shorewall_code/Shorewall/changelog.txt

Changes in Shorewall 4.4.17 Beta 1

1) Improve readability of logging logic in expand_rule().

2) Improve efficency of oddball targets in process_rule1().

3) Export (param,value) pairs with EXPORTPARAMS=No.

Changes in Shorewall 4.4.16 RC 1

1) Fix logging for jump to nat chain.

Changes in Shorewall 4.4.16 Beta 8

1)  Complete parameterized actions.

2)  Fix issue in expand_rule().

3)  Eliminate Actions module.

4)  Eliminate process_actions3().

5)  Validate BLACKLIST_DISPOSITION.

Changes in Shorewall 4.4.16 Beta 7

1)  Parameterized actions.

Changes in Shorewall 4.4.16 Beta 6

1)  Don't let root match wildcard.

2)  Fix use of wildcard names in the notrack file.

3)  Fix use of wildcard names in the proxyarp file

4)  Prevent perl runtime warnings with cached interface entries.

Changes in Shorewall 4.4.16 Beta 5

1)  Fix broken logical naming with Proxy ARP.

2)  Add support for proxyndp.

3)  Move mid-level rule processing to the Actions module.

4)  Implement format-2 actions.

5)  Allow DNAT and REDIRECT in actions.

6)  Remove kludgy restrictions regarding Macros and Actions.

Changes in Shorewall 4.4.16 Beta 4

1)  Only issue get_params() warnings under 'trace'

2)  Add ppp support to Shorewall-init

Changes in Shorewall 4.4.16 Beta 3

1)  Integrate bug catcher into 'trace' and correct handling of
    getparams on old (RHEL 5) shells.

Changes in Shorewall 4.4.16 Beta 2

1)  Install bug catcher.

Changes in Shorewall 4.4.16 Beta 1

1)  Handle multi-line ENV values

2)  Fix for absent params file.

Changes in Shorewall 4.4.15

1)  Add macros from Tuomo Soini.

2)  Corrected macro.JAP.

3)  Added fatal_error() functions to the -lite CLIs.

RC 1

1)  Another Perl 5.12 warning.

2)  Avoid anomalous behavior regarding syn flood chains.

3)  Add HEADERS column for IPv6

Beta 2

1)  Tweaks to IPv6 tcfilters

2)  Add support for explicit provider routes

3)  Fix shared TC tcfilters handling.

Beta 1

1)  Handle exported VERBOSE.

2)  Modernize handling of the params file.

3)  Fix NULL_ROUTE_RFC1918

4)  Fix problem of appending incorrect files.

5)  Implement shared TC.

Changes in Shorewall 4.4.14

1)  Support ipset lists.

2)  Use conntrack in 'shorewall connections'

3)  Clean up Shorewall6 error messages when running on a kernel <
    2.6.24

4)  Clean up ipset related error reporting out of validate_net().

5)  Dramatically reduce the amount of CPU time spent in optimization.

6)  Add 'scfilter' script.

7)  Fix -lite init scripts.

8)  Clamp VERBOSITY to valid range.

9)  Delete obsolete options from shorewall.conf.

10) Change value of FORWARD_CLEAR_MARK in *.conf.

11) Use update-rc.d to install init symlinks.

12) Fix split_list().

13) Fix 10+ TC Interfaces.

14) Insure that VERBOSITY=0 when interrogating compiled script's version

Changes in Shorewall 4.4.13

1)  Allow zone lists in rules SOURCE and DEST.

2)  Fix exclusion in the blacklist file.

3)  Correct several old exclusion bugs.

4)  Fix exclusion with CONTINUE/NONAT/ACCEPT+

5)  Re-implement optional interface handling.

6)  Add secmark config file.

7)  Split in and out blacklisting.

8)  Correct handling of [{src|dst},...] in ipset invocation

9)  Correct SAME.

10) TC Enhancements:

    <burst> in IN-BANDWIDTH columns.
    OUT-BANDWIDTH column in tcinterfaces.

11) Create dynamic zone ipsets on 'start'.

12) Remove new blacklisting implementation.

13) Implement an alternative blacklisting scheme.

14) Use '-m state' for UNTRACKED.

15) Clear raw table on 'clear'

16) Correct port-range check in tcfilters.

17) Disallow '*' in interface names.

Changes in Shorewall 4.4.12

1)  Fix IPv6 shorecap program.

2)  Eradicate incorrect IPv6 Multicast Network

3)  Add ADD/DEL support.

4)  Allow :random to work with REDIRECT

5)  Add per-ip log rate limiting.

6)  Use new hashlimit match syntax if available.

7)  Add Universal sample.

8)  Add COMPLETE option.

9)  Make ICMP a synonym for IPV6-ICMP in ipv6 configs.

10) Support new set match syntax.

11) Blacklisting by DEST IP.

12) Fix duplicate rule generation with 'any'.

13) Fix port range editing problem.

14) Display the .conf file directory in response to the status command.

15)  Correct AUTOMAKE

Changes in Shorewall 4.4.11

1)  Apply patch from Gabriel.

2)  Fix IPSET match detection when a pathname is specified for IPSET.

3)  Fix start priority of shorewall-init on Debian

4)  Make IPv6 log and connections output readable.

5)  Add REQUIRE_INTERFACE to shorewall*.conf

6)  Avoid run-time warnings when options are not listed in
    shorewall.conf.

7)  Implement Vserver zones.

8)  Make find_hosts_by_option() work correctly where ALL_IP appears in
    hosts file.

9)  Add CLEAR_FORWARD_MARK option.

10) Avoid missing closing quote when REQUIRE_INTERFACE=Yes.

11) Add PERL option.

12) Fix nets= in Shorewall6

Changes in Shorewall 4.4.10

1)  Fix regression with scripts.

2)  Log startup errors.

3)  Implement Shorewall-init.

4)  Add SAFESTOP option to /etc/default/shorewall*

5)  Restore -a functionality to the version command.

6)  Correct Optimization issue

7)  Rename PREFIX to DESTDIR in install scripts

8)  Correct handling of optional/required interfaces with wildcard names.

Changes in Shorewall 4.4.9

1)  Auto-detection of bridges.

2)  Correct handling of a logical interface name in the EXTERNAL column
    of proxyarp.

3)  More robust 'trace'.

4)  Added IPv6 mDNS macro.

5)  Fix find_first_interface_address() error reporting.

6)  Fix propagation of zero-valued config variables.

7)  Fix OPTIMIZE 4 bug.

8)  Deallocate unused rules.

9)  Keep rule arrays compressed during optimization.

10) Remove remaining fallback scripts.

11) Rationalize startup logs.

12) Optimize 8.

13) Don't create output chains for BPORT zones.

14) Implement 'show log ip-addr' in /sbin/shorewall and
    /sbin/shorewall-lite/

15) Restore lone ACCEPT rule to the OUTPUT chain under OPTIMIZE 2.

16) Change chain policy on OUTPUT chain with lone ACCEPT rule.

17) Set IP before sourcing the params file.

18) Fix rare optimization bug.

19) Allow definition of an addressless bridge without a zone.

20) In the routestopped file, assume 'routeback' if the interface has
    'routeback'.

21) Make Shorewall and Shorewall6 installable on OS X.

Changes in Shorewall 4.4.8

1)  Correct handling of RATE LIMIT on NAT rules.

2)  Don't create a logging chain for rules with '-j RETURN'.

3)  Avoid duplicate SFQ class numbers.

4)  Fix low per-IP rate limits.

5)  Fix Debian init script exit status

6)  Fix NFQUEUE(queue-num) in policy

7)  Implement -s option in install.sh

8)  Add HKP Macro

9)  Fix multiple policy matches with OPTIMIZE 4 and not KLUDGEFREE

10) Eliminate up-cased variable names that aren't documented options.

11) Don't show 'OLD' capabilities if they are not available.

12) Attempt to flag use of '-' as a port-range separator.

13) Add undocumented OPTIMIZE=-1 setting.

14) Replace OPTIMIZE=-1 with undocumented optimize 4096 which DISABLES
    default optimizations.

15) Add support for UDPLITE

16) Distinguish between 'Started' and 'Restored' in ${VARDIR}/state

17) Issue warnings when 'blacklist' but no blacklist file entries.

18) Don't optimize 'blacklst'.

Changes in Shorewall 4.4.7

1)  Backport optimization changes from 4.5.

2)  Backport two new options from 4.5.

3)  Backport TPROXY from 4.5

4)  Add TC_PRIOMAP to shorewall*.conf

5)  Implement LOAD_HELPERS_ONLY

6)  Avoid excessive module loading with LOAD_HELPERS_ONLY=Yes

7)  Fix case where MARK target is unavailable.

8)  Change default to ADD_IP_ALIASES=No

9)  Correct defects in generate_matrix().

10) Fix and optimize 'nosmurfs'.

11) Use 'OLD_HL_MATCH' to suppress use of 'flow' in Simple TC.

Changes in Shorewall 4.4.6

1)  Fix for rp_filter and kernel 2.6.31.

2)  Add a hack to work around a bug in Lenny + xtables-addons

3)  Re-enable SAVE_IPSETS

4)  Allow both <...> and [...] for IPv6 Addresses.

5)  Port mark geometry change from 4.5.

6)  Add Macro patch from Tuomo Soini

7)  Add 'show macro' command.

8)  Add -r option to check.

9)  Port simplified TC from 4.5.

Changes in Shorewall 4.4.5

1)  Fix 15-port limit removal change.

2)  Fix handling of interfaces with the 'bridge' option.

3)  Generate error for port number 0

4)  Allow zone::serverport in rules DEST column.

5)  Fix 'show policies' in Shorewall6.

6)  Auto-load tc modules.

7)  Allow LOGFILE=/dev/null

8)  Fix shorewall6-lite/shorecap

9) Fix MODULE_SUFFIX.

10) Fix ENHANCED_REJECT detection for IPv4.

11) Fix DONT_LOAD vs 'reload -c'

12) Fix handling of SOURCE and DEST vs macros.

13) Remove silly logic in expand_rule().

14) Add current and limit to Conntrack Table Heading.

Changes in Shorewall 4.4.4

1)  Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.

2)  Fix access to uninitialized variable.

3)  Add logrotate scripts.

4)  Allow long port lists in /etc/shorewall/routestopped.

5)  Implement 'physical' interface option.

6)  Implement ZONE2ZONE option.

7)  Suppress duplicate COMMENT warnings.

8)  Implement 'show policies' command.

9)  Fix route_rule suppression for down provider.

10) Suppress redundant tests for provider availability in route rules
    processing.

11) Implement the '-l' option to the 'show' command.

12) Fix class number assignment when WIDE_TC_MARKS=Yes

13) Allow wide marks in tcclasses when WIDE_TC_MARKS=Yes

Changes in Shorewall 4.4.3

1)  Move Debian INITLOG initialization to /etc/default/shorewall

2)  Fix 'routeback' in /etc/shorewall/routestopped.

3)  Rename 'object' to 'script' in compiler and config modules.

4)  Correct RETAIN_ALIASES=No.

5)  Fix detection of IP config.

6)  Fix nested zones.

7)  Move all function declarations from prog.footer to prog.header

8)  Remove superfluous variables from generated script

9)  Make 'track' the default.

10)  Add TRACK_PROVIDERS option.

11)  Fix IPv6 address parsing bug.

12)  Add hack to work around iproute IPv6 bug in route handling

13)  Correct messages issued when an optional provider is not usable.

14)  Fix optional interfaces.

15)  Add 'limit' option to tcclasses.

Changes in Shorewall 4.4.2

1)  BUGFIX: Correct detection of Persistent SNAT support

2)  BUGFIX: Fix chain table initialization

3)  BUGFIX: Validate routestopped file on 'check'

4)  Let the Actions module add the builtin actions to
    %Shorewall::Chains::targets. Much better modularization that way.

5)  Some changes to make Lenny->Squeeze less painful.

6)  Allow comments at the end of continued lines.

7)  Call process_routestopped() during 'check' rather than
    'compile_stop_firewall()'.

8)  Don't look for an extension script for built-in actions.

9)  Apply Jesse Shrieve's patch for SNAT range.

10) Add -<family> to 'ip route del default' command.

11) Add three new columns to macro body.

12) Change 'wait4ifup' so that it requires no PATH

13) Allow extension scripts for accounting chains.

14) Allow per-ip LIMIT to work on ancient iptables releases.

15) Add 'MARK' column to action body.

Changes in Shorewall 4.4.1

1)  Deleted extra 'use ...IPAddrs.pm' from Nat.pm.

2)  Deleted superfluous export from Chains.pm.

3)  Added support for --persistent.

4)  Don't do module initialization in an INIT block.

5)  Minor performance improvements.

6)  Add 'clean' target to Makefile.

7)  Redefine 'full' for sub-classes.

8)  Fix log level in rules at the end of INPUT and OUTPUT chains.

9)  Fix nested ipsec zones.

10) Change one-interface sample to IP_FORWARDING=Off.

11) Allow multicast to non-dynamic zones defined with nets=.

12) Allow zones with nets= to be extended by /etc/shorewall/hosts
    entries.

13) Don't allow nets= in a multi-zone interface definition.

14) Fix rule generated by MULTICAST=Yes

15) Fix silly hole in zones file parsing.

16) Tighen up zone membership checking.

17) Combine portlist-spitting routines into a single function.

Changes in Shorewall 4.4.0

1)  Fix 'compile ... -' so that it no longer requires '-v-1'

2)  Fix rule generation for logging nat rules with no exclusion.

3)  Fix log record formatting.

4)  Restore ipset binding

5)  Fix 'upnpclient' with required interfaces.

6)  Fix provider number in masq file.

Changes in Shorewall 4.4.0-RC2

1)  Fix capabilities file with Shorewall6.

2)  Allow Shorewall6 to recognize TC, IP and IPSET

3)  Make 'any' a reserved zone name.

4)  Correct handling of an ipsec zone nested in a non-ipsec zone.

Changes in Shorewall 4.4.0-RC1

1)  Delete duplicate Git macro.

2)  Fix routing when no providers.

3)  Add 'any' as a SOURCE/DEST in rules.

4)  Fix NONAT on child zone.

5)  Fix rpm -U from earlier versions

6)  Generate error on 'status' by non-root.

7)  Get rid of prog.functions and prog.functions6

Changes in Shorewall 4.4.0-Beta4

1)  Add more macros.

2)  Correct broadcast address detection

3) Fix 'show dynamic'

4) Fix BGP and OSFP macros.

5) Change DISABLE_IPV6 default and use 'correct' ip6tables.

Changes in Shorewall 4.4.0-Beta3

1)  Add new macros.

2)  Work around mis-configured interfaces.

3)  Fix 'show dynamic'.

4)  Check for xt_LOG.

5)  Fix 'findgw'

Changes in Shorewall 4.4.0-Beta2

1)  The 'find_first_interface_address()' and
    'find_first_interface_address_if_any()' functions have been restored to
    lib.base.

2)  Integerize r2q before inserting it into 'tc qdisc add root'
    command.

3)  Remove '-h' from the help text for install.sh in Shorewall and
    Shorewall6.

4)  Delete the 'continue' file from the Shorewall package.

5)  Add 'upnpclient' interface option.

6)  Fix handling of optional interfaces.

7)  Add 'iptrace' and 'noiptrace' command.

8)  Add 'USER/GROUP' column to masq file.

9)  Added lib.private.

Changes in Shorewall 4.4.0-Beta1

1)  Correct typo in Shorewall6 two-interface sample shorewall.conf.

2)  Fix TOS mnemonic handling in /etc/shorewall/tcfilters.

Changes in Shorewall 4.3.12

1) Eliminate 'large quantum' warnings.

2) Add HFSC support.

3) Delete support for ipset binding. Jozsef has removed the capability
   from ipset.

4) Add TOS and LENGTH columns to tcfilters file.

5) Fix 'reset' command.

6) Fix 'findgw'.

7) Remove 'norfc1918' support.

Changes in Shorewall 4.3.11

1) Reduce the number of arguments passed in may cases.

2) Fix SCTP source port handling in tcfilters.

3) Add 'findgw' user exit.

4) Add macro.Trcrt

Changes in Shorewall 4.3.10

1) Fix handling of shared optional providers.

2) Add WIDE_TC_MARKS option.

3) Allow compile to STDOUT.

4) Fix handling of class IDs.

5) Deprecate use of an interface in the SOURCE column of
   /etc/shorewall/masq.

6) Fix handling of 'all' in the SOURCE of DNAT- rules.

7) Fix compile for export.

8) Optimize IPMARK.

9) Implement nested HTB classes.

10) Fix 'iprange' command.

11) Make traffic shaping work better with IPv6.

12) Externalize 'flow'.

13) Fix 'start' with AUTOMAKE=Yes

Changes in Shorewall 4.3.9

1) Logging rules now create separate chain.

2) Fix netmask genereation in tcfilters.

3) Allow Shorewall6 with kernel 2.6.24

4) Avoid 'Invalid BROADCAST address' errors.

5) Allow Shorewall6 on kernel 4.2.24:Shorewall/changelog.txt

6) Add IP, TC and IPSET options in shorewall.conf and shorewall6.conf.

7) Add IPMARK support

Changes in Shorewall 4.3.8

1) Apply Tuomo Soini's patch for USE_DEFAULT_RT.

2) Use 'startup_error' for those errors caught early.

3) Fix swping

4) Detect gateway via dhclient leases file.

5) Suppress leading whitespace on certain continuation lines.

6) Use iptables[6]-restore to stop the firewall.

7) Add AUTOMAKE option

8) Remove SAME support.

9) Allow 'compile' without a pathname.

10) Fix LOG_MARTIANS=Yes.

11) Adapt I. Buijs's hashlimit patch.

Changes in Shorewall 4.3.7

1)  Fix forward treatment of interface options.

2)  Replace $VARDIR/.restore with $VARDIR/firewall

3)  Fix DNAT- parsing of DEST column.

4)  Implement dynamic zones

5)  Allow 'HOST' options on bridge ports.

6)  Deprecate old macro parameter syntax.

Changes in Shorewall 4.3.6

1)  Add SAME tcrules target.

2)  Make 'dump' display the raw table. Fix shorewall6 dump anomalies.

3)  Fix split_list1()

4)  Fix Shorewall6 file location bugs.

Changes in Shorewall 4.3.5

1)  Remove support for shorewall-shell.

2)  Combine shorewall-common and shorewall-perl to produce shorewall.

3)  Add nets= OPTION in interfaces file.