diff -Naurdw -X /Users/teastep/bin/exclude.txt shorewall-init-4.4.19.3/changelog.txt shorewall-init-4.4.19.4/changelog.txt --- shorewall-init-4.4.19.3/changelog.txt 2011-05-10 07:23:00.000000000 -0700 +++ shorewall-init-4.4.19.4/changelog.txt 2011-05-17 10:55:02.000000000 -0700 @@ -1,3 +1,17 @@ +Changes in Shorewall 4.4.19.4 + +1) Disallow degenerate entry in tcpri. + +2) More fixes to LIBEXEC/TCPRI + +3) Don't allow filters and tcrules to refer to non-leaf classes. + +4) Issue warning on missing ipset. + +5) Fix logging and exclusion vs 'refresh'. + +6) Fix deletion of IPv6 'shorewall' chain. + Changes in Shorewall 4.4.19.3 1) Eliminate issue with 'gawk'. diff -Naurdw -X /Users/teastep/bin/exclude.txt shorewall-init-4.4.19.3/install.sh shorewall-init-4.4.19.4/install.sh --- shorewall-init-4.4.19.3/install.sh 2011-05-10 07:22:30.000000000 -0700 +++ shorewall-init-4.4.19.4/install.sh 2011-05-17 10:54:30.000000000 -0700 @@ -23,7 +23,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.19.3 +VERSION=4.4.19.4 usage() # $1 = exit status { diff -Naurdw -X /Users/teastep/bin/exclude.txt shorewall-init-4.4.19.3/releasenotes.txt shorewall-init-4.4.19.4/releasenotes.txt --- shorewall-init-4.4.19.3/releasenotes.txt 2011-05-10 07:23:00.000000000 -0700 +++ shorewall-init-4.4.19.4/releasenotes.txt 2011-05-17 10:55:02.000000000 -0700 @@ -1,5 +1,5 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 4 . 1 9 . 3 + S H O R E W A L L 4 . 4 . 1 9 . 4 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -13,6 +13,56 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- +4.4.19.4 + +1) Previously, the compiler would allow a degenerate entry (only the + BAND specified) in /etc/shorewall/tcpri. Such an entry now raises a + compilation error. + +2) Previously, it was possible to specify tcfilters and tcrules that + classified traffic with the class-id of a non-leaf HFSC class. Such + classes are not capabable of handling packets. + + Shorewall now generates a compile-time warning in this case and + ignores the entry. + + If a non-leaf class is specified as the default class, then + Shorewall now generates a compile-time error since that + configuration allows no network traffic to flow. + +3) Traditionally, Shorewall has not checked for the existance of + ipsets mentioned in the configuration, potentially resulting in a + run-time start/restart failure. Now, the compiler will issue a + WARNING if: + + a) The compiler is being run by root. + b) The compilation isn't producing a script to run on a remote + system under a -lite product. + c) An ipset appearing in the configuration does not exist on the + local system. + +4) As previously implemented, the 'refresh' command could fail or + could result in a ruleset other than what was intended. If there + had been changes in the ruleset since it was originally + started/restarted/restored that added or deleted sequenced chains + (chains such as ~lognnn and ~exclnnn), the resulting ruleset could + jump to the wrong such chains or could fail to 'refresh' + successfully. + + This issue has been corrected as follows. When a 'refresh' is done + and individual chains are involved, then each table that contains + both sequenced chains and one of the chains being refreshed is + refreshed in its entirety. 
+ + For example, if 'shorwall refresh foo' is issued and the filter + table (which is the default) contains any sequenced chains, then + the entire table is reloaded. Note that this reload operation is + atomic so no packets are passed through an inconsistent + configuration. + +5) When 'shorewall6 refresh' was run previously, a harmless + 'ip6tables: Chain exists' message was generated. + 4.4.19.3 1) The changes in 4.4.19.1 that corrected long-standing issues with @@ -24,13 +74,14 @@ 2) Previously, an entry in the USER/GROUP column in the rules and tcrules files could cause run-time start/restart failures if the - rule(s) being added did not have the firewall as the source or was - being added to the POSTROUTING chain. This error is now caught by + rule(s) being added did not have the firewall as the source (rules + file) and were not being added to the POSTROUTING chain (:T + designator in the tcrules file). This error is now caught by the compiler. 3) Shorewall now insures that a route to a default gateway exists in the main table before it attempts to add a default route through - that gateway to a provider table. This prevents start/restart + that gateway in a provider table. This prevents start/restart failures in the rare event that such a route does not exist. 4) CLASSIFY TC rules can apply to traffic exiting only the interface diff -Naurdw -X /Users/teastep/bin/exclude.txt shorewall-init-4.4.19.3/shorewall-init.spec shorewall-init-4.4.19.4/shorewall-init.spec --- shorewall-init-4.4.19.3/shorewall-init.spec 2011-05-10 07:22:30.000000000 -0700 +++ shorewall-init-4.4.19.4/shorewall-init.spec 2011-05-17 10:54:30.000000000 -0700 @@ -1,6 +1,6 @@ %define name shorewall-init %define version 4.4.19 -%define release 3 +%define release 4 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} 
@@ -119,6 +119,8 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Wed May 11 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-4 * Sat May 07 2011 Tom Eastep tom@shorewall.net - Updated to 4.4.19-3 * Sat Apr 16 2011 Tom Eastep tom@shorewall.net diff -Naurdw -X /Users/teastep/bin/exclude.txt shorewall-init-4.4.19.3/uninstall.sh shorewall-init-4.4.19.4/uninstall.sh --- shorewall-init-4.4.19.3/uninstall.sh 2011-05-10 07:22:30.000000000 -0700 +++ shorewall-init-4.4.19.4/uninstall.sh 2011-05-17 10:54:30.000000000 -0700 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.19.3 +VERSION=4.4.19.4 usage() # $1 = exit status {
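Review bot: changelog item "2) More fixes to LIBEXEC/TCPRI" in the changelog.txt hunk has no matching entry in the 4.4.19.4 section added to releasenotes.txt, which lists only five problems corrected; either add a release note saying what was fixed in LIBEXEC/TCPRI or fold it into item 1 ("Disallow degenerate entry in tcpri") if it is the same fix. Likewise changelog item 6 ("Fix deletion of IPv6 'shorewall' chain") and release note 5 (the harmless "ip6tables: Chain exists" message on 'shorewall6 refresh') describe the same change in different words; use the same wording in both files so a reader can match them.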
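Review bot: spelling errors in the text added to releasenotes.txt: "capabable" should be "capable" (item 2), "existance" should be "existence" (item 3), and the example command "shorwall refresh foo" in item 4 should read "shorewall refresh foo". Item 3 also reads as if the new WARNING removes the run-time start/restart failure it mentions; it does not, since a warning lets the compile succeed and the start will still fail if the ipset has not been created, so say explicitly that the warning is advisory and the set must exist before 'start'/'restart'. In the reworded 4.4.19.3 item 2, "did not have the firewall as the source (rules file) and were not being added to the POSTROUTING chain (:T designator in the tcrules file)" joins two files' conditions with "and" as though both applied to one rule; split it into one sentence per file (rules: source is not the firewall; tcrules: source is not the firewall and no :T designator) so the condition is unambiguous.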
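Review bot: the same version string is bumped by hand in three places in this patch (VERSION=4.4.19.4 in install.sh and uninstall.sh, %define release 4 in shorewall-init.spec), and the comment in uninstall.sh states "You may only use this script to uninstall the version shown below", so a missed bump in any one file leaves install and uninstall disagreeing about the installed version; consider deriving VERSION in both scripts from a single file, or at least adding a check in the release process that the three values agree.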