Hello community,

here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2014-09-03 18:22:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shorewall (Old)
 and      /work/SRC/openSUSE:Factory/.shorewall.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall" Changes: -------- --- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2014-08-15 09:56:20.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes 2014-09-03 21:09:38.000000000 +0200 @@ -1,0 +2,23 @@ +Sun Aug 31 17:24:13 UTC 2014 - tog...@opensuse.org + +- Update to version 4.6.3.1 For more details see changelog.txt and + releasenotes.tx + * The DNSAmp action released in 4.6.3 matched more packets than it + should have. That has now been corrected. + * The handling of REJECT in IP[6]TABLES rules has been clarified + inthe shorewall-rules(5) and shorewall6-rules(5) manpages. + * The following misleading error message has now been corrected: + + ERROR: The xxx TARGET is now allowed in the filter table + + The message now reads: + + ERROR: The xxx TARGET is not allowed in the filter table + +- Spec fixes + + * Fixed shorewall-init requires so it needs shoreline-firewall + which is an alias for shorewall shorewall6 shorewall-lite and + shorewall6-lite packages + * shorewall-init package was missing a rc link +------------------------------------------------------------------- Old: ---- shorewall-4.6.2.5.tar.bz2 shorewall-core-4.6.2.5.tar.bz2 shorewall-docs-html-4.6.2.5.tar.bz2 shorewall-init-4.6.2.5.tar.bz2 shorewall-lite-4.6.2.5.tar.bz2 shorewall6-4.6.2.5.tar.bz2 shorewall6-lite-4.6.2.5.tar.bz2 New: ---- shorewall-4.6.3.1.tar.bz2 shorewall-core-4.6.3.1.tar.bz2 shorewall-docs-html-4.6.3.1.tar.bz2 shorewall-init-4.6.3.1.tar.bz2 shorewall-lite-4.6.3.1.tar.bz2 shorewall6-4.6.3.1.tar.bz2 shorewall6-lite-4.6.3.1.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.YNKUe7/_old 2014-09-03 21:09:40.000000000 +0200 +++ /var/tmp/diff_new_pack.YNKUe7/_new 2014-09-03 21:09:40.000000000 +0200 
@@ -20,19 +20,19 @@ %define have_systemd 1 Name: shorewall -Version: 4.6.2.5 +Version: 4.6.3.1 Release: 0 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems License: GPL-2.0 Group: Productivity/Networking/Security Url: http://www.shorewall.net/ -Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.2/%name-%version.tar.bz2 -Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.2/%name-core-%version.tar.bz2 -Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.2/%name-lite-%version.tar.bz2 -Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.2/%name-init-%version.tar.bz2 -Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.2/%{name}6-lite-%version.tar.bz2 -Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.2/%{name}6-%version.tar.bz2 -Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.2/%name-docs-html-%version.tar.bz2 +Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.3/%name-%version.tar.bz2 +Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.3/%name-core-%version.tar.bz2 +Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.3/%name-lite-%version.tar.bz2 +Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.3/%name-init-%version.tar.bz2 +Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.3/%{name}6-lite-%version.tar.bz2 +Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.3/%{name}6-%version.tar.bz2 +Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.3/%name-docs-html-%version.tar.bz2 Source7: %name-4.4.22.rpmlintrc Source8: README.openSUSE # PATCH-FIX-UPSTREAM tog...@opensuse.org Shorewall-lite init.suse.sh Required Stop @@ -61,6 +61,8 @@ Requires: iptables Requires: logrotate Requires: xtables-addons +Provides: shoreline_firewall = %{version}-%{release} + BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch BuildRequires: bash >= 4 
@@ -135,6 +137,7 @@ Requires: iproute2 Requires: iptables Requires: logrotate +Provides: shoreline_firewall = %{version}-%{release} %if 0%{?suse_version} Conflicts: SuSEfirewall2 %endif @@ -175,7 +178,7 @@ Requires(preun): systemd-units Requires(postun): systemd-units %endif - +Provides: shoreline_firewall = %{version}-%{release} Requires: %name > 4.5.0-0 Requires: logrotate %if 0%{?suse_version} @@ -217,6 +220,7 @@ %endif Requires: %name-core Requires: logrotate +Provides: shoreline_firewall = %{version}-%{release} %if 0%{?suse_version} Conflicts: SuSEfirewall2 %endif @@ -257,8 +261,9 @@ Requires(preun): systemd-units Requires(postun): systemd-units %endif -Requires: %name > 4.4.9 -Requires: %{name}6 > 4.4.9 + +Requires: shoreline_firewall >= 4.5.0 + Requires: logrotate %if 0%{?suse_version} Conflicts: SuSEfirewall2 @@ -391,7 +396,7 @@ done # FIXME linkto /usr/sbin/service should follow usr_move thing -rctargets="shorewall shorewall-lite shorewall6 shorewall6-lite" +rctargets="shorewall shorewall-lite shorewall6 shorewall6-lite shorewall-init" mkdir -p %buildroot/%_sbindir for i in $rctargets; do %if 0%{?suse_version} > 1220 @@ -811,6 +816,8 @@ # FIXME %if 0%{?suse_version} +%{_sbindir}/rc%{name}-init + %_localstatedir/adm/fillup-templates/sysconfig.%name-init %if 0%{?suse_version} <= 1220 %attr(0544,root,root) %_initddir/%name-init ++++++ shorewall-4.6.2.5.tar.bz2 -> shorewall-4.6.3.1.tar.bz2 ++++++ ++++ 1866 lines of diff (skipped) ++++++ shorewall-core-4.6.2.5.tar.bz2 -> shorewall-core-4.6.3.1.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.2.5/changelog.txt new/shorewall-core-4.6.3.1/changelog.txt --- old/shorewall-core-4.6.2.5/changelog.txt 2014-08-13 01:53:52.000000000 +0200 +++ new/shorewall-core-4.6.3.1/changelog.txt 2014-08-27 16:54:44.000000000 +0200 
@@ -1,23 +1,45 @@ -Changes in 4.6.2.5 +Changes in 4.6.3.1 + +1) Update release documents + +2) Correct the u32 match string in action.DNSAmp. + +3) Clarify REJECT handling in IP[6]TABLES rules. + +Changes in 4.6.3 Final + +1) Update release documents. + +2) Apply Thomas D's fix for SAVE_IPSETS on Debian. + +Changes in 4.6.3 RC 1 1) Update release documents. -2) Allow a physical interface name in the INTERFACE column of the - providers files. +2) Minor code and documentation cleanup. -3) Apply Louis Lagendijk's patch for shorewall-init. +3) Defect repair from 4.6.2.5. -Changes in 4.6.2.4 +hanges in 4.6.3 Beta 2 1) Update release documents. -2) Allow inline matches in the body of an action. +2) Add DNSAmp action + +3) Allow inline matches in action bodies (from 4.6.2.4) -Changes in 4.6.2.3 +4) Allow physical names to be used in the INTERFACE column of the + providers file. + +Changes in 4.6.3 Beta 1 1) Update release documents. -2) Correct handling of optimize level 8 with Perl 5.20. +2) Describe new helper assignment in the FTP article. + +3) Merge defect repair from 4.6.2.3. + +4) Implement the 'run' command. Changes in 4.6.2.2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.2.5/configure new/shorewall-core-4.6.3.1/configure --- old/shorewall-core-4.6.2.5/configure 2014-08-13 01:53:51.000000000 +0200 +++ new/shorewall-core-4.6.3.1/configure 2014-08-27 16:54:43.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.2.5 +VERSION=4.6.3.1 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.2.5/configure.pl new/shorewall-core-4.6.3.1/configure.pl --- old/shorewall-core-4.6.2.5/configure.pl 2014-08-13 01:53:51.000000000 +0200 +++ new/shorewall-core-4.6.3.1/configure.pl 2014-08-27 16:54:43.000000000 +0200 
@@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.2.5' + VERSION => '4.6.3.1' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.2.5/install.sh new/shorewall-core-4.6.3.1/install.sh --- old/shorewall-core-4.6.2.5/install.sh 2014-08-13 01:53:51.000000000 +0200 +++ new/shorewall-core-4.6.3.1/install.sh 2014-08-27 16:54:43.000000000 +0200 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=4.6.2.5 +VERSION=4.6.3.1 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.2.5/known_problems.txt new/shorewall-core-4.6.3.1/known_problems.txt --- old/shorewall-core-4.6.2.5/known_problems.txt 2014-08-13 01:53:52.000000000 +0200 +++ new/shorewall-core-4.6.3.1/known_problems.txt 2014-08-27 16:54:44.000000000 +0200 
@@ -1,87 +1,22 @@ 1) On systems running Upstart, shorewall-init cannot reliably secure the firewall before interfaces are brought up. -2) In the tcrules file: +2) The DNSAmp action released in 4.6.3 matches more packets than it + should. - - SAVE and RESTORE generate fatal compilation errors. - - '|' and '&' are ignored. + Workaround: Change the single rule in + /usr/share/shorewall/action.DNSAmp to: - Corrected in 4.6.2.1. + IPTABLES(@1) - - udp 53 ; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000" -3) In the mangle file: + Corrected in 4.6.3.1. - - '|' and '&' are ignored in MARK ACTIONS. +3) A typo results in the following misleading error message: - Corrected in 4.6.2.1. + ERROR: The xxx TARGET is now allowed in the filter table -4) The compiler fails to detect the IPv6 Header Match capability when - LOAD_MODULES_ONLY=No. + The message should read: - Workaround: Use a capabilities file or set LOAD_MODULES_ONLY=Yes. + ERROR: The xxx TARGET is not allowed in the filter table - Corrected in 4.6.2.2. - -5) The compiler fails to detect Ipset Match support when the system is - running a 3.14 Linux Kernel. - - Workaround: Use a capabilities file. - - Corrected in 4.6.2.2. - -6) The compiler fails to detect the Arptables JF capability when - LOAD_MODULES_ONLY=No. - - Workaround: Use a capabilities file or set LOAD_MODULES_ONLY=Yes. - - Corrected in 4.6.2.2. - -7) The tcfilter manpages fail to mention that BASIC_FILTERS=Yes is - required to use ipsets in the tcfilters files. - - Corrected in 4.6.2.2. - -8) The compiler fails with a Perl diagnostic if: - - - Optimize Level 8 is enabled. - - Perl 5.20 is being used - - The diagnostic is: - - Can't use string ("nat") as a HASH ref while "strict refs" in use - at /usr/share/shorewall/Shorewall/Chains.pm line 3486. - - Workaround: Disable optimize level 8 by subtracting 8 from the - current setting. If 'all' is the current value, - change the setting to OPTIMIZE=23 - - Corrected in 4.6.2.3. 
- -9) Inline matches are incorrectly disallowed in action files. - - Corrected in 4.6.2.4. - -10) If the following entry appears in /etc/shorewall/interfaces: - - prov2 VPNIF physical=tun1,optional - - then this entry in /etc/shorewall/provider - - prov2 2 2 - tun1 192.168.1.1 track,fallback - - results in the following: - - Use of uninitialized value $physical in pattern match - (m//) at /usr/lib/perl5/vendor_perl/5.18.1/ - Shorewall/Providers.pm line 463, <$currentfile> line 2. - ERROR: A provider interface must have at least one - associated zone /opt/etc/shorewall/providers (line 2) - - Workaround: Change the provider entry to - - prov2 2 2 - VPNIF 192.168.1.1 track,fallback - - Corrected in 4.6.2.5. - -11) Shorewall-init fails when installed on a system with systemd. - - Corrected in 4.6.2.5. + Corrected in 4.6.3.1. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.2.5/lib.cli new/shorewall-core-4.6.3.1/lib.cli --- old/shorewall-core-4.6.2.5/lib.cli 2014-08-13 01:39:52.000000000 +0200 +++ new/shorewall-core-4.6.3.1/lib.cli 2014-08-24 20:59:51.000000000 +0200 
@@ -1470,22 +1470,10 @@ $g_tool -t rawpost -L $g_ipt_options fi - local count - local max + local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count) + local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max) - if [ -f /proc/sys/net/netfilter/nf_conntrack_count ]; then - count=$(cat /proc/sys/net/netfilter/nf_conntrack_count) - max=$(cat /proc/sys/net/netfilter/nf_conntrack_max) - - heading "Conntrack Table ($count out of $max)" - elif [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_count ]; then - count=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count) - max=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max) - - heading "Conntrack Table ($count out of $max)" - else - heading "Conntrack Table" - fi + heading "Conntrack Table ($count out of $max)" if [ $g_family -eq 4 ]; then [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack @@ -3527,6 +3515,14 @@ return $rc } +run_command() { + if [ -x ${VARDIR}/firewall ] ; then + run_it ${VARDIR}/firewall $g_debugging $@ + else + fatal_error "${VARDIR}/firewall does not exist or is not executable" + fi +} + # # Give Usage Information # @@ -3558,6 +3554,7 @@ echo " reset [ <chain> ... ]" echo " restart [ -n ] [ -p ] [ -f ] [ <directory> ]" echo " restore [ -n ] [ <file name> ]" + echo " run <command> [ <parameter> ... ]" echo " save [ <file name> ]" echo " [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]" echo " [ show | list | ls ] [ -f ] capabilities" @@ -3586,6 +3583,7 @@ echo " start [ -f ] [ -p ] [ <directory> ]" echo " stop" echo " status [ -i ]" + echo " run <function> [ function ... ]" echo " version [ -a ]" echo exit $1 
@@ -3830,6 +3828,11 @@ fatal_error "$g_product is not running" fi ;; + run) + [ $# -gt 1 ] || fatal_error "Missing function name" + get_config Yes + run_command $@ + ;; show|list|ls) get_config Yes No Yes shift diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.2.5/lib.common new/shorewall-core-4.6.3.1/lib.common --- old/shorewall-core-4.6.2.5/lib.common 2014-08-13 01:39:52.000000000 +0200 +++ new/shorewall-core-4.6.3.1/lib.common 2014-08-24 20:59:51.000000000 +0200 @@ -172,6 +172,7 @@ error_message() # $* = Error Message { echo " $@" >&2 + return 1 } # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.2.5/releasenotes.txt new/shorewall-core-4.6.3.1/releasenotes.txt --- old/shorewall-core-4.6.2.5/releasenotes.txt 2014-08-13 01:53:52.000000000 +0200 +++ new/shorewall-core-4.6.3.1/releasenotes.txt 2014-08-27 16:54:44.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 2 . 5 + S H O R E W A L L 4 . 6 . 3 . 1 ------------------------------------ - A u g u s t 1 4 , 2 0 1 4 + A u g u s t 2 6 , 2 0 1 4 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,80 +14,28 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.2.5 +4.6.3 -1) Previously, when an interface specified the 'physical=' option and - the physical interface name was specified in the INTERFACES column - of the providers file, compilation would fail with diagnostics - similar to the following: +1) The DNSAmp action released in 4.6.3 matched more packets than it + should have. That has now been corrected. - Use of uninitialized value $physical in pattern match - (m//) at /usr/lib/perl5/vendor_perl/5.18.1/ - Shorewall/Providers.pm line 463, <$currentfile> line 2. - ERROR: A provider interface must have at least one - associated zone /opt/etc/shorewall/providers (line 2) +2) The handling of REJECT in IP[6]TABLES rules has been clarified in + the shorewall-rules(5) and shorewall6-rules(5) manpages. -2) Shorewall-init now works correctly on systems with systemd. - By Louis Lagendijk. +3) The following misleading error message has now been corrected: -4.6.2.4 + ERROR: The xxx TARGET is now allowed in the filter table -1) Previously, inline matches were incorrectly disallowed in action - files. These matches are now allowed. + The message now reads: -4.6.2.3 - -1) Previously, the compiler would fail with a Perl diagnostic if: - - - Optimize Level 8 was enabled. - - Perl 5.20 was being used. This is the current Perl version on - Arch Linux. + ERROR: The xxx TARGET is not allowed in the filter table - The diagnostic was: +4.6.3 - Can't use string ("nat") as a HASH ref while "strict refs" in use - at /usr/share/shorewall/Shorewall/Chains.pm line 3486. +1) This release contains defect repair up through release 4.6.2.5. -4.6.2.2 - -1) The compiler now correctly detects the IPv6 "Header Match" - capability when LOAD_MODULES_ONLY=No. - -2) The compiler now correctly detects the IPv6 "Ipset Match" - capability on systems running a 3.14 or later kernel. 
- -3) The compiler now correctly detects "Arptables JF" capability when - LOAD_MODULES_ONLY=No. - -3) The tcfilter manpages previously failed to mention that - BASIC_FILTERS=Yes is required to use ipsets in the tcfilters files. - -4.6.2.1 - -1) Two issues with tcrules processing have been corrected: - - - SAVE and RESTORE generated fatal compilation errors. - - '|' and '&' were ignored. - -4.6.2 - -1) The DSCP match in the mangle and tcrules files didn't work with - service class names such as EF, BE, CS1, ... (Thibaut Chèze) - -2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in - tcrules and mangle; this was a regression from 4.5.21. - -3) Additional ports required by Asus, Supermicro and Dell have been - added to the IPMI macro (Tuomo Soini). - -4) Some issues regarding install under Cygwin64 have been addressed. - - - configure.pl did not understand CYGWIN returned from `uname` - - Shorewall-core install.sh did not understand CYGWIN returned from - `uname`. - - The Shorewall and Shorewall6 installers tried to run the command - 'mkdir -p //etc/shorewall[6]' which is broken in the current - Cygwin64. +2) The SAVE_IPSETS option in the Debian version of Shorewall-init now + works correctly. Thomas D. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -100,45 +48,19 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The 'status' command now allows a -i option which causes the state - of all optional and provider interfaces to be displayed. - - Example: - - root@gateway:/etc/shorewall# shorewall status -i - Shorewall-4.6.1 Status at gateway - Wed Jun 18 14:27:19 PDT 2014 - - Shorewall is running - State:Started (Wed Jun 18 09:50:01 PDT 2014) from /etc/shorewall/ - (/var/lib/shorewall/firewall compiled by Shorewall version 4.6.1) - - Interface eth0 is Enabled - Interface eth1 is Enabled - Interface lo is Enabled - -2) A 'shorewall show blacklists' command has been - implemented. The abbreviation 'bl' may be used in place of - 'blacklists'. - - The command displays the output of the 'dynamic' chain together - with the chains created by entries in the blrules file. - -3) A TIME column has been added to the mangle file. It has the same - use in that file as the corresponding column in the rules file. - -4) A stateful port knocking example has been added to the Events - article (http://www.shorewall.net/Events.html). This example allows - a sequence of knocking ports to be defined (Gerhard Weisinger). - -5) A macro supporting HP's Integrated Lights Out (ILO) has been added - (Tuomo Soini). - -6) It is now possible to specify the MAC address of a provider - GATEWAY. This is useful when there are multiple providers serviced - by a single interface as it avoids the need for the generated - script to detect the MAC during start/restart. - -7) The copyrights in the sample configuration files have been updated. +1) A new 'run' command has been implemented. This command allows you + to run an arbitrary command in the context of the generated + script. + + shorewall[6][-lite] run <command> [ <parameter> ... ] + + Normally, <command> will be a function declared in lib.private. + +2) A DNSAmp action has been added. 
This action matches recursive UDP + DNS queries. The default disposition is DROP which can be + overridden by the single action parameter (e.g, 'DNSAmp(REJECT)' + will reject these queries). Recursive DNS queries are the basis for + 'DNS Amplification' attacks; hence the action name. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -412,7 +334,130 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 0 + P R O B L E M S C O R R E C T E D I N 4 . 6 . 2 +---------------------------------------------------------------------------- + +4.6.2.5 + +1) Previously, when an interface specified the 'physical=' option and + the physical interface name was specified in the INTERFACES column + of the providers file, compilation would fail with diagnostics + similar to the following: + + Use of uninitialized value $physical in pattern match + (m//) at /usr/lib/perl5/vendor_perl/5.18.1/ + Shorewall/Providers.pm line 463, <$currentfile> line 2. + ERROR: A provider interface must have at least one + associated zone /opt/etc/shorewall/providers (line 2) + +2) Shorewall-init now works correctly on systems with systemd. + By Louis Lagendijk. + +4.6.2.4 + +1) Previously, inline matches were incorrectly disallowed in action + files. These matches are now allowed. + +4.6.2.3 + +1) Previously, the compiler would fail with a Perl diagnostic if: + + - Optimize Level 8 was enabled. + - Perl 5.20 was being used. This is the current Perl version on + Arch Linux. + + The diagnostic was: + + Can't use string ("nat") as a HASH ref while "strict refs" in use + at /usr/share/shorewall/Shorewall/Chains.pm line 3486. + +4.6.2.2 + +1) The compiler now correctly detects the IPv6 "Header Match" + capability when LOAD_MODULES_ONLY=No. + +2) The compiler now correctly detects the IPv6 "Ipset Match" + capability on systems running a 3.14 or later kernel. + +3) The compiler now correctly detects "Arptables JF" capability when + LOAD_MODULES_ONLY=No. + +3) The tcfilter manpages previously failed to mention that + BASIC_FILTERS=Yes is required to use ipsets in the tcfilters files. 
+ +4.6.2.1 + +1) Two issues with tcrules processing have been corrected: + + - SAVE and RESTORE generated fatal compilation errors. + - '|' and '&' were ignored. + +4.6.2 + +1) The DSCP match in the mangle and tcrules files didn't work with + service class names such as EF, BE, CS1, ... (Thibaut Chèze) + +2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in + tcrules and mangle; this was a regression from 4.5.21. + +3) Additional ports required by Asus, Supermicro and Dell have been + added to the IPMI macro (Tuomo Soini). + +4) Some issues regarding install under Cygwin64 have been addressed. + + - configure.pl did not understand CYGWIN returned from `uname` + - Shorewall-core install.sh did not understand CYGWIN returned from + `uname`. + - The Shorewall and Shorewall6 installers tried to run the command + 'mkdir -p //etc/shorewall[6]' which is broken in the current + Cygwin64. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 2 +---------------------------------------------------------------------------- + +1) The 'status' command now allows a -i option which causes the state + of all optional and provider interfaces to be displayed. + + Example: + + root@gateway:/etc/shorewall# shorewall status -i + Shorewall-4.6.1 Status at gateway - Wed Jun 18 14:27:19 PDT 2014 + + Shorewall is running + State:Started (Wed Jun 18 09:50:01 PDT 2014) from /etc/shorewall/ + (/var/lib/shorewall/firewall compiled by Shorewall version 4.6.1) + + Interface eth0 is Enabled + Interface eth1 is Enabled + Interface lo is Enabled + +2) A 'shorewall show blacklists' command has been + implemented. The abbreviation 'bl' may be used in place of + 'blacklists'. + + The command displays the output of the 'dynamic' chain together + with the chains created by entries in the blrules file. + +3) A TIME column has been added to the mangle file. 
It has the same + use in that file as the corresponding column in the rules file. + +4) A stateful port knocking example has been added to the Events + article (http://www.shorewall.net/Events.html). This example allows + a sequence of knocking ports to be defined (Gerhard Weisinger). + +5) A macro supporting HP's Integrated Lights Out (ILO) has been added + (Tuomo Soini). + +6) It is now possible to specify the MAC address of a provider + GATEWAY. This is useful when there are multiple providers serviced + by a single interface as it avoids the need for the generated + script to detect the MAC during start/restart. + +7) The copyrights in the sample configuration files have been updated. + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 ---------------------------------------------------------------------------- 4.6.1.4 @@ -487,7 +532,7 @@ optimized away. ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 0 + N E W F E A T U R E S I N 4 . 6 . 1 ---------------------------------------------------------------------------- 1) Tuomo Soini has provided new macros for AMOP, MongoDB, Redis, Sieve diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.2.5/shorewall-core.spec new/shorewall-core-4.6.3.1/shorewall-core.spec --- old/shorewall-core-4.6.2.5/shorewall-core.spec 2014-08-13 01:53:52.000000000 +0200 +++ new/shorewall-core-4.6.3.1/shorewall-core.spec 2014-08-27 16:54:44.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-core -%define version 4.6.2 -%define release 5 +%define version 4.6.3 +%define release 1 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} 
@@ -62,12 +62,16 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt %changelog -* Tue Aug 12 2014 Tom Eastep t...@shorewall.net -- Updated to 4.6.2-5 -* Tue Aug 05 2014 Tom Eastep t...@shorewall.net -- Updated to 4.6.2-4 -* Sat Jul 26 2014 Tom Eastep t...@shorewall.net -- Updated to 4.6.2-3 +* Thu Aug 21 2014 Tom Eastep t...@shorewall.net +- Updated to 4.6.3-1 +* Thu Aug 14 2014 Tom Eastep t...@shorewall.net +- Updated to 4.6.3-0base +* Sun Aug 10 2014 Tom Eastep t...@shorewall.net +- Updated to 4.6.3-0RC1 +* Sun Aug 03 2014 Tom Eastep t...@shorewall.net +- Updated to 4.6.3-0Beta2 +* Fri Jul 25 2014 Tom Eastep t...@shorewall.net +- Updated to 4.6.3-0Beta1 * Fri Jul 18 2014 Tom Eastep t...@shorewall.net - Updated to 4.6.2-2 * Fri Jul 18 2014 Tom Eastep t...@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.2.5/uninstall.sh new/shorewall-core-4.6.3.1/uninstall.sh --- old/shorewall-core-4.6.2.5/uninstall.sh 2014-08-13 01:53:51.000000000 +0200 +++ new/shorewall-core-4.6.3.1/uninstall.sh 2014-08-27 16:54:43.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.2.5 +VERSION=4.6.3.1 usage() # $1 = exit status { ++++++ shorewall-docs-html-4.6.2.5.tar.bz2 -> shorewall-docs-html-4.6.3.1.tar.bz2 ++++++ ++++ 7168 lines of diff (skipped) ++++++ shorewall-init-4.6.2.5.tar.bz2 -> shorewall-init-4.6.3.1.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.2.5/changelog.txt new/shorewall-init-4.6.3.1/changelog.txt --- old/shorewall-init-4.6.2.5/changelog.txt 2014-08-13 01:53:52.000000000 +0200 +++ new/shorewall-init-4.6.3.1/changelog.txt 2014-08-27 16:54:44.000000000 +0200 
@@ -1,23 +1,45 @@ -Changes in 4.6.2.5 +Changes in 4.6.3.1 + +1) Update release documents + +2) Correct the u32 match string in action.DNSAmp. + +3) Clarify REJECT handling in IP[6]TABLES rules. + +Changes in 4.6.3 Final + +1) Update release documents. + +2) Apply Thomas D's fix for SAVE_IPSETS on Debian. + +Changes in 4.6.3 RC 1 1) Update release documents. -2) Allow a physical interface name in the INTERFACE column of the - providers files. +2) Minor code and documentation cleanup. -3) Apply Louis Lagendijk's patch for shorewall-init. +3) Defect repair from 4.6.2.5. -Changes in 4.6.2.4 +hanges in 4.6.3 Beta 2 1) Update release documents. -2) Allow inline matches in the body of an action. +2) Add DNSAmp action + +3) Allow inline matches in action bodies (from 4.6.2.4) -Changes in 4.6.2.3 +4) Allow physical names to be used in the INTERFACE column of the + providers file. + +Changes in 4.6.3 Beta 1 1) Update release documents. -2) Correct handling of optimize level 8 with Perl 5.20. +2) Describe new helper assignment in the FTP article. + +3) Merge defect repair from 4.6.2.3. + +4) Implement the 'run' command. Changes in 4.6.2.2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.2.5/configure new/shorewall-init-4.6.3.1/configure --- old/shorewall-init-4.6.2.5/configure 2014-08-13 01:53:52.000000000 +0200 +++ new/shorewall-init-4.6.3.1/configure 2014-08-27 16:54:44.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.2.5 +VERSION=4.6.3.1 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.2.5/configure.pl new/shorewall-init-4.6.3.1/configure.pl --- old/shorewall-init-4.6.2.5/configure.pl 2014-08-13 01:53:52.000000000 +0200 +++ new/shorewall-init-4.6.3.1/configure.pl 2014-08-27 16:54:44.000000000 +0200 
@@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.2.5' + VERSION => '4.6.3.1' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.2.5/init.debian.sh new/shorewall-init-4.6.3.1/init.debian.sh --- old/shorewall-init-4.6.2.5/init.debian.sh 2014-08-13 01:39:52.000000000 +0200 +++ new/shorewall-init-4.6.3.1/init.debian.sh 2014-08-24 20:59:51.000000000 +0200 @@ -123,6 +123,17 @@ echo "done." + if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then + + echo -n "Restoring ipsets: " + + if ! ipset -R < "$SAVE_IPSETS"; then + echo_notdone + fi + + echo "done." + fi + return 0 } @@ -142,6 +153,20 @@ echo "done." + if [ -n "$SAVE_IPSETS" ]; then + + echo "Saving ipsets: " + + mkdir -p $(dirname "$SAVE_IPSETS") + if ipset -S > "${SAVE_IPSETS}.tmp"; then + grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" + else + echo_notdone + fi + + echo "done." + fi + return 0 } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.2.5/install.sh new/shorewall-init-4.6.3.1/install.sh --- old/shorewall-init-4.6.2.5/install.sh 2014-08-13 01:53:52.000000000 +0200 +++ new/shorewall-init-4.6.3.1/install.sh 2014-08-27 16:54:44.000000000 +0200 @@ -27,7 +27,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.6.2.5 +VERSION=4.6.3.1 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.2.5/releasenotes.txt new/shorewall-init-4.6.3.1/releasenotes.txt --- old/shorewall-init-4.6.2.5/releasenotes.txt 2014-08-13 01:53:52.000000000 +0200 +++ new/shorewall-init-4.6.3.1/releasenotes.txt 2014-08-27 16:54:44.000000000 +0200 
@@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 2 . 5 + S H O R E W A L L 4 . 6 . 3 . 1 ------------------------------------ - A u g u s t 1 4 , 2 0 1 4 + A u g u s t 2 6 , 2 0 1 4 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,80 +14,28 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.2.5 +4.6.3 -1) Previously, when an interface specified the 'physical=' option and - the physical interface name was specified in the INTERFACES column - of the providers file, compilation would fail with diagnostics - similar to the following: +1) The DNSAmp action released in 4.6.3 matched more packets than it + should have. That has now been corrected. - Use of uninitialized value $physical in pattern match - (m//) at /usr/lib/perl5/vendor_perl/5.18.1/ - Shorewall/Providers.pm line 463, <$currentfile> line 2. - ERROR: A provider interface must have at least one - associated zone /opt/etc/shorewall/providers (line 2) +2) The handling of REJECT in IP[6]TABLES rules has been clarified in + the shorewall-rules(5) and shorewall6-rules(5) manpages. -2) Shorewall-init now works correctly on systems with systemd. - By Louis Lagendijk. +3) The following misleading error message has now been corrected: -4.6.2.4 + ERROR: The xxx TARGET is now allowed in the filter table -1) Previously, inline matches were incorrectly disallowed in action - files. These matches are now allowed. + The message now reads: -4.6.2.3 - -1) Previously, the compiler would fail with a Perl diagnostic if: - - - Optimize Level 8 was enabled. - - Perl 5.20 was being used. This is the current Perl version on - Arch Linux. + ERROR: The xxx TARGET is not allowed in the filter table - The diagnostic was: +4.6.3 - Can't use string ("nat") as a HASH ref while "strict refs" in use - at /usr/share/shorewall/Shorewall/Chains.pm line 3486. +1) This release contains defect repair up through release 4.6.2.5. -4.6.2.2 - -1) The compiler now correctly detects the IPv6 "Header Match" - capability when LOAD_MODULES_ONLY=No. - -2) The compiler now correctly detects the IPv6 "Ipset Match" - capability on systems running a 3.14 or later kernel. 
- -3) The compiler now correctly detects "Arptables JF" capability when - LOAD_MODULES_ONLY=No. - -3) The tcfilter manpages previously failed to mention that - BASIC_FILTERS=Yes is required to use ipsets in the tcfilters files. - -4.6.2.1 - -1) Two issues with tcrules processing have been corrected: - - - SAVE and RESTORE generated fatal compilation errors. - - '|' and '&' were ignored. - -4.6.2 - -1) The DSCP match in the mangle and tcrules files didn't work with - service class names such as EF, BE, CS1, ... (Thibaut Chèze) - -2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in - tcrules and mangle; this was a regression from 4.5.21. - -3) Additional ports required by Asus, Supermicro and Dell have been - added to the IPMI macro (Tuomo Soini). - -4) Some issues regarding install under Cygwin64 have been addressed. - - - configure.pl did not understand CYGWIN returned from `uname` - - Shorewall-core install.sh did not understand CYGWIN returned from - `uname`. - - The Shorewall and Shorewall6 installers tried to run the command - 'mkdir -p //etc/shorewall[6]' which is broken in the current - Cygwin64. +2) The SAVE_IPSETS option in the Debian version of Shorewall-init now + works correctly. Thomas D. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -100,45 +48,19 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The 'status' command now allows a -i option which causes the state - of all optional and provider interfaces to be displayed. - - Example: - - root@gateway:/etc/shorewall# shorewall status -i - Shorewall-4.6.1 Status at gateway - Wed Jun 18 14:27:19 PDT 2014 - - Shorewall is running - State:Started (Wed Jun 18 09:50:01 PDT 2014) from /etc/shorewall/ - (/var/lib/shorewall/firewall compiled by Shorewall version 4.6.1) - - Interface eth0 is Enabled - Interface eth1 is Enabled - Interface lo is Enabled - -2) A 'shorewall show blacklists' command has been - implemented. The abbreviation 'bl' may be used in place of - 'blacklists'. - - The command displays the output of the 'dynamic' chain together - with the chains created by entries in the blrules file. - -3) A TIME column has been added to the mangle file. It has the same - use in that file as the corresponding column in the rules file. - -4) A stateful port knocking example has been added to the Events - article (http://www.shorewall.net/Events.html). This example allows - a sequence of knocking ports to be defined (Gerhard Weisinger). - -5) A macro supporting HP's Integrated Lights Out (ILO) has been added - (Tuomo Soini). - -6) It is now possible to specify the MAC address of a provider - GATEWAY. This is useful when there are multiple providers serviced - by a single interface as it avoids the need for the generated - script to detect the MAC during start/restart. - -7) The copyrights in the sample configuration files have been updated. +1) A new 'run' command has been implemented. This command allows you + to run an arbitrary command in the context of the generated + script. + + shorewall[6][-lite] run <command> [ <parameter> ... ] + + Normally, <command> will be a function declared in lib.private. + +2) A DNSAmp action has been added. 
This action matches recursive UDP + DNS queries. The default disposition is DROP which can be + overridden by the single action parameter (e.g, 'DNSAmp(REJECT)' + will reject these queries). Recursive DNS queries are the basis for + 'DNS Amplification' attacks; hence the action name. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -412,7 +334,130 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 0 + P R O B L E M S C O R R E C T E D I N 4 . 6 . 2 +---------------------------------------------------------------------------- + +4.6.2.5 + +1) Previously, when an interface specified the 'physical=' option and + the physical interface name was specified in the INTERFACES column + of the providers file, compilation would fail with diagnostics + similar to the following: + + Use of uninitialized value $physical in pattern match + (m//) at /usr/lib/perl5/vendor_perl/5.18.1/ + Shorewall/Providers.pm line 463, <$currentfile> line 2. + ERROR: A provider interface must have at least one + associated zone /opt/etc/shorewall/providers (line 2) + +2) Shorewall-init now works correctly on systems with systemd. + By Louis Lagendijk. + +4.6.2.4 + +1) Previously, inline matches were incorrectly disallowed in action + files. These matches are now allowed. + +4.6.2.3 + +1) Previously, the compiler would fail with a Perl diagnostic if: + + - Optimize Level 8 was enabled. + - Perl 5.20 was being used. This is the current Perl version on + Arch Linux. + + The diagnostic was: + + Can't use string ("nat") as a HASH ref while "strict refs" in use + at /usr/share/shorewall/Shorewall/Chains.pm line 3486. + +4.6.2.2 + +1) The compiler now correctly detects the IPv6 "Header Match" + capability when LOAD_MODULES_ONLY=No. + +2) The compiler now correctly detects the IPv6 "Ipset Match" + capability on systems running a 3.14 or later kernel. + +3) The compiler now correctly detects "Arptables JF" capability when + LOAD_MODULES_ONLY=No. + +3) The tcfilter manpages previously failed to mention that + BASIC_FILTERS=Yes is required to use ipsets in the tcfilters files. 
+ +4.6.2.1 + +1) Two issues with tcrules processing have been corrected: + + - SAVE and RESTORE generated fatal compilation errors. + - '|' and '&' were ignored. + +4.6.2 + +1) The DSCP match in the mangle and tcrules files didn't work with + service class names such as EF, BE, CS1, ... (Thibaut Chèze) + +2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in + tcrules and mangle; this was a regression from 4.5.21. + +3) Additional ports required by Asus, Supermicro and Dell have been + added to the IPMI macro (Tuomo Soini). + +4) Some issues regarding install under Cygwin64 have been addressed. + + - configure.pl did not understand CYGWIN returned from `uname` + - Shorewall-core install.sh did not understand CYGWIN returned from + `uname`. + - The Shorewall and Shorewall6 installers tried to run the command + 'mkdir -p //etc/shorewall[6]' which is broken in the current + Cygwin64. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 2 +---------------------------------------------------------------------------- + +1) The 'status' command now allows a -i option which causes the state + of all optional and provider interfaces to be displayed. + + Example: + + root@gateway:/etc/shorewall# shorewall status -i + Shorewall-4.6.1 Status at gateway - Wed Jun 18 14:27:19 PDT 2014 + + Shorewall is running + State:Started (Wed Jun 18 09:50:01 PDT 2014) from /etc/shorewall/ + (/var/lib/shorewall/firewall compiled by Shorewall version 4.6.1) + + Interface eth0 is Enabled + Interface eth1 is Enabled + Interface lo is Enabled + +2) A 'shorewall show blacklists' command has been + implemented. The abbreviation 'bl' may be used in place of + 'blacklists'. + + The command displays the output of the 'dynamic' chain together + with the chains created by entries in the blrules file. + +3) A TIME column has been added to the mangle file. 
It has the same + use in that file as the corresponding column in the rules file. + +4) A stateful port knocking example has been added to the Events + article (http://www.shorewall.net/Events.html). This example allows + a sequence of knocking ports to be defined (Gerhard Weisinger). + +5) A macro supporting HP's Integrated Lights Out (ILO) has been added + (Tuomo Soini). + +6) It is now possible to specify the MAC address of a provider + GATEWAY. This is useful when there are multiple providers serviced + by a single interface as it avoids the need for the generated + script to detect the MAC during start/restart. + +7) The copyrights in the sample configuration files have been updated. + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 ---------------------------------------------------------------------------- 4.6.1.4 @@ -487,7 +532,7 @@ optimized away. ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 0 + N E W F E A T U R E S I N 4 . 6 . 1 ---------------------------------------------------------------------------- 1) Tuomo Soini has provided new macros for AMOP, MongoDB, Redis, Sieve diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.2.5/shorewall-init new/shorewall-init-4.6.3.1/shorewall-init --- old/shorewall-init-4.6.2.5/shorewall-init 2014-08-13 01:39:52.000000000 +0200 +++ new/shorewall-init-4.6.3.1/shorewall-init 2014-08-24 20:59:51.000000000 +0200 
@@ -63,19 +63,18 @@ for PRODUCT in $PRODUCTS; do setstatedir - if [ -x ${STATEDIR}/firewall ]; then + if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then # # Run in a sub-shell to avoid name collisions # ( - if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then - ${STATEDIR}/firewall ${OPTIONS} stop || exit 1 + if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then + ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || exit 1 else exit 1 fi ) else - echo ERROR: ${STATEDIR}/firewall does not exist or is not executable! exit 1 fi done @@ -96,8 +95,8 @@ for PRODUCT in $PRODUCTS; do setstatedir - if [ -x ${STATEDIR}/firewall ]; then - ${STATEDIR}/firewall ${OPTIONS} clear || exit 1 + if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then + ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || exit 1 fi done diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.2.5/shorewall-init.spec new/shorewall-init-4.6.3.1/shorewall-init.spec --- old/shorewall-init-4.6.2.5/shorewall-init.spec 2014-08-13 01:53:52.000000000 +0200 +++ new/shorewall-init-4.6.3.1/shorewall-init.spec 2014-08-27 16:54:44.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-init -%define version 4.6.2 -%define release 5 +%define version 4.6.3 +%define release 1 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} 
@@ -125,12 +125,16 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Tue Aug 12 2014 Tom Eastep t...@shorewall.net -- Updated to 4.6.2-5 -* Tue Aug 05 2014 Tom Eastep t...@shorewall.net -- Updated to 4.6.2-4 -* Sat Jul 26 2014 Tom Eastep t...@shorewall.net -- Updated to 4.6.2-3 +* Thu Aug 21 2014 Tom Eastep t...@shorewall.net +- Updated to 4.6.3-1 +* Thu Aug 14 2014 Tom Eastep t...@shorewall.net +- Updated to 4.6.3-0base +* Sun Aug 10 2014 Tom Eastep t...@shorewall.net +- Updated to 4.6.3-0RC1 +* Sun Aug 03 2014 Tom Eastep t...@shorewall.net +- Updated to 4.6.3-0Beta2 +* Fri Jul 25 2014 Tom Eastep t...@shorewall.net +- Updated to 4.6.3-0Beta1 * Fri Jul 18 2014 Tom Eastep t...@shorewall.net - Updated to 4.6.2-2 * Fri Jul 18 2014 Tom Eastep t...@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.2.5/uninstall.sh new/shorewall-init-4.6.3.1/uninstall.sh --- old/shorewall-init-4.6.2.5/uninstall.sh 2014-08-13 01:53:52.000000000 +0200 +++ new/shorewall-init-4.6.3.1/uninstall.sh 2014-08-27 16:54:44.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.2.5 +VERSION=4.6.3.1 usage() # $1 = exit status { ++++++ shorewall-lite-4.6.2.5.tar.bz2 -> shorewall-lite-4.6.3.1.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.2.5/changelog.txt new/shorewall-lite-4.6.3.1/changelog.txt --- old/shorewall-lite-4.6.2.5/changelog.txt 2014-08-13 01:53:52.000000000 +0200 +++ new/shorewall-lite-4.6.3.1/changelog.txt 2014-08-27 16:54:44.000000000 +0200 
@@ -1,23 +1,45 @@ -Changes in 4.6.2.5 +Changes in 4.6.3.1 + +1) Update release documents + +2) Correct the u32 match string in action.DNSAmp. + +3) Clarify REJECT handling in IP[6]TABLES rules. + +Changes in 4.6.3 Final + +1) Update release documents. + +2) Apply Thomas D's fix for SAVE_IPSETS on Debian. + +Changes in 4.6.3 RC 1 1) Update release documents. -2) Allow a physical interface name in the INTERFACE column of the - providers files. +2) Minor code and documentation cleanup. -3) Apply Louis Lagendijk's patch for shorewall-init. +3) Defect repair from 4.6.2.5. -Changes in 4.6.2.4 +hanges in 4.6.3 Beta 2 1) Update release documents. -2) Allow inline matches in the body of an action. +2) Add DNSAmp action + +3) Allow inline matches in action bodies (from 4.6.2.4) -Changes in 4.6.2.3 +4) Allow physical names to be used in the INTERFACE column of the + providers file. + +Changes in 4.6.3 Beta 1 1) Update release documents. -2) Correct handling of optimize level 8 with Perl 5.20. +2) Describe new helper assignment in the FTP article. + +3) Merge defect repair from 4.6.2.3. + +4) Implement the 'run' command. Changes in 4.6.2.2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.2.5/configure new/shorewall-lite-4.6.3.1/configure --- old/shorewall-lite-4.6.2.5/configure 2014-08-13 01:53:52.000000000 +0200 +++ new/shorewall-lite-4.6.3.1/configure 2014-08-27 16:54:44.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.2.5 +VERSION=4.6.3.1 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.2.5/configure.pl new/shorewall-lite-4.6.3.1/configure.pl --- old/shorewall-lite-4.6.2.5/configure.pl 2014-08-13 01:53:52.000000000 +0200 +++ new/shorewall-lite-4.6.3.1/configure.pl 2014-08-27 16:54:44.000000000 +0200 
@@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.2.5' + VERSION => '4.6.3.1' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.2.5/install.sh new/shorewall-lite-4.6.3.1/install.sh --- old/shorewall-lite-4.6.2.5/install.sh 2014-08-13 01:53:52.000000000 +0200 +++ new/shorewall-lite-4.6.3.1/install.sh 2014-08-27 16:54:44.000000000 +0200 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=4.6.2.5 +VERSION=4.6.3.1 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.2.5/manpages/shorewall-lite-vardir.5 new/shorewall-lite-4.6.3.1/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-4.6.2.5/manpages/shorewall-lite-vardir.5 2014-08-13 01:57:10.000000000 +0200 +++ new/shorewall-lite-4.6.3.1/manpages/shorewall-lite-vardir.5 2014-08-27 16:58:10.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 08/12/2014 +.\" Date: 08/27/2014 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "08/12/2014" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\-VAR" "5" "08/27/2014" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.2.5/manpages/shorewall-lite.8 new/shorewall-lite-4.6.3.1/manpages/shorewall-lite.8 --- old/shorewall-lite-4.6.2.5/manpages/shorewall-lite.8 2014-08-13 01:57:12.000000000 +0200 +++ new/shorewall-lite-4.6.3.1/manpages/shorewall-lite.8 2014-08-27 16:58:12.000000000 +0200 @@ -2,12 +2,12 @@ .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 08/12/2014 +.\" Date: 08/27/2014 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "08/12/2014" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL\-LITE" "8" "08/27/2014" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- 
@@ -75,6 +75,8 @@ .HP \w'\fBshorewall\-lite\fR\ 'u \fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBrestore\fR [\fIfilename\fR] .HP \w'\fBshorewall\-lite\fR\ 'u +\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBrun\fR function [\fIparameter\ \&.\&.\&.\fR] +.HP \w'\fBshorewall\-lite\fR\ 'u \fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBsave\fR [\fIfilename\fR] .HP \w'\fBshorewall\-lite\fR\ 'u \fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] [\fBshow\ |\ list\ |\ ls\ \fR] [\fB\-b\fR] [\fB\-x\fR] [\fB\-l\fR] [\fB\-t\fR\ {\fBfilter\fR|\fBmangle\fR|\fBnat\fR|\fBraw|rawpost\fR}] [[\fBchain\fR]\ \fIchain\fR...] @@ -376,6 +378,22 @@ \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. .RE .PP +\fBrun\fR +.RS 4 +Added in Shorewall 4\&.6\&.3\&. Executes +\fIcommand\fR +in the context of the generated script passing the supplied +\fIparameter\fRs\&. Normally, the +\fIcommand\fR +will be a function declared in +lib\&.private\&. +.sp +Before executing the +\fIcommand\fR, the script will detect the configuration, setting all SW_* variables and will run your +init +extension script with $COMMAND = \*(Aqrun\*(Aq\&. +.RE +.PP \fBsave\fR .RS 4 The dynamic blacklist is stored in /var/lib/shorewall\-lite/save\&. The state of the firewall is stored in /var/lib/shorewall\-lite/\fIfilename\fR diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.2.5/manpages/shorewall-lite.conf.5 new/shorewall-lite-4.6.3.1/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-4.6.2.5/manpages/shorewall-lite.conf.5 2014-08-13 01:57:09.000000000 +0200 +++ new/shorewall-lite-4.6.3.1/manpages/shorewall-lite.conf.5 2014-08-27 16:58:09.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 08/12/2014 +.\" Date: 08/27/2014 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "08/12/2014" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\&.CO" "5" "08/27/2014" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.2.5/manpages/shorewall-lite.xml new/shorewall-lite-4.6.3.1/manpages/shorewall-lite.xml --- old/shorewall-lite-4.6.2.5/manpages/shorewall-lite.xml 2014-08-13 01:57:12.000000000 +0200 +++ new/shorewall-lite-4.6.3.1/manpages/shorewall-lite.xml 2014-08-27 16:58:12.000000000 +0200 @@ -325,6 +325,21 @@ <arg>-<replaceable>options</replaceable></arg> + <arg choice="plain"><option>run</option></arg> + + <arg choice="plain">function</arg> + + <arg><replaceable>parameter ...</replaceable></arg> + </cmdsynopsis> + + <cmdsynopsis> + <command>shorewall-lite</command> + + <arg + choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> + + <arg>-<replaceable>options</replaceable></arg> + <arg choice="plain"><option>save</option></arg> <arg choice="opt"><replaceable>filename</replaceable></arg> 
@@ -822,6 +837,23 @@ </listitem> </varlistentry> + <varlistentry> + <term><emphasis role="bold">run</emphasis></term> + + <listitem> + <para>Added in Shorewall 4.6.3. Executes + <replaceable>command</replaceable> in the context of the generated + script passing the supplied <replaceable>parameter</replaceable>s. + Normally, the <replaceable>command</replaceable> will be a function + declared in <filename>lib.private</filename>.</para> + + <para>Before executing the <replaceable>command</replaceable>, the + script will detect the configuration, setting all SW_* variables and + will run your <filename>init</filename> extension script with + $COMMAND = 'run'.</para> + </listitem> + </varlistentry> + <varlistentry> <term><emphasis role="bold">save</emphasis></term> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.2.5/releasenotes.txt new/shorewall-lite-4.6.3.1/releasenotes.txt --- old/shorewall-lite-4.6.2.5/releasenotes.txt 2014-08-13 01:53:52.000000000 +0200 +++ new/shorewall-lite-4.6.3.1/releasenotes.txt 2014-08-27 16:54:44.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 2 . 5 + S H O R E W A L L 4 . 6 . 3 . 1 ------------------------------------ - A u g u s t 1 4 , 2 0 1 4 + A u g u s t 2 6 , 2 0 1 4 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,80 +14,28 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.2.5 +4.6.3 -1) Previously, when an interface specified the 'physical=' option and - the physical interface name was specified in the INTERFACES column - of the providers file, compilation would fail with diagnostics - similar to the following: +1) The DNSAmp action released in 4.6.3 matched more packets than it + should have. That has now been corrected. - Use of uninitialized value $physical in pattern match - (m//) at /usr/lib/perl5/vendor_perl/5.18.1/ - Shorewall/Providers.pm line 463, <$currentfile> line 2. - ERROR: A provider interface must have at least one - associated zone /opt/etc/shorewall/providers (line 2) +2) The handling of REJECT in IP[6]TABLES rules has been clarified in + the shorewall-rules(5) and shorewall6-rules(5) manpages. -2) Shorewall-init now works correctly on systems with systemd. - By Louis Lagendijk. +3) The following misleading error message has now been corrected: -4.6.2.4 + ERROR: The xxx TARGET is now allowed in the filter table -1) Previously, inline matches were incorrectly disallowed in action - files. These matches are now allowed. + The message now reads: -4.6.2.3 - -1) Previously, the compiler would fail with a Perl diagnostic if: - - - Optimize Level 8 was enabled. - - Perl 5.20 was being used. This is the current Perl version on - Arch Linux. + ERROR: The xxx TARGET is not allowed in the filter table - The diagnostic was: +4.6.3 - Can't use string ("nat") as a HASH ref while "strict refs" in use - at /usr/share/shorewall/Shorewall/Chains.pm line 3486. +1) This release contains defect repair up through release 4.6.2.5. -4.6.2.2 - -1) The compiler now correctly detects the IPv6 "Header Match" - capability when LOAD_MODULES_ONLY=No. - -2) The compiler now correctly detects the IPv6 "Ipset Match" - capability on systems running a 3.14 or later kernel. 
- -3) The compiler now correctly detects "Arptables JF" capability when - LOAD_MODULES_ONLY=No. - -3) The tcfilter manpages previously failed to mention that - BASIC_FILTERS=Yes is required to use ipsets in the tcfilters files. - -4.6.2.1 - -1) Two issues with tcrules processing have been corrected: - - - SAVE and RESTORE generated fatal compilation errors. - - '|' and '&' were ignored. - -4.6.2 - -1) The DSCP match in the mangle and tcrules files didn't work with - service class names such as EF, BE, CS1, ... (Thibaut Chèze) - -2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in - tcrules and mangle; this was a regression from 4.5.21. - -3) Additional ports required by Asus, Supermicro and Dell have been - added to the IPMI macro (Tuomo Soini). - -4) Some issues regarding install under Cygwin64 have been addressed. - - - configure.pl did not understand CYGWIN returned from `uname` - - Shorewall-core install.sh did not understand CYGWIN returned from - `uname`. - - The Shorewall and Shorewall6 installers tried to run the command - 'mkdir -p //etc/shorewall[6]' which is broken in the current - Cygwin64. +2) The SAVE_IPSETS option in the Debian version of Shorewall-init now + works correctly. Thomas D. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -100,45 +48,19 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The 'status' command now allows a -i option which causes the state - of all optional and provider interfaces to be displayed. - - Example: - - root@gateway:/etc/shorewall# shorewall status -i - Shorewall-4.6.1 Status at gateway - Wed Jun 18 14:27:19 PDT 2014 - - Shorewall is running - State:Started (Wed Jun 18 09:50:01 PDT 2014) from /etc/shorewall/ - (/var/lib/shorewall/firewall compiled by Shorewall version 4.6.1) - - Interface eth0 is Enabled - Interface eth1 is Enabled - Interface lo is Enabled - -2) A 'shorewall show blacklists' command has been - implemented. The abbreviation 'bl' may be used in place of - 'blacklists'. - - The command displays the output of the 'dynamic' chain together - with the chains created by entries in the blrules file. - -3) A TIME column has been added to the mangle file. It has the same - use in that file as the corresponding column in the rules file. - -4) A stateful port knocking example has been added to the Events - article (http://www.shorewall.net/Events.html). This example allows - a sequence of knocking ports to be defined (Gerhard Weisinger). - -5) A macro supporting HP's Integrated Lights Out (ILO) has been added - (Tuomo Soini). - -6) It is now possible to specify the MAC address of a provider - GATEWAY. This is useful when there are multiple providers serviced - by a single interface as it avoids the need for the generated - script to detect the MAC during start/restart. - -7) The copyrights in the sample configuration files have been updated. +1) A new 'run' command has been implemented. This command allows you + to run an arbitrary command in the context of the generated + script. + + shorewall[6][-lite] run <command> [ <parameter> ... ] + + Normally, <command> will be a function declared in lib.private. + +2) A DNSAmp action has been added. 
This action matches recursive UDP + DNS queries. The default disposition is DROP which can be + overridden by the single action parameter (e.g, 'DNSAmp(REJECT)' + will reject these queries). Recursive DNS queries are the basis for + 'DNS Amplification' attacks; hence the action name. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -412,7 +334,130 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 6 . 0 + P R O B L E M S C O R R E C T E D I N 4 . 6 . 2 +---------------------------------------------------------------------------- + +4.6.2.5 + +1) Previously, when an interface specified the 'physical=' option and + the physical interface name was specified in the INTERFACES column + of the providers file, compilation would fail with diagnostics + similar to the following: + + Use of uninitialized value $physical in pattern match + (m//) at /usr/lib/perl5/vendor_perl/5.18.1/ + Shorewall/Providers.pm line 463, <$currentfile> line 2. + ERROR: A provider interface must have at least one + associated zone /opt/etc/shorewall/providers (line 2) + +2) Shorewall-init now works correctly on systems with systemd. + By Louis Lagendijk. + +4.6.2.4 + +1) Previously, inline matches were incorrectly disallowed in action + files. These matches are now allowed. + +4.6.2.3 + +1) Previously, the compiler would fail with a Perl diagnostic if: + + - Optimize Level 8 was enabled. + - Perl 5.20 was being used. This is the current Perl version on + Arch Linux. + + The diagnostic was: + + Can't use string ("nat") as a HASH ref while "strict refs" in use + at /usr/share/shorewall/Shorewall/Chains.pm line 3486. + +4.6.2.2 + +1) The compiler now correctly detects the IPv6 "Header Match" + capability when LOAD_MODULES_ONLY=No. + +2) The compiler now correctly detects the IPv6 "Ipset Match" + capability on systems running a 3.14 or later kernel. + +3) The compiler now correctly detects "Arptables JF" capability when + LOAD_MODULES_ONLY=No. + +3) The tcfilter manpages previously failed to mention that + BASIC_FILTERS=Yes is required to use ipsets in the tcfilters files. 
+ +4.6.2.1 + +1) Two issues with tcrules processing have been corrected: + + - SAVE and RESTORE generated fatal compilation errors. + - '|' and '&' were ignored. + +4.6.2 + +1) The DSCP match in the mangle and tcrules files didn't work with + service class names such as EF, BE, CS1, ... (Thibaut Chèze) + +2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in + tcrules and mangle; this was a regression from 4.5.21. + +3) Additional ports required by Asus, Supermicro and Dell have been + added to the IPMI macro (Tuomo Soini). + +4) Some issues regarding install under Cygwin64 have been addressed. + + - configure.pl did not understand CYGWIN returned from `uname` + - Shorewall-core install.sh did not understand CYGWIN returned from + `uname`. + - The Shorewall and Shorewall6 installers tried to run the command + 'mkdir -p //etc/shorewall[6]' which is broken in the current + Cygwin64. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 2 +---------------------------------------------------------------------------- + +1) The 'status' command now allows a -i option which causes the state + of all optional and provider interfaces to be displayed. + + Example: + + root@gateway:/etc/shorewall# shorewall status -i + Shorewall-4.6.1 Status at gateway - Wed Jun 18 14:27:19 PDT 2014 + + Shorewall is running + State:Started (Wed Jun 18 09:50:01 PDT 2014) from /etc/shorewall/ + (/var/lib/shorewall/firewall compiled by Shorewall version 4.6.1) + + Interface eth0 is Enabled + Interface eth1 is Enabled + Interface lo is Enabled + +2) A 'shorewall show blacklists' command has been + implemented. The abbreviation 'bl' may be used in place of + 'blacklists'. + + The command displays the output of the 'dynamic' chain together + with the chains created by entries in the blrules file. + +3) A TIME column has been added to the mangle file. 
It has the same + use in that file as the corresponding column in the rules file. + +4) A stateful port knocking example has been added to the Events + article (http://www.shorewall.net/Events.html). This example allows + a sequence of knocking ports to be defined (Gerhard Weisinger). + +5) A macro supporting HP's Integrated Lights Out (ILO) has been added + (Tuomo Soini). + +6) It is now possible to specify the MAC address of a provider + GATEWAY. This is useful when there are multiple providers serviced + by a single interface as it avoids the need for the generated + script to detect the MAC during start/restart. + +7) The copyrights in the sample configuration files have been updated. + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 ---------------------------------------------------------------------------- 4.6.1.4 @@ -487,7 +532,7 @@ optimized away. ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 0 + N E W F E A T U R E S I N 4 . 6 . 1 ---------------------------------------------------------------------------- 1) Tuomo Soini has provided new macros for AMOP, MongoDB, Redis, Sieve diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.2.5/shorewall-lite.spec new/shorewall-lite-4.6.3.1/shorewall-lite.spec --- old/shorewall-lite-4.6.2.5/shorewall-lite.spec 2014-08-13 01:53:52.000000000 +0200 +++ new/shorewall-lite-4.6.3.1/shorewall-lite.spec 2014-08-27 16:54:44.000000000 +0200 @@ -1,6 +1,6 @@ %define name shorewall-lite -%define version 4.6.2 -%define release 5 +%define version 4.6.3 +%define release 1 %define initdir /etc/init.d Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. 
@@ -105,12 +105,16 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Tue Aug 12 2014 Tom Eastep t...@shorewall.net -- Updated to 4.6.2-5 -* Tue Aug 05 2014 Tom Eastep t...@shorewall.net -- Updated to 4.6.2-4 -* Sat Jul 26 2014 Tom Eastep t...@shorewall.net -- Updated to 4.6.2-3 +* Thu Aug 21 2014 Tom Eastep t...@shorewall.net +- Updated to 4.6.3-1 +* Thu Aug 14 2014 Tom Eastep t...@shorewall.net +- Updated to 4.6.3-0base +* Sun Aug 10 2014 Tom Eastep t...@shorewall.net +- Updated to 4.6.3-0RC1 +* Sun Aug 03 2014 Tom Eastep t...@shorewall.net +- Updated to 4.6.3-0Beta2 +* Fri Jul 25 2014 Tom Eastep t...@shorewall.net +- Updated to 4.6.3-0Beta1 * Fri Jul 18 2014 Tom Eastep t...@shorewall.net - Updated to 4.6.2-2 * Fri Jul 18 2014 Tom Eastep t...@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.2.5/uninstall.sh new/shorewall-lite-4.6.3.1/uninstall.sh --- old/shorewall-lite-4.6.2.5/uninstall.sh 2014-08-13 01:53:52.000000000 +0200 +++ new/shorewall-lite-4.6.3.1/uninstall.sh 2014-08-27 16:54:44.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.2.5 +VERSION=4.6.3.1 usage() # $1 = exit status { ++++++ shorewall-4.6.2.5.tar.bz2 -> shorewall6-4.6.3.1.tar.bz2 ++++++ ++++ 125451 lines of diff (skipped) ++++++ shorewall-lite-4.6.2.5.tar.bz2 -> shorewall6-lite-4.6.3.1.tar.bz2 ++++++ ++++ 7782 lines of diff (skipped)
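Review bot: In the release-notes hunk at @@ -412,7 +334,130 @@, the 4.6.2.2 list numbers two consecutive items "3)": the "Arptables JF" capability item and the tcfilter manpages item that follows it. The second should be "4)". That tcfilter item, like item 1 under 4.6.2.5, also states only the earlier defect ("previously failed to mention that BASIC_FILTERS=Yes is required", "compilation would fail with diagnostics similar to the following") and never says what the corrected behaviour is, whereas the neighbouring entries read "now correctly detects" or "These matches are now allowed". Add a closing sentence to each of the two entries stating the fix, so a reader deciding whether to upgrade can tell the problem is resolved rather than merely documented.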
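Review bot: In the shorewall-lite.spec hunk at @@ -105,12 +105,16 @@, the %changelog entries for 4.6.2-3, 4.6.2-4 and 4.6.2-5 are deleted instead of being kept beneath the new 4.6.3 entries, so the packaged changelog jumps from 4.6.2-2 straight to 4.6.3-0Beta1 even though the release notes in this same patch describe fixes shipped in 4.6.2.3, 4.6.2.4 and 4.6.2.5. Keep the three removed entries. Their dates (Jul 26, Aug 05, Aug 12) fall between the 4.6.3 pre-release dates (Jul 25, Aug 03, Aug 10, Aug 14), so they need to be interleaved by date rather than appended as a block, since rpm expects %changelog entries in descending date order.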
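Review bot: In the uninstall.sh hunk at @@ -26,7 +26,7 @@, VERSION=4.6.3.1 is a hand-edited literal that has to stay in step with "%define version 4.6.3" and "%define release 1" in shorewall-lite.spec, and the comment directly above it says the script may only be used to uninstall the version shown. Nothing in the visible lines ties the two files together, so a release that bumps one and not the other would ship an uninstaller bound to the wrong version. Consider generating the VERSION line from a single source at release time, or adding a packaging check that compares it against the spec's version and release.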