Remove superfluous test; switch release docs to 3.3.4

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4720 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-10-20 17:41:13 +00:00
parent 867a707d83
commit 796362b3ba
3 changed files with 116 additions and 147 deletions


@ -1,3 +1,7 @@
Changes in 3.3.4
1) Make exclusion work with "show zones"
Changes in 3.3.3 Changes in 3.3.3
1) Fix excluding in SUBNET column. 1) Fix excluding in SUBNET column.
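Review bot: the new changelog line `1) Make exclusion work with "show zones"` describes a fix to a display command, but the only code change in this commit is the removal of an early `continue` in `activate_rules()` (the commit message calls it a "superfluous test"); please make the 3.3.4 entry describe that change, or say how it relates to `show zones`, so the changelog matches what actually shipped.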


@ -4387,13 +4387,6 @@ activate_rules()
# If the zone has a single interface then what matters is how many ports it has # If the zone has a single interface then what matters is how many ports it has
# #
[ $num_ifaces -eq 1 -a -n "$ports" ] && num_ifaces=$(list_count1 $ports) [ $num_ifaces -eq 1 -a -n "$ports" ] && num_ifaces=$(list_count1 $ports)
#
# If we don't need to route back and if we have only one interface or one port to
# the zone then assume that hosts in the zone can communicate directly.
#
if [ $num_ifaces -lt 2 -a -z "$routeback" -a -z "$exclusions" ] ; then
continue
fi
else else
routeback= routeback=
num_ifaces=0 num_ifaces=0
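Review bot: the removed lines drop the early `continue` for zones with fewer than two interfaces or ports and no `routeback` or `exclusions`, together with the comment that explained why the skip was safe (hosts in such a zone were assumed to communicate directly). The commit message calls the test superfluous, but nothing in the hunk shows that the code after it now handles the single-interface case itself; please leave a one-line comment at this point stating why unconditional fall-through is now correct, so the next reader does not reintroduce the optimisation. The remaining context test `[ $num_ifaces -eq 1 -a -n "$ports" ]` also leaves `$num_ifaces` unquoted, which makes the test fail if the variable is ever empty; quoting it would be a cheap hardening while this block is being touched.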


@ -1,4 +1,4 @@
Shorewall 3.3.3 Shorewall 3.3.4
Note to users upgrading from Shorewall 3.0 or 3.3 Note to users upgrading from Shorewall 3.0 or 3.3
@ -31,149 +31,14 @@ Shorewall 3.3.3
Please see the "Migration Considerations" below for additional upgrade Please see the "Migration Considerations" below for additional upgrade
information. information.
Problems Corrected in 3.3.3 Problems Corrected in 3.3.4
1) Previously, the 'provider' portion of the packet mark was not being None.
cleared after routing for traffic that originates on the firewall
itself.
Other changes in 3.3.3 Other Changes in 3.3.4.
1) For users whose kernel and iptables have Extended MARK Target None.
support, it is now possible to logically AND or OR a value into the
current packet mark by preceding the mark value (and optional mask)
with an ampersand ("&") or vertical bar ("|") respectively.
Example: To logically OR the value 4 into the mark value for
packets from 192.168.1.1:
#MARK SOURCE
|4 192.168.1.1
2) Previously, zone names were restricted to five characters in
length. That length derives from the --log-prefix in Netfilter log
messages which must be 29 bytes or less in length. With the
standard Shorewall LOGFORMAT, 11 characters are left for the
chain name; since many chain names are of the form
<zone1>2<zone2>, we have a maximum zone name length of 5.
Beginning with this release, the maximum length of a zone name is
dependent on the LOGFORMAT (the maximum length may never be less
than 5 but it may be greater than 5). For example, setting
LOGFORMAT="FW:%s:%s:" will allow zone names of up to 8 characters.
As part of this change, /sbin/shorewall[-lite] no longer uses the
LOGFORMAT to select Shorewall messages from log files. Instead, it
uses the regular expression /IN=.* OUT=/ which will match any
netfilter-generated log message.
3) Netfilter provides support for attaching comments to Netfilter
rules. Comments can be up to 255 bytes in length and are
visible using the "shorewall show <chain>", "shorewall show nat",
"shorewall show mangle" and "shorewall dump" commands. Comments are
delimited by '/* ... */" in the output.
Beginning with Shorewall 3.3.3, you may place COMMENT lines in the
/etc/shorewall/rules, /etc/shorewall/tcrules, /etc/shorewall/nat
and /etc/shorewall/masq files and in action files. The remainder of
the line is treated as a comment and it will be attached as a
Netfilter comment to the rule(s) generated by the following entries
in the file.
Note: Do not prefix the comment with "#". Shorewall's two-pass
compiler strips off "#" comments in the first pass and processes
COMMENT lines in the second pass. So by the time that COMMENT is
processed, the "#" and everything after it has been removed (see
example below).
To stop the current comment from being attached to further
rules, simply include COMMENT on a line by itself (so that the
following rules will have no comment) or specify a new COMMENT.
If you do not have Comment support in your iptables/kernel (see the
output of "shorewall[-lite] show capabilities") then COMMENTS are
ignored with this warning:
COMMENT ignored -- requires comment support in iptables/Netfilter
Example from my rules file:
#SOURCE SOURCE DEST PROTO DEST PORT(S)
COMMENT Stop Microsoft Noise
REJECT loc net tcp 137,445
REJECT loc net udp 137:139
COMMENT # Stop comment from being attached to rules below
The output of "shorewall show loc2net" includes (folded):
0 0 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 137,445 /* Stop Microsoft Noise */
0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:137:139 /* Stop Microsoft Noise */
4) A new macro (macro.RDP) has been added for Microsoft Remote
Desktop. This macro was contributed by Tuomo Soini.
5) A new 'maclog' extension file has been added. This file is
processed just before logging based on the setting of
MACLIST_LOG_LEVEL is done. When invoked, the CHAIN variable will
contain the name of the chain where rules should be inserted.
Remember that if you have specified MACLIST_TABLE=mangle, then your
run_iptables commands should include "-t mangle".
6) The SUBNET column in /etc/shorewall/masq has been renamed SOURCE to
more accurately describe the contents of the column.
7) Previously, it was not possible to use exclusion in
/etc/shorewall/hosts. Beginning with this release, you may now use
exclusion lists in entries in this file. Exclusion lists are
discussed at:
http://www.shorewall.net/configuration_file_basics.htm#Exclusion.
Example:
loc eth0:192.168.1.0/24!192.168.1.4,192.168.1.16/28
In that example, the 'loc' zone is defined to be the subnet
192.168.1.0/24 interfacing via eth0 *except* for host 192.168.1.4
and hosts in the sub-network 192.168.1.16/28.
8) In prior Shorewall versions, multiple jumps to a '2all' chain could
be generated in succession.
Example from an earlier shorewall version:
gateway:~ # shorewall-lite show eth2_fwd
Shorewall Lite 3.3.2 Chains eth2_fwd at gateway - Thu Oct 19 08:54:37 PDT 2006
Counters reset Thu Oct 19 08:34:47 PDT 2006
Chain eth2_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 wifi2all all -- * eth0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 wifi2all all -- * br0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 wifi2all all -- * eth3 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 wifi2all all -- * tun+ 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
gateway:~ #
This redundancy has been eliminated:
gateway:~ # shorewall-lite show eth2_fwd
Shorewall Lite 3.3.3 Chains eth2_fwd at gateway - Thu Oct 19 09:15:24 PDT 2006
Counters reset Thu Oct 19 09:15:19 PDT 2006
Chain eth2_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 wifi2all all -- * * 0.0.0.0/0 0.0.0.0/0
gateway:~ #
Migration Considerations: Migration Considerations:
1) Shorewall supports the notion of "default actions". A default 1) Shorewall supports the notion of "default actions". A default
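Review bot: `Problems Corrected in 3.3.4` now reads `None.`, yet the changelog in this same commit records a fix (`Make exclusion work with "show zones"`); one of the two files is wrong, and if the fix is user-visible it belongs in the release notes. Minor: the new heading `Other Changes in 3.3.4.` carries a trailing period that the `Problems Corrected in 3.3.4` heading above it does not.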
@ -378,3 +243,110 @@ New Features:
than 5 but it may be greater than 5). For example, setting than 5 but it may be greater than 5). For example, setting
LOGFORMAT="FW:%s:%s:" will allow zone names of up to 8 characters. LOGFORMAT="FW:%s:%s:" will allow zone names of up to 8 characters.
6) Netfilter provides support for attaching comments to Netfilter
rules. Comments can be up to 255 bytes in length and are
visible using the "shorewall show <chain>", "shorewall show nat",
"shorewall show mangle" and "shorewall dump" commands. Comments are
delimited by '/* ... */" in the output.
Beginning with Shorewall 3.3.3, you may place COMMENT lines in the
/etc/shorewall/rules, /etc/shorewall/tcrules, /etc/shorewall/nat
and /etc/shorewall/masq files and in action files. The remainder of
the line is treated as a comment and it will be attached as a
Netfilter comment to the rule(s) generated by the following entries
in the file.
Note: Do not prefix the comment with "#". Shorewall's two-pass
compiler strips off "#" comments in the first pass and processes
COMMENT lines in the second pass. So by the time that COMMENT is
processed, the "#" and everything after it has been removed (see
example below).
To stop the current comment from being attached to further
rules, simply include COMMENT on a line by itself (so that the
following rules will have no comment) or specify a new COMMENT.
If you do not have Comment support in your iptables/kernel (see the
output of "shorewall[-lite] show capabilities") then COMMENTS are
ignored with this warning:
COMMENT ignored -- requires comment support in iptables/Netfilter
Example from my rules file:
#SOURCE SOURCE DEST PROTO DEST PORT(S)
COMMENT Stop Microsoft Noise
REJECT loc net tcp 137,445
REJECT loc net udp 137:139
COMMENT # Stop comment from being attached to rules below
The output of "shorewall show loc2net" includes (folded):
0 0 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 137,445 /* Stop Microsoft Noise */
0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:137:139 /* Stop Microsoft Noise */
7) A new macro (macro.RDP) has been added for Microsoft Remote
Desktop. This macro was contributed by Tuomo Soini.
8) A new 'maclog' extension file has been added. This file is
processed just before logging based on the setting of
MACLIST_LOG_LEVEL is done. When invoked, the CHAIN variable will
contain the name of the chain where rules should be inserted.
Remember that if you have specified MACLIST_TABLE=mangle, then your
run_iptables commands should include "-t mangle".
9) The SUBNET column in /etc/shorewall/masq has been renamed SOURCE to
more accurately describe the contents of the column.
10) Previously, it was not possible to use exclusion in
/etc/shorewall/hosts. Beginning with this release, you may now use
exclusion lists in entries in this file. Exclusion lists are
discussed at:
http://www.shorewall.net/configuration_file_basics.htm#Exclusion.
Example:
loc eth0:192.168.1.0/24!192.168.1.4,192.168.1.16/28
In that example, the 'loc' zone is defined to be the subnet
192.168.1.0/24 interfacing via eth0 *except* for host 192.168.1.4
and hosts in the sub-network 192.168.1.16/28.
11) In prior Shorewall versions, multiple jumps to a '2all' chain could
be generated in succession.
Example from an earlier shorewall version:
gateway:~ # shorewall-lite show eth2_fwd
Shorewall Lite 3.3.2 Chains eth2_fwd at gateway - Thu Oct 19 08:54:37 PDT 2006
Counters reset Thu Oct 19 08:34:47 PDT 2006
Chain eth2_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 wifi2all all -- * eth0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 wifi2all all -- * br0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 wifi2all all -- * eth3 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 wifi2all all -- * tun+ 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
gateway:~ #
This redundancy has been eliminated:
gateway:~ # shorewall-lite show eth2_fwd
Shorewall Lite 3.3.3 Chains eth2_fwd at gateway - Thu Oct 19 09:15:24 PDT 2006
Counters reset Thu Oct 19 09:15:19 PDT 2006
Chain eth2_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 wifi2all all -- * * 0.0.0.0/0 0.0.0.0/0
gateway:~ #
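Review bot: the relocated text carries two defects worth fixing while it is being moved: `delimited by '/* ... */"` opens with a single quote and closes with a double quote, and the maclog item reads `processed just before logging based on the setting of MACLIST_LOG_LEVEL is done`, which needs rewording (for example `processed just before the logging selected by MACLIST_LOG_LEVEL is done`). The items are also being placed under the `New Features:` heading although item 11 (`multiple jumps to a '2all' chain could be generated in succession`) describes a corrected problem rather than a feature, so a reader scanning for fixes will not find it there.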