forked from extern/shorewall_code
Initiate 4.4.16
This commit is contained in:
parent
6ef0f0f9d3
commit
cae5ddc7e0
@ -23,7 +23,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.15
|
||||
VERSION=4.4.16-Beta1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall-init
|
||||
%define version 4.4.15
|
||||
%define release 0base
|
||||
%define version 4.4.16
|
||||
%define release 0Beta1
|
||||
|
||||
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
|
||||
Name: %{name}
|
||||
@ -99,6 +99,8 @@ fi
|
||||
%doc COPYING changelog.txt releasenotes.txt
|
||||
|
||||
%changelog
|
||||
* Tue Nov 30 2010 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.16-0Beta1
|
||||
* Fri Nov 26 2010 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.15-0base
|
||||
* Mon Nov 22 2010 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.15
|
||||
VERSION=4.4.16-Beta1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.15
|
||||
VERSION=4.4.16-Beta1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall-lite
|
||||
%define version 4.4.15
|
||||
%define release 0base
|
||||
%define version 4.4.16
|
||||
%define release 0Beta1
|
||||
|
||||
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
|
||||
Name: %{name}
|
||||
@ -102,6 +102,8 @@ fi
|
||||
%doc COPYING changelog.txt releasenotes.txt
|
||||
|
||||
%changelog
|
||||
* Tue Nov 30 2010 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.16-0Beta1
|
||||
* Fri Nov 26 2010 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.15-0base
|
||||
* Mon Nov 22 2010 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.15
|
||||
VERSION=4.4.16-Beta1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -353,7 +353,7 @@ sub initialize( $ ) {
|
||||
EXPORT => 0,
|
||||
STATEMATCH => '-m state --state',
|
||||
UNTRACKED => 0,
|
||||
VERSION => "4.4.15",
|
||||
VERSION => "4.4.16-Beta1",
|
||||
CAPVERSION => 40415 ,
|
||||
);
|
||||
|
||||
|
@ -1,3 +1,7 @@
|
||||
Changes in Shorewall 4.4.16
|
||||
|
||||
None.
|
||||
|
||||
Changes in Shorewall 4.4.15
|
||||
|
||||
1) Add macros from Tuomo Soini.
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.15
|
||||
VERSION=4.4.16-Beta1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1 +1 @@
|
||||
There are no known problems in Shorewall 4.4.15
|
||||
There are no known problems in Shorewall 4.4.16-Beta1
|
||||
|
@ -13,65 +13,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
|
||||
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
1) Previously, if
|
||||
|
||||
a) syn flood protection was enabled in a policy that
|
||||
specified 'all' for the SOURCE or DEST, and
|
||||
b) there was only one pair of zones matching that policy, and
|
||||
c) PROPAGATE_POLICIES=Yes in shorewall.conf, and
|
||||
d) logging was specified on the policy
|
||||
|
||||
then the chain implementing the chain had "all" in its name while
|
||||
the logging rule did not.
|
||||
|
||||
Example
|
||||
|
||||
On a simple standalone configuration, /etc/shorewall/policy
|
||||
has:
|
||||
|
||||
#SOURCE DEST POLICY LOGGING
|
||||
net all DROP info
|
||||
|
||||
then the chain implementing syn flood protection would be named
|
||||
@net2all while the logging rule would indicate net2fw.
|
||||
|
||||
Now, the chain will be named @net2fw.
|
||||
|
||||
2) If the current environment exported the VERBOSE variable with a
|
||||
non-zero value, then startup would fail.
|
||||
|
||||
3) If a route existed for an entire RFC1918 subnet (10.0.0.0/8,
|
||||
172.20.0.0/12 or 192.168.0.0/16), then setting
|
||||
NULL_ROUTE_RFC1918=Yes would cause the route to be replaced with an
|
||||
'unreachable' one.
|
||||
|
||||
4) Shorewall6 failed to start correctly if all the following were true:
|
||||
|
||||
- Shorewall was installed using the tarball. It may have
|
||||
subsequently been installed using a distribution-specific package
|
||||
or the rpm from shorewall.net without first unstalling the
|
||||
tarball components.
|
||||
|
||||
- Shorewall6 was installed using a distribution-specific package or
|
||||
the rpm from shorewall.net.
|
||||
|
||||
- The file /etc/shorewall6/init was not created.
|
||||
|
||||
5) If an interface with physical='+' is given the 'optional' or
|
||||
'required' option, then invalid shell variables names were
|
||||
generated by the compiler.
|
||||
|
||||
6) The contributed macro macro.JAP generated a fatal error when used.
|
||||
The root cause was a defect in parameter processing in nested
|
||||
macros (if 'PARAM' was passed to an nested macro invocation, it was
|
||||
not expanded to the current parameter value).
|
||||
|
||||
7) Previously, if find_first_interface_address() failed when running
|
||||
shorewall-lite or shoreawll6-lite, the following unhelpful message
|
||||
was issued:
|
||||
|
||||
/usr/share/shorewall-lite/lib.common: line 449: startup_error: command
|
||||
not found
|
||||
None.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
I I. K N O W N P R O B L E M S R E M A I N I N G
|
||||
@ -84,79 +26,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
|
||||
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
1) Munin and Squid macros have been contributed by Tuomo Soini.
|
||||
|
||||
2) The Shorewall6 accounting, tcrules and rules files now include a
|
||||
HEADERS column which allows matching based on the IPv6 extension and
|
||||
protocol headers included in a packet.
|
||||
|
||||
The contents of the column are:
|
||||
|
||||
[any:|exactly:]<header list>
|
||||
|
||||
where <header list> is a comma-separated list of headers from the
|
||||
following:
|
||||
|
||||
Long Name Short Name Number
|
||||
--------------------------------------
|
||||
auth ah 51
|
||||
esp esp 50
|
||||
d hop-by-hop hop 0
|
||||
route ipv6-route 41
|
||||
frag ipv6-frag 44
|
||||
none ipv6-nonxt 59
|
||||
protocol proto 255
|
||||
|
||||
If 'any:' is specified, the rule will match if any of the listed
|
||||
headers are present. If 'exactly:' is specified, the will match
|
||||
packets that exactly include all specified headers. If neither is
|
||||
given, 'any:' is assumed.
|
||||
|
||||
This change adds a new capability (Header Match) so if you use a
|
||||
capabilities file, you will need to regenerate using this release.
|
||||
|
||||
3) It is now possible to add explicit routes to individual provider
|
||||
routing tables using the /etc/shorewall/routes (/etc/shorewall6/routes)
|
||||
file.
|
||||
|
||||
See the shorewall-routes (5) and/or the shorewall6-routes (5) manpage.
|
||||
|
||||
4) Previously, /usr/share/shorewall/compiler.pl expected the contents
|
||||
of the params file to be passed in the environment. Now, the
|
||||
compiler invokes a small shell program
|
||||
(/usr/share/shorewall/getparams) to process the file and to pass
|
||||
the (variable,value) pairs back to the compiler.
|
||||
|
||||
Shell variable expansion uses the value from the params file if the
|
||||
parameter was set in that file. Otherwise the current environment
|
||||
is used. If the variable does not appear in either place, an error
|
||||
message is generated.
|
||||
|
||||
5) Shared IPv4/IPv6 traffic shaping configuraiton is now
|
||||
available. The device and class configuration can be included in
|
||||
either the Shorewall or the Shorewall6 configuration. To place it
|
||||
in the Shorewall configuration:
|
||||
|
||||
a) Set TC_ENABLED=Internal in shorewall.conf
|
||||
b) Set TC_ENABLED=Shared in shorewall6.conf
|
||||
c) Create symbolic link /etc/shorewall6/tcdevices pointing to
|
||||
/etc/shorewall/tcdevices.
|
||||
d) Create symbolic link /etc/shorewall6/tcclasses pointing to
|
||||
/etc/shorewall/tcclasses.
|
||||
e) Entries for both IPv4 and IPv6 can be included in
|
||||
/etc/shorewall/tcfilters. This file has been extended to allow
|
||||
both IPv4 and IPv6 entries to be included in a single file.
|
||||
f) Packet marking rules are included in both configurations'
|
||||
tcrules file as needed. CLASSIFY rules in
|
||||
/etc/shorewall6/tcrules are validated against the Shorewall TC
|
||||
configuration.
|
||||
|
||||
In this setup, the tcdevices and tcclasses will only be updated
|
||||
when Shorewall is restarted. The IPv6 marking rules are updated
|
||||
when Shorewall6 is restarted.
|
||||
|
||||
The above configuration may be reversed to allow Shorewall6 to
|
||||
control the TC configuration.
|
||||
None.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
I V. R E L E A S E 4 . 4 H I G H L I G H T S
|
||||
@ -377,6 +247,148 @@ d hop-by-hop hop 0
|
||||
----------------------------------------------------------------------------
|
||||
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
||||
I N P R I O R R E L E A S E S
|
||||
----------------------------------------------------------------------------
|
||||
P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 5
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
1) Previously, if
|
||||
|
||||
a) syn flood protection was enabled in a policy that
|
||||
specified 'all' for the SOURCE or DEST, and
|
||||
b) there was only one pair of zones matching that policy, and
|
||||
c) PROPAGATE_POLICIES=Yes in shorewall.conf, and
|
||||
d) logging was specified on the policy
|
||||
|
||||
then the chain implementing the chain had "all" in its name while
|
||||
the logging rule did not.
|
||||
|
||||
Example
|
||||
|
||||
On a simple standalone configuration, /etc/shorewall/policy
|
||||
has:
|
||||
|
||||
#SOURCE DEST POLICY LOGGING
|
||||
net all DROP info
|
||||
|
||||
then the chain implementing syn flood protection would be named
|
||||
@net2all while the logging rule would indicate net2fw.
|
||||
|
||||
Now, the chain will be named @net2fw.
|
||||
|
||||
2) If the current environment exported the VERBOSE variable with a
|
||||
non-zero value, then startup would fail.
|
||||
|
||||
3) If a route existed for an entire RFC1918 subnet (10.0.0.0/8,
|
||||
172.20.0.0/12 or 192.168.0.0/16), then setting
|
||||
NULL_ROUTE_RFC1918=Yes would cause the route to be replaced with an
|
||||
'unreachable' one.
|
||||
|
||||
4) Shorewall6 failed to start correctly if all the following were true:
|
||||
|
||||
- Shorewall was installed using the tarball. It may have
|
||||
subsequently been installed using a distribution-specific package
|
||||
or the rpm from shorewall.net without first unstalling the
|
||||
tarball components.
|
||||
|
||||
- Shorewall6 was installed using a distribution-specific package or
|
||||
the rpm from shorewall.net.
|
||||
|
||||
- The file /etc/shorewall6/init was not created.
|
||||
|
||||
5) If an interface with physical='+' is given the 'optional' or
|
||||
'required' option, then invalid shell variables names were
|
||||
generated by the compiler.
|
||||
|
||||
6) The contributed macro macro.JAP generated a fatal error when used.
|
||||
The root cause was a defect in parameter processing in nested
|
||||
macros (if 'PARAM' was passed to an nested macro invocation, it was
|
||||
not expanded to the current parameter value).
|
||||
|
||||
7) Previously, if find_first_interface_address() failed when running
|
||||
shorewall-lite or shoreawll6-lite, the following unhelpful message
|
||||
was issued:
|
||||
|
||||
/usr/share/shorewall-lite/lib.common: line 449: startup_error: command
|
||||
not found
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
N E W F E A T U R E S I N 4 . 4 . 1 5
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
1) Munin and Squid macros have been contributed by Tuomo Soini.
|
||||
|
||||
2) The Shorewall6 accounting, tcrules and rules files now include a
|
||||
HEADERS column which allows matching based on the IPv6 extension and
|
||||
protocol headers included in a packet.
|
||||
|
||||
The contents of the column are:
|
||||
|
||||
[any:|exactly:]<header list>
|
||||
|
||||
where <header list> is a comma-separated list of headers from the
|
||||
following:
|
||||
|
||||
Long Name Short Name Number
|
||||
--------------------------------------
|
||||
auth ah 51
|
||||
esp esp 50
|
||||
d hop-by-hop hop 0
|
||||
route ipv6-route 41
|
||||
frag ipv6-frag 44
|
||||
none ipv6-nonxt 59
|
||||
protocol proto 255
|
||||
|
||||
If 'any:' is specified, the rule will match if any of the listed
|
||||
headers are present. If 'exactly:' is specified, the will match
|
||||
packets that exactly include all specified headers. If neither is
|
||||
given, 'any:' is assumed.
|
||||
|
||||
This change adds a new capability (Header Match) so if you use a
|
||||
capabilities file, you will need to regenerate using this release.
|
||||
|
||||
3) It is now possible to add explicit routes to individual provider
|
||||
routing tables using the /etc/shorewall/routes (/etc/shorewall6/routes)
|
||||
file.
|
||||
|
||||
See the shorewall-routes (5) and/or the shorewall6-routes (5) manpage.
|
||||
|
||||
4) Previously, /usr/share/shorewall/compiler.pl expected the contents
|
||||
of the params file to be passed in the environment. Now, the
|
||||
compiler invokes a small shell program
|
||||
(/usr/share/shorewall/getparams) to process the file and to pass
|
||||
the (variable,value) pairs back to the compiler.
|
||||
|
||||
Shell variable expansion uses the value from the params file if the
|
||||
parameter was set in that file. Otherwise the current environment
|
||||
is used. If the variable does not appear in either place, an error
|
||||
message is generated.
|
||||
|
||||
5) Shared IPv4/IPv6 traffic shaping configuraiton is now
|
||||
available. The device and class configuration can be included in
|
||||
either the Shorewall or the Shorewall6 configuration. To place it
|
||||
in the Shorewall configuration:
|
||||
|
||||
a) Set TC_ENABLED=Internal in shorewall.conf
|
||||
b) Set TC_ENABLED=Shared in shorewall6.conf
|
||||
c) Create symbolic link /etc/shorewall6/tcdevices pointing to
|
||||
/etc/shorewall/tcdevices.
|
||||
d) Create symbolic link /etc/shorewall6/tcclasses pointing to
|
||||
/etc/shorewall/tcclasses.
|
||||
e) Entries for both IPv4 and IPv6 can be included in
|
||||
/etc/shorewall/tcfilters. This file has been extended to allow
|
||||
both IPv4 and IPv6 entries to be included in a single file.
|
||||
f) Packet marking rules are included in both configurations'
|
||||
tcrules file as needed. CLASSIFY rules in
|
||||
/etc/shorewall6/tcrules are validated against the Shorewall TC
|
||||
configuration.
|
||||
|
||||
In this setup, the tcdevices and tcclasses will only be updated
|
||||
when Shorewall is restarted. The IPv6 marking rules are updated
|
||||
when Shorewall6 is restarted.
|
||||
|
||||
The above configuration may be reversed to allow Shorewall6 to
|
||||
control the TC configuration.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 4
|
||||
----------------------------------------------------------------------------
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall
|
||||
%define version 4.4.15
|
||||
%define release 0base
|
||||
%define version 4.4.16
|
||||
%define release 0Beta1
|
||||
|
||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||
Name: %{name}
|
||||
@ -109,6 +109,8 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
|
||||
|
||||
%changelog
|
||||
* Tue Nov 30 2010 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.16-0Beta1
|
||||
* Fri Nov 26 2010 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.15-0base
|
||||
* Mon Nov 22 2010 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.15
|
||||
VERSION=4.4.16-Beta1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.15
|
||||
VERSION=4.4.16-Beta1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall6-lite
|
||||
%define version 4.4.15
|
||||
%define release 0base
|
||||
%define version 4.4.16
|
||||
%define release 0Beta1
|
||||
|
||||
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
|
||||
Name: %{name}
|
||||
@ -93,6 +93,8 @@ fi
|
||||
%doc COPYING changelog.txt releasenotes.txt
|
||||
|
||||
%changelog
|
||||
* Tue Nov 30 2010 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.16-0Beta1
|
||||
* Fri Nov 26 2010 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.15-0base
|
||||
* Mon Nov 22 2010 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.15
|
||||
VERSION=4.4.16-Beta1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.15
|
||||
VERSION=4.4.16-Beta1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall6
|
||||
%define version 4.4.15
|
||||
%define release 0base
|
||||
%define version 4.4.16
|
||||
%define release 0Beta1
|
||||
|
||||
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
|
||||
Name: %{name}
|
||||
@ -98,6 +98,8 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
|
||||
|
||||
%changelog
|
||||
* Tue Nov 30 2010 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.16-0Beta1
|
||||
* Fri Nov 26 2010 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.15-0base
|
||||
* Mon Nov 22 2010 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.15
|
||||
VERSION=4.4.16-Beta1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
Loading…
Reference in New Issue
Block a user