diff -Naurdw -X /Users/teastep/bin/exclude.txt shorewall6-4.4.19.1/changelog.txt shorewall6-4.4.19.2/changelog.txt --- shorewall6-4.4.19.1/changelog.txt 2011-04-14 15:21:47.000000000 -0700 +++ shorewall6-4.4.19.2/changelog.txt 2011-05-05 16:31:22.000000000 -0700 @@ -1,3 +1,12 @@ +Changes in Shorewall 4.4.19.2 + +1) Restore the ability to have IPSET names in the ORIGINAL DEST column + of a DNAT or REDIRECT rule. + +2) Correct several complex TC issues reported by Mr Dash4. + +3) Detect double exclusion involving ipset expressions. + Changes in Shorewall 4.4.19.1 1) Eliminate silly duplicate rule when stopped. diff -Naurdw -X /Users/teastep/bin/exclude.txt shorewall6-4.4.19.1/install.sh shorewall6-4.4.19.2/install.sh --- shorewall6-4.4.19.1/install.sh 2011-04-14 15:20:15.000000000 -0700 +++ shorewall6-4.4.19.2/install.sh 2011-05-05 16:18:04.000000000 -0700 @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.19.1 +VERSION=4.4.19.2 usage() # $1 = exit status { diff -Naurdw -X /Users/teastep/bin/exclude.txt shorewall6-4.4.19.1/releasenotes.txt shorewall6-4.4.19.2/releasenotes.txt --- shorewall6-4.4.19.1/releasenotes.txt 2011-04-14 15:21:47.000000000 -0700 +++ shorewall6-4.4.19.2/releasenotes.txt 2011-05-05 16:31:23.000000000 -0700 @@ -1,5 +1,5 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 4 . 1 9 . 1 + S H O R E W A L L 4 . 4 . 1 9 . 2 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -13,6 +13,58 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- +4.4.19.2 + +1) In Shorewall-shell, there was the ability to specify IPSET names in + the ORIGINAL DEST column of DNAT and REDIRECT rules. That ability, + inadvertently dropped in Shorewall-perl, has been restored. + + CAUTION: When an IPSET is used in this way, the server port is + opened from the SOURCE zone. + + Example: + + DNAT net dmz:10.1.1.2 tcp 80 - +foo + + will implicitly add this rule + + ACCEPT net dmz:10.1.1.2 tcp 80 + +2) Several problems with complex TC have been corrected: + + a) The following entry in /etc/shorewall/tcclasses + + A:1 - 10*full/100:50ms 20*full/100 1 tcp-ack + + produced this error: + + ERROR: Unknown INTERFACE (A) : /etc/shorewall/tcclasses + + This has been corrected. + + b) Shorewall reserves class number 1 for the root class of the + queuing discipline. Definining class 1 in + /etc/shorewall/tcclasses was previoulsly escaping detection by + the compiler, resulting in a run-time error. + + c) The compiler did not complain if a CLASSID specified in the MARK + column of tcrules referred to an IFB class. Such a rule would be + nonsensical since packets are passed through the IFB before + they are passed through any marking rules. Such a configuration + now results in a compilation error. + + d) Where there are more than 10 tcdevices, tcfilter entries could + generate invalid rules. + +3) Double exclusion involving ipset lists was previously not detected, + resulting in anomalous behavior. + + Example: + + ACCEPT:info $FW net:!10.1.0.7,10.1.0.9,+[!my-host[src]]] + + Such cases now result in a compilation error. 
+ 4.4.19.1 1) A duplicate ACCEPT rule in the INPUT chain has been eliminated when diff -Naurdw -X /Users/teastep/bin/exclude.txt shorewall6-4.4.19.1/shorewall6.spec shorewall6-4.4.19.2/shorewall6.spec --- shorewall6-4.4.19.1/shorewall6.spec 2011-04-14 15:20:15.000000000 -0700 +++ shorewall6-4.4.19.2/shorewall6.spec 2011-05-05 16:18:04.000000000 -0700 @@ -1,6 +1,6 @@ %define name shorewall6 %define version 4.4.19 -%define release 1 +%define release 2 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems. Name: %{name} @@ -98,6 +98,8 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6 %changelog +* Sat Apr 16 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-2 * Wed Apr 13 2011 Tom Eastep tom@shorewall.net - Updated to 4.4.19-1 * Sat Apr 09 2011 Tom Eastep tom@shorewall.net diff -Naurdw -X /Users/teastep/bin/exclude.txt shorewall6-4.4.19.1/uninstall.sh shorewall6-4.4.19.2/uninstall.sh --- shorewall6-4.4.19.1/uninstall.sh 2011-04-14 15:20:15.000000000 -0700 +++ shorewall6-4.4.19.2/uninstall.sh 2011-05-05 16:18:04.000000000 -0700 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.19.1 +VERSION=4.4.19.2 usage() # $1 = exit status {
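Review bot: item 1 of the changelog.txt hunk ("Restore the ability to have IPSET names in the ORIGINAL DEST column of a DNAT or REDIRECT rule") omits the behavioural caveat that the release notes attach to the same change, namely that the server port is opened from the SOURCE zone. Since the changelog is the shorter document most users read first, consider adding a one-line pointer such as "see the CAUTION in releasenotes.txt" so the wider ACCEPT is not missed.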
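Review bot: in the releasenotes.txt hunk, the CAUTION under item 1 should state explicitly that the implicitly added rule `ACCEPT net dmz:10.1.1.2 tcp 80` carries no `+foo` qualifier, so port 80 on 10.1.1.2 becomes reachable from the whole `net` zone rather than only for packets whose original destination was in the set; as written, a reader can assume the ipset restriction carries over to the ACCEPT. Two spelling errors in item 2b in the same hunk: `Definining` should read `Defining` and `previoulsly` should read `previously`. The example in item 3, `+[!my-host[src]]]`, has three closing brackets against two opening ones; if `+[!my-host[src]]` was intended, drop the extra `]` so the example illustrates the double-exclusion case the compiler now rejects rather than a bracket mismatch.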
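Review bot: the new %changelog entry in the shorewall6.spec hunk is dated `Sat Apr 16 2011`, while every file in this diff carries a 2011-05-05 timestamp and the previous entry for 4.4.19-1 is dated Apr 13; confirm the date, since a changelog stamp three weeks before the release files were written makes it hard to correlate the RPM with the tarball it was built from.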