diff -Naur -X /usr/local/bin/exclude.txt shorewall6-lite-4.4.5/changelog.txt shorewall6-lite-4.4.5.4/changelog.txt
--- shorewall6-lite-4.4.5/changelog.txt 2009-12-19 07:28:11.000000000 -0800
+++ shorewall6-lite-4.4.5.4/changelog.txt 2009-12-24 10:33:14.000000000 -0800
@@ -1,3 +1,19 @@
+Changes in Shorewall 4.4.5.4
+
+1) Fix breakage in Shorewall6 'forward' interface option.
+
+Changes in Shorewall 4.4.5.3
+
+1) Yet another fix for the ^%$& ROUTE_FILTER mess.
+
+Changes in Shorewall 4.4.5.2
+
+1) Allow KERNELVERSION in capabilities file.
+
+Changes in Shorewall 4.4.5.1
+
+1) Handle rp_filter and kernel's 2.6.31 and later.
+
 Changes in Shorewall 4.4.5
 
 1) Fix 15-port limit removal change.
diff -Naur -X /usr/local/bin/exclude.txt shorewall6-lite-4.4.5/fallback.sh shorewall6-lite-4.4.5.4/fallback.sh
--- shorewall6-lite-4.4.5/fallback.sh 2009-12-19 07:24:17.000000000 -0800
+++ shorewall6-lite-4.4.5.4/fallback.sh 2009-12-24 10:32:48.000000000 -0800
@@ -28,7 +28,7 @@
 # shown below. Simply run this script to revert to your prior version of
 # Shoreline Firewall.
 
-VERSION=4.4.5
+VERSION=4.4.5.4
 
 usage() # $1 = exit status
 {
diff -Naur -X /usr/local/bin/exclude.txt shorewall6-lite-4.4.5/install.sh shorewall6-lite-4.4.5.4/install.sh
--- shorewall6-lite-4.4.5/install.sh 2009-12-19 07:24:17.000000000 -0800
+++ shorewall6-lite-4.4.5.4/install.sh 2009-12-24 10:32:48.000000000 -0800
@@ -22,7 +22,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.5
+VERSION=4.4.5.4
 
 usage() # $1 = exit status
 {
diff -Naur -X /usr/local/bin/exclude.txt shorewall6-lite-4.4.5/lib.base shorewall6-lite-4.4.5.4/lib.base
--- shorewall6-lite-4.4.5/lib.base 2009-12-19 07:28:11.000000000 -0800
+++ shorewall6-lite-4.4.5.4/lib.base 2009-12-24 10:33:14.000000000 -0800
@@ -33,7 +33,7 @@
 #
 
 SHOREWALL_LIBVERSION=40300
-SHOREWALL_CAPVERSION=40402
+SHOREWALL_CAPVERSION=40406
 
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
@@ -872,6 +872,7 @@
 qt $IP6TABLES -X $chain1
 
 CAPVERSION=$SHOREWALL_CAPVERSION
+ KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 }
 
 report_capabilities() {
@@ -988,6 +989,7 @@
 report_capability1 LOG_TARGET
 
 echo CAPVERSION=$SHOREWALL_CAPVERSION
+ echo KERNELVERSION=$KERNELVERSION
 }
 
 detect_gateway() # $1 = interface
diff -Naur -X /usr/local/bin/exclude.txt shorewall6-lite-4.4.5/releasenotes.txt shorewall6-lite-4.4.5.4/releasenotes.txt
--- shorewall6-lite-4.4.5/releasenotes.txt 2009-12-19 07:28:11.000000000 -0800
+++ shorewall6-lite-4.4.5.4/releasenotes.txt 2009-12-24 10:33:14.000000000 -0800
@@ -1,4 +1,4 @@
-Shorewall 4.4.5
+Shorewall 4.4.5 Patch Release 4.
 ----------------------------------------------------------------------------
 R E L E A S E 4 . 4 H I G H L I G H T S
 
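Review bot: The KERNELVERSION assignment added in the `@@ -872` hunk has no fallback when `uname -r` produces something the sed pattern does not reduce to three numeric fields: uname's stderr is silenced, the pattern only matches `N.N.N`, and printf is then handed the raw string, which in bash yields an "invalid number" complaint and a zero-padded value rather than an empty one. `report_capabilities` (the `@@ -988` hunk) writes that value into the capabilities file as if it were a real version, and the release notes on this page say the compiler selects between the old and new rp_filter semantics from it and only applies the 2.6.30 fallback when the value is absent, so a garbled value can silently choose the wrong routefilter behaviour. I would assign KERNELVERSION only when the output has three numeric components and otherwise leave it empty so the documented fallback applies; whether an empty `KERNELVERSION=` line in the file is treated as absent by the compiler is not visible here and should be confirmed. The function this line belongs to begins above the hunk.
```shell
    CAPVERSION=$SHOREWALL_CAPVERSION
    # Record the running kernel as MMmmpp only when uname -r has three
    # numeric fields; otherwise leave it empty so the compiler's
    # 2.6.30 fallback applies instead of a garbled value.
    KERNELVERSION=
    case "$(uname -r 2> /dev/null)" in
        [0-9]*.[0-9]*.[0-9]*)
            KERNELVERSION=$(printf "%d%02d%02d" $(uname -r | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
            ;;
    esac
```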
@@ -170,6 +170,91 @@
 then it may have no additional members in /etc/shorewall/hosts.
 
 ----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 4 . 4 . 5 . 4
+----------------------------------------------------------------------------
+
+1) With Shorewall 4.4.5.3, using a capabilities file with Shorewall6
+ will result in the following warnings during compilation:
+
+ WARNING: Your capabilities file is out of date -- it does not
+ contain all of the capabilities defined by Shorewall6 version
+ 4.4.5.3
+
+ WARNING: Your capabilities file does not contain a Kernel
+ Version -- using 2.6.30
+
+2) The change in Shoreawll 4.4.5.1 broke the 'forward' interface
+ option in Shorewall6.
+
+----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 4 . 4 . 5 . 3
+----------------------------------------------------------------------------
+
+1) 'shorewall6 start' on Shorewall 4.4.5.2 generates a Perl run-time
+ error. Also, handling of ROUTE_FILTER on kernel 2.6.31 and later
+ was broken.
+
+----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 4 . 4 . 5 . 2
+----------------------------------------------------------------------------
+
+1) When using an up-to-date capabilities file with Shorewall 4.4.5.1, the
+ following warning messages were issued.
+
+ WARNING: Unknown capability (KERNELVERSION)
+ ignored : /etc/shorewall2/capabilities (line 49)
+ WARNING: Your capabilities file does not contain a Kernel Version --
+ using 2.6.30
+
+----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 4 . 4 . 5 . 1
+----------------------------------------------------------------------------
+
+1) In kernel 2.6.31, the handling of the rp_filter interface option was
+ changed incompatibly. Previously, the effective value was determined
+ by the setting of net.ipv4.config.dev.rp_filter logically ANDed with
+ the setting of net.ipv4.config.all.rp_filter.
+
+ Beginning with kernel 2.6.31, the value is the arithmetic MAX of
+ those two values.
+
+ Given that Shorewall sets net.ipv4.config.all.rp_filter to 1 if
+ there are any interfaces specifying 'routefilter', specifying
+ 'routefilter' on any interface has the effect of setting the option
+ on all interfaces.
+
+ To allow Shorewall to handle this issue, a number of changes were
+ necessary:
+
+ a) There is no way to safely determine if a kernel supports the
+ new semantics or the old so the Shorewall compiler uses the
+ kernel version reported by uname.
+
+ b) This means that the kernel version is now recorded in
+ the capabilities file. So if you use capabilities files, you
+ need to regenerate the files with Shorewall[-lite] 4.4.5.1.
+
+ c) If the capabilities file does not contain a kernel version,
+ the compiler assumes version 2.6.30 (the old rp_filter
+ behavior).
+
+ d) The ROUTE_FILTER option in shorewall.conf now accepts the
+ following values:
+
+ 0 or No - Shorewall sets net.ipv4.config.all.rp_filter to 0.
+ 1 or Yes - Shorewall sets net.ipv4.config.all.rp_filter to 1.
+ 2 - Shorewall sets net.ipv4.config.all.rp_filter to 2.
+ Keep - Shorewall does not change the setting of
+ net.ipv4.config.all.rp_filter if the kernel version
+ is 2.6.31 or later.
+
+ The default remains Keep.
+
+ e) The 'routefilter' interface option can have values 0,1 or 2. If
+ 'routefilter' is specified without a value, the value 1 is
+ assumed.
+
+----------------------------------------------------------------------------
 P R O B L E M S C O R R E C T E D I N 4 . 4 . 5
 ----------------------------------------------------------------------------
 
diff -Naur -X /usr/local/bin/exclude.txt shorewall6-lite-4.4.5/shorewall6-lite.spec shorewall6-lite-4.4.5.4/shorewall6-lite.spec
--- shorewall6-lite-4.4.5/shorewall6-lite.spec 2009-12-19 07:24:17.000000000 -0800
+++ shorewall6-lite-4.4.5.4/shorewall6-lite.spec 2009-12-24 10:32:48.000000000 -0800
@@ -1,6 +1,6 @@
 %define name shorewall6-lite
 %define version 4.4.5
-%define release 0base
+%define release 4
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -91,6 +91,14 @@
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-4
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-4
+* Sun Dec 20 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-2
+* Sat Dec 19 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-1
 * Fri Nov 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.5-0base
 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net
diff -Naur -X /usr/local/bin/exclude.txt shorewall6-lite-4.4.5/uninstall.sh shorewall6-lite-4.4.5.4/uninstall.sh
--- shorewall6-lite-4.4.5/uninstall.sh 2009-12-19 07:24:17.000000000 -0800
+++ shorewall6-lite-4.4.5.4/uninstall.sh 2009-12-24 10:32:48.000000000 -0800
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.5
+VERSION=4.4.5.4
 
 usage() # $1 = exit status
 {