diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.0.1/changelog.txt shorewall-4.4.0.2/changelog.txt --- shorewall-4.4.0.1/changelog.txt 2009-08-26 12:50:08.000000000 -0700 +++ shorewall-4.4.0.2/changelog.txt 2009-08-29 08:20:09.000000000 -0700 @@ -1,4 +1,12 @@ +Changes in Shorewall 4.4.0.2 + +1) Fix MULTICAST=Yes and ACCEPT policy. + +2) Allow extension of zone definition with nets=. + +3) Don't allow nets= in a multi-zone interface definition. + Changes in Shorewall 4.4.0.1 1) Updated release versions. diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.0.1/install.sh shorewall-4.4.0.2/install.sh --- shorewall-4.4.0.1/install.sh 2009-08-26 12:50:08.000000000 -0700 +++ shorewall-4.4.0.2/install.sh 2009-08-29 08:20:09.000000000 -0700 @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.0.1 +VERSION=4.4.0.2 usage() # $1 = exit status { diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.0.1/known_problems.txt shorewall-4.4.0.2/known_problems.txt --- shorewall-4.4.0.1/known_problems.txt 2009-08-26 12:50:08.000000000 -0700 +++ shorewall-4.4.0.2/known_problems.txt 2009-08-29 08:20:09.000000000 -0700 @@ -14,3 +14,13 @@ some cases. This problem was corrected in Shorewall 4.4.0.1. + +3) If MULTICAST=Yes in shorewall.conf, multicast traffic is + incorrectly exempted from ACCEPT policies. + + This problem was corrected in Shorewall 4.4.0.2. + +4) If a zone is defined with nets= in /etc/shorewall/zones, that + definition cannot be extended by entries in /etc/shorewall/hosts. + + This problem was corrected in Shorewall 4.4.0.2. diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.0.1/Perl/Shorewall/Config.pm shorewall-4.4.0.2/Perl/Shorewall/Config.pm --- shorewall-4.4.0.1/Perl/Shorewall/Config.pm 2009-08-26 12:50:08.000000000 -0700 +++ shorewall-4.4.0.2/Perl/Shorewall/Config.pm 2009-08-29 08:20:09.000000000 -0700 
@@ -327,7 +327,7 @@
 TC_SCRIPT => '',
 EXPORT => 0,
 UNTRACKED => 0,
- VERSION => "4.4.0.1",
+ VERSION => "4.4.0.2",
 CAPVERSION => 40310 ,
 );
diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.0.1/Perl/Shorewall/Policy.pm shorewall-4.4.0.2/Perl/Shorewall/Policy.pm
--- shorewall-4.4.0.1/Perl/Shorewall/Policy.pm 2009-08-26 12:50:08.000000000 -0700
+++ shorewall-4.4.0.2/Perl/Shorewall/Policy.pm 2009-08-29 08:20:09.000000000 -0700
@@ -356,7 +356,7 @@
 my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
 unless ( $target eq 'NONE' ) {
- add_rule $chainref, "-d 224.0.0.0/24 -j RETURN" if $dropmulticast && $target ne 'CONTINUE';
+ add_rule $chainref, "-d 224.0.0.0/24 -j RETURN" if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
 add_rule $chainref, "-j $default" if $default && $default ne 'none';
 log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 fatal_error "Null target in policy_rules()" unless $target;
diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.0.1/Perl/Shorewall/Zones.pm shorewall-4.4.0.2/Perl/Shorewall/Zones.pm
--- shorewall-4.4.0.1/Perl/Shorewall/Zones.pm 2009-08-26 12:50:08.000000000 -0700
+++ shorewall-4.4.0.2/Perl/Shorewall/Zones.pm 2009-08-29 08:20:09.000000000 -0700
@@ -601,7 +601,6 @@
 my $interfaceref;
 my $zoneref = $zones{$zone};
 my $zonetype = $zoneref->{type};
- my $ifacezone = $interfaces{$interface}{zone};
 $zoneref->{interfaces}{$interface} = 1;
@@ -610,8 +609,6 @@
 my $new = \@newnetworks;
 my $switched = 0;
- $ifacezone = '' unless defined $ifacezone;
-
 for my $host ( @$networks ) {
 $interfaces{$interface}{nets}++;
@@ -626,8 +623,8 @@
 unless ( $switched ) {
 if ( $type == $zonetype ) {
- fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $ifacezone eq $zone;
- $ifacezone = $zone if $host eq ALLIP;
+ fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $interfaces{$interface}{zone} eq $zone;
+ $interfaces{$interface}{zone} = $zone if $host eq ALLIP;
 }
 }
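Review bot: The new `&& $target ne 'ACCEPT'` turns the multicast bypass into a growing list of negated string compares with nothing in policy_rules() saying why exactly these two targets are exempt; a reader also has to work out from statement order that the RETURN for 224.0.0.0/24 is emitted before the `-j $default` and log_rule lines, so for every other target (DROP and REJECT, presumably) link-local multicast leaves the policy chain before it is logged or acted on. I would put, above the add_rule line, `# When $dropmulticast is set, link-local multicast (224.0.0.0/24) returns out of the policy chain ahead of the log and default rules, so it is neither logged nor hit by the policy; an ACCEPT policy must still accept it and CONTINUE must not short-circuit it.` A lookup such as `my %keeps_multicast = ( ACCEPT => 1, CONTINUE => 1 );` tested with `unless $keeps_multicast{$target}` would make the next exemption a one-token change instead of another `ne`. The sub's signature and the remainder of its body are outside the hunk.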
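Review bot: The rewritten duplicate check `if $interfaces{$interface}{zone} eq $zone` in the 626 hunk reads the interface record's slot directly, while the `$ifacezone = '' unless defined $ifacezone;` guard removed by the 610 hunk is gone; it only stays warning-free if every `$interfaces{$interface}` record reaches add_group_to_zone() with `zone` already present, which the `zone => ''` initialiser in the 887 hunk supplies for records built there but not for a record created by any other path this diff does not show. Under `use warnings` a missing slot would emit an uninitialized-value warning for every host group, and the `eq` would silently be false. A defensive form is `fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if defined $interfaces{$interface}{zone} && $interfaces{$interface}{zone} eq $zone;`. The 601 hunk is just the matching removal of the local. add_group_to_zone()'s header is before the 601 hunk and its body continues past the 626 hunk.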
@@ -841,6 +838,7 @@
 $hostoptions{$option} = $numval if $hostopt;
 } elsif ( $type == IPLIST_IF_OPTION ) {
 fatal_error "The $option option requires a value" unless defined $value;
+ fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone;
 fatal_error "Duplicate $option option" if $nets;
 #
 # Remove parentheses from address list if present
@@ -887,14 +885,14 @@
 number => $nextinum ,
 root => $root ,
 broadcasts => $broadcasts ,
- options => \%options };
+ options => \%options ,
+ zone => ''
+ };
 $nets = [ allip ] unless $nets;
 add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $hostoptionsref ) if $zone;
- $interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
-
 progress_message " Interface \"$currentline\" Validated";
 return $interface;
diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.0.1/releasenotes.txt shorewall-4.4.0.2/releasenotes.txt
--- shorewall-4.4.0.1/releasenotes.txt 2009-08-26 12:50:08.000000000 -0700
+++ shorewall-4.4.0.2/releasenotes.txt 2009-08-29 08:20:09.000000000 -0700
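Review bot: The removed line `$interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()` recorded the zone for every single-zone interface unconditionally, whereas after this change the slot is written only inside add_group_to_zone() and only for an ALLIP host group (the 626 hunk), so an interface with `nets=` keeps the new `zone => ''` initialiser; any other reader of `$interfaces{...}{zone}` outside this diff that treated it as "the interface's zone" now sees '' for such interfaces, which is presumably the point of the nets= fix but deserves a comment where the slot is initialised. I would write `zone => '' # set by add_group_to_zone() only when the interface's net list is ALLIP; stays '' for nets= and multi-zone ('-') interfaces`. The new `unless $zone` check in the 841 hunk assumes $zone has already been parsed when the OPTIONS column is processed, which the hunk does not show. The enclosing sub's header and most of its body are outside both hunks.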
@@ -154,6 +154,21 @@ 10) The name 'any' is now reserved and may not be used as a zone name. ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 4 . 0 . 2 +---------------------------------------------------------------------------- + +1) If MULTICAST=Yes in shorewall.conf, then multicast traffic was + excluded from ACCEPT policies. + +2) If a zone was defined with nets= in /etc/shorewall/zones, that + definition could not be extended by entries in + /etc/shorewall/hosts. + +3) Previously, "nets=" could be specified in a multi-zone interface + definition ("-" in the ZONES column) in /etc/shorewall/zones. This + now raises a fatal compilation error. + + ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 4 . 0 . 1 ---------------------------------------------------------------------------- diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.0.1/shorewall.spec shorewall-4.4.0.2/shorewall.spec --- shorewall-4.4.0.1/shorewall.spec 2009-08-26 12:50:08.000000000 -0700 +++ shorewall-4.4.0.2/shorewall.spec 2009-08-29 08:20:09.000000000 -0700 @@ -1,6 +1,6 @@ %define name shorewall %define version 4.4.0 -%define release 1 +%define release 2 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} @@ -104,6 +104,8 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples %changelog +* Fri Aug 28 2009 Tom Eastep tom@shorewall.net +- Updated to 4.4.0-2 * Thu Aug 13 2009 Tom Eastep tom@shorewall.net - Updated to 4.4.0-1 * Sun Aug 09 2009 Tom Eastep tom@shorewall.net diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.0.1/uninstall.sh shorewall-4.4.0.2/uninstall.sh --- shorewall-4.4.0.1/uninstall.sh 2009-08-26 12:50:08.000000000 -0700 +++ shorewall-4.4.0.2/uninstall.sh 2009-08-29 08:20:09.000000000 -0700 
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.0.1
+VERSION=4.4.0.2
 usage() # $1 = exit status
 {