From d5cc302ad9c50ca677c9f39b6ba815acaf8d1a56 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 16 Jan 2010 08:11:13 -0800 Subject: [PATCH] Start 4.4.7 Signed-off-by: Tom Eastep --- Shorewall-lite/fallback.sh | 2 +- Shorewall-lite/install.sh | 2 +- Shorewall-lite/shorewall-lite.spec | 4 +- Shorewall-lite/uninstall.sh | 2 +- Shorewall/Perl/Shorewall/Config.pm | 2 +- Shorewall/changelog.txt | 4 + Shorewall/install.sh | 2 +- Shorewall/known_problems.txt | 2 +- Shorewall/releasenotes.txt | 244 ++++++++++++++------------- Shorewall/shorewall.spec | 4 +- Shorewall/uninstall.sh | 2 +- Shorewall6-lite/fallback.sh | 2 +- Shorewall6-lite/install.sh | 2 +- Shorewall6-lite/shorewall6-lite.spec | 4 +- Shorewall6-lite/uninstall.sh | 2 +- Shorewall6/fallback.sh | 2 +- Shorewall6/install.sh | 2 +- Shorewall6/shorewall6.spec | 4 +- Shorewall6/uninstall.sh | 2 +- 19 files changed, 157 insertions(+), 133 deletions(-) diff --git a/Shorewall-lite/fallback.sh b/Shorewall-lite/fallback.sh index 4f47297f7..c6dc7d5b5 100755 --- a/Shorewall-lite/fallback.sh +++ b/Shorewall-lite/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.4.6 +VERSION=4.4.7 usage() # $1 = exit status { diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh index bc135811e..b8b3b77a8 100755 --- a/Shorewall-lite/install.sh +++ b/Shorewall-lite/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.6 +VERSION=4.4.7 usage() # $1 = exit status { diff --git a/Shorewall-lite/shorewall-lite.spec b/Shorewall-lite/shorewall-lite.spec index 005655b3d..b6e8bd247 100644 --- a/Shorewall-lite/shorewall-lite.spec +++ b/Shorewall-lite/shorewall-lite.spec @@ -1,5 +1,5 @@ %define name shorewall-lite -%define version 4.4.6 +%define version 4.4.7 %define release 0base Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. @@ -100,6 +100,8 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog +* Sat Jan 16 2010 Tom Eastep tom@shorewall.net +- Updated to 4.4.7-0base * Wed Jan 13 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.6-0base * Tue Jan 12 2010 Tom Eastep tom@shorewall.net diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh index d74c8065e..9e84dcd89 100755 --- a/Shorewall-lite/uninstall.sh +++ b/Shorewall-lite/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.6 +VERSION=4.4.7 usage() # $1 = exit status { diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 5b8816d0f..896102601 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -330,7 +330,7 @@ sub initialize( $ ) { TC_SCRIPT => '', EXPORT => 0, UNTRACKED => 0, - VERSION => "4.4.6", + VERSION => "4.4.7", CAPVERSION => 40407 , ); diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index eb1f767ca..cba955eec 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -1,3 +1,7 @@ +Changes in Shorewall 4.4.7 + +None. + Changes in Shorewall 4.4.6 1) Fix for rp_filter and kernel 2.6.31. diff --git a/Shorewall/install.sh b/Shorewall/install.sh index d6f6023e9..c13da95c9 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.6 +VERSION=4.4.7 usage() # $1 = exit status { diff --git a/Shorewall/known_problems.txt b/Shorewall/known_problems.txt index df1f0fc5f..b01f94245 100644 --- a/Shorewall/known_problems.txt +++ b/Shorewall/known_problems.txt @@ -1 +1 @@ -There are no known problems in Shorewall 4.4.6 +There are no known problems in Shorewall 4.4.7 diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 7b7fccf09..52b08b08b 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -1,4 +1,4 @@ -Shorewall 4.4.6 +Shorewall 4.4.7 ---------------------------------------------------------------------------- R E L E A S E 4 . 4 H I G H L I G H T S @@ -175,21 +175,10 @@ Shorewall 4.4.6 then it may have no additional members in /etc/shorewall/hosts. ---------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 4 . 6 + P R O B L E M S C O R R E C T E D I N 4 . 4 . 7 ---------------------------------------------------------------------------- -1) A 'feature' of xtables-addons when applied to Debian Lenny causes - extra /31 networks to appear for nethash sets in the output of - "ipset -L" and "ipset -S". A hack has been added to prevent these - from being saved when Shorewall is saving IPSETS during 'stop'. - - As part of this change, the generated script is more careful about - verifying the existence of the correct ipset utility before using - it to save the contents of the sets. - -2) The mDNS macro previously did not include IGMP (protocol 2) and it - did not specify the mDNS multicast address (224.0.0.251). These - omissions have been corrected. +None. ---------------------------------------------------------------------------- K N O W N P R O B L E M S R E M A I N I N G @@ -198,110 +187,10 @@ Shorewall 4.4.6 None. ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 4 . 6 + N E W F E A T U R E S I N 4 . 4 . 7 ---------------------------------------------------------------------------- -1) In kernel 2.6.31, the handling of the rp_filter interface option was - changed incompatibly. Previously, the effective value was determined - by the setting of net.ipv4.config.dev.rp_filter logically ANDed with - the setting of net.ipv4.config.all.rp_filter. - - Beginning with kernel 2.6.31, the value is the arithmetic MAX of - those two values. - - Given that Shorewall sets net.ipv4.config.all.rp_filter to 1 if - there are any interfaces specifying 'routefilter', specifying - 'routefilter' on any interface has the effect of setting the option - on all interfaces. - - To allow Shorewall to handle this issue, a number of changes were - necessary: - - a) There is no way to safely determine if a kernel supports the - new semantics or the old so the Shorewall compiler uses the - kernel version reported by uname. - - b) This means that the kernel version is now recorded in - the capabilities file. So if you use capabilities files, you - need to regenerate the files with Shorewall[-lite] 4.4.6 or - later. - - c) If the capabilities file does not contain a kernel version, - the compiler assumes version 2.6.30 (the old rp_filter - behavior). - - d) The ROUTE_FILTER option in shorewall.conf now accepts the - following values: - - 0 or No - Shorewall sets net.ipv4.config.all.rp_filter to 0. - 1 or Yes - Shorewall sets net.ipv4.config.all.rp_filter to 1. - 2 - Shorewall sets net.ipv4.config.all.rp_filter to 2. - Keep - Shorewall does not change the setting of - net.ipv4.config.all.rp_filter if the kernel version - is 2.6.31 or later. - - The default remains Keep. - - e) The 'routefilter' interface option can have values 0,1 or 2. If - 'routefilter' is specified without a value, the value 1 is - assumed. - -2) SAVE_IPSETS=Yes has been resurrected but in a different form. With - this setting, the contents of your ipsets are saved during 'shorewall - stop' and 'shorewall save' and they are restored during 'shorewall - start' and 'shorewall restore'. Note that the contents may only be - restored during 'restore' if the firewall is currently in the - stopped state and there are no ipsets currently in use. In - particular, when 'restore' is being executed to recover from a - failed start/restart, the contents of the ipsets are not changed. - - When SAVE_IPSETS=Yes, you may not include ipsets in your - /etc/shorewall/routestopped configuration. - -3) IPv6 addresses following a colon (":") may either be surrounded by - <..> or by the more standard [..]. - -4) A DHCPfwd macro has been added that allows unicast DHCP traffic to - be forwarded through the firewall. Courtesy of Tuomo Soini. - -5) Shorewall (/sbin/shorewall) now supports a 'show macro' command: - - shorewall show macro - - Example: - - shorewall show macro LDAP - - The command displays the contents of the macro. file. - -6) You may now preview the generated ruleset by using the '-r' option - to the 'check' command (e.g., "shorewall check -r"). - - The output is a shell script fragment, similar to the way it - appears in the generated script. - -7) It is now possible to enable a simplified traffic shaping - facility by setting TC_ENABLED=Simple in shorewall.conf. - - See http://www.shorewall.net/simple_traffic_shaping.html for - details. - -8) Previously, when TC_EXPERT=No, packets arriving through 'tracked' - provider interfaces were unconditionally passed to the PREROUTING - tcrules. This was done so that tcrules could reset the packet mark - to zero, thus allowing the packet to be routed using the 'main' - routing table. Using the main table allowed dynamic routes (such as - those added for VPNs) to be effective. - - The route_rules file was created to provide a better alternative - to clearing the packet mark. As a consequence, passing these - packets to PREROUTING complicates things without providing any real - benefit. - - Beginning with this release, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, - packets arriving through 'tracked' interfaces will not be passed to - the PREROUTING rules. Since TRACK_PROVIDERS was just introduced in - 4.4.3, this change should be transparent to most, if not all, users. +None. ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 4 . 0 @@ -1495,3 +1384,126 @@ None. In that case, there were 62 current connections out of a maximum number supported of 65536. + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 4 . 6 +---------------------------------------------------------------------------- + +1) A 'feature' of xtables-addons when applied to Debian Lenny causes + extra /31 networks to appear for nethash sets in the output of + "ipset -L" and "ipset -S". A hack has been added to prevent these + from being saved when Shorewall is saving IPSETS during 'stop'. + + As part of this change, the generated script is more careful about + verifying the existence of the correct ipset utility before using + it to save the contents of the sets. + +2) The mDNS macro previously did not include IGMP (protocol 2) and it + did not specify the mDNS multicast address (224.0.0.251). These + omissions have been corrected. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 4 . 6 +---------------------------------------------------------------------------- + +1) In kernel 2.6.31, the handling of the rp_filter interface option was + changed incompatibly. Previously, the effective value was determined + by the setting of net.ipv4.config.dev.rp_filter logically ANDed with + the setting of net.ipv4.config.all.rp_filter. + + Beginning with kernel 2.6.31, the value is the arithmetic MAX of + those two values. + + Given that Shorewall sets net.ipv4.config.all.rp_filter to 1 if + there are any interfaces specifying 'routefilter', specifying + 'routefilter' on any interface has the effect of setting the option + on all interfaces. + + To allow Shorewall to handle this issue, a number of changes were + necessary: + + a) There is no way to safely determine if a kernel supports the + new semantics or the old so the Shorewall compiler uses the + kernel version reported by uname. + + b) This means that the kernel version is now recorded in + the capabilities file. So if you use capabilities files, you + need to regenerate the files with Shorewall[-lite] 4.4.6 or + later. + + c) If the capabilities file does not contain a kernel version, + the compiler assumes version 2.6.30 (the old rp_filter + behavior). + + d) The ROUTE_FILTER option in shorewall.conf now accepts the + following values: + + 0 or No - Shorewall sets net.ipv4.config.all.rp_filter to 0. + 1 or Yes - Shorewall sets net.ipv4.config.all.rp_filter to 1. + 2 - Shorewall sets net.ipv4.config.all.rp_filter to 2. + Keep - Shorewall does not change the setting of + net.ipv4.config.all.rp_filter if the kernel version + is 2.6.31 or later. + + The default remains Keep. + + e) The 'routefilter' interface option can have values 0,1 or 2. If + 'routefilter' is specified without a value, the value 1 is + assumed. + +2) SAVE_IPSETS=Yes has been resurrected but in a different form. With + this setting, the contents of your ipsets are saved during 'shorewall + stop' and 'shorewall save' and they are restored during 'shorewall + start' and 'shorewall restore'. Note that the contents may only be + restored during 'restore' if the firewall is currently in the + stopped state and there are no ipsets currently in use. In + particular, when 'restore' is being executed to recover from a + failed start/restart, the contents of the ipsets are not changed. + + When SAVE_IPSETS=Yes, you may not include ipsets in your + /etc/shorewall/routestopped configuration. + +3) IPv6 addresses following a colon (":") may either be surrounded by + <..> or by the more standard [..]. + +4) A DHCPfwd macro has been added that allows unicast DHCP traffic to + be forwarded through the firewall. Courtesy of Tuomo Soini. + +5) Shorewall (/sbin/shorewall) now supports a 'show macro' command: + + shorewall show macro + + Example: + + shorewall show macro LDAP + + The command displays the contents of the macro. file. + +6) You may now preview the generated ruleset by using the '-r' option + to the 'check' command (e.g., "shorewall check -r"). + + The output is a shell script fragment, similar to the way it + appears in the generated script. + +7) It is now possible to enable a simplified traffic shaping + facility by setting TC_ENABLED=Simple in shorewall.conf. + + See http://www.shorewall.net/simple_traffic_shaping.html for + details. + +8) Previously, when TC_EXPERT=No, packets arriving through 'tracked' + provider interfaces were unconditionally passed to the PREROUTING + tcrules. This was done so that tcrules could reset the packet mark + to zero, thus allowing the packet to be routed using the 'main' + routing table. Using the main table allowed dynamic routes (such as + those added for VPNs) to be effective. + + The route_rules file was created to provide a better alternative + to clearing the packet mark. As a consequence, passing these + packets to PREROUTING complicates things without providing any real + benefit. + + Beginning with this release, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, + packets arriving through 'tracked' interfaces will not be passed to + the PREROUTING rules. Since TRACK_PROVIDERS was just introduced in + 4.4.3, this change should be transparent to most, if not all, users. diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index 87cdbaa79..59eca84ad 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec @@ -1,5 +1,5 @@ %define name shorewall -%define version 4.4.6 +%define version 4.4.7 %define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. @@ -106,6 +106,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples %changelog +* Sat Jan 16 2010 Tom Eastep tom@shorewall.net +- Updated to 4.4.7-0base * Wed Jan 13 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.6-0base * Wed Jan 13 2010 Tom Eastep tom@shorewall.net diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh index 05e1c99ef..190b507d7 100755 --- a/Shorewall/uninstall.sh +++ b/Shorewall/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.6 +VERSION=4.4.7 usage() # $1 = exit status { diff --git a/Shorewall6-lite/fallback.sh b/Shorewall6-lite/fallback.sh index 4f47297f7..c6dc7d5b5 100755 --- a/Shorewall6-lite/fallback.sh +++ b/Shorewall6-lite/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.4.6 +VERSION=4.4.7 usage() # $1 = exit status { diff --git a/Shorewall6-lite/install.sh b/Shorewall6-lite/install.sh index 1e262de69..e166d9f56 100755 --- a/Shorewall6-lite/install.sh +++ b/Shorewall6-lite/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.6 +VERSION=4.4.7 usage() # $1 = exit status { diff --git a/Shorewall6-lite/shorewall6-lite.spec b/Shorewall6-lite/shorewall6-lite.spec index 47738c222..0d5f79007 100644 --- a/Shorewall6-lite/shorewall6-lite.spec +++ b/Shorewall6-lite/shorewall6-lite.spec @@ -1,5 +1,5 @@ %define name shorewall6-lite -%define version 4.4.6 +%define version 4.4.7 %define release 0base Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems. @@ -91,6 +91,8 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog +* Sat Jan 16 2010 Tom Eastep tom@shorewall.net +- Updated to 4.4.7-0base * Wed Jan 13 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.6-0base * Tue Jan 12 2010 Tom Eastep tom@shorewall.net diff --git a/Shorewall6-lite/uninstall.sh b/Shorewall6-lite/uninstall.sh index 57375804b..0e736ae0d 100755 --- a/Shorewall6-lite/uninstall.sh +++ b/Shorewall6-lite/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.6 +VERSION=4.4.7 usage() # $1 = exit status { diff --git a/Shorewall6/fallback.sh b/Shorewall6/fallback.sh index fec2614b0..01fb4a6ae 100755 --- a/Shorewall6/fallback.sh +++ b/Shorewall6/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.4.6 +VERSION=4.4.7 usage() # $1 = exit status { diff --git a/Shorewall6/install.sh b/Shorewall6/install.sh index dcf67519c..66a4b6ed1 100755 --- a/Shorewall6/install.sh +++ b/Shorewall6/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.6 +VERSION=4.4.7 usage() # $1 = exit status { diff --git a/Shorewall6/shorewall6.spec b/Shorewall6/shorewall6.spec index 01109aacd..2847f468e 100644 --- a/Shorewall6/shorewall6.spec +++ b/Shorewall6/shorewall6.spec @@ -1,5 +1,5 @@ %define name shorewall6 -%define version 4.4.6 +%define version 4.4.7 %define release 0base Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems. @@ -95,6 +95,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6 %changelog +* Sat Jan 16 2010 Tom Eastep tom@shorewall.net +- Updated to 4.4.7-0base * Wed Jan 13 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.6-0base * Tue Jan 12 2010 Tom Eastep tom@shorewall.net diff --git a/Shorewall6/uninstall.sh b/Shorewall6/uninstall.sh index 76d2a98f8..cbd6a4569 100755 --- a/Shorewall6/uninstall.sh +++ b/Shorewall6/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.6 +VERSION=4.4.7 usage() # $1 = exit status {