diff -Naur -X /usr/local/bin/exclude.txt shorewall6-4.4.0/changelog.txt shorewall6-4.4.1/changelog.txt --- shorewall6-4.4.0/changelog.txt 2009-08-12 14:05:16.000000000 -0700 +++ shorewall6-4.4.1/changelog.txt 2009-09-03 06:57:35.000000000 -0700 @@ -1,3 +1,40 @@ +Changes in Shorewall 4.4.1 + +1) Deleted extra 'use ...IPAddrs.pm' from Nat.pm. + +2) Deleted superfluous export from Chains.pm. + +3) Added support for --persistent. + +4) Don't do module initialization in an INIT block. + +5) Minor performance improvements. + +6) Add 'clean' target to Makefile. + +7) Redefine 'full' for sub-classes. + +8) Fix log level in rules at the end of INPUT and OUTPUT chains. + +9) Fix nested ipsec zones. + +10) Change one-interface sample to IP_FORWARDING=Off. + +11) Allow multicast to non-dynamic zones defined with nets=. + +12) Allow zones with nets= to be extended by /etc/shorewall/hosts + entries. + +13) Don't allow nets= in a multi-zone interface definition. + +14) Fix rule generated by MULTICAST=Yes + +15) Fix silly hole in zones file parsing. + +16) Tighen up zone membership checking. + +17) Combine portlist-spitting routines into a single function. + Changes in Shorewall 4.4.0 1) Fix 'compile ... -' so that it no longer requires '-v-1' @@ -10,7 +47,7 @@ 5) Fix 'upnpclient' with required interfaces. -5) Fix provider number in +5) Fix provider number in masq file. Changes in Shorewall 4.4.0-RC2 @@ -216,10 +253,8 @@ 1) Remove support for shorewall-shell. -2) Combine shorewall-common and shorewall-perl to product shorewall. +2) Combine shorewall-common and shorewall-perl to produce shorewall. 3) Add nets= OPTION in interfaces file. -4) Add SAME MARK/CLASSIFY target - diff -Naur -X /usr/local/bin/exclude.txt shorewall6-4.4.0/fallback.sh shorewall6-4.4.1/fallback.sh --- shorewall6-4.4.0/fallback.sh 2009-08-12 14:04:22.000000000 -0700 +++ shorewall6-4.4.1/fallback.sh 2009-09-02 15:30:26.000000000 -0700 
@@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.4.0 +VERSION=4.4.1 usage() # $1 = exit status { diff -Naur -X /usr/local/bin/exclude.txt shorewall6-4.4.0/install.sh shorewall6-4.4.1/install.sh --- shorewall6-4.4.0/install.sh 2009-08-12 14:04:22.000000000 -0700 +++ shorewall6-4.4.1/install.sh 2009-09-02 15:30:26.000000000 -0700 @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.0 +VERSION=4.4.1 usage() # $1 = exit status { diff -Naur -X /usr/local/bin/exclude.txt shorewall6-4.4.0/lib.base shorewall6-4.4.1/lib.base --- shorewall6-4.4.0/lib.base 2009-08-12 14:04:22.000000000 -0700 +++ shorewall6-4.4.1/lib.base 2009-09-02 15:30:26.000000000 -0700 @@ -33,7 +33,7 @@ # SHOREWALL_LIBVERSION=40300 -SHOREWALL_CAPVERSION=40310 +SHOREWALL_CAPVERSION=40401 [ -n "${VARDIR:=/var/lib/shorewall6}" ] [ -n "${SHAREDIR:=/usr/share/shorewall6}" ] diff -Naur -X /usr/local/bin/exclude.txt shorewall6-4.4.0/Makefile shorewall6-4.4.1/Makefile --- shorewall6-4.4.0/Makefile 2009-08-12 14:04:22.000000000 -0700 +++ shorewall6-4.4.1/Makefile 2009-09-02 15:30:26.000000000 -0700 @@ -14,4 +14,8 @@ /sbin/shorewall6 -q restart 2>&1 | tail >&2; \ fi +clean: + @rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~ +.PHONY: clean + # EOF diff -Naur -X /usr/local/bin/exclude.txt shorewall6-4.4.0/releasenotes.txt shorewall6-4.4.1/releasenotes.txt --- shorewall6-4.4.0/releasenotes.txt 2009-08-12 14:05:16.000000000 -0700 +++ shorewall6-4.4.1/releasenotes.txt 2009-09-03 06:57:35.000000000 -0700 @@ -1,4 +1,4 @@ -Shorewall 4.4.0 +Shorewall 4.4.1 ---------------------------------------------------------------------------- R E L E A S E 4 . 4 H I G H L I G H T S 
@@ -13,6 +13,8 @@ Token Bucket" queuing discipline where realtime traffic such as VOIP is being used. + HTB remains the default queuing discipline. + 3) Support for the "flow" traffic classifier has been added. This classifier can help prevent multi-connection applications such as BitTorrent from using an unfair amount of bandwidth. 
@@ -151,60 +153,124 @@ 10) The name 'any' is now reserved and may not be used as a zone name. +11) Perl module initialization has changed in Shorewall + 4.4.1. Previously, each Shorewall Perl package would initialize its + global variables for IPv4 in an INIT block. Then, if the + compilation turned out to be for IPv6, + Shorewall::Compiler::compiler() would reinitialize them for IPv6. + + Beginning in Shorewall 4.4.1, the modules do not initialize + themselves in an INIT block. So if you use Shorewall modules + outside of the Shorewall compilation environment, then you must + explicitly call the module's 'initialize' function after the module + has been loaded. + +12) Checking for zone membership has been tighened up. Previously, + a zone could contain :0.0.0.0/0 along with other hosts; + now, if the zone has :0.0.0.0/0 (even with exclusions), + then it may have no additional members in /etc/shorewall/hosts. + ---------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 4 . 0 + P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 ---------------------------------------------------------------------------- -1) When compiling to standard out, it is no longer necessary to - specify '-v-1' to suppress the 'Compiling...' progress message - -2) Previously, Shorewall would generate invalid iptables-restore input - if all of these conditions were met: - - - a nat rule (DNAT, REDIRECT, DNAT-, etc.) changed the destination - port number - - logging was specified on the rule - - no non-trivial exclusions in the rule (a non-trivial exclusion is - one whose exclusion list has more than one element) - - Example of rule: +1) If ULOG was specified as the LOG LEVEL in the all->all policy, the + rules at the end of the INPUT and OUTPUT chains would still use the + LOG target rather than ULOG. + +2) Using CONTINUE policies with a nested IPSEC zone was still broken + in some cases. 
+ +3) The setting of IP_FORWARDING has been change to Off in the + one-interface sample configuration since forwarding is typically + not required with only a single interface. + +4) If MULTICAST=Yes in shorewall.conf, multicast traffic was + incorrectly exempted from ACCEPT policies. + +5) Previously, the definition of a zone that specified "nets=" in + /etc/shorewall/interfaces could not be extended by entries in + /etc/shorewall/hosts. + +6) Previously, "nets=" could be specified in a multi-zone interface + definition ("-" in the ZONES column) in /etc/shorewall/zones. This + now raises a fatal compilation error. + +7) MULTICAST=Yes generates an incorrect rule that limits its + effectiveness to a small part of the multicast address space. + +8) Checking for zone membership has been tighened up. Previously, + a zone could contain :0.0.0.0/0 along with other hosts; + now, if the zone has :0.0.0.0/0 (even with exclusions), + then it may have no additional members in /etc/shorewall/hosts. - REDIRECT:ULOG wall 82 tcp 80 - - Example of error message: +---------------------------------------------------------------------------- + K N O W N P R O B L E M S R E M A I N I N G +---------------------------------------------------------------------------- - iptables v1.3.5: Need TCP or UDP with port specification - Try `iptables -h' or 'iptables --help' for more information. - ERROR: Command "/sbin/iptables -A log0 -j REDIRECT --to-port - 82" Failed +None. -3) Previously, log displays from the 'dump', 'show log' and 'logwatch' - commands did not properly suppress redundant fields in the records - (host name, and leading constant part of the LOGPREFIX). +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 4 . 1 +---------------------------------------------------------------------------- -4) Given that Jozsef Kadlecsik has not yet released ipset 3.1, ipset - bindings are once again supported. 
+1) To replace the SAME keyword in /etc/shorewall/masq, support has + been added for 'persistent' SNAT. Persistent SNAT is required when + an address range is specified in the ADDRESS column and when you + want a client to always receive the same source/destination IP + pair. It replaces SAME: which was removed in Shorewall 4.4.0. -5) The 'upnpclient' option only worked correctly if 'optional' was - also specified for the interface. + To specify persistence, follow the address range with + ":persistent". -6) Where more than one internet provider shares the same external - interface, specifying the provider by number in /etc/shorewall/masq - (e.g., eth1(2)) resulted in the fatal compilation error: + Example: - ERROR: 2 is not a shared-interface provider + #INTERFACE SOURCE ADDRESS + eth0 0.0.0.0/0 206.124.146.177-206.124.146.179:persistent - Also, the shorewall-masq (5) man page did not describe the syntax - for specifying the provider. + This feature requires Persistent SNAT support in your kernel and + iptables. ----------------------------------------------------------------------------- - K N O W N P R O B L E M S R E M A I N I N G ----------------------------------------------------------------------------- + If you use a capabilities file, you will need to create a new one + as a result of this feature. -None. + WARNING: Linux kernels beginning with 2.6.29 include persistent + SNAT support. If your iptables supports persistent SNAT but your + kernel does not, there is no way for Shorewall to determine that + persistent SNAT isn't going to work. The kernel SNAT code blindly + accepts all SNAT flags without verifying them and returns them to + iptables when asked. + +2) A 'clean' target has been added to the Makefiles. It removes backup + files (*~ and .*~). + +3) The meaning of 'full' has been redefined when used in the context + of a traffic shaping sub-class. Previously, 'full' always meant the + OUT-BANDWIDTH of the device. 
In the case of a sub-class, however, + that definition is awkward to use because the sub-class is limited + by the parent class. + + Beginning with this release, 'full' in a sub-class definition + refers to the specified rate defined for the parent class. So + 'full' used in the RATE column refers to the parent class's RATE; + when used in the CEIL column, 'full' refers to the parent class's + CEIL. + + As part of this change, the compiler now issues a warning if the + sum of the top-level classes' RATEs exceeds the OUT-BANDWIDTH of + the device. Similarly, a warning is issued if the sum of the RATEs + of a class's sub-classes exceeds the rate of the CLASS. + +4) When 'nets=' or 'nets=(,,...) is specified in + /etc/shorewall/interfaces, multicast traffic will now be sent to + the zone along with limited broadcasts. + +5) A flaw in the parsing logic for the zones file allowed most zone + types containing the character string 'ip' to be accepted as a + synonym for 'ipv4' (or ipv6 if compiling an IPv6 configuration). ---------------------------------------------------------------------------- - N E W F E A T U R E S IN 4 . 4 + N E W F E A T U R E S I N 4 . 4 ---------------------------------------------------------------------------- 1) The Shorewall packaging has been completely revamped in Shorewall @@ -216,6 +282,8 @@ Shorewall-perl packages. Has everything needed to create an IPv4 firewall. + Shorewall-shell is no longer available. + - Shorewall6. Requires Shorewall. Adds the components necessary to create an IPv6 firewall. diff -Naur -X /usr/local/bin/exclude.txt shorewall6-4.4.0/shorewall6.spec shorewall6-4.4.1/shorewall6.spec --- shorewall6-4.4.0/shorewall6.spec 2009-08-12 14:04:22.000000000 -0700 +++ shorewall6-4.4.1/shorewall6.spec 2009-09-02 15:30:26.000000000 -0700 @@ -1,5 +1,5 @@ %define name shorewall6 -%define version 4.4.0 +%define version 4.4.1 %define release 0base Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems. 
@@ -93,6 +93,8 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6 %changelog +* Fri Aug 14 2009 Tom Eastep tom@shorewall.net +- Updated to 4.4.1-0base * Mon Aug 03 2009 Tom Eastep tom@shorewall.net - Updated to 4.4.0-0base * Tue Jul 28 2009 Tom Eastep tom@shorewall.net diff -Naur -X /usr/local/bin/exclude.txt shorewall6-4.4.0/uninstall.sh shorewall6-4.4.1/uninstall.sh --- shorewall6-4.4.0/uninstall.sh 2009-08-12 14:04:22.000000000 -0700 +++ shorewall6-4.4.1/uninstall.sh 2009-09-02 15:30:26.000000000 -0700 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.0 +VERSION=4.4.1 usage() # $1 = exit status {
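Review bot: two spelling errors in the new 4.4.1 entries of the first changelog.txt hunk (@@ -1,3 +1,40 @@): item 16 "Tighen up zone membership checking" should read "Tighten up", and item 17 "portlist-spitting routines" should read "portlist-splitting". Item 14 ("Fix rule generated by MULTICAST=Yes") is also the only entry without a terminating period.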
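Review bot: the changelog.txt hunk at @@ -10,7 +47,7 @@ completes the truncated line but keeps the duplicate item number: both "Fix 'upnpclient' with required interfaces." and "Fix provider number in masq file." are numbered 5). Since the line is being touched anyway, renumber the second entry to 6) so the 4.4.0 list stays sequential.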
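Review bot: the changelog.txt hunk at @@ -216,10 +253,8 @@ deletes the 4.4.0 entry "4) Add SAME MARK/CLASSIFY target" from an already released version's section with no replacement, while fixing the "product"/"produce" typo. If the entry was wrong (the feature never shipped), an explicit note in the 4.4.1 list would be clearer than silently rewriting the 4.4.0 history; readers diffing the two changelogs will otherwise wonder what became of item 4.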
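Review bot: VERSION=4.4.1 is bumped by hand in three places in this patch (fallback.sh, install.sh, uninstall.sh), with the same number repeated again in shorewall6.spec and encoded in lib.base's SHOREWALL_CAPVERSION. Consider having the release script derive the three shell scripts' VERSION from one source so a future bump cannot leave them disagreeing, since fallback.sh and uninstall.sh explicitly refuse to run against any other version.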
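Review bot: the new `clean` target in the Makefile hunk (@@ -14,4 +14,8 @@) runs `rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~`, and CONFDIR is defined outside this hunk. If make is invoked with CONFDIR unset or empty, the globs expand to `/*~` and `/.*~` and the recipe deletes backup files at the filesystem root. Guard the recipe, for example `@test -n "$(CONFDIR)" && rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~`, so an empty CONFDIR makes the target fail instead of running rm against `/`.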
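Review bot: several wording problems in the long releasenotes.txt hunk (@@ -151,60 +153,124 @@). "tighened" should be "tightened" in both places it appears (item 12 under the incompatible changes and item 8 under Problems Corrected); "has been change to Off" in Problems Corrected item 3 should be "has been changed to Off"; New Features item 4 has an unbalanced quote in "'nets=(,,...)"; Problems Corrected item 8 repeats item 12 of the preceding section verbatim and could simply refer to it; and Problems Corrected item 7 ("MULTICAST=Yes generates an incorrect rule") is in the present tense while every other corrected problem is described in the past tense. Separately, the persistent SNAT example (0.0.0.0/0, 206.124.146.177-206.124.146.179) and the /etc/shorewall paths are IPv4-specific, which is confusing in shorewall6's releasenotes.txt unless the file is intentionally shared with the shorewall package; a sentence saying so would help.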
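Review bot: the new %changelog entry in the shorewall6.spec hunk (@@ -93,6 +93,8 @@) is dated "Fri Aug 14 2009", but every file in this patch carries a 2009-09-02 or 2009-09-03 timestamp and the 4.4.0 entry below it is dated Aug 03. The date looks stale from an earlier draft of the release; check it before tagging, since rpm treats the %changelog dates as the release history.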