diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.11/changelog.txt shorewall-init-5.0.12/changelog.txt --- shorewall-init-5.0.11/changelog.txt 2016-08-06 07:57:47.329240776 -0700 +++ shorewall-init-5.0.12/changelog.txt 2016-10-01 14:48:18.641058043 -0700 @@ -1,3 +1,61 @@ +Changes in 5.0.12 Final + +1) Update release documents. + +2) Correct permissions of files created by the 'save' command. + +Changes in 5.0.12 RC 3 + +1) Update release documents. + +2) Correct disabled persistent' WRT start, restart and reload. + +3) Don't assume that all probability-balanced interfaces are optional. + +Changes in 5.0.12 RC 2 + +1) Update release documents. + +2) Handle down or missing interfaces in the disable logic. + +Changes in 5.0.12 RC 1 + +1) Update release documents. + +2) Add DEFAULT_PAGER to shorewallrc. + +3) Add support for the 'contiguous' time option. + +4) Clear packet marks in PREROUTING and OUTPUT. + +Changes in 5.0.12 Beta 2 + +1) Update release documents. + +2) Restore 'use Shorewall::Config(shorewall)' in ?PERL handling. + +3) Make POSTROUTING the default chain for CHECKSUM. + +Changes in 5.0.12 Beta 1 + +1) Update release documents. + +2) Minor cleanup in the Rules module + +3) Allow zone lists in policy SOURCE and DEST columns. + +Changes in 5.0.11 Final + +1) Update release documents. + +Changes in 5.0.11 RC 1 + +1) Update release documents. + +2) Update module versions. + +3) Allow provider interface to match wildcard interfaces entry. + Changes in 5.0.11 Beta 2 1) Update release documents diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.11/configure shorewall-init-5.0.12/configure --- shorewall-init-5.0.11/configure 2016-08-06 07:57:47.321240829 -0700 +++ shorewall-init-5.0.12/configure 2016-10-01 14:48:18.629046043 -0700 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.0.11 +VERSION=5.0.12 case "$BASH_VERSION" in [4-9].*) 
@@ -235,7 +235,8 @@ SPARSE \ ANNOTATED \ VARLIB \ - VARDIR + VARDIR \ + DEFAULT_PAGER do echo "$on=${options[${on}]}" echo "$on=${options[${on}]}" >> shorewallrc diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.11/configure.pl shorewall-init-5.0.12/configure.pl --- shorewall-init-5.0.11/configure.pl 2016-08-06 07:57:47.325240803 -0700 +++ shorewall-init-5.0.12/configure.pl 2016-10-01 14:48:18.633050043 -0700 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.0.11' + VERSION => '5.0.12' }; my %params; @@ -209,7 +209,8 @@ SPARSE ANNOTATED VARLIB - VARDIR / ) { + VARDIR + DEFAULT_PAGER / ) { my $val = $options{$_} || ''; diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.11/install.sh shorewall-init-5.0.12/install.sh --- shorewall-init-5.0.11/install.sh 2016-08-06 07:57:47.313240884 -0700 +++ shorewall-init-5.0.12/install.sh 2016-10-01 14:48:18.625042043 -0700 @@ -27,7 +27,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=5.0.11 +VERSION=5.0.12 PRODUCT=shorewall-init Product="Shorewall Init" diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.11/releasenotes.txt shorewall-init-5.0.12/releasenotes.txt --- shorewall-init-5.0.11/releasenotes.txt 2016-08-06 07:57:47.329240776 -0700 +++ shorewall-init-5.0.12/releasenotes.txt 2016-10-01 14:48:18.641058043 -0700 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 0 . 1 1 + S H O R E W A L L 5 . 0 . 1 2 ---------------------------- - A u g u s t 1 2 , 2 0 1 6 + O c t o b e r 0 3 , 2 0 1 6 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,27 +14,48 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) This release contains defect repair through Shorewall 5.0.10.1. +1) Minor cleanup, mostly commentary, in the Rules.pm module. -2) In Shorewall 5.0, the default chain for DSCP rules was - inadvertently chained to PREROUTING (FORWARD, if - MARK_IN_FORWARD_CHAIN=Yes). +2) In Shorewall 5.0.7, The assumed 'use Shorewall::Config(shorewall)' + statement in ?PERL and ?BEGIN PERL...?END PERL handling was + inadvertently removed. This results in Perl compilation errors if + the 'shorewall' function is invoked. The statement has now been + restored. - The default is now restored to POSTROUTING, its earlier value. +3) Previously, the firewall would fail to start if the configuration + contained a CHECKSUM rule without a chain designator and + MARK_IN_FORWARD_CHAIN=No. Now, the compiler defaults these rules to + the POSTROUTING chain and forbids them in the PREROUTING chain. -3) When 'trace' was specified, prevously the output of ip[6]tables - rules containing a comment were displayed incorrectly. The "-m - comment --comment" specification was missing and the comment was - not enclosed in double quotes. This has been corrected. +4) Recently, a case was observed where certain incoming packets had a + non-zero packet mark in the raw PREROUTING chain, causing them to + be misrouted. To guard against this issue, packet marks are now + cleared at the top of the PREROUTING and OUTPUT mangle chains when + the new ZERO_MARKS option is set to yes. Note that ZERO_MARKS=Yes + can break IPSEC in multi-ISP configurations. -4) Previously, if a provider interface matched only a wildcard entry - (one whose physical interface name ended in '+'), then the - generated script would always find the interface to be - unusable. That has been corrected. 
+5) Two distinct problems have been corrected in the 'disable' + command logic: -5) A change released in 5.0.9.1 and that allowed simple traffic - shaping to support more than 9 interfaces prevented some users' - configurations from starting. That has been corrected. + a) If a balanced or fallback interface was down or had been + deleted, then the 'disable' command could fail. + + b) If a persistent optional interface was down, then the + generated script would fail when it attempted to add routes out + of the interface. + +6) Previously, the generated script would attempt to reenable a + disabled persistent provider at each 'start', 'reload' or + 'restart'. Now, disabled persistent providers are handled the same + as other providers and require the 'enable' or 'reenable' command + to enable them. + +7) Previously, the generated script assumed that all + probability-balanced providers (those with the 'load' option + specified) were optional. That assumption has been removed. + +8) Previously, the permissions of files created by the 'save' command + were more relaxed than necessary. This has been corrected. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -51,21 +72,69 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) When using the alternate input form, it is now possible to specify - a comment to be attached to the generated ip[6]tables rule. Simply - use the 'comment' keyword. If the comment contains embedded white - space, then it must be enclosed in double quotes. Any double - quotes embedded in the comment must be escaped using a backslash. +1) You may now place comma-separated zone lists in the SOURCE and DEST + columns in /etc/shorewall[6]/policy. Example: - ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" } + #SOURCE DEST POLICY ... + loc,dmz net REJECT -2) OPTIMIZE level 16 no longer deletes duplicate COUNT rules, allowing - multiple similar COUNT rules in a chain. + That line is equivalent to: -3) Beginning with this release, source RPMs are available on the - download sites. + #SOURCE DEST POLICY ... + loc net REJECT + loc dmz REJECT + + If the same zone appears in both columns, the default ACCEPT + intrazone policy is not overridden unless the list is followed + immediately by '+'. + + Example: + + #SOURCE DEST POLICY ... + dmz,loc loc,dmz+ REJECT + + That line is equivalent to: + + #SOURCE DEST POLICY ... + dmz loc REJECT + dmz dmz REJECT + loc loc REJECT + loc dmz REJECT + + Without the plus sine, it would be equivalent to + + #SOURCE DEST POLICY ... + dmz loc REJECT + loc dmz REJECT + +2) Distribution maintainers may now set a default pager via the + configure and configure.pl programs in Shorewall-core to set + DEFAULT_PAGER in the generated shorewallrc file. The + Shorewall-provided shorewallrc files for Debian currently specify + 'less' for DEFAULT_PAGER. The other shorewallrc files do not + specify DEFAULT_PAGER. + + If shorewall[6].conf does not specify PAGER then the DEFAULT_PAGER + setting is used. + +3) The 'contiguous' option is now supported in TIME columns. 
When the + 'timestop' value is smaller than the 'timestart' value, match this + as a single time period instead distinct intervals. + + Example: + + weekdays=Mo×tart=23:00×top=01:00 + + Will match Monday, for one hour from midnight to 1 a.m., and + then again for another hour from 23:00 onwards. If this is + unwanted, e.g. if you would like 'match for two hours from + Monday 23:00 onwards' you need to also specify the 'contiguous' + option in the example above. + + See http://www.shorewall.org/configuration_file_basics.htm#TIME for + additional TIME column examples. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S @@ -214,7 +283,7 @@ these requests, so they are simply logged and dropped. IMPORTANT: If you want to continue to reject Auth requests, you - can do so by chaning your DROP_DEFAULT setting to make the second + can do so by changing your DROP_DEFAULT setting to make the second parameter REJECT. For example, if you currently have: DROP_DEFAULT=Drop 
@@ -226,6 +295,52 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 0 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 0 . 1 1 +---------------------------------------------------------------------------- + +1) This release contains defect repair through Shorewall 5.0.10.1. + +2) In Shorewall 5.0, the default chain for DSCP rules was + inadvertently chained to PREROUTING (FORWARD, if + MARK_IN_FORWARD_CHAIN=Yes). + + The default is now restored to POSTROUTING, its earlier value. + +3) When 'trace' was specified, previously the output of ip[6]tables + rules containing a comment were displayed incorrectly. The "-m + comment --comment" specification was missing and the comment was + not enclosed in double quotes. This has been corrected. + +4) Previously, if a provider interface matched only a wildcard entry + (one whose physical interface name ended in '+'), then the + generated script would always find the interface to be + unusable. That has been corrected. + +5) A change released in 5.0.9.1 and that allowed simple traffic + shaping to support more than 9 interfaces prevented some users' + configurations from starting. That has been corrected. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 0 . 1 1 +---------------------------------------------------------------------------- + +1) When using the alternate input form, it is now possible to specify + a comment to be attached to the generated ip[6]tables rule. Simply + use the 'comment' keyword. If the comment contains embedded white + space, then it must be enclosed in double quotes. Any double + quotes embedded in the comment must be escaped using a backslash. 
+ + Example: + + ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" } + +2) OPTIMIZE level 16 no longer deletes duplicate COUNT rules, allowing + multiple similar COUNT rules in a chain. + +3) Beginning with this release, source RPMs are available on the + download sites. + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 0 . 1 0 ---------------------------------------------------------------------------- diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.11/shorewall-init.spec shorewall-init-5.0.12/shorewall-init.spec --- shorewall-init-5.0.11/shorewall-init.spec 2016-08-06 07:57:47.321240829 -0700 +++ shorewall-init-5.0.12/shorewall-init.spec 2016-10-01 14:48:18.629046043 -0700 @@ -1,5 +1,5 @@ %define name shorewall-init -%define version 5.0.11 +%define version 5.0.12 %define release 0base Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). @@ -135,6 +135,18 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Sat Oct 01 2016 Tom Eastep tom@shorewall.net +- Updated to 5.0.12-0base +* Sat Oct 01 2016 Tom Eastep tom@shorewall.net +- Updated to 5.0.12-0RC3 +* Tue Sep 27 2016 Tom Eastep tom@shorewall.net +- Updated to 5.0.12-0RC2 +* Tue Sep 20 2016 Tom Eastep tom@shorewall.net +- Updated to 5.0.12-0RC1 +* Tue Sep 13 2016 Tom Eastep tom@shorewall.net +- Updated to 5.0.12-0Beta2 +* Sat Aug 13 2016 Tom Eastep tom@shorewall.net +- Updated to 5.0.12-0Beta1 * Sat Aug 06 2016 Tom Eastep tom@shorewall.net - Updated to 5.0.11-0base * Sat Jul 30 2016 Tom Eastep tom@shorewall.net diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.11/shorewallrc.apple shorewall-init-5.0.12/shorewallrc.apple --- shorewall-init-5.0.11/shorewallrc.apple 2016-08-06 07:57:47.321240829 -0700 +++ shorewall-init-5.0.12/shorewallrc.apple 2016-10-01 14:48:18.629046043 -0700 
@@ -19,3 +19,4 @@ SYSCONFDIR= #Unused on OS X SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR. VARLIB=/var/lib #Unused on OS X +DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.11/shorewallrc.archlinux shorewall-init-5.0.12/shorewallrc.archlinux --- shorewall-init-5.0.11/shorewallrc.archlinux 2016-08-06 07:57:47.321240829 -0700 +++ shorewall-init-5.0.12/shorewallrc.archlinux 2016-10-01 14:48:18.629046043 -0700 @@ -20,3 +20,4 @@ SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR VARLIB=/var/lib #Directory where product variable data is stored. VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. +DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.11/shorewallrc.cygwin shorewall-init-5.0.12/shorewallrc.cygwin --- shorewall-init-5.0.11/shorewallrc.cygwin 2016-08-06 07:57:47.321240829 -0700 +++ shorewall-init-5.0.12/shorewallrc.cygwin 2016-10-01 14:48:18.629046043 -0700 @@ -19,3 +19,4 @@ SYSCONFDIR= #Unused on Cygwin SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR. VARLIB=/var/lib #Unused on Cygwin +DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.11/shorewallrc.debian.systemd shorewall-init-5.0.12/shorewallrc.debian.systemd --- shorewall-init-5.0.11/shorewallrc.debian.systemd 2016-08-06 07:57:47.321240829 -0700 +++ shorewall-init-5.0.12/shorewallrc.debian.systemd 2016-10-01 14:48:18.629046043 -0700 
@@ -21,3 +21,4 @@ SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR VARLIB=/var/lib #Directory where product variable data is stored. VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. +DEFAULT_PAGER=/usr/bin/less #Pager to use if none specified in shorewall[6].conf diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.11/shorewallrc.debian.sysvinit shorewall-init-5.0.12/shorewallrc.debian.sysvinit --- shorewall-init-5.0.11/shorewallrc.debian.sysvinit 2016-08-06 07:57:47.321240829 -0700 +++ shorewall-init-5.0.12/shorewallrc.debian.sysvinit 2016-10-01 14:48:18.629046043 -0700 @@ -21,3 +21,4 @@ SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR VARLIB=/var/lib #Directory where product variable data is stored. VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. +DEFAULT_PAGER=/usr/bin/less #Pager to use if none specified in shorewall[6].conf diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.11/shorewallrc.default shorewall-init-5.0.12/shorewallrc.default --- shorewall-init-5.0.11/shorewallrc.default 2016-08-06 07:57:47.321240829 -0700 +++ shorewall-init-5.0.12/shorewallrc.default 2016-10-01 14:48:18.629046043 -0700 @@ -21,3 +21,4 @@ SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR VARLIB=/var/lib #Directory where product variable data is stored. VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. +DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.11/shorewallrc.openwrt shorewall-init-5.0.12/shorewallrc.openwrt --- shorewall-init-5.0.11/shorewallrc.openwrt 2016-08-06 07:57:47.321240829 -0700 +++ shorewall-init-5.0.12/shorewallrc.openwrt 2016-10-01 14:48:18.629046043 -0700 
@@ -21,3 +21,4 @@ SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR VARLIB=/lib #Directory where product variable data is stored. VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. +DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.11/shorewallrc.redhat shorewall-init-5.0.12/shorewallrc.redhat --- shorewall-init-5.0.11/shorewallrc.redhat 2016-08-06 07:57:47.321240829 -0700 +++ shorewall-init-5.0.12/shorewallrc.redhat 2016-10-01 14:48:18.629046043 -0700 @@ -21,3 +21,4 @@ SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR VARLIB=/var/lib #Directory where product variable data is stored. VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. +DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.11/shorewallrc.slackware shorewall-init-5.0.12/shorewallrc.slackware --- shorewall-init-5.0.11/shorewallrc.slackware 2016-08-06 07:57:47.321240829 -0700 +++ shorewall-init-5.0.12/shorewallrc.slackware 2016-10-01 14:48:18.629046043 -0700 @@ -22,3 +22,4 @@ ANNOTATED= #If non-empty, install annotated configuration files VARLIB=/var/lib #Directory where product variable data is stored. VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. +DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.11/shorewallrc.suse shorewall-init-5.0.12/shorewallrc.suse --- shorewall-init-5.0.11/shorewallrc.suse 2016-08-06 07:57:47.321240829 -0700 +++ shorewall-init-5.0.12/shorewallrc.suse 2016-10-01 14:48:18.629046043 -0700 
@@ -21,3 +21,4 @@ SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR VARLIB=/var/lib #Directory where persistent product data is stored. VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. +DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-init-5.0.11/uninstall.sh shorewall-init-5.0.12/uninstall.sh --- shorewall-init-5.0.11/uninstall.sh 2016-08-06 07:57:47.317240856 -0700 +++ shorewall-init-5.0.12/uninstall.sh 2016-10-01 14:48:18.629046043 -0700 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.0.11 +VERSION=5.0.12 PRODUCT=shorewall-init Product="Shorewall Init"
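Review bot: In the changelog.txt hunk, the 5.0.12 RC 3 entry "Correct disabled persistent' WRT start, restart and reload." carries a stray apostrophe and omits what was corrected; it should read along the lines of "Correct handling of disabled persistent providers WRT start, restart and reload." to match item 6 of the release notes. The Beta 1 entry "Minor cleanup in the Rules module" is also missing its terminating period, unlike the surrounding entries.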
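Review bot: In the configure hunk, DEFAULT_PAGER is appended to the list that is written out with `echo "$on=${options[${on}]}" >> shorewallrc`, which emits the value unquoted; a pager setting that contains a space (a command with flags) would then break when shorewallrc is later sourced by the shell. Either quote the emitted value or document in the shorewallrc comment that DEFAULT_PAGER must be a single path. The same applies to the parallel configure.pl hunk, where `my $val = $options{$_} || '';` is written without quoting. Related: the shorewallrc.debian.systemd and shorewallrc.debian.sysvinit hunks use the absolute path /usr/bin/less, which is preferable to a bare command name for a program launched by a tool normally run as root; stating that expectation in the "#Pager to use if none specified in shorewall[6].conf" comment would keep the other distributions' files consistent when maintainers fill them in.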
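Review bot: In the releasenotes.txt "PROBLEMS CORRECTED" hunk, item 4 says marks are cleared "when the new ZERO_MARKS option is set to yes" but never states the default, while the matching changelog entry "Clear packet marks in PREROUTING and OUTPUT" reads as unconditional; the release note should say explicitly that ZERO_MARKS defaults to No (if that is the case) so that readers of the changelog do not expect the behaviour change, and the IPSEC caveat should mention the interaction in one more sentence. Item 8 ("permissions of files created by the 'save' command were more relaxed than necessary") should state the new mode so administrators can audit previously saved files, which hold the full ruleset. Minor: item 2 has "In Shorewall 5.0.7, The assumed" with a capital T mid-sentence.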
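Review bot: In the releasenotes.txt "NEW FEATURES" hunk, the TIME example "weekdays=Mo×tart=23:00×top=01:00" has been mangled by HTML entity rendering (`&timestart` and `&timestop` became `&times;` followed by "tart"/"top"); given the surrounding text names the 'timestart' and 'timestop' values, it should read `weekdays=Mo&timestart=23:00&timestop=01:00`. Two typos in the same hunk: "Without the plus sine" should be "plus sign", and "as a single time period instead distinct intervals" is missing "of".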
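Review bot: In the shorewall-init.spec hunk, the 0base and 0RC3 %changelog entries both carry "Sat Oct 01 2016", while the releasenotes.txt header hunk dates the release "October 03, 2016"; one of the two should be adjusted so the packaged changelog and the release notes agree on the final release date.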