From bdbc9ab29d37e644ad7505f9dde1eacc0218a517 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 8 Jan 2011 08:00:56 -0800 Subject: [PATCH] Initiate 4.4.17 --- Shorewall-init/install.sh | 2 +- Shorewall-init/shorewall-init.spec | 6 +- Shorewall-init/uninstall.sh | 2 +- Shorewall-lite/install.sh | 2 +- Shorewall-lite/shorewall-lite.spec | 6 +- Shorewall-lite/uninstall.sh | 2 +- Shorewall/Perl/Shorewall/Config.pm | 2 +- Shorewall/changelog.txt | 8 + Shorewall/install.sh | 2 +- Shorewall/releasenotes.txt | 261 ++++++++++++++------------- Shorewall/shorewall.spec | 6 +- Shorewall/uninstall.sh | 2 +- Shorewall6-lite/install.sh | 2 +- Shorewall6-lite/shorewall6-lite.spec | 6 +- Shorewall6-lite/uninstall.sh | 2 +- Shorewall6/install.sh | 2 +- Shorewall6/shorewall6.spec | 6 +- Shorewall6/uninstall.sh | 2 +- 18 files changed, 176 insertions(+), 145 deletions(-) diff --git a/Shorewall-init/install.sh b/Shorewall-init/install.sh index 5e7ef3ec8..48c03b2c4 100755 --- a/Shorewall-init/install.sh +++ b/Shorewall-init/install.sh @@ -23,7 +23,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.16 +VERSION=4.4.17-Beta1 usage() # $1 = exit status { diff --git a/Shorewall-init/shorewall-init.spec b/Shorewall-init/shorewall-init.spec index bbde62952..c91c4820c 100644 --- a/Shorewall-init/shorewall-init.spec +++ b/Shorewall-init/shorewall-init.spec @@ -1,6 +1,6 @@ %define name shorewall-init -%define version 4.4.16 -%define release 0base +%define version 4.4.17 +%define release 0Beta1 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} @@ -119,6 +119,8 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog +* Sat Jan 08 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.17-0Beta1 * Mon Jan 03 2011 Tom Eastep tom@shorewall.net - Updated to 4.4.16-0base * Thu Dec 30 2010 Tom Eastep tom@shorewall.net diff --git a/Shorewall-init/uninstall.sh b/Shorewall-init/uninstall.sh index 4dcadb185..783be899d 100755 --- a/Shorewall-init/uninstall.sh +++ b/Shorewall-init/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.16 +VERSION=4.4.17-Beta1 usage() # $1 = exit status { diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh index bf35fe81b..5793cbb12 100755 --- a/Shorewall-lite/install.sh +++ b/Shorewall-lite/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.16 +VERSION=4.4.17-Beta1 usage() # $1 = exit status { diff --git a/Shorewall-lite/shorewall-lite.spec b/Shorewall-lite/shorewall-lite.spec index 6f7f05416..9aa532e03 100644 --- a/Shorewall-lite/shorewall-lite.spec +++ b/Shorewall-lite/shorewall-lite.spec @@ -1,6 +1,6 @@ %define name shorewall-lite -%define version 4.4.16 -%define release 0base +%define version 4.4.17 +%define release 0Beta1 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. Name: %{name} @@ -102,6 +102,8 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog +* Sat Jan 08 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.17-0Beta1 * Mon Jan 03 2011 Tom Eastep tom@shorewall.net - Updated to 4.4.16-0base * Thu Dec 30 2010 Tom Eastep tom@shorewall.net diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh index be958b981..22be3aba8 100755 --- a/Shorewall-lite/uninstall.sh +++ b/Shorewall-lite/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.16 +VERSION=4.4.17-Beta1 usage() # $1 = exit status { diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 466e2fc1a..389fc4276 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -359,7 +359,7 @@ sub initialize( $ ) { EXPORT => 0, STATEMATCH => '-m state --state', UNTRACKED => 0, - VERSION => "4.4.16", + VERSION => "4.4.17-Beta1", CAPVERSION => 40415 , ); diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index b444a369f..abd2400a7 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -1,3 +1,11 @@ +Changes in Shorewall 4.4.17 Beta 1 + +1) None. + +Changes in Shorewall 4.4.16 RC 1 + +1) Fix logging for jump to nat chain. + Changes in Shorewall 4.4.16 Beta 8 1) Complete parameterized actions. diff --git a/Shorewall/install.sh b/Shorewall/install.sh index b86381a8f..9659c52bc 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.16 +VERSION=4.4.17-Beta1 usage() # $1 = exit status { diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 5f2dcfec3..cefb4c003 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -1,5 +1,6 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 4 . 1 6 + S H O R E W A L L 4 . 4 . 1 7 + B E T A 1 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE @@ -13,55 +14,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) If the output of 'env' contained a multi-line value, then - compilation failed with an Internal Error. The code has been - changed so that the compiler now handles multi-line values - correctly. - -2) In 4.4.15, output to Standard Out (FD 2) generated by - /etc/shorewall/params (/etc/shorewall6/params) was redirected to - /dev/null. It is now redirected to Standard Error (FD 2). - -3) 2) If a params file did not appear in the CONFIG_PATH, compilation - failed with the error: - - .: 31: Can't open /etc/shorewall6/params - ERROR: Processing of /etc/shorewall6/params failed - -4) Compilation no longer fails when /bin/sh is an older (e.g., - RHEL5.x) bash. - -5) Previously, proxy ARP with logical interface names did not - work. Symptoms included numerous Perl runtime error messages. - -6) Previously, the root of a wildcard name erroneously matched that - name. For example 'eth' matched 'eth+'. Now there must be at least - one additional character (e.g., 'eth4'). - -7) Use of logical interface names in the notrack and ecn files - resulted in perl runtime warning messages. - -8) The use of wildcard-matching names in certain contexts would result - in anomalous behavior. Among the symptoms were: - - - Perl run-time messages similar to this one: - - Use of uninitialized value in numeric comparison (<=>) - at /usr/share/shorewall/Shorewall/Zones.pm line 1334. - - - Failure to treat the interface as optional or required. - -9) Where two ISPs share the same interface, if one of the ISPs was not - reachable, an iptables-restore error such as this occurred: - - iptables-restore v1.4.10: Bad mac address "-j" - -10) Previously, under very rare circumstances, a chain would be - optimized away while there were still jumps to the chain. This caused - Shorewall start/restart to fail during iptables-restore. - -11) Previously, the setting of BLACKLIST_DISPOSITION was not - validated. Now, an error is raised unless the value is DROP or REJECT. +None. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G @@ -74,80 +27,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Shorewall-init now handles ppp devices. - -2) To support proxy NDP in a manner similar to Proxy ARP, an - /etc/shorewall6/proxyndp file has been added. It should be noted - that IPv6 implements a "strong host model" whereas Linux IPv4 - implements a "weak host model". In the strong model, IP addresses - are associated with interfaces; in the weak model, they are - associated with the host. This is relevant with respect to Proxy - NDP in that a multi-homed Linux IPv6 host will only respond to - neighbor discoverey requests for IPv6 addresses configured on the - interface receiving the request. So if eth0 has address - 2001:470:b:227::44/128 and eth1 has address 2001:470:b:227::1/64 - then in order for eth1 to respond to neighbor discovery requests - for 2001:470:b:227::44, the following entry in - /etc/shorewall6/proxyndp is required: - - #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT - 2001:470:b:227::44 - eth1 Yes - - As part of this change, the INTERFACE column in - /etc/shorewall/proxyarp is now optional and is only required when - HAVEROUTE=No (the default). - -3) Shorewall 4.4.16 introduces format-2 Actions. Based on the similar - feature of macros, format-2 actions allow the same column layout - for macros, actions and rules. - - In the action.xxx file, simply make the first non-commentary line: - - FORMAT 2 - - This allows the lines which follow to have the same columns as - those in the rules file. - - As part of this change, the earlier kludgy restrictions regarding - Macros and Actions have been eliminated. For example, DNAT, DNAT-, - REDIRECT, REDIRECT- and ACCEPT+ rules are now allowed in Actions - and in macros invoked from Actions. Additionally, Macros used in - Actions are now free to invoke other actions. - -4) Action processing has been largely re-implemented in this release. - The prior implementation contained a lot of duplicated code which - made maintainance difficult. The old implementation pre-processed - all action files early in the compilation process and then - post-processed the ones that had been actionally used after the - rules file had been read. The new algorithm generates the chain for - each unique action invocation at the time that the invocation is - encountered in the rules file. - - Consideration was given to eliminating the - /usr/share/shorewall/actions.std and /etc/shorewall/actions files, - since it is possible to discover actions "on the fly" in the same - way as macros are discovered. That change was ultimately rejected - because it could cause migration issues for users with macros and - actions with the same name (e.g., action.xxx and macro.xxx). If a - new major release of Shorewall (e.g., 4.6) is created, that change - will be reconsidered for inclusion at that time. - - Action names are now verified to be composed of alphanumeric - characters, '_' and '-'. - - There is now support for parameterized actions. The parameters are - a comma-separated list enclosed in parentheses following the - action name (e.g., ACT(REDIRECT,192.168.1.4)). Within the action - body, the parameter values are available in $1, $2, etc. - - You can 'omit' a parameter in the list by using '-' (e,g, - REDIRECT,-.info) would omit the second parameter (within the action - body, $2 would expand to nothing). If you want to specify '-' as a - parameter value, use '--'. - - Parameter values are also available to extensions scripts. See - http://www.shorewall.net/Actions.html#Extension for more - information. +None. ---------------------------------------------------------------------------- I V. R E L E A S E 4 . 4 H I G H L I G H T S @@ -373,6 +253,139 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES ---------------------------------------------------------------------------- V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S I N P R I O R R E L E A S E S +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 6 +---------------------------------------------------------------------------- + +1) If the output of 'env' contained a multi-line value, then + compilation failed with an Internal Error. The code has been + changed so that the compiler now handles multi-line values + correctly. + +2) In 4.4.15, output to Standard Out (FD 1) generated by + /etc/shorewall/params (/etc/shorewall6/params) was redirected to + /dev/null. It is now redirected to Standard Error (FD 2). + +3) 2) If a params file did not appear in the CONFIG_PATH, compilation + failed with the error: + + .: 31: Can't open /etc/shorewall6/params + ERROR: Processing of /etc/shorewall6/params failed + +4) Compilation no longer fails when /bin/sh is an older (e.g., + RHEL5.x) bash. + +5) Previously, proxy ARP with logical interface names did not + work. Symptoms included numerous Perl runtime error messages. + +6) Previously, the root of a wildcard name erroneously matched that + name. For example 'eth' matched 'eth+'. Now there must be at least + one additional character (e.g., 'eth4'). + +7) Use of logical interface names in the notrack and ecn files + resulted in perl runtime warning messages. + +8) The use of wildcard-matching names in certain contexts would result + in anomalous behavior. Among the symptoms were: + + - Perl run-time messages similar to this one: + + Use of uninitialized value in numeric comparison (<=>) + at /usr/share/shorewall/Shorewall/Zones.pm line 1334. + + - Failure to treat the interface as optional or required. + +9) Where two ISPs share the same interface, if one of the ISPs was not + reachable, an iptables-restore error such as this occurred: + + iptables-restore v1.4.10: Bad mac address "-j" + +10) Previously, under very rare circumstances, a chain would be + optimized away while there were still jumps to the chain. This caused + Shorewall start/restart to fail during iptables-restore. + +11) Previously, the setting of BLACKLIST_DISPOSITION was not + validated. Now, an error is raised unless the value is DROP or REJECT. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 4 . 1 6 +---------------------------------------------------------------------------- + +1) Shorewall-init now handles ppp devices. + +2) To support proxy NDP in a manner similar to Proxy ARP, an + /etc/shorewall6/proxyndp file has been added. It should be noted + that IPv6 implements a "strong host model" whereas Linux IPv4 + implements a "weak host model". In the strong model, IP addresses + are associated with interfaces; in the weak model, they are + associated with the host. This is relevant with respect to Proxy + NDP in that a multi-homed Linux IPv6 host will only respond to + neighbor discoverey requests for IPv6 addresses configured on the + interface receiving the request. So if eth0 has address + 2001:470:b:227::44/128 and eth1 has address 2001:470:b:227::1/64 + then in order for eth1 to respond to neighbor discovery requests + for 2001:470:b:227::44, the following entry in + /etc/shorewall6/proxyndp is required: + + #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT + 2001:470:b:227::44 - eth1 Yes + + As part of this change, the INTERFACE column in + /etc/shorewall/proxyarp is now optional and is only required when + HAVEROUTE=No (the default). + +3) Shorewall 4.4.16 introduces format-2 Actions. Based on the similar + feature of macros, format-2 actions allow the same column layout + for macros, actions and rules. + + In the action.xxx file, simply make the first non-commentary line: + + FORMAT 2 + + This allows the lines which follow to have the same columns as + those in the rules file. + + As part of this change, the earlier kludgy restrictions regarding + Macros and Actions have been eliminated. For example, DNAT, DNAT-, + REDIRECT, REDIRECT- and ACCEPT+ rules are now allowed in Actions + and in macros invoked from Actions. Additionally, Macros used in + Actions are now free to invoke other actions. + +4) Action processing has been largely re-implemented in this release. + The prior implementation contained a lot of duplicated code which + made maintainance difficult. The old implementation pre-processed + all action files early in the compilation process and then + post-processed the ones that had been actionally used after the + rules file had been read. The new algorithm generates the chain for + each unique action invocation at the time that the invocation is + encountered in the rules file. + + Consideration was given to eliminating the + /usr/share/shorewall/actions.std and /etc/shorewall/actions files, + since it is possible to discover actions "on the fly" in the same + way as macros are discovered. That change was ultimately rejected + because it could cause migration issues for users with macros and + actions with the same name (e.g., action.xxx and macro.xxx). If a + new major release of Shorewall (e.g., 4.6) is created, that change + will be reconsidered for inclusion at that time. + + Action names are now verified to be composed of alphanumeric + characters, '_' and '-'. + + There is now support for parameterized actions. The parameters are + a comma-separated list enclosed in parentheses following the + action name (e.g., ACT(REDIRECT,192.168.1.4)). Within the action + body, the parameter values are available in $1, $2, etc. + + You can 'omit' a parameter in the list by using '-' (e,g, + REDIRECT,-.info) would omit the second parameter (within the action + body, $2 would expand to nothing). If you want to specify '-' as a + parameter value, use '--'. + + Parameter values are also available to extensions scripts. See + http://www.shorewall.net/Actions.html#Extension for more + information. + ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 5 ---------------------------------------------------------------------------- diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index 4de7e57b8..e15f6b8da 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec @@ -1,6 +1,6 @@ %define name shorewall -%define version 4.4.16 -%define release 0base +%define version 4.4.17 +%define release 0Beta1 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} @@ -109,6 +109,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples %changelog +* Sat Jan 08 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.17-0Beta1 * Mon Jan 03 2011 Tom Eastep tom@shorewall.net - Updated to 4.4.16-0base * Thu Dec 30 2010 Tom Eastep tom@shorewall.net diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh index 17e3cd88a..0c97fa899 100755 --- a/Shorewall/uninstall.sh +++ b/Shorewall/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.16 +VERSION=4.4.17-Beta1 usage() # $1 = exit status { diff --git a/Shorewall6-lite/install.sh b/Shorewall6-lite/install.sh index f5a9ad84c..4287594d0 100755 --- a/Shorewall6-lite/install.sh +++ b/Shorewall6-lite/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.16 +VERSION=4.4.17-Beta1 usage() # $1 = exit status { diff --git a/Shorewall6-lite/shorewall6-lite.spec b/Shorewall6-lite/shorewall6-lite.spec index 9c900a53c..54aa656e6 100644 --- a/Shorewall6-lite/shorewall6-lite.spec +++ b/Shorewall6-lite/shorewall6-lite.spec @@ -1,6 +1,6 @@ %define name shorewall6-lite -%define version 4.4.16 -%define release 0base +%define version 4.4.17 +%define release 0Beta1 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems. Name: %{name} @@ -93,6 +93,8 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog +* Sat Jan 08 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.17-0Beta1 * Mon Jan 03 2011 Tom Eastep tom@shorewall.net - Updated to 4.4.16-0base * Thu Dec 30 2010 Tom Eastep tom@shorewall.net diff --git a/Shorewall6-lite/uninstall.sh b/Shorewall6-lite/uninstall.sh index 4bdecaf2f..86d99089d 100755 --- a/Shorewall6-lite/uninstall.sh +++ b/Shorewall6-lite/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.16 +VERSION=4.4.17-Beta1 usage() # $1 = exit status { diff --git a/Shorewall6/install.sh b/Shorewall6/install.sh index c5dc13af7..72fd4a68d 100755 --- a/Shorewall6/install.sh +++ b/Shorewall6/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.16 +VERSION=4.4.17-Beta1 usage() # $1 = exit status { diff --git a/Shorewall6/shorewall6.spec b/Shorewall6/shorewall6.spec index 9605eec41..22490115d 100644 --- a/Shorewall6/shorewall6.spec +++ b/Shorewall6/shorewall6.spec @@ -1,6 +1,6 @@ %define name shorewall6 -%define version 4.4.16 -%define release 0base +%define version 4.4.17 +%define release 0Beta1 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems. Name: %{name} @@ -98,6 +98,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6 %changelog +* Sat Jan 08 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.17-0Beta1 * Mon Jan 03 2011 Tom Eastep tom@shorewall.net - Updated to 4.4.16-0base * Thu Dec 30 2010 Tom Eastep tom@shorewall.net diff --git a/Shorewall6/uninstall.sh b/Shorewall6/uninstall.sh index ce9458466..bbe260d5b 100755 --- a/Shorewall6/uninstall.sh +++ b/Shorewall6/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.16 +VERSION=4.4.17-Beta1 usage() # $1 = exit status {