shorewall_code/Shorewall/changelog.txt
Tom Eastep b0c47d4f47 Document application of sfilters to INPUT traffic.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-08 11:02:39 -07:00

Changes in Shorewall 4.4.20.2
1) Reject degenerate tcpri entries.
2) Correct tc defect.
3) Apply sfilters to INPUT traffic.
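Item 3 above (the change the commit message documents) is the security-relevant one in this release: the sfilter interface option drops packets that arrive with a source address in a listed network, and the note implies that before 4.4.20.2 those rules were reached only from FORWARD, so a spoofed packet addressed to the firewall itself was never checked. The following check is an added example, not Shorewall's own code or part of this changelog; it assumes the filter rules live in a user chain named `sfilter` and that its input is the output of `iptables -S`. The two rulesets are constructed to model the before and after state.

```sh
#!/bin/sh
# Added example, not Shorewall's own code: given `iptables -S` output, check
# whether a chain (assumed here to be named "sfilter") is reachable from both
# INPUT and FORWARD, i.e. whether spoofed-source filtering also covers
# traffic addressed to the firewall itself.

# Constructed `iptables -S` excerpt, not captured from a real host. It models
# the behaviour the 4.4.20.2 fix addresses: sfilter is only reached via FORWARD.
RULES_BEFORE='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N eth0_fwd
-N eth0_in
-N net2all
-N net2fw
-N sfilter
-A INPUT -i eth0 -j eth0_in
-A FORWARD -i eth0 -j eth0_fwd
-A eth0_fwd -j sfilter
-A eth0_fwd -j net2all
-A eth0_in -j net2fw
-A sfilter -s 10.0.0.0/8 -j DROP
-A sfilter -s 192.168.0.0/16 -j DROP'

# The same constructed ruleset with INPUT traffic also sent through sfilter.
RULES_AFTER='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N eth0_fwd
-N eth0_in
-N net2all
-N net2fw
-N sfilter
-A INPUT -i eth0 -j eth0_in
-A FORWARD -i eth0 -j eth0_fwd
-A eth0_fwd -j sfilter
-A eth0_fwd -j net2all
-A eth0_in -j sfilter
-A eth0_in -j net2fw
-A sfilter -s 10.0.0.0/8 -j DROP
-A sfilter -s 192.168.0.0/16 -j DROP'

# jump_targets RULES CHAIN: print the target of every -j/-g in CHAIN's rules.
jump_targets() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "-A" && $2 == chain {
            for (i = 3; i <= NF; i++)
                if ($i == "-j" || $i == "-g") print $(i + 1)
        }'
}

# reachable RULES ROOT TARGET: succeed if TARGET is reached, directly or
# through intermediate user chains, starting from ROOT (breadth-first walk).
reachable() {
    rules=$1 root=$2 target=$3
    queue=$root
    seen=" $root "
    while [ -n "$queue" ]; do
        cur=${queue%% *}
        case $queue in
            *' '*) queue=${queue#* } ;;
            *)     queue='' ;;
        esac
        if [ "$cur" = "$target" ]; then
            return 0
        fi
        for next in $(jump_targets "$rules" "$cur"); do
            case $seen in *" $next "*) continue ;; esac
            seen="$seen$next "
            queue="${queue:+$queue }$next"
        done
    done
    return 1
}

# sfilter_coverage RULES [CHAIN]: report which builtin chains reach CHAIN.
sfilter_coverage() {
    chain=${2:-sfilter}
    fwd=no; inp=no
    reachable "$1" FORWARD "$chain" && fwd=yes
    reachable "$1" INPUT "$chain" && inp=yes
    case "$fwd/$inp" in
        yes/yes) echo both ;;
        yes/no)  echo forward-only ;;
        no/yes)  echo input-only ;;
        *)       echo none ;;
    esac
}

printf 'before 4.4.20.2: sfilter coverage = %s\n' "$(sfilter_coverage "$RULES_BEFORE")"
printf 'after  4.4.20.2: sfilter coverage = %s\n' "$(sfilter_coverage "$RULES_AFTER")"
```

On a live firewall the same check is `sfilter_coverage "$(iptables -S)"`; anything other than `both` means some ingress path skips the anti-spoofing rules. The walk follows `-g` as well as `-j`, since Shorewall's optimizer may emit goto rules, and stops at the first visit of each chain so it terminates on rulesets with loops.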
Changes in Shorewall 4.4.20.1
1) Corrected FSF address.
2) Don't modify configfiles/shorewall.conf &
configfiles/shorewall6.conf.
3) Change 'plain' default.
Changes in Shorewall 4.4.20 Final
1) Set /proc/sys/net/bridge/bridge_nf_call_iptables and
/proc/sys/net/bridge/bridge_nf_call_ip6tables.
2) Add 'I' and 'NI' STATEs in secmarks.
Changes in Shorewall 4.4.20 RC 1
1) Update release documents.
2) Annotate config files with manpage info.
3) Don't place negative numbers in IPMARK masks.
4) Fix IPv6 getparams
Changes in Shorewall 4.4.20 Beta 5
1) Rename Auditing Macros
2) Add -T option to compile and check
3) Implement ROUTEBACK_LOG_LEVEL and ROUTEBACK_AUDIT
Changes in Shorewall 4.4.20 Beta 4
1) Smarten up the tc devnum algorithm.
2) Implement LEGACY_FASTSTART option.
3) Add a '-c' option to the restart command.
4) /sbin/shorewall and /sbin/shorewall6 unification.
5) Remove dependence on 'make'
Changes in Shorewall 4.4.20 Beta 3
1) Add auditing support.
Changes in Shorewall 4.4.20 Beta 2
1) Use 'my' for module globals unless variable is exported.
2) Merged fixes from 4.4.19.4.
3) Implemented ACCOUNTING_TABLE
4) Implemented NFLOG accounting action.
5) Implement 'whitelist' option.
Changes in Shorewall 4.4.20 Beta 1
1) Apply Togan's patch for installation flexibility.
2) Disallow degenerate entry in tcpri.
3) More fixes to LIBEXEC/TCPRI
4) Don't allow filters and tcrules to refer to non-leaf classes.
Changes in Shorewall 4.4.19.2
1) Restore the ability to have IPSET names in the ORIGINAL DEST column
of a DNAT or REDIRECT rule.
2) Correct several complex TC issues reported by Mr Dash4.
3) Detect double exclusion involving ipset expressions.
Changes in Shorewall 4.4.19.1
1) Eliminate silly duplicate rule when stopped.
2) Don't believe that all nexthop routes are default routes.
3) Restore :<low port>-<high port> in masq file.
4) Correct default route safe/restore.
5) Restore ability to use an IPSET in the ORIGINAL DEST column of
DNAT and REDIRECT rules.
Changes in Shorewall 4.4.19 Final
1) Update release documents.
2) Correct split_line() error message for the proxyndp line.
Changes in Shorewall 4.4.19 RC 1
1) Correct release notes.
2) Display mangle table in the output from 'shorewall show tc'.
3) Allow simple TC to work on both IPv4 and IPv6
4) Fix an optimizer bug in Shorewall::Chains::replace_references().
5) Correct missing jump to 'dnat'.
Changes in Shorewall 4.4.19 Beta 5
1) Fix logical naming and bridge.
Changes in Shorewall 4.4.19 Beta 4
1) Handle mis-configured ipsec host group on a bridge.
2) Significantly improve bridge/ports handling.
3) Allow port-lists in /etc/shorewall/rules.
Changes in Shorewall 4.4.19 Beta 3
1) Allow /usr executables to be installed in a designated location.
2) Allow Shorewall perl modules to be installed in a designated
location.
Changes in Shorewall 4.4.19 Beta 2
1) Minor rework of init-log creation in the installer.
2) Add VRRP macro.
3) Fix more params processing bugs.
4) Do a better job of editing ICMP type lists.
5) Allow /usr executables to be installed in a designated location.
6) Allow Shorewall perl modules to be installed in a designated
location.
Changes in Shorewall 4.4.19 Beta 1
1) Place ACK packets in the highest priority band.
2) Break ICMP lists into individual rules.
Changes in Shorewall 4.4.18 Final
1) Correct handling of IPv6 host address in a net context.
2) Restore <burst> in tcdevices.
3) Correct handling of non-present interfaces and tcfilters.
Changes in Shorewall 4.4.18 RC 1
1) Update Version.
Changes in Shorewall 4.4.18 Beta 4
1) Fix trivalue handling AGAIN.
2) Change default value of MODULE_PREFIX.
3) Combine Policy and Rules Modules
4) Move section processing to the Rules modules.
Changes in Shorewall 4.4.18 Beta 3
1) Change default chain in FORWARD section of the accounting file.
2) Restrict USER/GROUP to OUTPUT section.
3) Restore prohibition of MAC addresses in unsectioned config.
4) Fix several optimizer problems.
Changes in Shorewall 4.4.18 Beta 2
1) Fix the 'local' Provider option in IPv6
2) Remove hardcoded 0.0.0.0/0 from Providers.pm
3) Correct an optimizer defect having to do with jumps containing a
comment.
Changes in Shorewall 4.4.18 Beta 1
1) Split up modules file.
2) Add sections to the accounting file.
Changes in Shorewall 4.4.17
1) Secure helper and modules files for non-root access.
2) Rename USE_LOCAL_MODULES to EXPORTMODULES
3) Added sch_tbf to the modules files.
Changes in Shorewall 4.4.17 RC 1
1) Documentation and release notes cleanup.
2) Ensure that manual and accounting chains aren't too long.
3) Tighten up the editing of ACCOUNT(...).
4) Add 'show ipa' command.
5) Several fixes to IPv6 tcfilters.
6) Correct three issues in per-IP accounting.
Changes in Shorewall 4.4.17 Beta 3
1) Allow run-time address variables in the masq file.
2) Fix silly bug in expand_rule().
3) Correct two defects in compiler module loading.
4) Implement per-IP module loading.
Changes in Shorewall 4.4.17 Beta 2
1) Handle line containing only INCLUDE.
2) Fix empty SHELL variable handling with bash.
3) Correct 'check -r' with OPTIMIZE=8
4) Add sch_prio to modules file.
5) Add 'USE_LOCAL_MODULES' option.
6) Implement run-time address variables (&interface)
Changes in Shorewall 4.4.17 Beta 1
1) Improve readability of logging logic in expand_rule().
2) Improve efficiency of oddball targets in process_rule1().
3) Export (param,value) pairs with EXPORTPARAMS=No.
4) Only produce 'done.' progress message on success.
5) Support INCLUDE in user exits.
6) Use updaterc.d during uninstall on Debian.
Changes in Shorewall 4.4.16 RC 1
1) Fix logging for jump to nat chain.
Changes in Shorewall 4.4.16 Beta 8
1) Complete parameterized actions.
2) Fix issue in expand_rule().
3) Eliminate Actions module.
4) Eliminate process_actions3().
5) Validate BLACKLIST_DISPOSITION.
Changes in Shorewall 4.4.16 Beta 7
1) Parameterized actions.
Changes in Shorewall 4.4.16 Beta 6
1) Don't let root match wildcard.
2) Fix use of wildcard names in the notrack file.
3) Fix use of wildcard names in the proxyarp file
4) Prevent perl runtime warnings with cached interface entries.
Changes in Shorewall 4.4.16 Beta 5
1) Fix broken logical naming with Proxy ARP.
2) Add support for proxyndp.
3) Move mid-level rule processing to the Actions module.
4) Implement format-2 actions.
5) Allow DNAT and REDIRECT in actions.
6) Remove kludgy restrictions regarding Macros and Actions.
Changes in Shorewall 4.4.16 Beta 4
1) Only issue get_params() warnings under 'trace'
2) Add ppp support to Shorewall-init
Changes in Shorewall 4.4.16 Beta 3
1) Integrate bug catcher into 'trace' and correct handling of
getparams on old (RHEL 5) shells.
Changes in Shorewall 4.4.16 Beta 2
1) Install bug catcher.
Changes in Shorewall 4.4.16 Beta 1
1) Handle multi-line ENV values
2) Fix for absent params file.
Changes in Shorewall 4.4.15
1) Add macros from Tuomo Soini.
2) Corrected macro.JAP.
3) Added fatal_error() functions to the -lite CLIs.
Changes in Shorewall 4.4.15 RC 1
1) Another Perl 5.12 warning.
2) Avoid anomalous behavior regarding syn flood chains.
3) Add HEADERS column for IPv6
Changes in Shorewall 4.4.15 Beta 2
1) Tweaks to IPv6 tcfilters
2) Add support for explicit provider routes
3) Fix shared TC tcfilters handling.
Changes in Shorewall 4.4.15 Beta 1
1) Handle exported VERBOSE.
2) Modernize handling of the params file.
3) Fix NULL_ROUTE_RFC1918
4) Fix problem of appending incorrect files.
5) Implement shared TC.
Changes in Shorewall 4.4.14
1) Support ipset lists.
2) Use conntrack in 'shorewall connections'
3) Clean up Shorewall6 error messages when running on a kernel <
2.6.24
4) Clean up ipset related error reporting out of validate_net().
5) Dramatically reduce the amount of CPU time spent in optimization.
6) Add 'scfilter' script.
7) Fix -lite init scripts.
8) Clamp VERBOSITY to valid range.
9) Delete obsolete options from shorewall.conf.
10) Change value of FORWARD_CLEAR_MARK in *.conf.
11) Use update-rc.d to install init symlinks.
12) Fix split_list().
13) Fix 10+ TC Interfaces.
14) Ensure that VERBOSITY=0 when interrogating compiled script's version
Changes in Shorewall 4.4.13
1) Allow zone lists in rules SOURCE and DEST.
2) Fix exclusion in the blacklist file.
3) Correct several old exclusion bugs.
4) Fix exclusion with CONTINUE/NONAT/ACCEPT+
5) Re-implement optional interface handling.
6) Add secmark config file.
7) Split in and out blacklisting.
8) Correct handling of [{src|dst},...] in ipset invocation
9) Correct SAME.
10) TC Enhancements:
<burst> in IN-BANDWIDTH columns.
OUT-BANDWIDTH column in tcinterfaces.
11) Create dynamic zone ipsets on 'start'.
12) Remove new blacklisting implementation.
13) Implement an alternative blacklisting scheme.
14) Use '-m state' for UNTRACKED.
15) Clear raw table on 'clear'
16) Correct port-range check in tcfilters.
17) Disallow '*' in interface names.
Changes in Shorewall 4.4.12
1) Fix IPv6 shorecap program.
2) Eradicate incorrect IPv6 Multicast Network
3) Add ADD/DEL support.
4) Allow :random to work with REDIRECT
5) Add per-ip log rate limiting.
6) Use new hashlimit match syntax if available.
7) Add Universal sample.
8) Add COMPLETE option.
9) Make ICMP a synonym for IPV6-ICMP in ipv6 configs.
10) Support new set match syntax.
11) Blacklisting by DEST IP.
12) Fix duplicate rule generation with 'any'.
13) Fix port range editing problem.
14) Display the .conf file directory in response to the status command.
15) Correct AUTOMAKE
Changes in Shorewall 4.4.11
1) Apply patch from Gabriel.
2) Fix IPSET match detection when a pathname is specified for IPSET.
3) Fix start priority of shorewall-init on Debian
4) Make IPv6 log and connections output readable.
5) Add REQUIRE_INTERFACE to shorewall*.conf
6) Avoid run-time warnings when options are not listed in
shorewall.conf.
7) Implement Vserver zones.
8) Make find_hosts_by_option() work correctly where ALL_IP appears in
hosts file.
9) Add CLEAR_FORWARD_MARK option.
10) Avoid missing closing quote when REQUIRE_INTERFACE=Yes.
11) Add PERL option.
12) Fix nets= in Shorewall6
Changes in Shorewall 4.4.10
1) Fix regression with scripts.
2) Log startup errors.
3) Implement Shorewall-init.
4) Add SAFESTOP option to /etc/default/shorewall*
5) Restore -a functionality to the version command.
6) Correct Optimization issue
7) Rename PREFIX to DESTDIR in install scripts
8) Correct handling of optional/required interfaces with wildcard names.
Changes in Shorewall 4.4.9
1) Auto-detection of bridges.
2) Correct handling of a logical interface name in the EXTERNAL column
of proxyarp.
3) More robust 'trace'.
4) Added IPv6 mDNS macro.
5) Fix find_first_interface_address() error reporting.
6) Fix propagation of zero-valued config variables.
7) Fix OPTIMIZE 4 bug.
8) Deallocate unused rules.
9) Keep rule arrays compressed during optimization.
10) Remove remaining fallback scripts.
11) Rationalize startup logs.
12) Optimize 8.
13) Don't create output chains for BPORT zones.
14) Implement 'show log ip-addr' in /sbin/shorewall and
/sbin/shorewall-lite.
15) Restore lone ACCEPT rule to the OUTPUT chain under OPTIMIZE 2.
16) Change chain policy on OUTPUT chain with lone ACCEPT rule.
17) Set IP before sourcing the params file.
18) Fix rare optimization bug.
19) Allow definition of an addressless bridge without a zone.
20) In the routestopped file, assume 'routeback' if the interface has
'routeback'.
21) Make Shorewall and Shorewall6 installable on OS X.
Changes in Shorewall 4.4.8
1) Correct handling of RATE LIMIT on NAT rules.
2) Don't create a logging chain for rules with '-j RETURN'.
3) Avoid duplicate SFQ class numbers.
4) Fix low per-IP rate limits.
5) Fix Debian init script exit status
6) Fix NFQUEUE(queue-num) in policy
7) Implement -s option in install.sh
8) Add HKP Macro
9) Fix multiple policy matches with OPTIMIZE 4 and not KLUDGEFREE
10) Eliminate up-cased variable names that aren't documented options.
11) Don't show 'OLD' capabilities if they are not available.
12) Attempt to flag use of '-' as a port-range separator.
13) Add undocumented OPTIMIZE=-1 setting.
14) Replace OPTIMIZE=-1 with undocumented optimize 4096 which DISABLES
default optimizations.
15) Add support for UDPLITE
16) Distinguish between 'Started' and 'Restored' in ${VARDIR}/state
17) Issue warnings when 'blacklist' but no blacklist file entries.
18) Don't optimize 'blacklst'.
Changes in Shorewall 4.4.7
1) Backport optimization changes from 4.5.
2) Backport two new options from 4.5.
3) Backport TPROXY from 4.5
4) Add TC_PRIOMAP to shorewall*.conf
5) Implement LOAD_HELPERS_ONLY
6) Avoid excessive module loading with LOAD_HELPERS_ONLY=Yes
7) Fix case where MARK target is unavailable.
8) Change default to ADD_IP_ALIASES=No
9) Correct defects in generate_matrix().
10) Fix and optimize 'nosmurfs'.
11) Use 'OLD_HL_MATCH' to suppress use of 'flow' in Simple TC.
Changes in Shorewall 4.4.6
1) Fix for rp_filter and kernel 2.6.31.
2) Add a hack to work around a bug in Lenny + xtables-addons
3) Re-enable SAVE_IPSETS
4) Allow both <...> and [...] for IPv6 Addresses.
5) Port mark geometry change from 4.5.
6) Add Macro patch from Tuomo Soini
7) Add 'show macro' command.
8) Add -r option to check.
9) Port simplified TC from 4.5.
Changes in Shorewall 4.4.5
1) Fix 15-port limit removal change.
2) Fix handling of interfaces with the 'bridge' option.
3) Generate error for port number 0
4) Allow zone::serverport in rules DEST column.
5) Fix 'show policies' in Shorewall6.
6) Auto-load tc modules.
7) Allow LOGFILE=/dev/null
8) Fix shorewall6-lite/shorecap
9) Fix MODULE_SUFFIX.
10) Fix ENHANCED_REJECT detection for IPv4.
11) Fix DONT_LOAD vs 'reload -c'
12) Fix handling of SOURCE and DEST vs macros.
13) Remove silly logic in expand_rule().
14) Add current and limit to Conntrack Table Heading.
Changes in Shorewall 4.4.4
1) Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.
2) Fix access to uninitialized variable.
3) Add logrotate scripts.
4) Allow long port lists in /etc/shorewall/routestopped.
5) Implement 'physical' interface option.
6) Implement ZONE2ZONE option.
7) Suppress duplicate COMMENT warnings.
8) Implement 'show policies' command.
9) Fix route_rule suppression for down provider.
10) Suppress redundant tests for provider availability in route rules
processing.
11) Implement the '-l' option to the 'show' command.
12) Fix class number assignment when WIDE_TC_MARKS=Yes
13) Allow wide marks in tcclasses when WIDE_TC_MARKS=Yes
Changes in Shorewall 4.4.3
1) Move Debian INITLOG initialization to /etc/default/shorewall
2) Fix 'routeback' in /etc/shorewall/routestopped.
3) Rename 'object' to 'script' in compiler and config modules.
4) Correct RETAIN_ALIASES=No.
5) Fix detection of IP config.
6) Fix nested zones.
7) Move all function declarations from prog.footer to prog.header
8) Remove superfluous variables from generated script
9) Make 'track' the default.
10) Add TRACK_PROVIDERS option.
11) Fix IPv6 address parsing bug.
12) Add hack to work around iproute IPv6 bug in route handling
13) Correct messages issued when an optional provider is not usable.
14) Fix optional interfaces.
15) Add 'limit' option to tcclasses.
Changes in Shorewall 4.4.2
1) BUGFIX: Correct detection of Persistent SNAT support
2) BUGFIX: Fix chain table initialization
3) BUGFIX: Validate routestopped file on 'check'
4) Let the Actions module add the builtin actions to
%Shorewall::Chains::targets. Much better modularization that way.
5) Some changes to make Lenny->Squeeze less painful.
6) Allow comments at the end of continued lines.
7) Call process_routestopped() during 'check' rather than
'compile_stop_firewall()'.
8) Don't look for an extension script for built-in actions.
9) Apply Jesse Shrieve's patch for SNAT range.
10) Add -<family> to 'ip route del default' command.
11) Add three new columns to macro body.
12) Change 'wait4ifup' so that it requires no PATH
13) Allow extension scripts for accounting chains.
14) Allow per-ip LIMIT to work on ancient iptables releases.
15) Add 'MARK' column to action body.
Changes in Shorewall 4.4.1
1) Deleted extra 'use ...IPAddrs.pm' from Nat.pm.
2) Deleted superfluous export from Chains.pm.
3) Added support for --persistent.
4) Don't do module initialization in an INIT block.
5) Minor performance improvements.
6) Add 'clean' target to Makefile.
7) Redefine 'full' for sub-classes.
8) Fix log level in rules at the end of INPUT and OUTPUT chains.
9) Fix nested ipsec zones.
10) Change one-interface sample to IP_FORWARDING=Off.
11) Allow multicast to non-dynamic zones defined with nets=.
12) Allow zones with nets= to be extended by /etc/shorewall/hosts
entries.
13) Don't allow nets= in a multi-zone interface definition.
14) Fix rule generated by MULTICAST=Yes
15) Fix silly hole in zones file parsing.
16) Tighten up zone membership checking.
17) Combine portlist-splitting routines into a single function.
Changes in Shorewall 4.4.0
1) Fix 'compile ... -' so that it no longer requires '-v-1'
2) Fix rule generation for logging nat rules with no exclusion.
3) Fix log record formatting.
4) Restore ipset binding
5) Fix 'upnpclient' with required interfaces.
6) Fix provider number in masq file.
Changes in Shorewall 4.4.0-RC2
1) Fix capabilities file with Shorewall6.
2) Allow Shorewall6 to recognize TC, IP and IPSET
3) Make 'any' a reserved zone name.
4) Correct handling of an ipsec zone nested in a non-ipsec zone.
Changes in Shorewall 4.4.0-RC1
1) Delete duplicate Git macro.
2) Fix routing when no providers.
3) Add 'any' as a SOURCE/DEST in rules.
4) Fix NONAT on child zone.
5) Fix rpm -U from earlier versions
6) Generate error on 'status' by non-root.
7) Get rid of prog.functions and prog.functions6
Changes in Shorewall 4.4.0-Beta4
1) Add more macros.
2) Correct broadcast address detection
3) Fix 'show dynamic'
4) Fix BGP and OSPF macros.
5) Change DISABLE_IPV6 default and use 'correct' ip6tables.
Changes in Shorewall 4.4.0-Beta3
1) Add new macros.
2) Work around mis-configured interfaces.
3) Fix 'show dynamic'.
4) Check for xt_LOG.
5) Fix 'findgw'
Changes in Shorewall 4.4.0-Beta2
1) The 'find_first_interface_address()' and
'find_first_interface_address_if_any()' functions have been restored to
lib.base.
2) Integerize r2q before inserting it into 'tc qdisc add root'
command.
3) Remove '-h' from the help text for install.sh in Shorewall and
Shorewall6.
4) Delete the 'continue' file from the Shorewall package.
5) Add 'upnpclient' interface option.
6) Fix handling of optional interfaces.
7) Add 'iptrace' and 'noiptrace' command.
8) Add 'USER/GROUP' column to masq file.
9) Added lib.private.
Changes in Shorewall 4.4.0-Beta1
1) Correct typo in Shorewall6 two-interface sample shorewall.conf.
2) Fix TOS mnemonic handling in /etc/shorewall/tcfilters.
Changes in Shorewall 4.3.12
1) Eliminate 'large quantum' warnings.
2) Add HFSC support.
3) Delete support for ipset binding. Jozsef has removed the capability
from ipset.
4) Add TOS and LENGTH columns to tcfilters file.
5) Fix 'reset' command.
6) Fix 'findgw'.
7) Remove 'norfc1918' support.
Changes in Shorewall 4.3.11
1) Reduce the number of arguments passed in many cases.
2) Fix SCTP source port handling in tcfilters.
3) Add 'findgw' user exit.
4) Add macro.Trcrt
Changes in Shorewall 4.3.10
1) Fix handling of shared optional providers.
2) Add WIDE_TC_MARKS option.
3) Allow compile to STDOUT.
4) Fix handling of class IDs.
5) Deprecate use of an interface in the SOURCE column of
/etc/shorewall/masq.
6) Fix handling of 'all' in the SOURCE of DNAT- rules.
7) Fix compile for export.
8) Optimize IPMARK.
9) Implement nested HTB classes.
10) Fix 'iprange' command.
11) Make traffic shaping work better with IPv6.
12) Externalize 'flow'.
13) Fix 'start' with AUTOMAKE=Yes
Changes in Shorewall 4.3.9
1) Logging rules now create separate chain.
2) Fix netmask generation in tcfilters.
3) Allow Shorewall6 with kernel 2.6.24
4) Avoid 'Invalid BROADCAST address' errors.
5) Allow Shorewall6 on kernel 2.6.24
6) Add IP, TC and IPSET options in shorewall.conf and shorewall6.conf.
7) Add IPMARK support
Changes in Shorewall 4.3.8
1) Apply Tuomo Soini's patch for USE_DEFAULT_RT.
2) Use 'startup_error' for those errors caught early.
3) Fix swping
4) Detect gateway via dhclient leases file.
5) Suppress leading whitespace on certain continuation lines.
6) Use iptables[6]-restore to stop the firewall.
7) Add AUTOMAKE option
8) Remove SAME support.
9) Allow 'compile' without a pathname.
10) Fix LOG_MARTIANS=Yes.
11) Adapt I. Buijs's hashlimit patch.
Changes in Shorewall 4.3.7
1) Fix forward treatment of interface options.
2) Replace $VARDIR/.restore with $VARDIR/firewall
3) Fix DNAT- parsing of DEST column.
4) Implement dynamic zones
5) Allow 'HOST' options on bridge ports.
6) Deprecate old macro parameter syntax.
Changes in Shorewall 4.3.6
1) Add SAME tcrules target.
2) Make 'dump' display the raw table. Fix shorewall6 dump anomalies.
3) Fix split_list1()
4) Fix Shorewall6 file location bugs.
Changes in Shorewall 4.3.5
1) Remove support for shorewall-shell.
2) Combine shorewall-common and shorewall-perl to produce shorewall.
3) Add nets= OPTION in interfaces file.