- shorewall6-5.0.11/manpages/shorewall6-zones.5 2016-08-06 07:59:00.632748699 -0700
+++ shorewall6-5.0.12/manpages/shorewall6-zones.5 2016-10-01 14:49:27.625974043 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-zones
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 08/06/2016
+.\" Date: 10/01/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-ZONES" "5" "08/06/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-ZONES" "5" "10/01/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/releasenotes.txt shorewall6-5.0.12/releasenotes.txt
--- shorewall6-5.0.11/releasenotes.txt 2016-08-06 07:57:47.277241125 -0700
+++ shorewall6-5.0.12/releasenotes.txt 2016-10-01 14:48:18.609026043 -0700
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 5 . 0 . 1 1
+ S H O R E W A L L 5 . 0 . 1 2
----------------------------
- A u g u s t 1 2 , 2 0 1 6
+ O c t o b e r 0 3 , 2 0 1 6
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,27 +14,48 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) This release contains defect repair through Shorewall 5.0.10.1.
+1) Minor cleanup, mostly commentary, in the Rules.pm module.
-2) In Shorewall 5.0, the default chain for DSCP rules was
- inadvertently chained to PREROUTING (FORWARD, if
- MARK_IN_FORWARD_CHAIN=Yes).
+2) In Shorewall 5.0.7, The assumed 'use Shorewall::Config(shorewall)'
+ statement in ?PERL and ?BEGIN PERL...?END PERL handling was
+ inadvertently removed. This results in Perl compilation errors if
+ the 'shorewall' function is invoked. The statement has now been
+ restored.
- The default is now restored to POSTROUTING, its earlier value.
+3) Previously, the firewall would fail to start if the configuration
+ contained a CHECKSUM rule without a chain designator and
+ MARK_IN_FORWARD_CHAIN=No. Now, the compiler defaults these rules to
+ the POSTROUTING chain and forbids them in the PREROUTING chain.
-3) When 'trace' was specified, prevously the output of ip[6]tables
- rules containing a comment were displayed incorrectly. The "-m
- comment --comment" specification was missing and the comment was
- not enclosed in double quotes. This has been corrected.
+4) Recently, a case was observed where certain incoming packets had a
+ non-zero packet mark in the raw PREROUTING chain, causing them to
+ be misrouted. To guard against this issue, packet marks are now
+ cleared at the top of the PREROUTING and OUTPUT mangle chains when
+ the new ZERO_MARKS option is set to yes. Note that ZERO_MARKS=Yes
+ can break IPSEC in multi-ISP configurations.
-4) Previously, if a provider interface matched only a wildcard entry
- (one whose physical interface name ended in '+'), then the
- generated script would always find the interface to be
- unusable. That has been corrected.
+5) Two distinct problems have been corrected in the 'disable'
+ command logic:
-5) A change released in 5.0.9.1 and that allowed simple traffic
- shaping to support more than 9 interfaces prevented some users'
- configurations from starting. That has been corrected.
+ a) If a balanced or fallback interface was down or had been
+ deleted, then the 'disable' command could fail.
+
+ b) If a persistent optional interface was down, then the
+ generated script would fail when it attempted to add routes out
+ of the interface.
+
+6) Previously, the generated script would attempt to reenable a
+ disabled persistent provider at each 'start', 'reload' or
+ 'restart'. Now, disabled persistent providers are handled the same
+ as other providers and require the 'enable' or 'reenable' command
+ to enable them.
+
+7) Previously, the generated script assumed that all
+ probability-balanced providers (those with the 'load' option
+ specified) were optional. That assumption has been removed.
+
+8) Previously, the permissions of files created by the 'save' command
+ were more relaxed than necessary. This has been corrected.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
@@ -51,21 +72,69 @@
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) When using the alternate input form, it is now possible to specify
- a comment to be attached to the generated ip[6]tables rule. Simply
- use the 'comment' keyword. If the comment contains embedded white
- space, then it must be enclosed in double quotes. Any double
- quotes embedded in the comment must be escaped using a backslash.
+1) You may now place comma-separated zone lists in the SOURCE and DEST
+ columns in /etc/shorewall[6]/policy.
Example:
- ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" }
+ #SOURCE DEST POLICY ...
+ loc,dmz net REJECT
-2) OPTIMIZE level 16 no longer deletes duplicate COUNT rules, allowing
- multiple similar COUNT rules in a chain.
+ That line is equivalent to:
-3) Beginning with this release, source RPMs are available on the
- download sites.
+ #SOURCE DEST POLICY ...
+ loc net REJECT
+ loc dmz REJECT
+
+ If the same zone appears in both columns, the default ACCEPT
+ intrazone policy is not overridden unless the list is followed
+ immediately by '+'.
+
+ Example:
+
+ #SOURCE DEST POLICY ...
+ dmz,loc loc,dmz+ REJECT
+
+ That line is equivalent to:
+
+ #SOURCE DEST POLICY ...
+ dmz loc REJECT
+ dmz dmz REJECT
+ loc loc REJECT
+ loc dmz REJECT
+
+ Without the plus sine, it would be equivalent to
+
+ #SOURCE DEST POLICY ...
+ dmz loc REJECT
+ loc dmz REJECT
+
+2) Distribution maintainers may now set a default pager via the
+ configure and configure.pl programs in Shorewall-core to set
+ DEFAULT_PAGER in the generated shorewallrc file. The
+ Shorewall-provided shorewallrc files for Debian currently specify
+ 'less' for DEFAULT_PAGER. The other shorewallrc files do not
+ specify DEFAULT_PAGER.
+
+ If shorewall[6].conf does not specify PAGER then the DEFAULT_PAGER
+ setting is used.
+
+3) The 'contiguous' option is now supported in TIME columns. When the
+ 'timestop' value is smaller than the 'timestart' value, match this
+ as a single time period instead distinct intervals.
+
+ Example:
+
+ weekdays=Mo×tart=23:00×top=01:00
+
+ Will match Monday, for one hour from midnight to 1 a.m., and
+ then again for another hour from 23:00 onwards. If this is
+ unwanted, e.g. if you would like 'match for two hours from
+ Monday 23:00 onwards' you need to also specify the 'contiguous'
+ option in the example above.
+
+ See http://www.shorewall.org/configuration_file_basics.htm#TIME for
+ additional TIME column examples.
----------------------------------------------------------------------------
I V. M I G R A T I O N I S S U E S
@@ -214,7 +283,7 @@
these requests, so they are simply logged and dropped.
IMPORTANT: If you want to continue to reject Auth requests, you
- can do so by chaning your DROP_DEFAULT setting to make the second
+ can do so by changing your DROP_DEFAULT setting to make the second
parameter REJECT. For example, if you currently have:
DROP_DEFAULT=Drop
@@ -226,6 +295,52 @@
----------------------------------------------------------------------------
V. N O T E S F R O M O T H E R 5 . 0 R E L E A S E S
----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 5 . 0 . 1 1
+----------------------------------------------------------------------------
+
+1) This release contains defect repair through Shorewall 5.0.10.1.
+
+2) In Shorewall 5.0, the default chain for DSCP rules was
+ inadvertently chained to PREROUTING (FORWARD, if
+ MARK_IN_FORWARD_CHAIN=Yes).
+
+ The default is now restored to POSTROUTING, its earlier value.
+
+3) When 'trace' was specified, previously the output of ip[6]tables
+ rules containing a comment were displayed incorrectly. The "-m
+ comment --comment" specification was missing and the comment was
+ not enclosed in double quotes. This has been corrected.
+
+4) Previously, if a provider interface matched only a wildcard entry
+ (one whose physical interface name ended in '+'), then the
+ generated script would always find the interface to be
+ unusable. That has been corrected.
+
+5) A change released in 5.0.9.1 and that allowed simple traffic
+ shaping to support more than 9 interfaces prevented some users'
+ configurations from starting. That has been corrected.
+
+----------------------------------------------------------------------------
+ N E W F E A T U R E S I N 5 . 0 . 1 1
+----------------------------------------------------------------------------
+
+1) When using the alternate input form, it is now possible to specify
+ a comment to be attached to the generated ip[6]tables rule. Simply
+ use the 'comment' keyword. If the comment contains embedded white
+ space, then it must be enclosed in double quotes. Any double
+ quotes embedded in the comment must be escaped using a backslash.
+
+ Example:
+
+ ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" }
+
+2) OPTIMIZE level 16 no longer deletes duplicate COUNT rules, allowing
+ multiple similar COUNT rules in a chain.
+
+3) Beginning with this release, source RPMs are available on the
+ download sites.
+
+----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 0 . 1 0
----------------------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/Samples6/one-interface/policy.annotated shorewall6-5.0.12/Samples6/one-interface/policy.annotated
--- shorewall6-5.0.11/Samples6/one-interface/policy.annotated 2016-08-06 07:59:10.508682404 -0700
+++ shorewall6-5.0.12/Samples6/one-interface/policy.annotated 2016-10-01 14:49:37.139478043 -0700
@@ -23,7 +23,7 @@
# This file determines what to do with a new connection request if we don't get a
# match from the /etc/shorewall6/rules file . For each source/destination pair,
# the file is processed in order until a match is found ("all" will match any
-# client or server).
+# source or destination).
#
# Important
#
@@ -43,7 +43,7 @@
# different name in parentheses, the different name is used in the alternate
# specification syntax).
#
-# SOURCE - zone|$FW|all|all+
+# SOURCE - zone[,...[+]]|$FW|all|all+
#
# Source zone. Must be the name of a zone defined in shorewall6-zones(5),
# $FW, "all" or "all+".
@@ -51,7 +51,12 @@
# Support for "all+" was added in Shorewall 4.5.17. "all" does not override
# the implicit intra-zone ACCEPT policy while "all+" does.
#
-# DEST - zone|$FW|all|all+
+# Beginning with Shorewall 5.0.12, multiple zones may be listed separated by
+# commas. As above, if '+' is specified after two or more zone names, then
+# the policy overrides the implicit intra-zone ACCEPT policy if the same zone
+# appears in both the SOURCE and DEST columns.
+#
+# DEST - zone[,...[+]]|$FW|all|all+
#
# Destination zone. Must be the name of a zone defined in shorewall6-zones
# (5), $FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE
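Review bot: The paragraph added before the DEST heading describes only the case where '+' is present, so the security-relevant converse is left implicit: without '+', a zone named in both lists keeps the implicit intra-zone ACCEPT policy, and a line such as `dmz,loc loc,dmz REJECT` does not reject dmz-to-dmz traffic. The text also does not say whether the '+' must follow the SOURCE list, the DEST list, or either one; the release-notes example on this page shows it only on the DEST list. I would add a sentence such as `# Without the '+', traffic within a zone that appears in both columns remains subject to the implicit intra-zone ACCEPT policy.` and state which column's '+' takes effect. The same paragraph is added again in the following hunk and in the three-interfaces, two-interfaces and Universal copies of policy.annotated.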
@@ -61,6 +66,11 @@
# Support for "all+" was added in Shorewall 4.5.17. "all" does not override
# the implicit intra-zone ACCEPT policy while "all+" does.
#
+# Beginning with Shorewall 5.0.12, multiple zones may be listed separated by
+# commas. As above, if '+' is specified after two or more zone names, then
+# the policy overrides the implicit intra-zone ACCEPT policy if the same zone
+# appears in both the SOURCE and DEST columns.
+#
# POLICY - {ACCEPT|DROP|REJECT|CONTINUE|QUEUE|NFQUEUE[(queuenumber1[:queuenumber2
# ])]|NONE}[:{default-action-or-macro[:level]|None}]
#
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/Samples6/one-interface/rules.annotated shorewall6-5.0.12/Samples6/one-interface/rules.annotated
--- shorewall6-5.0.11/Samples6/one-interface/rules.annotated 2016-08-06 07:59:10.924679611 -0700
+++ shorewall6-5.0.12/Samples6/one-interface/rules.annotated 2016-10-01 14:49:37.547886043 -0700
@@ -888,6 +888,12 @@
#
# Defines the ending time of day.
#
+# contiguous
+#
+# Added in Shoreawll 5.0.12. When timestop is smaller than timestart
+# value, match this as a single time period instead of distinct
+# intervals.
+#
# utc
#
# Times are expressed in Greenwich Mean Time.
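Review bot: The added 'contiguous' description misspells the product name as "Shoreawll", and "When timestop is smaller than timestart value" is missing an article. Suggested wording: `# Added in Shorewall 5.0.12. When the timestop value is smaller than the timestart`, with the following lines unchanged. The same text is added in the three-interfaces, two-interfaces and Universal copies of rules.annotated.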
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/Samples6/one-interface/shorewall6.conf shorewall6-5.0.12/Samples6/one-interface/shorewall6.conf
--- shorewall6-5.0.11/Samples6/one-interface/shorewall6.conf 2016-08-04 11:03:36.000000000 -0700
+++ shorewall6-5.0.12/Samples6/one-interface/shorewall6.conf 2016-10-01 13:49:35.000000000 -0700
@@ -220,6 +220,8 @@
WORKAROUNDS=No
+ZERO_MARKS=No
+
ZONE2ZONE=-
###############################################################################
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/Samples6/one-interface/shorewall6.conf.annotated shorewall6-5.0.12/Samples6/one-interface/shorewall6.conf.annotated
--- shorewall6-5.0.11/Samples6/one-interface/shorewall6.conf.annotated 2016-08-06 07:59:11.340676819 -0700
+++ shorewall6-5.0.12/Samples6/one-interface/shorewall6.conf.annotated 2016-10-01 14:49:37.952290043 -0700
@@ -92,6 +92,9 @@
# and the dump command are piped through the named program when the output
# file is a terminal.
#
+# Beginning with Shorewall 5.0.12, the default value of this option is the
+# DEFAULT_PAGER setting in shorewallrc.
+#
###############################################################################
# L O G G I N G
###############################################################################
@@ -597,6 +600,9 @@
# continue to work and all new connections from the firewall system
# itself are allowed.
#
+# Note that the routestopped file is not supported in Shorewall 5.0 and
+# later versions.
+#
# stoppedrules
#
# All existing connections continue to work. To sever all existing
@@ -739,13 +745,13 @@
# CLEAR_TC=[Yes|No]
#
# If this option is set to No then Shorewall6 won't clear the current traffic
-# control rules during [re]start. This setting is intended for use by people
-# that prefer to configure traffic shaping when the network interfaces come
-# up rather than when the firewall is started. If that is what you want to
-# do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall6
-# /tcstart file. That way, your traffic shaping rules can still use the
-# “fwmark” classifier based on packet marking defined in shorewall6-tcrules
-# (5). If not specified, CLEAR_TC=No is assumed.
+# control rules during [re]start or reload. This setting is intended for use
+# by people that prefer to configure traffic shaping when the network
+# interfaces come up rather than when the firewall is started. If that is
+# what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply
+# an /etc/shorewall6/tcstart file. That way, your traffic shaping rules can
+# still use the “fwmark” classifier based on packet marking defined in
+# shorewall6-tcrules(5). If not specified, CLEAR_TC=No is assumed.
#
# Warning
#
@@ -787,10 +793,10 @@
#
# DELETE_THEN_ADD={Yes|No}
#
-# If set to Yes (the default value), entries in the /etc/shorewall6/
-# route_stopped files cause an 'ip rule del' command to be generated in
-# addition to an 'ip rule add' command. Setting this option to No, causes the
-# 'ip rule del' command to be omitted.
+# If set to Yes (the default value), entries in the /etc/shorewall6/rtrules
+# file cause an 'ip rule del' command to be generated in addition to an 'ip
+# rule add' command. Setting this option to No, causes the 'ip rule del'
+# command to be omitted.
#
DONT_LOAD=
#
@@ -850,7 +856,8 @@
# commands), the compiler will copy the modules or helpers file from the
# administrative system into the script. When set to No or not specified, the
# compiler will not copy the modules or helpers file from /usr/share/
-# shorewall6 but will copy the found in another location on the CONFIG_PATH.
+# shorewall6 but will copy those found in another location on the
+# CONFIG_PATH.
#
# When compiling for direct use by Shorewall6, causes the contents of the
# local module or helpers file to be copied into the compiled script. When
@@ -875,8 +882,8 @@
#
# FORWARD_CLEAR_MARK={Yes|No}
#
-# Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has cleared the
-# packet mark in the first rule in the mangle FORWARD chain. This behavior is
+# Added in Shorewall 4.4.11. Traditionally, Shorewall has cleared the packet
+# mark in the first rule in the mangle FORWARD chain. This behavior is
# maintained with the default setting of this option (FORWARD_CLEAR_MARK=
# Yes). If FORWARD_CLEAR_MARK is set to 'No', packet marks set in the mangle
# PREROUTING chain are retained in the FORWARD chains.
@@ -1261,18 +1268,18 @@
# #TARGET SOURCE DEST PROTO
# Broadcast(DROP) - - -
# DROP - - 2
-# INLINE - - 6 ; -j REJECT --reject-with tcp-reset
+# INLINE - - 6 ;; -j REJECT --reject-with tcp-reset
# ?if __ENHANCED_REJECT
-# INLINE - - 17 ; -j REJECT
+# INLINE - - 17 ;; -j REJECT
# ?if __IPV4
-# INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable
-# INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited
+# INLINE - - 1 ;; -j REJECT --reject-with icmp-host-unreachable
+# INLINE - - - ;; -j REJECT --reject-with icmp-host-prohibited
# ?else
-# INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable
-# INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited
+# INLINE - - 58 ;; -j REJECT --reject-with icmp6-addr-unreachable
+# INLINE - - - ;; -j REJECT --reject-with icmp6-adm-prohibited
# ?endif
# ?else
-# INLINE - - - ; -j REJECT
+# INLINE - - - ;; -j REJECT
# ?endif
#
REQUIRE_INTERFACE=No
@@ -1302,9 +1309,9 @@
# Added in Shorewall 4.5.9. When set to Yes (the default), provider marks are
# restored unconditionally at the top of the mangle OUTPUT and PREROUTING
# chains, even if the saved mark is zero. When this option is set to No, the
-# mark is restored even when it is zero. If you have problems with IPSEC ESP
-# packets not being routed correctly on output, try setting this option to No
-# .
+# mark is restored only if it is non-zero. If you have problems with IPSEC
+# ESP packets not being routed correctly on output, try setting this option
+# to No.
#
SAVE_IPSETS=No
#
@@ -1524,6 +1531,20 @@
# Shorewall-generated scripts (such as created by the save command) built by
# Shorewall 4.4.7 or older.
#
+ZERO_MARKS=No
+#
+# ZERO_MARKS=[Yes|No]
+#
+# Added in Shorewall 5.0.12, this is a workaround for an issue where packet
+# marks are not zeroed by the kernel. It should be set to No (the default)
+# unless you find that incoming packets are being mis-routed for no apparent
+# reasons.
+#
+# Caution
+#
+# Do not set this option to Yes if you have IPSEC software running on the
+# firewall system.
+#
ZONE2ZONE=-
#
# ZONE2ZONE={2|-}
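Review bot: The new ZERO_MARKS annotation warns against setting Yes on a system running IPSEC software but never says what Yes actually does, so an administrator cannot judge the impact or understand why the caution applies. The 5.0.12 changelog entry "Clear packet marks in PREROUTING and OUTPUT" is presumably this option; if so, the description should state it, for example `# When set to Yes, packet marks are cleared in the PREROUTING and OUTPUT chains.`, followed by one sentence giving the reason for the IPSEC caution. "for no apparent reasons" should also read "for no apparent reason". The same block is added in the three-interfaces and two-interfaces copies of shorewall6.conf.annotated.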
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/Samples6/three-interfaces/policy.annotated shorewall6-5.0.12/Samples6/three-interfaces/policy.annotated
--- shorewall6-5.0.11/Samples6/three-interfaces/policy.annotated 2016-08-06 07:59:12.300670374 -0700
+++ shorewall6-5.0.12/Samples6/three-interfaces/policy.annotated 2016-10-01 14:49:38.905242043 -0700
@@ -22,7 +22,7 @@
# This file determines what to do with a new connection request if we don't get a
# match from the /etc/shorewall6/rules file . For each source/destination pair,
# the file is processed in order until a match is found ("all" will match any
-# client or server).
+# source or destination).
#
# Important
#
@@ -42,7 +42,7 @@
# different name in parentheses, the different name is used in the alternate
# specification syntax).
#
-# SOURCE - zone|$FW|all|all+
+# SOURCE - zone[,...[+]]|$FW|all|all+
#
# Source zone. Must be the name of a zone defined in shorewall6-zones(5),
# $FW, "all" or "all+".
@@ -50,7 +50,12 @@
# Support for "all+" was added in Shorewall 4.5.17. "all" does not override
# the implicit intra-zone ACCEPT policy while "all+" does.
#
-# DEST - zone|$FW|all|all+
+# Beginning with Shorewall 5.0.12, multiple zones may be listed separated by
+# commas. As above, if '+' is specified after two or more zone names, then
+# the policy overrides the implicit intra-zone ACCEPT policy if the same zone
+# appears in both the SOURCE and DEST columns.
+#
+# DEST - zone[,...[+]]|$FW|all|all+
#
# Destination zone. Must be the name of a zone defined in shorewall6-zones
# (5), $FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE
@@ -60,6 +65,11 @@
# Support for "all+" was added in Shorewall 4.5.17. "all" does not override
# the implicit intra-zone ACCEPT policy while "all+" does.
#
+# Beginning with Shorewall 5.0.12, multiple zones may be listed separated by
+# commas. As above, if '+' is specified after two or more zone names, then
+# the policy overrides the implicit intra-zone ACCEPT policy if the same zone
+# appears in both the SOURCE and DEST columns.
+#
# POLICY - {ACCEPT|DROP|REJECT|CONTINUE|QUEUE|NFQUEUE[(queuenumber1[:queuenumber2
# ])]|NONE}[:{default-action-or-macro[:level]|None}]
#
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/Samples6/three-interfaces/rules.annotated shorewall6-5.0.12/Samples6/three-interfaces/rules.annotated
--- shorewall6-5.0.11/Samples6/three-interfaces/rules.annotated 2016-08-06 07:59:12.684667797 -0700
+++ shorewall6-5.0.12/Samples6/three-interfaces/rules.annotated 2016-10-01 14:49:39.289626043 -0700
@@ -888,6 +888,12 @@
#
# Defines the ending time of day.
#
+# contiguous
+#
+# Added in Shoreawll 5.0.12. When timestop is smaller than timestart
+# value, match this as a single time period instead of distinct
+# intervals.
+#
# utc
#
# Times are expressed in Greenwich Mean Time.
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/Samples6/three-interfaces/shorewall6.conf shorewall6-5.0.12/Samples6/three-interfaces/shorewall6.conf
--- shorewall6-5.0.11/Samples6/three-interfaces/shorewall6.conf 2016-08-04 11:03:36.000000000 -0700
+++ shorewall6-5.0.12/Samples6/three-interfaces/shorewall6.conf 2016-10-01 13:49:35.000000000 -0700
@@ -219,6 +219,8 @@
WORKAROUNDS=No
+ZERO_MARKS=No
+
ZONE2ZONE=-
###############################################################################
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/Samples6/three-interfaces/shorewall6.conf.annotated shorewall6-5.0.12/Samples6/three-interfaces/shorewall6.conf.annotated
--- shorewall6-5.0.11/Samples6/three-interfaces/shorewall6.conf.annotated 2016-08-06 07:59:13.096665031 -0700
+++ shorewall6-5.0.12/Samples6/three-interfaces/shorewall6.conf.annotated 2016-10-01 14:49:39.698034043 -0700
@@ -91,6 +91,9 @@
# and the dump command are piped through the named program when the output
# file is a terminal.
#
+# Beginning with Shorewall 5.0.12, the default value of this option is the
+# DEFAULT_PAGER setting in shorewallrc.
+#
###############################################################################
# L O G G I N G
###############################################################################
@@ -596,6 +599,9 @@
# continue to work and all new connections from the firewall system
# itself are allowed.
#
+# Note that the routestopped file is not supported in Shorewall 5.0 and
+# later versions.
+#
# stoppedrules
#
# All existing connections continue to work. To sever all existing
@@ -738,13 +744,13 @@
# CLEAR_TC=[Yes|No]
#
# If this option is set to No then Shorewall6 won't clear the current traffic
-# control rules during [re]start. This setting is intended for use by people
-# that prefer to configure traffic shaping when the network interfaces come
-# up rather than when the firewall is started. If that is what you want to
-# do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall6
-# /tcstart file. That way, your traffic shaping rules can still use the
-# “fwmark” classifier based on packet marking defined in shorewall6-tcrules
-# (5). If not specified, CLEAR_TC=No is assumed.
+# control rules during [re]start or reload. This setting is intended for use
+# by people that prefer to configure traffic shaping when the network
+# interfaces come up rather than when the firewall is started. If that is
+# what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply
+# an /etc/shorewall6/tcstart file. That way, your traffic shaping rules can
+# still use the “fwmark” classifier based on packet marking defined in
+# shorewall6-tcrules(5). If not specified, CLEAR_TC=No is assumed.
#
# Warning
#
@@ -786,10 +792,10 @@
#
# DELETE_THEN_ADD={Yes|No}
#
-# If set to Yes (the default value), entries in the /etc/shorewall6/
-# route_stopped files cause an 'ip rule del' command to be generated in
-# addition to an 'ip rule add' command. Setting this option to No, causes the
-# 'ip rule del' command to be omitted.
+# If set to Yes (the default value), entries in the /etc/shorewall6/rtrules
+# file cause an 'ip rule del' command to be generated in addition to an 'ip
+# rule add' command. Setting this option to No, causes the 'ip rule del'
+# command to be omitted.
#
DONT_LOAD=
#
@@ -849,7 +855,8 @@
# commands), the compiler will copy the modules or helpers file from the
# administrative system into the script. When set to No or not specified, the
# compiler will not copy the modules or helpers file from /usr/share/
-# shorewall6 but will copy the found in another location on the CONFIG_PATH.
+# shorewall6 but will copy those found in another location on the
+# CONFIG_PATH.
#
# When compiling for direct use by Shorewall6, causes the contents of the
# local module or helpers file to be copied into the compiled script. When
@@ -874,8 +881,8 @@
#
# FORWARD_CLEAR_MARK={Yes|No}
#
-# Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has cleared the
-# packet mark in the first rule in the mangle FORWARD chain. This behavior is
+# Added in Shorewall 4.4.11. Traditionally, Shorewall has cleared the packet
+# mark in the first rule in the mangle FORWARD chain. This behavior is
# maintained with the default setting of this option (FORWARD_CLEAR_MARK=
# Yes). If FORWARD_CLEAR_MARK is set to 'No', packet marks set in the mangle
# PREROUTING chain are retained in the FORWARD chains.
@@ -1260,18 +1267,18 @@
# #TARGET SOURCE DEST PROTO
# Broadcast(DROP) - - -
# DROP - - 2
-# INLINE - - 6 ; -j REJECT --reject-with tcp-reset
+# INLINE - - 6 ;; -j REJECT --reject-with tcp-reset
# ?if __ENHANCED_REJECT
-# INLINE - - 17 ; -j REJECT
+# INLINE - - 17 ;; -j REJECT
# ?if __IPV4
-# INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable
-# INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited
+# INLINE - - 1 ;; -j REJECT --reject-with icmp-host-unreachable
+# INLINE - - - ;; -j REJECT --reject-with icmp-host-prohibited
# ?else
-# INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable
-# INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited
+# INLINE - - 58 ;; -j REJECT --reject-with icmp6-addr-unreachable
+# INLINE - - - ;; -j REJECT --reject-with icmp6-adm-prohibited
# ?endif
# ?else
-# INLINE - - - ; -j REJECT
+# INLINE - - - ;; -j REJECT
# ?endif
#
REQUIRE_INTERFACE=No
@@ -1301,9 +1308,9 @@
# Added in Shorewall 4.5.9. When set to Yes (the default), provider marks are
# restored unconditionally at the top of the mangle OUTPUT and PREROUTING
# chains, even if the saved mark is zero. When this option is set to No, the
-# mark is restored even when it is zero. If you have problems with IPSEC ESP
-# packets not being routed correctly on output, try setting this option to No
-# .
+# mark is restored only if it is non-zero. If you have problems with IPSEC
+# ESP packets not being routed correctly on output, try setting this option
+# to No.
#
SAVE_IPSETS=No
#
@@ -1523,6 +1530,20 @@
# Shorewall-generated scripts (such as created by the save command) built by
# Shorewall 4.4.7 or older.
#
+ZERO_MARKS=No
+#
+# ZERO_MARKS=[Yes|No]
+#
+# Added in Shorewall 5.0.12, this is a workaround for an issue where packet
+# marks are not zeroed by the kernel. It should be set to No (the default)
+# unless you find that incoming packets are being mis-routed for no apparent
+# reasons.
+#
+# Caution
+#
+# Do not set this option to Yes if you have IPSEC software running on the
+# firewall system.
+#
ZONE2ZONE=-
#
# ZONE2ZONE={2|-}
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/Samples6/two-interfaces/policy.annotated shorewall6-5.0.12/Samples6/two-interfaces/policy.annotated
--- shorewall6-5.0.11/Samples6/two-interfaces/policy.annotated 2016-08-06 07:59:14.376656439 -0700
+++ shorewall6-5.0.12/Samples6/two-interfaces/policy.annotated 2016-10-01 14:49:40.935270042 -0700
@@ -22,7 +22,7 @@
# This file determines what to do with a new connection request if we don't get a
# match from the /etc/shorewall6/rules file . For each source/destination pair,
# the file is processed in order until a match is found ("all" will match any
-# client or server).
+# source or destination).
#
# Important
#
@@ -42,7 +42,7 @@
# different name in parentheses, the different name is used in the alternate
# specification syntax).
#
-# SOURCE - zone|$FW|all|all+
+# SOURCE - zone[,...[+]]|$FW|all|all+
#
# Source zone. Must be the name of a zone defined in shorewall6-zones(5),
# $FW, "all" or "all+".
@@ -50,7 +50,12 @@
# Support for "all+" was added in Shorewall 4.5.17. "all" does not override
# the implicit intra-zone ACCEPT policy while "all+" does.
#
-# DEST - zone|$FW|all|all+
+# Beginning with Shorewall 5.0.12, multiple zones may be listed separated by
+# commas. As above, if '+' is specified after two or more zone names, then
+# the policy overrides the implicit intra-zone ACCEPT policy if the same zone
+# appears in both the SOURCE and DEST columns.
+#
+# DEST - zone[,...[+]]|$FW|all|all+
#
# Destination zone. Must be the name of a zone defined in shorewall6-zones
# (5), $FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE
@@ -60,6 +65,11 @@
# Support for "all+" was added in Shorewall 4.5.17. "all" does not override
# the implicit intra-zone ACCEPT policy while "all+" does.
#
+# Beginning with Shorewall 5.0.12, multiple zones may be listed separated by
+# commas. As above, if '+' is specified after two or more zone names, then
+# the policy overrides the implicit intra-zone ACCEPT policy if the same zone
+# appears in both the SOURCE and DEST columns.
+#
# POLICY - {ACCEPT|DROP|REJECT|CONTINUE|QUEUE|NFQUEUE[(queuenumber1[:queuenumber2
# ])]|NONE}[:{default-action-or-macro[:level]|None}]
#
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/Samples6/two-interfaces/rules.annotated shorewall6-5.0.12/Samples6/two-interfaces/rules.annotated
--- shorewall6-5.0.11/Samples6/two-interfaces/rules.annotated 2016-08-06 07:59:14.764653834 -0700
+++ shorewall6-5.0.12/Samples6/two-interfaces/rules.annotated 2016-10-01 14:49:41.315650043 -0700
@@ -888,6 +888,12 @@
#
# Defines the ending time of day.
#
+# contiguous
+#
+# Added in Shoreawll 5.0.12. When timestop is smaller than timestart
+# value, match this as a single time period instead of distinct
+# intervals.
+#
# utc
#
# Times are expressed in Greenwich Mean Time.
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/Samples6/two-interfaces/shorewall6.conf shorewall6-5.0.12/Samples6/two-interfaces/shorewall6.conf
--- shorewall6-5.0.11/Samples6/two-interfaces/shorewall6.conf 2016-08-04 11:03:36.000000000 -0700
+++ shorewall6-5.0.12/Samples6/two-interfaces/shorewall6.conf 2016-10-01 13:49:35.000000000 -0700
@@ -219,6 +219,8 @@
WORKAROUNDS=No
+ZERO_MARKS=No
+
ZONE2ZONE=-
###############################################################################
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/Samples6/two-interfaces/shorewall6.conf.annotated shorewall6-5.0.12/Samples6/two-interfaces/shorewall6.conf.annotated
--- shorewall6-5.0.11/Samples6/two-interfaces/shorewall6.conf.annotated 2016-08-06 07:59:15.192650961 -0700
+++ shorewall6-5.0.12/Samples6/two-interfaces/shorewall6.conf.annotated 2016-10-01 14:49:41.724058043 -0700
@@ -91,6 +91,9 @@
# and the dump command are piped through the named program when the output
# file is a terminal.
#
+# Beginning with Shorewall 5.0.12, the default value of this option is the
+# DEFAULT_PAGER setting in shorewallrc.
+#
###############################################################################
# L O G G I N G
###############################################################################
@@ -596,6 +599,9 @@
# continue to work and all new connections from the firewall system
# itself are allowed.
#
+# Note that the routestopped file is not supported in Shorewall 5.0 and
+# later versions.
+#
# stoppedrules
#
# All existing connections continue to work. To sever all existing
@@ -738,13 +744,13 @@
# CLEAR_TC=[Yes|No]
#
# If this option is set to No then Shorewall6 won't clear the current traffic
-# control rules during [re]start. This setting is intended for use by people
-# that prefer to configure traffic shaping when the network interfaces come
-# up rather than when the firewall is started. If that is what you want to
-# do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall6
-# /tcstart file. That way, your traffic shaping rules can still use the
-# “fwmark” classifier based on packet marking defined in shorewall6-tcrules
-# (5). If not specified, CLEAR_TC=No is assumed.
+# control rules during [re]start or reload. This setting is intended for use
+# by people that prefer to configure traffic shaping when the network
+# interfaces come up rather than when the firewall is started. If that is
+# what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply
+# an /etc/shorewall6/tcstart file. That way, your traffic shaping rules can
+# still use the “fwmark” classifier based on packet marking defined in
+# shorewall6-tcrules(5). If not specified, CLEAR_TC=No is assumed.
#
# Warning
#
@@ -786,10 +792,10 @@
#
# DELETE_THEN_ADD={Yes|No}
#
-# If set to Yes (the default value), entries in the /etc/shorewall6/
-# route_stopped files cause an 'ip rule del' command to be generated in
-# addition to an 'ip rule add' command. Setting this option to No, causes the
-# 'ip rule del' command to be omitted.
+# If set to Yes (the default value), entries in the /etc/shorewall6/rtrules
+# file cause an 'ip rule del' command to be generated in addition to an 'ip
+# rule add' command. Setting this option to No, causes the 'ip rule del'
+# command to be omitted.
#
DONT_LOAD=
#
@@ -849,7 +855,8 @@
# commands), the compiler will copy the modules or helpers file from the
# administrative system into the script. When set to No or not specified, the
# compiler will not copy the modules or helpers file from /usr/share/
-# shorewall6 but will copy the found in another location on the CONFIG_PATH.
+# shorewall6 but will copy those found in another location on the
+# CONFIG_PATH.
#
# When compiling for direct use by Shorewall6, causes the contents of the
# local module or helpers file to be copied into the compiled script. When
@@ -874,8 +881,8 @@
#
# FORWARD_CLEAR_MARK={Yes|No}
#
-# Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has cleared the
-# packet mark in the first rule in the mangle FORWARD chain. This behavior is
+# Added in Shorewall 4.4.11. Traditionally, Shorewall has cleared the packet
+# mark in the first rule in the mangle FORWARD chain. This behavior is
# maintained with the default setting of this option (FORWARD_CLEAR_MARK=
# Yes). If FORWARD_CLEAR_MARK is set to 'No', packet marks set in the mangle
# PREROUTING chain are retained in the FORWARD chains.
@@ -1260,18 +1267,18 @@
# #TARGET SOURCE DEST PROTO
# Broadcast(DROP) - - -
# DROP - - 2
-# INLINE - - 6 ; -j REJECT --reject-with tcp-reset
+# INLINE - - 6 ;; -j REJECT --reject-with tcp-reset
# ?if __ENHANCED_REJECT
-# INLINE - - 17 ; -j REJECT
+# INLINE - - 17 ;; -j REJECT
# ?if __IPV4
-# INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable
-# INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited
+# INLINE - - 1 ;; -j REJECT --reject-with icmp-host-unreachable
+# INLINE - - - ;; -j REJECT --reject-with icmp-host-prohibited
# ?else
-# INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable
-# INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited
+# INLINE - - 58 ;; -j REJECT --reject-with icmp6-addr-unreachable
+# INLINE - - - ;; -j REJECT --reject-with icmp6-adm-prohibited
# ?endif
# ?else
-# INLINE - - - ; -j REJECT
+# INLINE - - - ;; -j REJECT
# ?endif
#
REQUIRE_INTERFACE=No
@@ -1301,9 +1308,9 @@
# Added in Shorewall 4.5.9. When set to Yes (the default), provider marks are
# restored unconditionally at the top of the mangle OUTPUT and PREROUTING
# chains, even if the saved mark is zero. When this option is set to No, the
-# mark is restored even when it is zero. If you have problems with IPSEC ESP
-# packets not being routed correctly on output, try setting this option to No
-# .
+# mark is restored only if it is non-zero. If you have problems with IPSEC
+# ESP packets not being routed correctly on output, try setting this option
+# to No.
#
SAVE_IPSETS=No
#
@@ -1523,6 +1530,20 @@
# Shorewall-generated scripts (such as created by the save command) built by
# Shorewall 4.4.7 or older.
#
+ZERO_MARKS=No
+#
+# ZERO_MARKS=[Yes|No]
+#
+# Added in Shorewall 5.0.12, this is a workaround for an issue where packet
+# marks are not zeroed by the kernel. It should be set to No (the default)
+# unless you find that incoming packets are being mis-routed for no apparent
+# reasons.
+#
+# Caution
+#
+# Do not set this option to Yes if you have IPSEC software running on the
+# firewall system.
+#
ZONE2ZONE=-
#
# ZONE2ZONE={2|-}
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/Samples6/Universal/policy.annotated shorewall6-5.0.12/Samples6/Universal/policy.annotated
--- shorewall6-5.0.11/Samples6/Universal/policy.annotated 2016-08-06 07:59:16.444642556 -0700
+++ shorewall6-5.0.12/Samples6/Universal/policy.annotated 2016-10-01 14:49:42.937270043 -0700
@@ -18,7 +18,7 @@
# This file determines what to do with a new connection request if we don't get a
# match from the /etc/shorewall6/rules file . For each source/destination pair,
# the file is processed in order until a match is found ("all" will match any
-# client or server).
+# source or destination).
#
# Important
#
@@ -38,7 +38,7 @@
# different name in parentheses, the different name is used in the alternate
# specification syntax).
#
-# SOURCE - zone|$FW|all|all+
+# SOURCE - zone[,...[+]]|$FW|all|all+
#
# Source zone. Must be the name of a zone defined in shorewall6-zones(5),
# $FW, "all" or "all+".
@@ -46,7 +46,12 @@
# Support for "all+" was added in Shorewall 4.5.17. "all" does not override
# the implicit intra-zone ACCEPT policy while "all+" does.
#
-# DEST - zone|$FW|all|all+
+# Beginning with Shorewall 5.0.12, multiple zones may be listed separated by
+# commas. As above, if '+' is specified after two or more zone names, then
+# the policy overrides the implicit intra-zone ACCEPT policy if the same zone
+# appears in both the SOURCE and DEST columns.
+#
+# DEST - zone[,...[+]]|$FW|all|all+
#
# Destination zone. Must be the name of a zone defined in shorewall6-zones
# (5), $FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE
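Review bot: The new paragraph explains what a trailing '+' does but not what happens without it, which is the case a reader is most likely to get wrong. As written, a zone listed in both SOURCE and DEST without '+' presumably keeps the implicit intra-zone ACCEPT, so a restrictive policy over a zone list would not cover traffic inside those zones. I would say so explicitly and add a one-line example with constructed zone names, e.g. `# Example: "loc,dmz+" in both columns also applies the policy to loc->loc and dmz->dmz.` It is also unclear from `zone[,...[+]]` and "two or more zone names" whether '+' is accepted after a single zone name. The same paragraph is added under DEST in the @@ -56,6 +61,11 @@ hunk.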
@@ -56,6 +61,11 @@
# Support for "all+" was added in Shorewall 4.5.17. "all" does not override
# the implicit intra-zone ACCEPT policy while "all+" does.
#
+# Beginning with Shorewall 5.0.12, multiple zones may be listed separated by
+# commas. As above, if '+' is specified after two or more zone names, then
+# the policy overrides the implicit intra-zone ACCEPT policy if the same zone
+# appears in both the SOURCE and DEST columns.
+#
# POLICY - {ACCEPT|DROP|REJECT|CONTINUE|QUEUE|NFQUEUE[(queuenumber1[:queuenumber2
# ])]|NONE}[:{default-action-or-macro[:level]|None}]
#
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/Samples6/Universal/rules.annotated shorewall6-5.0.12/Samples6/Universal/rules.annotated
--- shorewall6-5.0.11/Samples6/Universal/rules.annotated 2016-08-06 07:59:16.832639952 -0700
+++ shorewall6-5.0.12/Samples6/Universal/rules.annotated 2016-10-01 14:49:43.337670043 -0700
@@ -884,6 +884,12 @@
#
# Defines the ending time of day.
#
+# contiguous
+#
+# Added in Shoreawll 5.0.12. When timestop is smaller than timestart
+# value, match this as a single time period instead of distinct
+# intervals.
+#
# utc
#
# Times are expressed in Greenwich Mean Time.
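Review bot: The first added description line misspells the product name as "Shoreawll"; it should read `# Added in Shorewall 5.0.12. When timestop is smaller than timestart`. The same misspelling appears in the matching hunk for configfiles/mangle.annotated. The description would also benefit from a short example of a range that crosses midnight, because a time-restricted rule matches different hours with and without this option and the difference is not obvious from "single time period instead of distinct intervals".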
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/Samples6/Universal/shorewall6.conf shorewall6-5.0.12/Samples6/Universal/shorewall6.conf
--- shorewall6-5.0.11/Samples6/Universal/shorewall6.conf 2016-08-04 11:03:36.000000000 -0700
+++ shorewall6-5.0.12/Samples6/Universal/shorewall6.conf 2016-10-01 13:49:35.000000000 -0700
@@ -219,6 +219,8 @@
WORKAROUNDS=No
+ZERO_MARKS=No
+
ZONE2ZONE=-
###############################################################################
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/Samples6/Universal/shorewall6.conf.annotated shorewall6-5.0.12/Samples6/Universal/shorewall6.conf.annotated
--- shorewall6-5.0.11/Samples6/Universal/shorewall6.conf.annotated 2016-08-06 07:59:17.248637159 -0700
+++ shorewall6-5.0.12/Samples6/Universal/shorewall6.conf.annotated 2016-10-01 14:49:43.762094043 -0700
@@ -91,6 +91,9 @@
# and the dump command are piped through the named program when the output
# file is a terminal.
#
+# Beginning with Shorewall 5.0.12, the default value of this option is the
+# DEFAULT_PAGER setting in shorewallrc.
+#
###############################################################################
# L O G G I N G
###############################################################################
@@ -596,6 +599,9 @@
# continue to work and all new connections from the firewall system
# itself are allowed.
#
+# Note that the routestopped file is not supported in Shorewall 5.0 and
+# later versions.
+#
# stoppedrules
#
# All existing connections continue to work. To sever all existing
@@ -738,13 +744,13 @@
# CLEAR_TC=[Yes|No]
#
# If this option is set to No then Shorewall6 won't clear the current traffic
-# control rules during [re]start. This setting is intended for use by people
-# that prefer to configure traffic shaping when the network interfaces come
-# up rather than when the firewall is started. If that is what you want to
-# do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall6
-# /tcstart file. That way, your traffic shaping rules can still use the
-# “fwmark” classifier based on packet marking defined in shorewall6-tcrules
-# (5). If not specified, CLEAR_TC=No is assumed.
+# control rules during [re]start or reload. This setting is intended for use
+# by people that prefer to configure traffic shaping when the network
+# interfaces come up rather than when the firewall is started. If that is
+# what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply
+# an /etc/shorewall6/tcstart file. That way, your traffic shaping rules can
+# still use the “fwmark” classifier based on packet marking defined in
+# shorewall6-tcrules(5). If not specified, CLEAR_TC=No is assumed.
#
# Warning
#
@@ -786,10 +792,10 @@
#
# DELETE_THEN_ADD={Yes|No}
#
-# If set to Yes (the default value), entries in the /etc/shorewall6/
-# route_stopped files cause an 'ip rule del' command to be generated in
-# addition to an 'ip rule add' command. Setting this option to No, causes the
-# 'ip rule del' command to be omitted.
+# If set to Yes (the default value), entries in the /etc/shorewall6/rtrules
+# file cause an 'ip rule del' command to be generated in addition to an 'ip
+# rule add' command. Setting this option to No, causes the 'ip rule del'
+# command to be omitted.
#
DONT_LOAD=
#
@@ -849,7 +855,8 @@
# commands), the compiler will copy the modules or helpers file from the
# administrative system into the script. When set to No or not specified, the
# compiler will not copy the modules or helpers file from /usr/share/
-# shorewall6 but will copy the found in another location on the CONFIG_PATH.
+# shorewall6 but will copy those found in another location on the
+# CONFIG_PATH.
#
# When compiling for direct use by Shorewall6, causes the contents of the
# local module or helpers file to be copied into the compiled script. When
@@ -874,8 +881,8 @@
#
# FORWARD_CLEAR_MARK={Yes|No}
#
-# Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has cleared the
-# packet mark in the first rule in the mangle FORWARD chain. This behavior is
+# Added in Shorewall 4.4.11. Traditionally, Shorewall has cleared the packet
+# mark in the first rule in the mangle FORWARD chain. This behavior is
# maintained with the default setting of this option (FORWARD_CLEAR_MARK=
# Yes). If FORWARD_CLEAR_MARK is set to 'No', packet marks set in the mangle
# PREROUTING chain are retained in the FORWARD chains.
@@ -1260,18 +1267,18 @@
# #TARGET SOURCE DEST PROTO
# Broadcast(DROP) - - -
# DROP - - 2
-# INLINE - - 6 ; -j REJECT --reject-with tcp-reset
+# INLINE - - 6 ;; -j REJECT --reject-with tcp-reset
# ?if __ENHANCED_REJECT
-# INLINE - - 17 ; -j REJECT
+# INLINE - - 17 ;; -j REJECT
# ?if __IPV4
-# INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable
-# INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited
+# INLINE - - 1 ;; -j REJECT --reject-with icmp-host-unreachable
+# INLINE - - - ;; -j REJECT --reject-with icmp-host-prohibited
# ?else
-# INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable
-# INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited
+# INLINE - - 58 ;; -j REJECT --reject-with icmp6-addr-unreachable
+# INLINE - - - ;; -j REJECT --reject-with icmp6-adm-prohibited
# ?endif
# ?else
-# INLINE - - - ; -j REJECT
+# INLINE - - - ;; -j REJECT
# ?endif
#
REQUIRE_INTERFACE=Yes
@@ -1301,9 +1308,9 @@
# Added in Shorewall 4.5.9. When set to Yes (the default), provider marks are
# restored unconditionally at the top of the mangle OUTPUT and PREROUTING
# chains, even if the saved mark is zero. When this option is set to No, the
-# mark is restored even when it is zero. If you have problems with IPSEC ESP
-# packets not being routed correctly on output, try setting this option to No
-# .
+# mark is restored only if it is non-zero. If you have problems with IPSEC
+# ESP packets not being routed correctly on output, try setting this option
+# to No.
#
SAVE_IPSETS=No
#
@@ -1523,6 +1530,20 @@
# Shorewall-generated scripts (such as created by the save command) built by
# Shorewall 4.4.7 or older.
#
+ZERO_MARKS=No
+#
+# ZERO_MARKS=[Yes|No]
+#
+# Added in Shorewall 5.0.12, this is a workaround for an issue where packet
+# marks are not zeroed by the kernel. It should be set to No (the default)
+# unless you find that incoming packets are being mis-routed for no apparent
+# reasons.
+#
+# Caution
+#
+# Do not set this option to Yes if you have IPSEC software running on the
+# firewall system.
+#
ZONE2ZONE=-
#
# ZONE2ZONE={2|-}
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/shorewall6.spec shorewall6-5.0.12/shorewall6.spec
--- shorewall6-5.0.11/shorewall6.spec 2016-08-06 07:57:47.273241152 -0700
+++ shorewall6-5.0.12/shorewall6.spec 2016-10-01 14:48:18.601018043 -0700
@@ -1,5 +1,5 @@
%define name shorewall6
-%define version 5.0.11
+%define version 5.0.12
%define release 0base
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
@@ -119,6 +119,18 @@
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
%changelog
+* Sat Oct 01 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.12-0base
+* Sat Oct 01 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.12-0RC3
+* Tue Sep 27 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.12-0RC2
+* Tue Sep 20 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.12-0RC1
+* Tue Sep 13 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.12-0Beta2
+* Sat Aug 13 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.12-0Beta1
* Sat Aug 06 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.11-0base
* Sat Jul 30 2016 Tom Eastep tom@shorewall.net
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/shorewallrc.apple shorewall6-5.0.12/shorewallrc.apple
--- shorewall6-5.0.11/shorewallrc.apple 2016-08-06 07:57:47.273241152 -0700
+++ shorewall6-5.0.12/shorewallrc.apple 2016-10-01 14:48:18.609026043 -0700
@@ -19,3 +19,4 @@
SYSCONFDIR= #Unused on OS X
SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
VARLIB=/var/lib #Unused on OS X
+DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/shorewallrc.archlinux shorewall6-5.0.12/shorewallrc.archlinux
--- shorewall6-5.0.11/shorewallrc.archlinux 2016-08-06 07:57:47.273241152 -0700
+++ shorewall6-5.0.12/shorewallrc.archlinux 2016-10-01 14:48:18.609026043 -0700
@@ -20,3 +20,4 @@
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
+DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/shorewallrc.cygwin shorewall6-5.0.12/shorewallrc.cygwin
--- shorewall6-5.0.11/shorewallrc.cygwin 2016-08-06 07:57:47.273241152 -0700
+++ shorewall6-5.0.12/shorewallrc.cygwin 2016-10-01 14:48:18.609026043 -0700
@@ -19,3 +19,4 @@
SYSCONFDIR= #Unused on Cygwin
SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
VARLIB=/var/lib #Unused on Cygwin
+DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/shorewallrc.debian.systemd shorewall6-5.0.12/shorewallrc.debian.systemd
--- shorewall6-5.0.11/shorewallrc.debian.systemd 2016-08-06 07:57:47.273241152 -0700
+++ shorewall6-5.0.12/shorewallrc.debian.systemd 2016-10-01 14:48:18.609026043 -0700
@@ -21,3 +21,4 @@
SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
+DEFAULT_PAGER=/usr/bin/less #Pager to use if none specified in shorewall[6].conf
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/shorewallrc.debian.sysvinit shorewall6-5.0.12/shorewallrc.debian.sysvinit
--- shorewall6-5.0.11/shorewallrc.debian.sysvinit 2016-08-06 07:57:47.273241152 -0700
+++ shorewall6-5.0.12/shorewallrc.debian.sysvinit 2016-10-01 14:48:18.609026043 -0700
@@ -21,3 +21,4 @@
SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
+DEFAULT_PAGER=/usr/bin/less #Pager to use if none specified in shorewall[6].conf
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/shorewallrc.default shorewall6-5.0.12/shorewallrc.default
--- shorewall6-5.0.11/shorewallrc.default 2016-08-06 07:57:47.273241152 -0700
+++ shorewall6-5.0.12/shorewallrc.default 2016-10-01 14:48:18.609026043 -0700
@@ -21,3 +21,4 @@
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
+DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/shorewallrc.openwrt shorewall6-5.0.12/shorewallrc.openwrt
--- shorewall6-5.0.11/shorewallrc.openwrt 2016-08-06 07:57:47.273241152 -0700
+++ shorewall6-5.0.12/shorewallrc.openwrt 2016-10-01 14:48:18.609026043 -0700
@@ -21,3 +21,4 @@
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
+DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/shorewallrc.redhat shorewall6-5.0.12/shorewallrc.redhat
--- shorewall6-5.0.11/shorewallrc.redhat 2016-08-06 07:57:47.273241152 -0700
+++ shorewall6-5.0.12/shorewallrc.redhat 2016-10-01 14:48:18.609026043 -0700
@@ -21,3 +21,4 @@
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
+DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/shorewallrc.slackware shorewall6-5.0.12/shorewallrc.slackware
--- shorewall6-5.0.11/shorewallrc.slackware 2016-08-06 07:57:47.273241152 -0700
+++ shorewall6-5.0.12/shorewallrc.slackware 2016-10-01 14:48:18.609026043 -0700
@@ -22,3 +22,4 @@
ANNOTATED= #If non-empty, install annotated configuration files
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
+DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/shorewallrc.suse shorewall6-5.0.12/shorewallrc.suse
--- shorewall6-5.0.11/shorewallrc.suse 2016-08-06 07:57:47.273241152 -0700
+++ shorewall6-5.0.12/shorewallrc.suse 2016-10-01 14:48:18.609026043 -0700
@@ -21,3 +21,4 @@
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where persistent product data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
+DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall6-5.0.11/uninstall.sh shorewall6-5.0.12/uninstall.sh
--- shorewall6-5.0.11/uninstall.sh 2016-08-06 07:57:47.269241178 -0700
+++ shorewall6-5.0.12/uninstall.sh 2016-10-01 14:48:18.601018043 -0700
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=5.0.11
+VERSION=5.0.12
PRODUCT=shorewall6
Product=Shorewall6