diff -Naurd -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.14/changelog.txt shorewall-core-5.0.15/changelog.txt
--- shorewall-core-5.0.14/changelog.txt 2016-11-03 15:07:35.450680704 -0700
+++ shorewall-core-5.0.15/changelog.txt 2016-12-02 15:21:56.472615101 -0800
@@ -1,3 +1,31 @@
+Changes in 5.0.15 Final
+
+1) Update release documents.
+
+2) Correct 'restore' exit status
+
+3) Correct optimizer defect in merge_rules().
+
+Changes in 5.0.15 RC 2
+
+1) Update release documents.
+
+2) Correct syntax error in Providers.pm.
+
+Changes in 5.0.15 RC 1
+
+1) Update release documents.
+
+2) Use $PAGER in 'show macro'.
+
+3) Implement the -p option
+
+Changes in 5.0.15 Beta 1
+
+1) Update release documents.
+
+2) Preserve shell variables over 'update'.
+
Changes in 5.0.14 Final
1) Update release documents.
diff -Naurd -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.14/configure shorewall-core-5.0.15/configure
--- shorewall-core-5.0.14/configure 2016-11-03 15:07:34.562685407 -0700
+++ shorewall-core-5.0.15/configure 2016-12-02 15:21:56.368614782 -0800
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=5.0.14
+VERSION=5.0.15
case "$BASH_VERSION" in
[4-9].*)
diff -Naurd -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.14/configure.pl shorewall-core-5.0.15/configure.pl
--- shorewall-core-5.0.14/configure.pl 2016-11-03 15:07:34.566685386 -0700
+++ shorewall-core-5.0.15/configure.pl 2016-12-02 15:21:56.368614782 -0800
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '5.0.14'
+ VERSION => '5.0.15'
};
my %params;
diff -Naurd -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.14/install.sh shorewall-core-5.0.15/install.sh
--- shorewall-core-5.0.14/install.sh 2016-11-03 15:07:34.558685429 -0700
+++ shorewall-core-5.0.15/install.sh 2016-12-02 15:21:56.364614770 -0800
@@ -22,7 +22,7 @@
# along with this program; if not, see .
#
-VERSION=5.0.14
+VERSION=5.0.15
PRODUCT=shorewall-core
Product="Shorewall Core"
diff -Naurd -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.14/lib.cli shorewall-core-5.0.15/lib.cli
--- shorewall-core-5.0.14/lib.cli 2016-11-03 15:06:38.000000000 -0700
+++ shorewall-core-5.0.15/lib.cli 2016-12-02 14:47:03.000000000 -0800
@@ -949,7 +949,7 @@
for file in /proc/net/xt_recent/*; do
base=$(basename $file)
- if [ $base != %CURRENTTIME ]; then
+ if [ "$base" != %CURRENTTIME -a "$base" != "*" ]; then
echo $base
show_event $base
echo
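Review bot: The new test quotes `"$base"`, but the lines around it still expand `$file` and `$base` unquoted (`basename $file`, `echo $base`, `show_event $base`). Entry names under /proc/net/xt_recent presumably come from the names given in rules, so a name containing whitespace or glob characters would be split or expanded before it reaches show_event. I would quote all three, e.g. `base=$(basename "$file")` and `show_event "$base"`. The unmatched-glob case reads more directly as `[ -e "$file" ] || continue` at the top of the loop than as a comparison with a literal `"*"`. The enclosing function starts and ends outside this hunk.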
@@ -1161,6 +1161,11 @@
done
}
+show_a_macro() {
+ echo "Shorewall $SHOREWALL_VERSION Macro $1 at $g_hostname - $(date)"
+ cat ${directory}/macro.$1
+}
+
#
# Show Command Executor
#
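Review bot: show_a_macro reads `${directory}`, which it neither receives as an argument nor declares; it only works because the caller's `for directory in $(split $CONFIG_PATH)` loop has set it. That coupling should be stated in a header comment such as `# Display macro $1; expects $directory to be set by the caller's CONFIG_PATH loop`. Alternatively, pass the directory as a second parameter. The path should also be quoted, `cat "${directory}/macro.$1"`, so a directory or macro name containing whitespace is not split.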
@@ -1441,8 +1446,7 @@
[ $# -ne 2 ] && too_many_arguments $2
for directory in $(split $CONFIG_PATH); do
if [ -f ${directory}/macro.$2 ]; then
- echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)"
- cat ${directory}/macro.$2
+ eval show_a_macro $2 $g_pager
return
fi
done
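Review bot: In `eval show_a_macro $2 $g_pager` the macro name is expanded before eval parses the line, so whatever the user typed as `$2` is re-read as shell syntax rather than passed as a single argument. The preceding `[ -f ${directory}/macro.$2 ]` test only requires that a matching file exists and does not constrain the characters in the name. Keeping the expansion inside the evaluated text avoids the second parse of the name: `eval show_a_macro '"$2"' $g_pager`. Only `$g_pager` needs to go through eval here, since it carries the `| pager` suffix built during initialization. The surrounding case branch starts and ends outside this hunk.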
@@ -1805,6 +1809,7 @@
restore_command() {
local finished
finished=0
+ local result
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
@@ -1869,8 +1874,11 @@
progress_message3 "Restoring $g_product..."
run_it $g_restorepath restore && progress_message3 "$g_product restored from ${VARDIR}/$RESTOREFILE"
+ result=$?
[ -n "$g_nolock" ] || mutex_off
+
+ exit $result
else
echo "File $g_restorepath: file not found"
[ -n "$g_nolock" ] || mutex_off
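Review bot: `result=$?` captures the status of the whole `run_it ... && progress_message3 ...` list, not of run_it alone. If progress_message3 can return non-zero (its body is not visible here), a successful restore would be reported as a failure. For a command whose exit status callers use to decide whether the firewall state was restored, I would record the status directly: `run_it $g_restorepath restore; result=$?` followed by `[ $result -eq 0 ] && progress_message3 "$g_product restored from ${VARDIR}/$RESTOREFILE"`. The "file not found" branch calls mutex_off, but its exit status lies past the end of this hunk, so it is worth confirming that it also exits non-zero. restore_command starts and ends outside the hunk.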
@@ -3992,24 +4000,26 @@
g_loopback=$(find_loopback_interfaces)
- [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
+ if [ -z "$g_nopager" ]; then
+ [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
- if [ -n "$PAGER" -a -t 1 ]; then
- case $PAGER in
- /*)
- g_pager="$PAGER"
- [ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
- ;;
- *)
- g_pager=$(mywhich $PAGER 2> /dev/null)
- [ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
- ;;
- esac
+ if [ -n "$PAGER" -a -t 1 ]; then
+ case $PAGER in
+ /*)
+ g_pager="$PAGER"
+ [ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
+ ;;
+ *)
+ g_pager=$(mywhich $PAGER 2> /dev/null)
+ [ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
+ ;;
+ esac
- [ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
+ [ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
- g_pager="| $g_pager"
- fi
+ g_pager="| $g_pager"
+ fi
+ fi
if [ -n "$DYNAMIC_BLACKLIST" ]; then
setup_dbl
@@ -4357,6 +4367,7 @@
g_loopback=
g_compiled=
g_pager=
+ g_nopager=
g_blacklistipset=
g_disconnect=
@@ -4453,6 +4464,11 @@
g_timestamp=Yes
option=${option#t}
;;
+ p*)
+ g_nopager=Yes
+ option=${option#p}
+ ;;
+
-)
finished=1
option=
diff -Naurd -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.14/releasenotes.txt shorewall-core-5.0.15/releasenotes.txt
--- shorewall-core-5.0.14/releasenotes.txt 2016-11-03 15:07:35.454680685 -0700
+++ shorewall-core-5.0.15/releasenotes.txt 2016-12-02 15:21:56.472615101 -0800
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 5 . 0 . 1 4 R C 3
+ S H O R E W A L L 5 . 0 . 1 5
------------------------------
- N o v e m b e r 0 1, 2 0 1 6
+ D e c e m b e r 0 5, 2 0 1 6
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,47 +14,42 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) This release includes defect repair up through Shorewall 5.0.13.4.
+1) This release includes defect repair through Shorewall 5.0.14.1.
-2) When the address variable for an optional interface was used, and
- the interface did not have an IP address when the firewall was
- started, then enabling the interface did not previously
- create/alter the rules that use the address variable. Also, if the
- IP address of a disabled interface changed, enabling the interface
- did not update/add rules using the interface's gateway address
- variable.
+2) Previously, when the 'update' command transformed a superseded
+ file's contents into a newer file, with the exception of the
+ 'notrack' -> 'conntrack' conversion, the transformation was
+ incomplete:
- Now, if the IP address of a disabled optional interface
- changes from its value (if any) when the netfilter ruleset was
- instantiated, then after a successful 'enable', the ruleset is
- automatically reloaded if the interface's address variable was
- used.
+ a) All shell variables were expanded in the converted file.
- Similarly, if 'detect' is specified as the GATEWAY for an optional
- provider, then if the gateway at the time that the provider is
- successfully enabled is different from that (if any) when the
- netfilter ruleset was instantiated, then the ruleset is
- automatically reloaded if the provider interface's run-time gateway
- variable was used.
+ b) Any lines omitted by compiler directives ( ?if.... etc. ) were
+ also omitted from the converted file.
- As part of this change, if an IP address is specified as the
- GATEWAY for a provider, then the run-time gateway variable for the
- provider's interface is expanded at compile time rather than at
- runtime.
+ These deficiencies have been corrected. Now, shell variables are
+ preserved in the converted file and omitted lines are now
+ translated.
- Example:
+ EXCEPTIONS: Because the translations of the 'blacklist' and
+ 'routestopped' files are not 1:1, omitted lines and compiler
+ directives are not transferred to the converted files. If either
+ are present, the compiler issues a warning:
- #PROVIDER NUMBER MARK DUPLICATE INTRFACE GATEWAY OPTIONS COPY
- foo 1 1 - eth0 1.2.3.4 primary -
+ WARNING: "Omitted rules and compiler directives were not
+ translated
- Then %eth0 will be expanded at compile time to '1.2.3.4'.
+3) In earlier versions, when USE_DEFAULT_RT=No in shorewall6.conf,
+ the generated script would attempt to copy fe80:* routes from the
+ DUPLICATE routing table to provider tables, which could fail.
+ Now, the generated script ignores these routes.
-3) Previously, the ADDRESS column in /etc/shorewall[6]/masq was
- documented as allowing a list of addresses and/or address ranges.
- That feature depended on iptables support which is no longer
- present in current distributions. The code now disallows more than
- one address[-range] and the documentation has been changed
- accordingly.
+4) Previously, if the 'restore' command failed, the failure was not
+ corrected reflected in the exit status. The exit status now
+ correctly indicates the outcome of the command.
+
+5) A defect in OPTIMIZE level 4 processing, could previously result in
+ the incorrect omission of a -i, -o, -s or -d rule option in an
+ optimized rules. That defect has been corrected.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
@@ -67,38 +62,22 @@
correctly in configurations with USE_DEFAULT_RT=No and optional
providers listed in the DUPLICATE column.
+3) While the 'ip' utility now accepts IPv6 routes with multiple
+ 'nexthop' destinations, these routes are not balanced. They are
+ rather instantiated as a sequence of single routes with different
+ metrics. Furthermore, the 'ip route replace' command fails on
+ such routes. Beginning with Shorewall6 5.0.15, the generated script
+ will use a "delete..add.." sequence on these routes rather than a
+ single "replace" command.
+
----------------------------------------------------------------------------
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) /etc/shorewall[6]/masq has been superseded by
- /etc/shorewall[6]/snat. The new 'snat' file is similar to most of
- the other configuration files in that the first column specifies
- the ACTION to be performed, the second contains the SOURCE and so
- on.
-
- The 'shorewall[6] update' command will convert an existing masq
- file into the equivalent 'snat' file and will rename masq to
- masq.bak.
-
- See shorewall[6]-snat(5) for details.
-
-2) Actions (both inline and regular) are now supported out of the new
- snat file. Like other actions, these 'SNAT actions' must be
- declared in the /etc/shorewall[6]/actions file where the new 'nat'
- option must be specified.
-
- Like other actions, the action rules are placed in a file named
- action.. Those rules have the same format as those in the
- snat file with two restrictions:
-
- 1. The '+' is not allowed in the ACTION column to specify that the
- rules should be applied before one-to-one NAT. It must rather be
- specified when the action is invoked.
+1) The 'show macro' command now uses the configured PAGER, if any.
- 2. Interface names are not permitted in the DEST column, so all of
- the rules apply to the interface(s) specified when the action was
- invoked.
+2) The PAGER may now be deactivated through use of the '-p' option
+ (e.g., "shorewall -p show" ).
----------------------------------------------------------------------------
I V. M I G R A T I O N I S S U E S
@@ -259,6 +238,85 @@
----------------------------------------------------------------------------
V. N O T E S F R O M O T H E R 5 . 0 R E L E A S E S
----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 5 . 0 . 1 4
+----------------------------------------------------------------------------
+
+1) This release includes defect repair up through Shorewall 5.0.13.4.
+
+2) When the address variable for an optional interface was used, and
+ the interface did not have an IP address when the firewall was
+ started, then enabling the interface did not previously
+ create/alter the rules that use the address variable. Also, if the
+ IP address of a disabled interface changed, enabling the interface
+ did not update/add rules using the interface's gateway address
+ variable.
+
+ Now, if the IP address of a disabled optional interface
+ changes from its value (if any) when the netfilter ruleset was
+ instantiated, then after a successful 'enable', the ruleset is
+ automatically reloaded if the interface's address variable was
+ used.
+
+ Similarly, if 'detect' is specified as the GATEWAY for an optional
+ provider, then if the gateway at the time that the provider is
+ successfully enabled is different from that (if any) when the
+ netfilter ruleset was instantiated, then the ruleset is
+ automatically reloaded if the provider interface's run-time gateway
+ variable was used.
+
+ As part of this change, if an IP address is specified as the
+ GATEWAY for a provider, then the run-time gateway variable for the
+ provider's interface is expanded at compile time rather than at
+ runtime.
+
+ Example:
+
+ #PROVIDER NUMBER MARK DUPLICATE INTRFACE GATEWAY OPTIONS COPY
+ foo 1 1 - eth0 1.2.3.4 primary -
+
+ Then %eth0 will be expanded at compile time to '1.2.3.4'.
+
+3) Previously, the ADDRESS column in /etc/shorewall[6]/masq was
+ documented as allowing a list of addresses and/or address ranges.
+ That feature depended on iptables support which is no longer
+ present in current distributions. The code now disallows more than
+ one address[-range] and the documentation has been changed
+ accordingly.
+
+----------------------------------------------------------------------------
+ N E W F E A T U R E S I N 5 . 0 . 1 4
+----------------------------------------------------------------------------
+
+1) /etc/shorewall[6]/masq has been superseded by
+ /etc/shorewall[6]/snat. The new 'snat' file is similar to most of
+ the other configuration files in that the first column specifies
+ the ACTION to be performed, the second contains the SOURCE and so
+ on.
+
+ The 'shorewall[6] update' command will convert an existing masq
+ file into the equivalent 'snat' file and will rename masq to
+ masq.bak.
+
+ See shorewall[6]-snat(5) for details.
+
+2) Actions (both inline and regular) are now supported out of the new
+ snat file. Like other actions, these 'SNAT actions' must be
+ declared in the /etc/shorewall[6]/actions file where the new 'nat'
+ option must be specified.
+
+ Like other actions, the action rules are placed in a file named
+ action.. Those rules have the same format as those in the
+ snat file with two restrictions:
+
+ 1. The '+' is not allowed in the ACTION column to specify that the
+ rules should be applied before one-to-one NAT. It must rather be
+ specified when the action is invoked.
+
+ 2. Interface names are not permitted in the DEST column, so all of
+ the rules apply to the interface(s) specified when the action was
+ invoked.
+
+----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 0 . 1 3
----------------------------------------------------------------------------
diff -Naurd -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.14/shorewall-core.spec shorewall-core-5.0.15/shorewall-core.spec
--- shorewall-core-5.0.14/shorewall-core.spec 2016-11-03 15:07:35.454680685 -0700
+++ shorewall-core-5.0.15/shorewall-core.spec 2016-12-02 15:21:56.472615101 -0800
@@ -1,6 +1,6 @@
%define name shorewall-core
-%define version 5.0.14
-%define release 0RC3
+%define version 5.0.15
+%define release 0base
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name}
@@ -63,6 +63,16 @@
%doc COPYING INSTALL changelog.txt releasenotes.txt
%changelog
+* Fri Dec 02 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.15-0base
+* Thu Dec 01 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.15-0RC2
+* Sun Nov 27 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.15-0RC1
+* Thu Nov 17 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.15-0Beta2
+* Sun Nov 06 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.15-0Beta1
* Mon Oct 31 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.14-0RC3
* Sat Oct 29 2016 Tom Eastep tom@shorewall.net
diff -Naurd -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-core-5.0.14/uninstall.sh shorewall-core-5.0.15/uninstall.sh
--- shorewall-core-5.0.14/uninstall.sh 2016-11-03 15:07:34.562685407 -0700
+++ shorewall-core-5.0.15/uninstall.sh 2016-12-02 15:21:56.364614770 -0800
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=5.0.14
+VERSION=5.0.15
PRODUCT="shorewall-core"
Product="Shorewall Core"