diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt index 976ec2e64..36b896f27 100644 --- a/Shorewall-common/changelog.txt +++ b/Shorewall-common/changelog.txt @@ -10,6 +10,8 @@ Changes in 4.0.0 Beta 3 5) Add new bridge code. +6) Fix bad bug in exclusion. + Changes in 4.0.0 Beta 2 1) Fix screwup in get_routed_networks(). diff --git a/Shorewall-common/fallback.sh b/Shorewall-common/fallback.sh index b1af3ac3f..f7b2352db 100755 --- a/Shorewall-common/fallback.sh +++ b/Shorewall-common/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.0.0-Beta3 +VERSION=4.0.0-Beta4 usage() # $1 = exit status { diff --git a/Shorewall-common/install.sh b/Shorewall-common/install.sh index 5b047840b..44a93fa1c 100755 --- a/Shorewall-common/install.sh +++ b/Shorewall-common/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -VERSION=4.0.0-Beta3 +VERSION=4.0.0-Beta4 usage() # $1 = exit status { diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index 6500beec1..bec10669e 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -21,6 +21,9 @@ Problems corrected in 4.0.0 Beta 4. attempt to override NONE policies with the result that the compile phase fails (Shorewall-perl only). +2) When exclusion is used in the /etc/shorewall/hosts file, correct + rules are now generated. + Other changes in Shorewall 4.0.0 Beta 3. 1) Shorewall-perl has a new implementation of bridging code that works 
@@ -172,15 +175,83 @@ Migration Considerations: b) Now that Netfilter has features to deal reasonably with port lists, I see no reason to duplicate those features in Shorewall. The Bourne-shell compiler goes to great pain (in some cases) to - break very long port lists ( > 15 where port ranges in lists count - as two ports) into individual rules. In the new compiler, I'm + break very long port lists ( > 15 where port ranges in lists + count as two ports) into individual rules. In the new compiler, I'm avoiding the ugliness required to do that. The new compiler just generates an error if your list is too long. It will also produce an error if you insert a port range into a port list and you don't have extended multiport support. - c) BRIDGING=Yes is not supported. The kernel code necessary to - support this option was removed in Linux kernel 2.6.20. + c) The old BRIDGEING=Yes support has been replaced by new bridge + support that uses the reduced 'physdev match' capabilities found + in kernel 2.6.20 and later. This new implementation may be used + where it is desired to control traffic through a bridge. + + The new implementation includes the following features: + + a) A new "Bridge Port" zone type is defined. Specify 'bport' or + 'bport4' in the TYPE column of /etc/shorewall/zones. + + Bridge Port zones must be a sub-zone of a regular ipv4 zone + that represents all hosts attached to the bridge. + + b) A new 'bridge' option is defined for entries in + /etc/shorewall/interfaces. Bridges should have this option + specified if traffic through the bridge is to be controlled + with rules/policies. + + c) Bridge ports must now be defined in + /etc/shorewall/interfaces. The INTERFACE column contains + both the bridge name and the port name separated by a colon + (e.g., "br0:eth1"). No OPTIONS are allowed for bridge + ports. The bridge must be defined before its ports. 
+ + Bridge Port (BP) zones have a number of limitations: + + a) Each BP zone may only be associated with ports on a single + bridge. + + b) BP zones may not be associated with interfaces that are not + bridge ports. + + c) You may not have policies or rules where the DEST is a BP + zone but the source is not a BP zone. If you need such + rules, you must use the BP zone's parent zone as the DEST. + + Example (Bridge br0 with ports eth1 and tap0): + + /etc/shorewall/zones: + + fw firewall + net ipv4 + loc ipv4 + lan:loc bport + vpn:loc bport + + /etc/shorewall/interfaces: + + net eth0 - ... + loc br0 - ... + lan eth1 + vpn tap0 + + When using the /etc/shorewall/hosts file to define a bport4 + zone, you specify only the port name: + + Example: + + /etc/shorewall/zones: + + fw firewall + net ipv4 + loc ipv4 + lan:loc bport + vpn:loc bport + + /etc/shorewall/hosts + + lan eth1:192.168.2.0/24 ... + d) The BROADCAST column in the interfaces file is essentially unused; if you enter anything in this column but '-' or 'detect', you will diff --git a/Shorewall-common/shorewall.spec b/Shorewall-common/shorewall.spec index 15343528a..07e4bfcb4 100644 --- a/Shorewall-common/shorewall.spec +++ b/Shorewall-common/shorewall.spec @@ -1,6 +1,6 @@ %define name shorewall %define version 4.0.0 -%define release 0Beta3 +%define release 0Beta4 %define prefix /usr Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. @@ -252,6 +252,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples %changelog +* Fri Jun 08 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.0-0Beta4 * Tue Jun 05 2007 Tom Eastep tom@shorewall.net - Updated to 4.0.0-0Beta3 * Tue May 15 2007 Tom Eastep tom@shorewall.net diff --git a/Shorewall-common/uninstall.sh b/Shorewall-common/uninstall.sh index eff110c58..f4af0dd10 100755 --- a/Shorewall-common/uninstall.sh +++ b/Shorewall-common/uninstall.sh 
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.0.0-Beta3
+VERSION=4.0.0-Beta4
 usage() # $1 = exit status
 {
diff --git a/Shorewall-lite/fallback.sh b/Shorewall-lite/fallback.sh
index 06b9dabd5..7c403bcef 100755
--- a/Shorewall-lite/fallback.sh
+++ b/Shorewall-lite/fallback.sh
@@ -28,7 +28,7 @@
 # shown below. Simply run this script to revert to your prior version of
 # Shoreline Firewall.
-VERSION=4.0.0-Beta3
+VERSION=4.0.0-Beta4
 usage() # $1 = exit status
 {
diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh
index 2b99768cc..e6f24639b 100755
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -22,7 +22,7 @@
 # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
-VERSION=4.0.0-Beta3
+VERSION=4.0.0-Beta4
 usage() # $1 = exit status
 {
diff --git a/Shorewall-lite/shorewall-lite.spec b/Shorewall-lite/shorewall-lite.spec
index e58c6ef4b..fc5c64464 100644
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@@ -1,6 +1,6 @@
 %define name shorewall-lite
 %define version 4.0.0
-%define release 0Beta3
+%define release 0Beta4
 %define prefix /usr
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@@ -99,6 +99,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 %changelog
+* Fri Jun 08 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0Beta4
 * Tue Jun 05 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.0-0Beta3
 * Tue May 15 2007 Tom Eastep tom@shorewall.net
diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh
index f6fe9eba4..83fc81d16 100755
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.0.0-Beta3
+VERSION=4.0.0-Beta4
 usage() # $1 = exit status
 {
diff --git a/Shorewall-perl/install.sh b/Shorewall-perl/install.sh
index 2a73f277a..a096fc357 100755
--- a/Shorewall-perl/install.sh
+++ b/Shorewall-perl/install.sh
@@ -22,7 +22,7 @@
 # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
-VERSION=4.0.0-Beta3
+VERSION=4.0.0-Beta4
 usage() # $1 = exit status
 {
diff --git a/Shorewall-perl/shorewall-perl.spec b/Shorewall-perl/shorewall-perl.spec
index e22b03a96..401aeda3e 100644
--- a/Shorewall-perl/shorewall-perl.spec
+++ b/Shorewall-perl/shorewall-perl.spec
@@ -1,6 +1,6 @@
 %define name shorewall-perl
 %define version 4.0.0
-%define release 0Beta3
+%define release 0Beta4
 %define prefix /usr
 Summary: Shoreline Firewall Perl-based compiler.
@@ -81,6 +81,8 @@ rm -rf $RPM_BUILD_ROOT
 %doc COPYING releasenotes.txt
 %changelog
+* Fri Jun 08 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0Beta4
 * Tue Jun 05 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.0-0Beta3
 * Sat May 26 2007 Tom Eastep tom@shorewall.net
diff --git a/Shorewall-shell/install.sh b/Shorewall-shell/install.sh
index fc9a1150c..1f5f7d65b 100755
--- a/Shorewall-shell/install.sh
+++ b/Shorewall-shell/install.sh
@@ -22,7 +22,7 @@
 # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
-VERSION=4.0.0-Beta3
+VERSION=4.0.0-Beta4
 usage() # $1 = exit status
 {
diff --git a/Shorewall-shell/shorewall-shell.spec b/Shorewall-shell/shorewall-shell.spec
index a4ad8caef..e7db55629 100644
--- a/Shorewall-shell/shorewall-shell.spec
+++ b/Shorewall-shell/shorewall-shell.spec
@@ -1,6 +1,6 @@
 %define name shorewall-shell
 %define version 4.0.0
-%define release 0Beta3
+%define release 0Beta4
 %define prefix /usr
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -64,6 +64,8 @@ rm -rf $RPM_BUILD_ROOT
 %doc COPYING INSTALL
 %changelog
+* Fri Jun 08 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0Beta4
 * Tue Jun 05 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.0-0Beta3
 * Tue May 15 2007 Tom Eastep tom@shorewall.net