diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.4.1/changelog.txt shorewall-4.4.4.2/changelog.txt --- shorewall-4.4.4.1/changelog.txt 2009-11-21 15:37:22.000000000 -0800 +++ shorewall-4.4.4.2/changelog.txt 2009-12-06 08:48:09.000000000 -0800 @@ -4,6 +4,12 @@ 2) Fix handling of interfaces with the 'bridge' option. +3) Disallow port 0 + +4) Improve IPv6 address validation and range checking. + +5) Correct Shorewall6 capabilities detection. + Changes in Shorewall 4.4.4 1) Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf. diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.4.1/install.sh shorewall-4.4.4.2/install.sh --- shorewall-4.4.4.1/install.sh 2009-11-21 15:37:22.000000000 -0800 +++ shorewall-4.4.4.2/install.sh 2009-12-06 08:48:09.000000000 -0800 @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.4.1 +VERSION=4.4.4.2 usage() # $1 = exit status { diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.4.1/known_problems.txt shorewall-4.4.4.2/known_problems.txt --- shorewall-4.4.4.1/known_problems.txt 2009-11-21 15:37:22.000000000 -0800 +++ shorewall-4.4.4.2/known_problems.txt 2009-12-06 08:48:09.000000000 -0800 
@@ -11,3 +11,18 @@ at /usr/share/shorewall/Shorewall/Rules.pm line 2319. This problem is corrected in Shorewall 4.4.4.1. + +3) The 'show policies' command doesn't work in Shorewall6 and + Shorewall6-lite. + + This problem is corrected in Shorewall 4.4.4.2. + +4) In some contexts, DNS names are not accepted by Shorewall6. + + This problem is corrected in Shorewall 4.4.4.2. + +5) An iptables-restore error can occur if port 0 is specified in some + contexts. + + In Shorewall 4.4.4.2, port 0 is flagged as an error in all + contexts. diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.4.1/Perl/Shorewall/Config.pm shorewall-4.4.4.2/Perl/Shorewall/Config.pm --- shorewall-4.4.4.1/Perl/Shorewall/Config.pm 2009-11-21 15:37:22.000000000 -0800 +++ shorewall-4.4.4.2/Perl/Shorewall/Config.pm 2009-12-06 08:48:09.000000000 -0800 @@ -327,7 +327,7 @@ TC_SCRIPT => '', EXPORT => 0, UNTRACKED => 0, - VERSION => "4.4.4.1", + VERSION => "4.4.4.2", CAPVERSION => 40402 , ); diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.4.1/Perl/Shorewall/IPAddrs.pm shorewall-4.4.4.2/Perl/Shorewall/IPAddrs.pm --- shorewall-4.4.4.1/Perl/Shorewall/IPAddrs.pm 2009-11-21 15:37:22.000000000 -0800 +++ shorewall-4.4.4.2/Perl/Shorewall/IPAddrs.pm 2009-12-06 08:48:09.000000000 -0800 @@ -72,7 +72,7 @@ validate_icmp6 ); our @EXPORT_OK = qw( ); -our $VERSION = '4.4_1'; +our $VERSION = '4.4_4'; # # Some IPv4/6 useful stuff @@ -302,7 +302,7 @@ my $value; if ( $port =~ /^(\d+)$/ ) { - return $port if $port <= 65535; + return $port if $port && $port <= 65535; } else { $proto = proto_name $proto if $proto =~ /^(\d+)$/; $value = getservbyname( $port, $proto ); 
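Review bot: The new guard `return $port if $port && $port <= 65535;` rejects only the literal string "0": `$port` has already matched `/^(\d+)$/`, so a value spelled "00" or "000" is true as a Perl string, is still port 0, and is returned unchanged — exactly the value known_problems #5 says produces iptables-restore errors. A numeric comparison closes that, `return $port if $port > 0 && $port <= 65535;`, so every zero-valued spelling falls through to whatever follows the hunk (the rest of the sub, including the error path for an out-of-range number, is outside my view). The `getservbyname` branch on the else side is unaffected by this. A minor note on the context line: `$` in `/^(\d+)$/` tolerates a trailing newline, and `\z` would be the stricter anchor if such input can reach this point.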
@@ -485,16 +485,16 @@ return 0 unless ( @address == $max ) || $address =~ /::/; return 0 if $address =~ /:::/ || $address =~ /::.*::/; - if ( $address =~ /^:/ ) { - unless ( $address eq '::' ) { - return 0 if $address =~ /:$/ || $address =~ /^:.*::/; - } - } elsif ( $address =~ /:$/ ) { - return 0 if $address =~ /::.*:$/; + unless ( $address =~ /^::/ ) { + return 0 if $address =~ /^:/; } + unless ( $address =~ /::$/ ) { + return 0 if $address =~ /:$/; + } + for my $a ( @address ) { - return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && oct "0x$a" < 65536 ); + return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && length $a < 5 ); } 1; @@ -543,13 +543,27 @@ sub normalize_6addr( $ ) { my $addr = shift; - while ( $addr =~ tr/:/:/ < 6 ) { - $addr =~ s/::/:0::/; - } + if ( $addr eq '::' ) { + '0:0:0:0:0:0:0:0'; + } else { + # + # Suppress leading zeros + # + $addr =~ s/^0+//; + $addr =~ s/:0+/:/g; + $addr =~ s/^:/0:/; + $addr =~ s/:$/:0/; - $addr =~ s/::/:0:/; + $addr =~ s/::/:0::/ while $addr =~ tr/:/:/ < 7; + # + # Note: "s/::/:0:/g" doesn't work here + # + 1 while $addr =~ s/::/:0:/; - $addr; + $addr =~ s/^0+:/0:/; + + $addr; + } } sub validate_6range( $$ ) { @@ -573,7 +587,7 @@ } sub validate_6host( $$ ) { - my ( $host, $allow_name ) = $_[0]; + my ( $host, $allow_name ) = @_; if ( $host =~ /^(.*:.*)-(.*:.*)$/ ) { validate_6range $1, $2; diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.4.1/releasenotes.txt shorewall-4.4.4.2/releasenotes.txt --- shorewall-4.4.4.1/releasenotes.txt 2009-11-21 15:37:22.000000000 -0800 +++ shorewall-4.4.4.2/releasenotes.txt 2009-12-06 08:48:09.000000000 -0800 
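Review bot: The rewritten group test at the end of the hunk, `$a =~ /^[a-fA-f\d]+$/ && length $a < 5`, carries over the `A-f` range from the removed line, and inside a character class that range runs from 'A' to 'f' in ASCII, so uppercase G–Z and the punctuation between 'Z' and 'a' (`[`, `\`, `]`, `^`, `_`, backtick) are accepted as hex digits. The old `oct "0x$a" < 65536` did not catch this either — `oct` stops at the first bad digit and returns a small number — so `validate_6address` has been admitting strings such as `::ZZZZ` and will still admit them after this change. Tightening the line to `return 0 unless $a eq '' || $a =~ /^[0-9a-fA-F]{1,4}$/;` fixes the class, folds the length bound into the pattern and avoids `\d` matching non-ASCII digits. The leading/trailing-colon rewrite above it reads correctly given the `:::` and `::.*::` rejections in the preceding context lines. The sub's opening lines are outside the hunk.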
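Review bot: In normalize_6addr the expansion `$addr =~ s/::/:0::/ while $addr =~ tr/:/:/ < 7;` does not terminate when the input has fewer than seven colons and no `::`, for example `1:2:3`: the substitution fails, the colon count never changes, and the statement spins forever. The removed `while ( ... < 6 )` loop had the same hazard, so this presumably relies on every caller having run validate_6address first, but nothing in the hunk enforces it, and a hang on a malformed config entry is worse than an error. A bounded form costs two lines, `while ( $addr =~ tr/:/:/ < 7 ) { last unless $addr =~ s/::/:0::/; }`, and leaves a short address for the caller to reject. Two smaller points: both branches of the new `if`/`else` end in bare expression statements (`'0:0:0:0:0:0:0:0';` and `$addr;`) where an explicit `return` would make the value intent visible, and the hex groups keep their original case, so any caller that compares normalized addresses with `eq`/`cmp` (none is visible here) would see `A::1` and `a::1` as different.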
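Review bot: With `my ( $host, $allow_name ) = @_;` the second argument is honored for the first time — under the old `= $_[0]` it was always undef — so whichever part of validate_6host consults `$allow_name` (it lies outside the hunk) becomes reachable with real input only now. That branch is worth reading with the same care as the address checks: a name that is accepted presumably ends up in generated ip6tables text, so it should be validated as a hostname rather than passed through as-is. A one-line comment on the signature would record why the unpacking changed, `# $allow_name: also accept DNS names, not just literal addresses (see known_problems #4)`. The rest of the sub continues past the hunk.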
@@ -169,9 +169,27 @@ now, if the zone has :0.0.0.0/0 (even with exclusions), then it may have no additional members in /etc/shorewall/hosts. -13) Because the 'track' provider option is so useful, it is now the - default. If, for some reason, you don't want 'track' then specify - 'notrack' for the provider. +--------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 4 . 4 . 2 +---------------------------------------------------------------------------- + +1) Previously, DNS names were not accepted in some contexts by + Shorewall6. + +2) Validation of IPv6 addresses has been improved and now catches more + invalid addresses. + +3) Previously, port 0 was accepted in all contexts with the result + that iptables-restore errors could occur. Port 0 is now flagged as + an error. + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 4 . 4 . 2 +---------------------------------------------------------------------------- + +1) The Shorewall6-lite shorecap program was including the wrong + library. Also, Shorewall6 is determining the availablity of the + mangle table before it ensures that ip6tables is installed. ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 4 . 4 . 1 diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.4.1/shorewall.spec shorewall-4.4.4.2/shorewall.spec --- shorewall-4.4.4.1/shorewall.spec 2009-11-21 15:37:22.000000000 -0800 +++ shorewall-4.4.4.2/shorewall.spec 2009-12-06 08:48:09.000000000 -0800 @@ -1,6 +1,6 @@ %define name shorewall %define version 4.4.4 -%define release 1 +%define release 2 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} 
@@ -106,6 +106,8 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples %changelog +* Sun Dec 06 2009 Tom Eastep tom@shorewall.net +- Updated to 4.4.4-2 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net - Updated to 4.4.4-1 * Fri Nov 13 2009 Tom Eastep tom@shorewall.net diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.4.1/uninstall.sh shorewall-4.4.4.2/uninstall.sh --- shorewall-4.4.4.1/uninstall.sh 2009-11-21 15:37:22.000000000 -0800 +++ shorewall-4.4.4.2/uninstall.sh 2009-12-06 08:48:09.000000000 -0800 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.4.1 +VERSION=4.4.4.2 usage() # $1 = exit status {