Initialize release documents for 4.4.15

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-10-29 08:28:58 -07:00 · 2010-10-29 08:28:58 -07:00 · 4daf4c372e
commit 4daf4c372e
parent 1db13849ab
2 changed files with 153 additions and 135 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -1,3 +1,7 @@
 Changes in Shorewall 4.4.15
 1)  Handle exported VERBOSE.
 Changes in Shorewall 4.4.14
 1)  Support ipset lists.
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -1,5 +1,6 @@
 ----------------------------------------------------------------------------
-                      S H O R E W A L L  4 . 4 . 1 4
+                      S H O R E W A L L  4 . 4 . 1 5
                               B E T A  1
 ----------------------------------------------------------------------------
 I.    PROBLEMS CORRECTED IN THIS RELEASE
@ -13,98 +14,8 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
-1)  Previously, messages to the STARTUP_LOG had inconsistent date formats.
+1)  If the variable VERBOSE was exported with a non-zero value then
-
+    startup would fail.
 2)  The blacklisting change in 4.4.13 was broken in some simple
    configurations with the effect that blacklisting was not enabled.
 3)  Previously, Shorewall6 produced an untidy sequence of error
    messages when an attempt was made to start it on a system running a
    kernel older than 2.6.24:
       [root@localhost shorewall6]# shorewall6 start
       Compiling...
       Processing /etc/shorewall6/shorewall6.conf...
       Loading Modules...
       Compiling /etc/shorewall6/zones...
       ...
       Shorewall configuration compiled to /var/lib/shorewall6/.start
          ERROR: Shorewall6 requires Linux kernel 2.6.24 or later
       /usr/share/shorewall6/lib.common: line 73:
             [: -lt: unary operator expected
          ERROR: Shorewall6 requires Linux kernel 2.6.24 or later
       [root@localhost shorewall6]#
    This has been corrected so that a single ERROR message is
    generated.
 4)  Previously, an ipset name appearing in the /etc/shorewall/hosts
    file could be qualified with a list of 'src' and/or 'dst' enclosed
    in quotes. This was virtually guaranteed not to work since the set
    must match when used to verify both a packet source and a
    packet destination. Now, the following error is raised:
    	   ERROR: ipset name qualification is disallowed in this file
    As part of this change, the ipset name is now verified to begin
    with a letter and be composed of letters, digits, underscores ("_")
    and hyphens ("-").
 5)  The Shorewall-lite and Shorewall6-lite Debian init scripts contained a
    syntax error.
 6)  If the -v or -q options were used in /sbin/shorewall-lite or
    /sbin/shorewall6-lite commands that involve the compiled firewall
    script and the resulting effective VERBOSITY was > 2 or < -1, then
    the command would fail.
 7)  The log reading commands (show log, logwatch, and dump) returned no
    log records when run on one of the -lite products.
 8)  To avoid future confusion, the following obsolete options have been
    deleted from the sample shorewall.conf files:
    	    BRIDGING
    	    DELAYBLACKLISTLOAD
 	    PKTTYPE
    They will still be recognized by the rules compiler.
 9)  All sample .conf files have been changed to specify
    	FORWARD_CLEAR_MARK=
    rather than
    	FORWARD_CLEAR_MARK=Yes
    That way, systems without MARK support will still be able to
    install the sample configurations and FORWARD_CLEAR_MARK will
    default to Yes on systems with MARK support.
 10) The install scripts in the tarballs now correctly create init
    symlinks on recent Ubuntu releases.
 11) Previously, this entry in the OPTIONS column of
    /etc/shorewall/interfaces incorrectly generated a syntax error.
    	nets=(1.2.3.0/24)
    The error was:
    	ERROR: Invalid VLSM (24))
 12) Previously, if 10 or more interfaces were configured in Complex
    Traffic Shaping (/etc/shorewall/tcdevices), the following
    compilation diagnostic was generated:
        Argument "a" isn't numeric in sprintf at
 	/usr/share/shorewall/Shorewall/Config.pm line 893.
    and an invalid TC configuration was generated.
 13) If the current environment exported the VERBOSITY variable with a
    non-zero value, startup would fail.
 ----------------------------------------------------------------------------
           I I.  K N O W N   P R O B L E M S   R E M A I N I N G
@ -117,48 +28,7 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
      I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
-1)  Multiple source or destination ipset matches can be generated by
+None.
    enclosing the ipset list in +[...].
    Example (/etc/shorewall/rules):
        ACCEPT $FW net:+[dest-ip-map,dest-port-map]
 2)  Shorewall now uses the 'conntrack' utility for 'show connections'
    if that utility is installed. Going forward, the Netfilter team
    will be enhancing this interface rather than the /proc interface.
 3)  The CPU time required for optimization has been reduced by 2/3.
 4)  An 'scfilter' extension script has been added. This extension
    script differs from other such scripts in that it is invoked by the
    command line tools (/sbin/shorewall, /sbin/shorewall6,
    /sbin/shorewall-lite and /sbin/shorewall6-lite).
    The script acts as a filter for the output of the 'show
    connections' command. Each connection is piped through the filter
    which can modify and/or drop information as desired.
    Example:
 	#!/bin/sh
 	sed 's/secmark=0 //'
    That script will remove 'secmark=0 ' from each line.
    The default script is:
    	#!/bin/sh
 	cat -
    which passes the output through unmodified.
    If you are using Shorewall-lite and/or Shorewall6-lite, the
    scfilter file is kept on the administrative system. The compiler
    encapsulates the script into a shell function that is copied
    into the generated auxillary configuration file
    (firewall.conf). That function is then invoked by the 'show
    connections' command.
 ----------------------------------------------------------------------------
             I V.  R E L E A S E  4 . 4  H I G H L I G H T S
@ -379,6 +249,150 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 ----------------------------------------------------------------------------
 V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
      I N   P R I O R  R E L E A S E S
 ----------------------------------------------------------------------------
         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 4
 ----------------------------------------------------------------------------
 1)  Previously, messages to the STARTUP_LOG had inconsistent date formats.
 2)  The blacklisting change in 4.4.13 was broken in some simple
    configurations with the effect that blacklisting was not enabled.
 3)  Previously, Shorewall6 produced an untidy sequence of error
    messages when an attempt was made to start it on a system running a
    kernel older than 2.6.24:
       [root@localhost shorewall6]# shorewall6 start
       Compiling...
       Processing /etc/shorewall6/shorewall6.conf...
       Loading Modules...
       Compiling /etc/shorewall6/zones...
       ...
       Shorewall configuration compiled to /var/lib/shorewall6/.start
          ERROR: Shorewall6 requires Linux kernel 2.6.24 or later
       /usr/share/shorewall6/lib.common: line 73:
             [: -lt: unary operator expected
          ERROR: Shorewall6 requires Linux kernel 2.6.24 or later
       [root@localhost shorewall6]#
    This has been corrected so that a single ERROR message is
    generated.
 4)  Previously, an ipset name appearing in the /etc/shorewall/hosts
    file could be qualified with a list of 'src' and/or 'dst' enclosed
    in quotes. This was virtually guaranteed not to work since the set
    must match when used to verify both a packet source and a
    packet destination. Now, the following error is raised:
    	   ERROR: ipset name qualification is disallowed in this file
    As part of this change, the ipset name is now verified to begin
    with a letter and be composed of letters, digits, underscores ("_")
    and hyphens ("-").
 5)  The Shorewall-lite and Shorewall6-lite Debian init scripts contained a
    syntax error.
 6)  If the -v or -q options were used in /sbin/shorewall-lite or
    /sbin/shorewall6-lite commands that involve the compiled firewall
    script and the resulting effective VERBOSITY was > 2 or < -1, then
    the command would fail.
 7)  The log reading commands (show log, logwatch, and dump) returned no
    log records when run on one of the -lite products.
 8)  To avoid future confusion, the following obsolete options have been
    deleted from the sample shorewall.conf files:
    	    BRIDGING
    	    DELAYBLACKLISTLOAD
 	    PKTTYPE
    They will still be recognized by the rules compiler.
 9)  All sample .conf files have been changed to specify
    	FORWARD_CLEAR_MARK=
    rather than
    	FORWARD_CLEAR_MARK=Yes
    That way, systems without MARK support will still be able to
    install the sample configurations and FORWARD_CLEAR_MARK will
    default to Yes on systems with MARK support.
 10) The install scripts in the tarballs now correctly create init
    symlinks on recent Ubuntu releases.
 11) Previously, this entry in the OPTIONS column of
    /etc/shorewall/interfaces incorrectly generated a syntax error.
    	nets=(1.2.3.0/24)
    The error was:
    	ERROR: Invalid VLSM (24))
 12) Previously, if 10 or more interfaces were configured in Complex
    Traffic Shaping (/etc/shorewall/tcdevices), the following
    compilation diagnostic was generated:
        Argument "a" isn't numeric in sprintf at
 	/usr/share/shorewall/Shorewall/Config.pm line 893.
    and an invalid TC configuration was generated.
 13) If the current environment exported the VERBOSITY variable with a
    non-zero value, startup would fail.
 ----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   4 . 4 . 1 4
 ----------------------------------------------------------------------------
 1)  Multiple source or destination ipset matches can be generated by
    enclosing the ipset list in +[...].
    Example (/etc/shorewall/rules):
        ACCEPT $FW net:+[dest-ip-map,dest-port-map]
 2)  Shorewall now uses the 'conntrack' utility for 'show connections'
    if that utility is installed. Going forward, the Netfilter team
    will be enhancing this interface rather than the /proc interface.
 3)  The CPU time required for optimization has been reduced by 2/3.
 4)  An 'scfilter' extension script has been added. This extension
    script differs from other such scripts in that it is invoked by the
    command line tools (/sbin/shorewall, /sbin/shorewall6,
    /sbin/shorewall-lite and /sbin/shorewall6-lite).
    The script acts as a filter for the output of the 'show
    connections' command. Each connection is piped through the filter
    which can modify and/or drop information as desired.
    Example:
 	#!/bin/sh
 	sed 's/secmark=0 //'
    That script will remove 'secmark=0 ' from each line.
    The default script is:
    	#!/bin/sh
 	cat -
    which passes the output through unmodified.
    If you are using Shorewall-lite and/or Shorewall6-lite, the
    scfilter file is kept on the administrative system. The compiler
    encapsulates the script into a shell function that is copied
    into the generated auxillary configuration file
    (firewall.conf). That function is then invoked by the 'show
    connections' command.
 ----------------------------------------------------------------------------
         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 3
 ----------------------------------------------------------------------------