From 169c99594001b86fd7d921d82f43e352caea981d Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 1 Jun 2011 06:53:09 -0700 Subject: [PATCH 1/2] Fix a typo in the release notes Signed-off-by: Tom Eastep --- Shorewall/releasenotes.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 5866a37ca..be673868a 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -204,7 +204,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES performed by the action to be audited. Note: The builtin actions are those actions listed in the - output of 'shorewall show actions' with names begin with a + output of 'shorewall show actions' with names that begin with a lower-case letter. Example: From 561d461a2511d95743391bb69aadf95149a17c94 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 2 Jun 2011 10:06:27 -0700 Subject: [PATCH 2/2] Add 'NI' STATE setting in secmarks. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Tc.pm | 4 +++- Shorewall/changelog.txt | 2 ++ Shorewall/releasenotes.txt | 3 +++ manpages/shorewall-secmarks.xml | 6 ++++-- manpages6/shorewall6-secmarks.xml | 6 ++++-- 5 files changed, 16 insertions(+), 5 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index bd441fe07..88c61caa1 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -1604,8 +1604,10 @@ sub process_secmark_rule() { O => 'tcout' , ); my %state = ( N => 'NEW' , + NI => 'NEW,INVALID', E => 'ESTABLISHED' , - ER => 'ESTABLISHED,RELATED' ); + ER => 'ESTABLISHED,RELATED', + ); my ( $chain , $state, $rest) = split ':', $chainin , 3; diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 584350dc7..815e32516 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt 
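Review bot: The `%state` table in process_secmark_rule() carries no comment saying what its values are or why the new `NI` key pairs INVALID with NEW, which matters because the STATE suffix decides which packets get an SELinux context applied. I would add above the table something like `# STATE suffix => Netfilter connection state list; keep in sync with {N|NI|E|ER} in the shorewall-secmarks and shorewall6-secmarks manpages`. The lookup of `$state` in this table and the handling of `$rest` from the three-way `split` both happen after the hunk ends, so they cannot be checked from here. It is worth confirming that an unrecognised suffix, or any trailing `:field`, is a fatal error rather than silently producing a rule with no state match, since such a rule would presumably apply the context to every packet in the chain.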
@@ -2,6 +2,8 @@ Changes in Shorewall 4.4.20 Final 1) Set /proc/sys/net/bridge/bridge_nf_call_ip6?tables. +2) Add 'NI' STATE in secmarks. + Changes in Shorewall 4.4.20 RC 1 1) Update release documents. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index be673868a..e294563f4 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -253,6 +253,9 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES versions are available in the configfiles directory within the tarball. +11) The STATE subcolumn of the secmarks file now allow the value 'NI' + which will match packets in either NEW or INVALID state. + ---------------------------------------------------------------------------- I V. R E L E A S E 4 . 4 H I G H L I G H T S ---------------------------------------------------------------------------- diff --git a/manpages/shorewall-secmarks.xml b/manpages/shorewall-secmarks.xml index 30b24c60d..aaf94d650 100644 --- a/manpages/shorewall-secmarks.xml +++ b/manpages/shorewall-secmarks.xml @@ -90,7 +90,7 @@ CHAIN:STATE - - {P|I|F|O|T}[:{N|E|ER}] + {P|I|F|O|T}[:{N|NI|E|ER}] This column determines the CHAIN where the SElinux context is @@ -109,12 +109,14 @@ It may be optionally followed by a colon and an indication of - the connection state(s) at which the context is to be + the Netfilter connection state(s) at which the context is to be applied: :N - NEW connection + :NI - NEW or INVALID connection + :E - ESTABLISHED connection :ER - ESTABLISHED or RELATED connection diff --git a/manpages6/shorewall6-secmarks.xml b/manpages6/shorewall6-secmarks.xml index f580069d7..3c693ff9a 100644 --- a/manpages6/shorewall6-secmarks.xml +++ b/manpages6/shorewall6-secmarks.xml @@ -90,7 +90,7 @@ CHAIN - - {P|I|F|O|T}[:{N|E|ER}] + {P|I|F|O|T}[:{N|NI|E|ER}] 
@@ -106,12 +106,14 @@ It may be optionally followed by a colon and an indication of - the connection state(s) at which the context is to be + the Netfilter connection state(s) at which the context is to be applied: :N - NEW connection + :NI - New or INVALID connection + :E - ESTABLISHED connection :ER - ESTABLISHED or RELATED connection