Update release and changelog files

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@312 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -1,18 +1,37 @@
-Changes since 1.3.8
+Changes since 1.3.9
 
-1. DNAT rules that remap a port but leave the IP address unchanged are
-   now handled properly.
+1. Fix dumb bug in 1.3.9 Tunnel Handling.
 
-2. The use of shell variables in the LOG LEVEL or SYNPARMS columns of 
-   the policy file now works correctly.
+2. First implementaiton of dynamic zones.
 
-3. Added support for /etc/shorewall/startup_disabled.
+3. Corrections to Dynamic Zones.
 
-4. Added support for DNS names in config files.
+4. More fixes for Dynamic Zones.
 
-5. Don't insist on state NEW for protocols other than tcp, udp and
-   icmp. Workaround for conntrack glitches in other protocols.
+5. Correct a typo in an error message.
 
-6. Move 'functions', 'version' and 'firewall' to /usr/lib/shorewall.
+6. Fix rule insertion algorithms for Dynamic Zones.
 
-7. Fix problems with oddball shells.
+7. Optimize dynamic zones code
+
+8. Remove iptables 1.2.7 hacks.
+
+9. Fix dumb typo in 1.3.9 (recalculate_interfacess)
+
+10. Add PATH assignment to the install script
+
+11. Correct 'functions' file handling in the install script.
+
+12. Add ipsecnat tunnel type. 
+
+13. Correct typo in the shorewall.spec file.
+
+14. Add support for PPTP client and server to the tunnels file.
+
+15. Move the main firewall script to /usr/lib/shorewall
+
+16. Allow SNAT using primary IP and ADD_SNAT_ALIASES=Yes
+
+17. Add MAC verificaiton
+
+18. Conserve space by removing comment decorations.

Shorewall/firewall

@@ -1326,9 +1326,11 @@ setup_proxy_arp() {
 setup_mac_lists() {
     local interface
     local mac
+    local addresses
     local address
     local chain
     local logpart
+    local macpart
     local blob
     local hosts
     #
@@ -1367,18 +1369,24 @@ setup_mac_lists() {
     #
     strip_file maclist
 
-    while read interface mac address; do
-	expandv interface mac address
+    while read interface mac addresses; do
+	expandv interface mac addresses
 
 	chain=`mac_chain $interface`
 
 	if ! havechain $chain ; then
 	    fatal_error "Error: No hosts on $interface have the maclist option specified"
 	fi
+	
+	macpart=`mac_match $mac`
 
-	[ -n "$address" ] && addr_match="-s $address" || addr_match=
-
-	run_iptables -A $chain `mac_match $mac` $addr_match -j RETURN
+	if [ -z "$addresses" ]; then
+	    run_iptables -A $chain $macpart -j RETURN
+	else
+	    for address in `separate_list $addresses` ; do
+		run_iptables -A $chain $macpart -s $address -j RETURN
+	    done
+	fi
     done < $TMP_DIR/maclist
     #
     # Setup Logging variables

Shorewall/maclist

@@ -10,8 +10,9 @@
 #	MAC		MAC address of the host -- you do not need to use
 #			the Shorewall format for MAC addresses here
 #
-#	IP ADDRESS	Optional -- if specified, both the MAC and IP address
-#			must match.
+#	IP ADDRESSES	Optional -- if specified, both the MAC and IP address
+#			must match. This column can contain a comma-separated
+#			list of host and/or subnet addresses.
 ##############################################################################
-#INTERFACE	        MAC			IP ADDRESS (Optional)
+#INTERFACE	        MAC			IP ADDRESSES (Optional)
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Shorewall/releasenotes.txt

@@ -1,16 +1,27 @@
-This is a minor release of Shorewall which rolls up a number of bug
-fixes.
+This is a minor release of Shorewall that has a number of new features..
 
 New features include:
 
-1. DNS Names are now allowed in Shorewall config files.
+1) You may now define the contents of a zone dynamically with the 
+   "shorewall add" and "shorewall delete" commands. These commands
+   are expected to be used primarily within FreeS/Wan updown scripts.
+    
+2) Shorewall can now do MAC verification on ethernet segments. You can
+   specify the set of allowed MAC addresses on the segment and you can
+   optionally tie each MAC address to an IP address.
+    
+3) PPTP Servers and Clients running on the firewall system may now be
+   defined in the /etc/shorewall/tunnels file.
 
-2. The connection SOURCE may now be qualified by both interface
-   and IP address in a Shorewall rule.
-
-3. Shorewall startup is now disabled after initial installation until
-   the file /etc/shorewall/startup_disabled is removed.
-
-4. The 'functions' and 'version' files and the 'firewall' symbolic link
-   have been moved from /var/lib/shorewall to /usr/lib/shorewall to
-   appease the LFS police at Debian.
+4) A new 'ipsecnat' tunnel type is supported for use when the remote
+   IPSEC endpoint is behind a NAT gateway.
+    
+5) The PATH used by Shorewall may now be specified in
+   /etc/shorewall/shorewall.conf.
+   
+6) The main firewall script is now /usr/lib/shorewall/firewall. The
+   script in /etc/init.d/shorewall is very small and uses
+   /sbin/shorewall to do the real work. This change makes custom
+   distributions such as for Debian and for Gentoo easier to manage
+   since it is /etc/init.d/shorewall that tends to have
+   distribution-dependent code.

Shorewall/shorewall.spec

@@ -1,5 +1,5 @@
 %define name shorewall
-%define version 1.3.10
+%define version 1.3.10b1
 %define release 1
 %define prefix /usr
 
@@ -101,6 +101,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 
 %changelog
+* Wed Oct 23 2002 Tom Eastep <tom@shorewall.net>
+- Changes version to 1.3.10b1
 * Tue Oct 22 2002 Tom Eastep <tom@shorewall.net>
 - Added maclist file
 * Tue Oct 15 2002 Tom Eastep <tom@shorewall.net>