mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-27 01:53:27 +01:00
b0c47d4f47
Signed-off-by: Tom Eastep <teastep@shorewall.net>
1043 lines
22 KiB
Plaintext
1043 lines
22 KiB
Plaintext
Changes in Shorewall 4.4.20.2
|
|
|
|
1) Reject degenerate tcpri entries.
|
|
|
|
2) Correct tc defect.
|
|
|
|
3) Apply sfilters to INPUT traffic.
|
|
|
|
Changes in Shorewall 4.4.20.1
|
|
|
|
1) Corrected FSF address.
|
|
|
|
2) Don't modify configfiles/shorewall.conf &
|
|
configfiles/shorewall6.conf.
|
|
|
|
3) Change 'plain' default.
|
|
|
|
Changes in Shorewall 4.4.20 Final
|
|
|
|
1) Set /proc/sys/net/bridge/bridge_nf_call_ip6?tables.
|
|
|
|
2) Add 'I' and 'NI' STATEs in secmarks.
|
|
|
|
Changes in Shorewall 4.4.20 RC 1
|
|
|
|
1) Update release documents.
|
|
|
|
2) Annotate config files with manpage info.
|
|
|
|
3) Don't place negative numbers in IPMARK masks.
|
|
|
|
4) Fix IPv6 getparams
|
|
|
|
Changes in Shorewall 4.4.20 Beta 5
|
|
|
|
1) Rename Auditing Macros
|
|
|
|
2) Add -T option to compile and check
|
|
|
|
3) Implement ROUTEBACK_LOG_LEVEL and ROUTEBACK_AUDIT
|
|
|
|
Changes in Shorewall 4.4.20 Beta 4
|
|
|
|
1) Smarten up the tc devnum algorithm.
|
|
|
|
2) Implement LEGACY_FASTSTART option.
|
|
|
|
3) Add a '-c' option to the restart command.
|
|
|
|
4) /sbin/shorewall and /sbin/shorewall6 unification.
|
|
|
|
5) Remove dependence on 'make'
|
|
|
|
Changes in Shorewall 4.4.20 Beta 3
|
|
|
|
1) Add auditing support.
|
|
|
|
Changes in Shorewall 4.4.20 Beta 2
|
|
|
|
1) Use 'my' for module globals unless variable is exported.
|
|
|
|
2) Merged fixes from 4.4.19.4.
|
|
|
|
3) Implemented ACCOUNTING_TABLE
|
|
|
|
4) Implemented NFLOG accounting action.
|
|
|
|
5) Implement 'whitelist' option.
|
|
|
|
Changes in Shorewall 4.4.20 Beta 1
|
|
|
|
1) Apply Togan's patch for installation flexibility.
|
|
|
|
2) Disallow degenerate entry in tcpri.
|
|
|
|
3) More fixes to LIBEXEC/TCPRI
|
|
|
|
4) Don't allow filters and tcrules to refer to non-leaf classes.
|
|
|
|
Changes in Shorewall 4.4.19.2
|
|
|
|
1) Restore the ability to have IPSET names in the ORIGINAL DEST column
|
|
of a DNAT or REDIRECT rule.
|
|
|
|
2) Correct several complex TC issues reported by Mr Dash4.
|
|
|
|
3) Detect double exclusion involving ipset expressions.
|
|
|
|
Changes in Shorewall 4.4.19.1
|
|
|
|
1) Eliminate silly duplicate rule when stopped.
|
|
|
|
2) Don't believe that all nexthop routes are default routes.
|
|
|
|
3) Restore :<low port>-<high port> in masq file.
|
|
|
|
4) Correct default route safe/restore.
|
|
|
|
Changes in Shorewall 4.4.19.1
|
|
|
|
1) Eliminate silly duplicate rule when stopped.
|
|
|
|
2) Don't believe that all nexthop routes are default routes.
|
|
|
|
3) Restore :<low port>-<high port> in masq file.
|
|
|
|
4) Correct default route safe/restore.
|
|
|
|
5) Restore ability to use an IPSET in the ORIGINAL DEST column of
|
|
DNAT and REDIRECT rules.
|
|
|
|
Changes in Shorewall 4.4.19 Final
|
|
|
|
1) Update release documents.
|
|
|
|
2) Correct split_line() error message for the proxyndp line.
|
|
|
|
Changes in Shorewall 4.4.19 RC 1
|
|
|
|
1) Correct release notes.
|
|
|
|
2) Display mangle table in the output from 'shorewall show tc'.
|
|
|
|
3) Allow simple TC to work on both IPv4 and IPv6
|
|
|
|
4) Fix an optimizer bug in Shorewall::Chains::replace_references().
|
|
|
|
5) Correct missing jump to 'dnat'.
|
|
|
|
Changes in Shorewall 4.4.19 Beta 5
|
|
|
|
1) Fix logical naming and bridge.
|
|
|
|
Changes in Shorewall 4.4.19 Beta 4
|
|
|
|
1) Handle mis-configured ipsec host group on a bridge.
|
|
|
|
2) Significantly improve bridge/ports handling.
|
|
|
|
3) Allow port-lists in /etc/shorewall/rules.
|
|
|
|
Changes in Shorewall 4.4.19 Beta 3
|
|
|
|
1) Allow /usr executables to be installed in a designated location.
|
|
|
|
2) Allow Shorewall perl modules to be installed in a designated
|
|
location.
|
|
|
|
Changes in Shorewall 4.4.19 Beta 2
|
|
|
|
1) Minor rework of init-log creation in the installer.
|
|
|
|
2) Add VRRP macro.
|
|
|
|
3) Fix more params processing bugs.
|
|
|
|
4) Do a better job of editing ICMP type lists.
|
|
|
|
5) Allow /usr executables to be installed in a designated location.
|
|
|
|
6) Allow Shorewall perl modules to be installed in a designated
|
|
location.
|
|
|
|
Changes in Shorewall 4.4.19 Beta 1
|
|
|
|
1) Place ACK packets in the highest priority band.
|
|
|
|
2) Break ICMP lists into individual rules.
|
|
|
|
Changes in Shorewall 4.4.18 Final
|
|
|
|
1) Correct handling of IPv6 host address in a net context.
|
|
|
|
2) Restore <burst> in tcdevices.
|
|
|
|
3) Correct handling of non-present interfaces and tcfilters.
|
|
|
|
Changes in Shorewall 4.4.18 RC 1
|
|
|
|
1) Update Version.
|
|
|
|
Changes in Shorewall 4.4.18 Beta 4
|
|
|
|
1) Fix trivalue handling AGAIN.
|
|
|
|
2) Change default value of MODULE_PREFIX.
|
|
|
|
3) Combine Policy and Rules Modules
|
|
|
|
4) Move section processing to the Rules modules.
|
|
|
|
Changes in Shorewall 4.4.18 Beta 3
|
|
|
|
1) Change default chain in FORWARD section of the accounting file.
|
|
|
|
2) Restrict USER/GROUP to OUTPUT section.
|
|
|
|
3) Restore prohibition of MAC addresses in unsectioned config.
|
|
|
|
4) Fix several optimizer problems.
|
|
|
|
Changes in Shorewall 4.4.18 Beta 2
|
|
|
|
1) Fix the 'local' Provider option in IPv6
|
|
|
|
2) Remove hardcoded 0.0.0.0/0 from Providers.pm
|
|
|
|
3) Correct an optimizer defect having to do with jumps containing a
|
|
comment.
|
|
|
|
Changes in Shorewall 4.4.18 Beta 1
|
|
|
|
1) Split up modules file.
|
|
|
|
2) Add sections to the accounting file.
|
|
|
|
Changes in Shorewall 4.4.17
|
|
|
|
1) Secure helper and modules files for non-root access.
|
|
|
|
2) Rename USE_LOCAL_MODULES to EXPORTMODULES
|
|
|
|
Changes in Shorewall 4.4.17
|
|
|
|
1) Added sch_tbf to the modules files.
|
|
|
|
Changes in Shorewall 4.4.17 RC 1
|
|
|
|
1) Documentation and release notes cleanup.
|
|
|
|
2) Ensure that manual and accounting chains aren't too long.
|
|
|
|
3) Tighten up the editing of ACCOUNT(...).
|
|
|
|
4) Add 'show ipa' command.
|
|
|
|
5) Several fixes to IPv6 tcfilters.
|
|
|
|
6) Correct three issues in per-IP accounting.
|
|
|
|
Changes in Shorewall 4.4.17 Beta 3
|
|
|
|
1) Allow run-time address variables in the masq file.
|
|
|
|
2) Fix silly bug in expand_rule().
|
|
|
|
3) Correct two defects in compiler module loading.
|
|
|
|
4) Implement per-IP module loading.
|
|
|
|
Changes in Shorewall 4.4.17 Beta 2
|
|
|
|
1) Handle line containing only INCLUDE.
|
|
|
|
2) Fix empty SHELL variable handling with bash.
|
|
|
|
3) Correct 'check -r' with OPTIMIZE=8
|
|
|
|
4) Add sch_prio to modules file.
|
|
|
|
5) Add 'USE_LOCAL_MODULES' option.
|
|
|
|
6) Implement run-time address variables (&interface)
|
|
|
|
Changes in Shorewall 4.4.17 Beta 1
|
|
|
|
1) Improve readability of logging logic in expand_rule().
|
|
|
|
2) Improve efficency of oddball targets in process_rule1().
|
|
|
|
3) Export (param,value) pairs with EXPORTPARAMS=No.
|
|
|
|
4) Only produce 'done.' progress message on success.
|
|
|
|
5) Support INCLUDE in user exits.
|
|
|
|
6) Use updaterc.d during uninstall on Debian.
|
|
|
|
Changes in Shorewall 4.4.16 RC 1
|
|
|
|
1) Fix logging for jump to nat chain.
|
|
|
|
Changes in Shorewall 4.4.16 Beta 8
|
|
|
|
1) Complete parameterized actions.
|
|
|
|
2) Fix issue in expand_rule().
|
|
|
|
3) Eliminate Actions module.
|
|
|
|
4) Eliminate process_actions3().
|
|
|
|
5) Validate BLACKLIST_DISPOSITION.
|
|
|
|
Changes in Shorewall 4.4.16 Beta 7
|
|
|
|
1) Parameterized actions.
|
|
|
|
Changes in Shorewall 4.4.16 Beta 6
|
|
|
|
1) Don't let root match wildcard.
|
|
|
|
2) Fix use of wildcard names in the notrack file.
|
|
|
|
3) Fix use of wildcard names in the proxyarp file
|
|
|
|
4) Prevent perl runtime warnings with cached interface entries.
|
|
|
|
Changes in Shorewall 4.4.16 Beta 5
|
|
|
|
1) Fix broken logical naming with Proxy ARP.
|
|
|
|
2) Add support for proxyndp.
|
|
|
|
3) Move mid-level rule processing to the Actions module.
|
|
|
|
4) Implement format-2 actions.
|
|
|
|
5) Allow DNAT and REDIRECT in actions.
|
|
|
|
6) Remove kludgy restrictions regarding Macros and Actions.
|
|
|
|
Changes in Shorewall 4.4.16 Beta 4
|
|
|
|
1) Only issue get_params() warnings under 'trace'
|
|
|
|
2) Add ppp support to Shorewall-init
|
|
|
|
Changes in Shorewall 4.4.16 Beta 3
|
|
|
|
1) Integrate bug catcher into 'trace' and correct handling of
|
|
getparams on old (RHEL 5) shells.
|
|
|
|
Changes in Shorewall 4.4.16 Beta 2
|
|
|
|
1) Install bug catcher.
|
|
|
|
Changes in Shorewall 4.4.16 Beta 1
|
|
|
|
1) Handle multi-line ENV values
|
|
|
|
2) Fix for absent params file.
|
|
|
|
Changes in Shorewall 4.4.15
|
|
|
|
1) Add macros from Tuomo Soini.
|
|
|
|
2) Corrected macro.JAP.
|
|
|
|
3) Added fatal_error() functions to the -lite CLIs.
|
|
|
|
RC 1
|
|
|
|
1) Another Perl 5.12 warning.
|
|
|
|
2) Avoid anomalous behavior regarding syn flood chains.
|
|
|
|
3) Add HEADERS column for IPv6
|
|
|
|
Beta 2
|
|
|
|
1) Tweaks to IPv6 tcfilters
|
|
|
|
2) Add support for explicit provider routes
|
|
|
|
3) Fix shared TC tcfilters handling.
|
|
|
|
Beta 1
|
|
|
|
1) Handle exported VERBOSE.
|
|
|
|
2) Modernize handling of the params file.
|
|
|
|
3) Fix NULL_ROUTE_RFC1918
|
|
|
|
4) Fix problem of appending incorrect files.
|
|
|
|
5) Implement shared TC.
|
|
|
|
Changes in Shorewall 4.4.14
|
|
|
|
1) Support ipset lists.
|
|
|
|
2) Use conntrack in 'shorewall connections'
|
|
|
|
3) Clean up Shorewall6 error messages when running on a kernel <
|
|
2.6.24
|
|
|
|
4) Clean up ipset related error reporting out of validate_net().
|
|
|
|
5) Dramatically reduce the amount of CPU time spent in optimization.
|
|
|
|
6) Add 'scfilter' script.
|
|
|
|
7) Fix -lite init scripts.
|
|
|
|
8) Clamp VERBOSITY to valid range.
|
|
|
|
9) Delete obsolete options from shorewall.conf.
|
|
|
|
10) Change value of FORWARD_CLEAR_MARK in *.conf.
|
|
|
|
11) Use update-rc.d to install init symlinks.
|
|
|
|
12) Fix split_list().
|
|
|
|
13) Fix 10+ TC Interfaces.
|
|
|
|
14) Insure that VERBOSITY=0 when interrogating compiled script's version
|
|
|
|
Changes in Shorewall 4.4.13
|
|
|
|
1) Allow zone lists in rules SOURCE and DEST.
|
|
|
|
2) Fix exclusion in the blacklist file.
|
|
|
|
3) Correct several old exclusion bugs.
|
|
|
|
4) Fix exclusion with CONTINUE/NONAT/ACCEPT+
|
|
|
|
5) Re-implement optional interface handling.
|
|
|
|
6) Add secmark config file.
|
|
|
|
7) Split in and out blacklisting.
|
|
|
|
8) Correct handling of [{src|dst},...] in ipset invocation
|
|
|
|
9) Correct SAME.
|
|
|
|
10) TC Enhancements:
|
|
|
|
<burst> in IN-BANDWIDTH columns.
|
|
OUT-BANDWIDTH column in tcinterfaces.
|
|
|
|
11) Create dynamic zone ipsets on 'start'.
|
|
|
|
12) Remove new blacklisting implementation.
|
|
|
|
13) Implement an alternative blacklisting scheme.
|
|
|
|
14) Use '-m state' for UNTRACKED.
|
|
|
|
15) Clear raw table on 'clear'
|
|
|
|
16) Correct port-range check in tcfilters.
|
|
|
|
17) Disallow '*' in interface names.
|
|
|
|
Changes in Shorewall 4.4.12
|
|
|
|
1) Fix IPv6 shorecap program.
|
|
|
|
2) Eradicate incorrect IPv6 Multicast Network
|
|
|
|
3) Add ADD/DEL support.
|
|
|
|
4) Allow :random to work with REDIRECT
|
|
|
|
5) Add per-ip log rate limiting.
|
|
|
|
6) Use new hashlimit match syntax if available.
|
|
|
|
7) Add Universal sample.
|
|
|
|
8) Add COMPLETE option.
|
|
|
|
9) Make ICMP a synonym for IPV6-ICMP in ipv6 configs.
|
|
|
|
10) Support new set match syntax.
|
|
|
|
11) Blacklisting by DEST IP.
|
|
|
|
12) Fix duplicate rule generation with 'any'.
|
|
|
|
13) Fix port range editing problem.
|
|
|
|
14) Display the .conf file directory in response to the status command.
|
|
|
|
15) Correct AUTOMAKE
|
|
|
|
Changes in Shorewall 4.4.11
|
|
|
|
1) Apply patch from Gabriel.
|
|
|
|
2) Fix IPSET match detection when a pathname is specified for IPSET.
|
|
|
|
3) Fix start priority of shorewall-init on Debian
|
|
|
|
4) Make IPv6 log and connections output readable.
|
|
|
|
5) Add REQUIRE_INTERFACE to shorewall*.conf
|
|
|
|
6) Avoid run-time warnings when options are not listed in
|
|
shorewall.conf.
|
|
|
|
7) Implement Vserver zones.
|
|
|
|
8) Make find_hosts_by_option() work correctly where ALL_IP appears in
|
|
hosts file.
|
|
|
|
9) Add CLEAR_FORWARD_MARK option.
|
|
|
|
10) Avoid missing closing quote when REQUIRE_INTERFACE=Yes.
|
|
|
|
11) Add PERL option.
|
|
|
|
12) Fix nets= in Shorewall6
|
|
|
|
Changes in Shorewall 4.4.10
|
|
|
|
1) Fix regression with scripts.
|
|
|
|
2) Log startup errors.
|
|
|
|
3) Implement Shorewall-init.
|
|
|
|
4) Add SAFESTOP option to /etc/default/shorewall*
|
|
|
|
5) Restore -a functionality to the version command.
|
|
|
|
6) Correct Optimization issue
|
|
|
|
7) Rename PREFIX to DESTDIR in install scripts
|
|
|
|
8) Correct handling of optional/required interfaces with wildcard names.
|
|
|
|
Changes in Shorewall 4.4.9
|
|
|
|
1) Auto-detection of bridges.
|
|
|
|
2) Correct handling of a logical interface name in the EXTERNAL column
|
|
of proxyarp.
|
|
|
|
3) More robust 'trace'.
|
|
|
|
4) Added IPv6 mDNS macro.
|
|
|
|
5) Fix find_first_interface_address() error reporting.
|
|
|
|
6) Fix propagation of zero-valued config variables.
|
|
|
|
7) Fix OPTIMIZE 4 bug.
|
|
|
|
8) Deallocate unused rules.
|
|
|
|
9) Keep rule arrays compressed during optimization.
|
|
|
|
10) Remove remaining fallback scripts.
|
|
|
|
11) Rationalize startup logs.
|
|
|
|
12) Optimize 8.
|
|
|
|
13) Don't create output chains for BPORT zones.
|
|
|
|
14) Implement 'show log ip-addr' in /sbin/shorewall and
|
|
/sbin/shorewall-lite/
|
|
|
|
15) Restore lone ACCEPT rule to the OUTPUT chain under OPTIMIZE 2.
|
|
|
|
16) Change chain policy on OUTPUT chain with lone ACCEPT rule.
|
|
|
|
17) Set IP before sourcing the params file.
|
|
|
|
18) Fix rare optimization bug.
|
|
|
|
19) Allow definition of an addressless bridge without a zone.
|
|
|
|
20) In the routestopped file, assume 'routeback' if the interface has
|
|
'routeback'.
|
|
|
|
21) Make Shorewall and Shorewall6 installable on OS X.
|
|
|
|
Changes in Shorewall 4.4.8
|
|
|
|
1) Correct handling of RATE LIMIT on NAT rules.
|
|
|
|
2) Don't create a logging chain for rules with '-j RETURN'.
|
|
|
|
3) Avoid duplicate SFQ class numbers.
|
|
|
|
4) Fix low per-IP rate limits.
|
|
|
|
5) Fix Debian init script exit status
|
|
|
|
6) Fix NFQUEUE(queue-num) in policy
|
|
|
|
7) Implement -s option in install.sh
|
|
|
|
8) Add HKP Macro
|
|
|
|
9) Fix multiple policy matches with OPTIMIZE 4 and not KLUDGEFREE
|
|
|
|
10) Eliminate up-cased variable names that aren't documented options.
|
|
|
|
11) Don't show 'OLD' capabilities if they are not available.
|
|
|
|
12) Attempt to flag use of '-' as a port-range separator.
|
|
|
|
13) Add undocumented OPTIMIZE=-1 setting.
|
|
|
|
14) Replace OPTIMIZE=-1 with undocumented optimize 4096 which DISABLES
|
|
default optimizations.
|
|
|
|
15) Add support for UDPLITE
|
|
|
|
16) Distinguish between 'Started' and 'Restored' in ${VARDIR}/state
|
|
|
|
17) Issue warnings when 'blacklist' but no blacklist file entries.
|
|
|
|
18) Don't optimize 'blacklst'.
|
|
|
|
Changes in Shorewall 4.4.7
|
|
|
|
1) Backport optimization changes from 4.5.
|
|
|
|
2) Backport two new options from 4.5.
|
|
|
|
3) Backport TPROXY from 4.5
|
|
|
|
4) Add TC_PRIOMAP to shorewall*.conf
|
|
|
|
5) Implement LOAD_HELPERS_ONLY
|
|
|
|
6) Avoid excessive module loading with LOAD_HELPERS_ONLY=Yes
|
|
|
|
7) Fix case where MARK target is unavailable.
|
|
|
|
8) Change default to ADD_IP_ALIASES=No
|
|
|
|
9) Correct defects in generate_matrix().
|
|
|
|
10) Fix and optimize 'nosmurfs'.
|
|
|
|
11) Use 'OLD_HL_MATCH' to suppress use of 'flow' in Simple TC.
|
|
|
|
Changes in Shorewall 4.4.6
|
|
|
|
1) Fix for rp_filter and kernel 2.6.31.
|
|
|
|
2) Add a hack to work around a bug in Lenny + xtables-addons
|
|
|
|
3) Re-enable SAVE_IPSETS
|
|
|
|
4) Allow both <...> and [...] for IPv6 Addresses.
|
|
|
|
5) Port mark geometry change from 4.5.
|
|
|
|
6) Add Macro patch from Tuomo Soini
|
|
|
|
7) Add 'show macro' command.
|
|
|
|
8) Add -r option to check.
|
|
|
|
9) Port simplified TC from 4.5.
|
|
|
|
Changes in Shorewall 4.4.5
|
|
|
|
1) Fix 15-port limit removal change.
|
|
|
|
2) Fix handling of interfaces with the 'bridge' option.
|
|
|
|
3) Generate error for port number 0
|
|
|
|
4) Allow zone::serverport in rules DEST column.
|
|
|
|
5) Fix 'show policies' in Shorewall6.
|
|
|
|
6) Auto-load tc modules.
|
|
|
|
7) Allow LOGFILE=/dev/null
|
|
|
|
8) Fix shorewall6-lite/shorecap
|
|
|
|
9) Fix MODULE_SUFFIX.
|
|
|
|
10) Fix ENHANCED_REJECT detection for IPv4.
|
|
|
|
11) Fix DONT_LOAD vs 'reload -c'
|
|
|
|
12) Fix handling of SOURCE and DEST vs macros.
|
|
|
|
13) Remove silly logic in expand_rule().
|
|
|
|
14) Add current and limit to Conntrack Table Heading.
|
|
|
|
Changes in Shorewall 4.4.4
|
|
|
|
1) Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.
|
|
|
|
2) Fix access to uninitialized variable.
|
|
|
|
3) Add logrotate scripts.
|
|
|
|
4) Allow long port lists in /etc/shorewall/routestopped.
|
|
|
|
5) Implement 'physical' interface option.
|
|
|
|
6) Implement ZONE2ZONE option.
|
|
|
|
7) Suppress duplicate COMMENT warnings.
|
|
|
|
8) Implement 'show policies' command.
|
|
|
|
9) Fix route_rule suppression for down provider.
|
|
|
|
10) Suppress redundant tests for provider availability in route rules
|
|
processing.
|
|
|
|
11) Implement the '-l' option to the 'show' command.
|
|
|
|
12) Fix class number assignment when WIDE_TC_MARKS=Yes
|
|
|
|
13) Allow wide marks in tcclasses when WIDE_TC_MARKS=Yes
|
|
|
|
Changes in Shorewall 4.4.3
|
|
|
|
1) Move Debian INITLOG initialization to /etc/default/shorewall
|
|
|
|
2) Fix 'routeback' in /etc/shorewall/routestopped.
|
|
|
|
3) Rename 'object' to 'script' in compiler and config modules.
|
|
|
|
4) Correct RETAIN_ALIASES=No.
|
|
|
|
5) Fix detection of IP config.
|
|
|
|
6) Fix nested zones.
|
|
|
|
7) Move all function declarations from prog.footer to prog.header
|
|
|
|
8) Remove superfluous variables from generated script
|
|
|
|
9) Make 'track' the default.
|
|
|
|
10) Add TRACK_PROVIDERS option.
|
|
|
|
11) Fix IPv6 address parsing bug.
|
|
|
|
12) Add hack to work around iproute IPv6 bug in route handling
|
|
|
|
13) Correct messages issued when an optional provider is not usable.
|
|
|
|
14) Fix optional interfaces.
|
|
|
|
15) Add 'limit' option to tcclasses.
|
|
|
|
Changes in Shorewall 4.4.2
|
|
|
|
1) BUGFIX: Correct detection of Persistent SNAT support
|
|
|
|
2) BUGFIX: Fix chain table initialization
|
|
|
|
3) BUGFIX: Validate routestopped file on 'check'
|
|
|
|
4) Let the Actions module add the builtin actions to
|
|
%Shorewall::Chains::targets. Much better modularization that way.
|
|
|
|
5) Some changes to make Lenny->Squeeze less painful.
|
|
|
|
6) Allow comments at the end of continued lines.
|
|
|
|
7) Call process_routestopped() during 'check' rather than
|
|
'compile_stop_firewall()'.
|
|
|
|
8) Don't look for an extension script for built-in actions.
|
|
|
|
9) Apply Jesse Shrieve's patch for SNAT range.
|
|
|
|
10) Add -<family> to 'ip route del default' command.
|
|
|
|
11) Add three new columns to macro body.
|
|
|
|
12) Change 'wait4ifup' so that it requires no PATH
|
|
|
|
13) Allow extension scripts for accounting chains.
|
|
|
|
14) Allow per-ip LIMIT to work on ancient iptables releases.
|
|
|
|
15) Add 'MARK' column to action body.
|
|
|
|
Changes in Shorewall 4.4.1
|
|
|
|
1) Deleted extra 'use ...IPAddrs.pm' from Nat.pm.
|
|
|
|
2) Deleted superfluous export from Chains.pm.
|
|
|
|
3) Added support for --persistent.
|
|
|
|
4) Don't do module initialization in an INIT block.
|
|
|
|
5) Minor performance improvements.
|
|
|
|
6) Add 'clean' target to Makefile.
|
|
|
|
7) Redefine 'full' for sub-classes.
|
|
|
|
8) Fix log level in rules at the end of INPUT and OUTPUT chains.
|
|
|
|
9) Fix nested ipsec zones.
|
|
|
|
10) Change one-interface sample to IP_FORWARDING=Off.
|
|
|
|
11) Allow multicast to non-dynamic zones defined with nets=.
|
|
|
|
12) Allow zones with nets= to be extended by /etc/shorewall/hosts
|
|
entries.
|
|
|
|
13) Don't allow nets= in a multi-zone interface definition.
|
|
|
|
14) Fix rule generated by MULTICAST=Yes
|
|
|
|
15) Fix silly hole in zones file parsing.
|
|
|
|
16) Tighen up zone membership checking.
|
|
|
|
17) Combine portlist-spitting routines into a single function.
|
|
|
|
Changes in Shorewall 4.4.0
|
|
|
|
1) Fix 'compile ... -' so that it no longer requires '-v-1'
|
|
|
|
2) Fix rule generation for logging nat rules with no exclusion.
|
|
|
|
3) Fix log record formatting.
|
|
|
|
4) Restore ipset binding
|
|
|
|
5) Fix 'upnpclient' with required interfaces.
|
|
|
|
6) Fix provider number in masq file.
|
|
|
|
Changes in Shorewall 4.4.0-RC2
|
|
|
|
1) Fix capabilities file with Shorewall6.
|
|
|
|
2) Allow Shorewall6 to recognize TC, IP and IPSET
|
|
|
|
3) Make 'any' a reserved zone name.
|
|
|
|
4) Correct handling of an ipsec zone nested in a non-ipsec zone.
|
|
|
|
Changes in Shorewall 4.4.0-RC1
|
|
|
|
1) Delete duplicate Git macro.
|
|
|
|
2) Fix routing when no providers.
|
|
|
|
3) Add 'any' as a SOURCE/DEST in rules.
|
|
|
|
4) Fix NONAT on child zone.
|
|
|
|
5) Fix rpm -U from earlier versions
|
|
|
|
6) Generate error on 'status' by non-root.
|
|
|
|
7) Get rid of prog.functions and prog.functions6
|
|
|
|
Changes in Shorewall 4.4.0-Beta4
|
|
|
|
1) Add more macros.
|
|
|
|
2) Correct broadcast address detection
|
|
|
|
3) Fix 'show dynamic'
|
|
|
|
4) Fix BGP and OSFP macros.
|
|
|
|
5) Change DISABLE_IPV6 default and use 'correct' ip6tables.
|
|
|
|
Changes in Shorewall 4.4.0-Beta3
|
|
|
|
1) Add new macros.
|
|
|
|
2) Work around mis-configured interfaces.
|
|
|
|
3) Fix 'show dynamic'.
|
|
|
|
4) Check for xt_LOG.
|
|
|
|
5) Fix 'findgw'
|
|
|
|
Changes in Shorewall 4.4.0-Beta2
|
|
|
|
1) The 'find_first_interface_address()' and
|
|
'find_first_interface_address_if_any()' functions have been restored to
|
|
lib.base.
|
|
|
|
2) Integerize r2q before inserting it into 'tc qdisc add root'
|
|
command.
|
|
|
|
3) Remove '-h' from the help text for install.sh in Shorewall and
|
|
Shorewall6.
|
|
|
|
4) Delete the 'continue' file from the Shorewall package.
|
|
|
|
5) Add 'upnpclient' interface option.
|
|
|
|
6) Fix handling of optional interfaces.
|
|
|
|
7) Add 'iptrace' and 'noiptrace' command.
|
|
|
|
8) Add 'USER/GROUP' column to masq file.
|
|
|
|
9) Added lib.private.
|
|
|
|
Changes in Shorewall 4.4.0-Beta1
|
|
|
|
1) Correct typo in Shorewall6 two-interface sample shorewall.conf.
|
|
|
|
2) Fix TOS mnemonic handling in /etc/shorewall/tcfilters.
|
|
|
|
Changes in Shorewall 4.3.12
|
|
|
|
1) Eliminate 'large quantum' warnings.
|
|
|
|
2) Add HFSC support.
|
|
|
|
3) Delete support for ipset binding. Jozsef has removed the capability
|
|
from ipset.
|
|
|
|
4) Add TOS and LENGTH columns to tcfilters file.
|
|
|
|
5) Fix 'reset' command.
|
|
|
|
6) Fix 'findgw'.
|
|
|
|
7) Remove 'norfc1918' support.
|
|
|
|
Changes in Shorewall 4.3.11
|
|
|
|
1) Reduce the number of arguments passed in may cases.
|
|
|
|
2) Fix SCTP source port handling in tcfilters.
|
|
|
|
3) Add 'findgw' user exit.
|
|
|
|
4) Add macro.Trcrt
|
|
|
|
Changes in Shorewall 4.3.10
|
|
|
|
1) Fix handling of shared optional providers.
|
|
|
|
2) Add WIDE_TC_MARKS option.
|
|
|
|
3) Allow compile to STDOUT.
|
|
|
|
4) Fix handling of class IDs.
|
|
|
|
5) Deprecate use of an interface in the SOURCE column of
|
|
/etc/shorewall/masq.
|
|
|
|
6) Fix handling of 'all' in the SOURCE of DNAT- rules.
|
|
|
|
7) Fix compile for export.
|
|
|
|
8) Optimize IPMARK.
|
|
|
|
9) Implement nested HTB classes.
|
|
|
|
10) Fix 'iprange' command.
|
|
|
|
11) Make traffic shaping work better with IPv6.
|
|
|
|
12) Externalize 'flow'.
|
|
|
|
13) Fix 'start' with AUTOMAKE=Yes
|
|
|
|
Changes in Shorewall 4.3.9
|
|
|
|
1) Logging rules now create separate chain.
|
|
|
|
2) Fix netmask genereation in tcfilters.
|
|
|
|
3) Allow Shorewall6 with kernel 2.6.24
|
|
|
|
4) Avoid 'Invalid BROADCAST address' errors.
|
|
|
|
5) Allow Shorewall6 on kernel 4.2.24:Shorewall/changelog.txt
|
|
|
|
6) Add IP, TC and IPSET options in shorewall.conf and shorewall6.conf.
|
|
|
|
7) Add IPMARK support
|
|
|
|
Changes in Shorewall 4.3.8
|
|
|
|
1) Apply Tuomo Soini's patch for USE_DEFAULT_RT.
|
|
|
|
2) Use 'startup_error' for those errors caught early.
|
|
|
|
3) Fix swping
|
|
|
|
4) Detect gateway via dhclient leases file.
|
|
|
|
5) Suppress leading whitespace on certain continuation lines.
|
|
|
|
6) Use iptables[6]-restore to stop the firewall.
|
|
|
|
7) Add AUTOMAKE option
|
|
|
|
8) Remove SAME support.
|
|
|
|
9) Allow 'compile' without a pathname.
|
|
|
|
10) Fix LOG_MARTIANS=Yes.
|
|
|
|
11) Adapt I. Buijs's hashlimit patch.
|
|
|
|
Changes in Shorewall 4.3.7
|
|
|
|
1) Fix forward treatment of interface options.
|
|
|
|
2) Replace $VARDIR/.restore with $VARDIR/firewall
|
|
|
|
3) Fix DNAT- parsing of DEST column.
|
|
|
|
4) Implement dynamic zones
|
|
|
|
5) Allow 'HOST' options on bridge ports.
|
|
|
|
6) Deprecate old macro parameter syntax.
|
|
|
|
Changes in Shorewall 4.3.6
|
|
|
|
1) Add SAME tcrules target.
|
|
|
|
2) Make 'dump' display the raw table. Fix shorewall6 dump anomalies.
|
|
|
|
3) Fix split_list1()
|
|
|
|
4) Fix Shorewall6 file location bugs.
|
|
|
|
Changes in Shorewall 4.3.5
|
|
|
|
1) Remove support for shorewall-shell.
|
|
|
|
2) Combine shorewall-common and shorewall-perl to produce shorewall.
|
|
|
|
3) Add nets= OPTION in interfaces file.
|
|
|
|
|