From cae5ddc7e006050c412ec426e2954285b11d94ca Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 30 Nov 2010 17:30:11 -0800
Subject: [PATCH] Initiate 4.4.16
---
 Shorewall-init/install.sh | 2 +-
 Shorewall-init/shorewall-init.spec | 6 +-
 Shorewall-init/uninstall.sh | 2 +-
 Shorewall-lite/install.sh | 2 +-
 Shorewall-lite/shorewall-lite.spec | 6 +-
 Shorewall-lite/uninstall.sh | 2 +-
 Shorewall/Perl/Shorewall/Config.pm | 2 +-
 Shorewall/changelog.txt | 4 +
 Shorewall/install.sh | 2 +-
 Shorewall/known_problems.txt | 2 +-
 Shorewall/releasenotes.txt | 276 ++++++++++++++-------------
 Shorewall/shorewall.spec | 6 +-
 Shorewall/uninstall.sh | 2 +-
 Shorewall6-lite/install.sh | 2 +-
 Shorewall6-lite/shorewall6-lite.spec | 6 +-
 Shorewall6-lite/uninstall.sh | 2 +-
 Shorewall6/install.sh | 2 +-
 Shorewall6/shorewall6.spec | 6 +-
 Shorewall6/uninstall.sh | 2 +-
 19 files changed, 180 insertions(+), 154 deletions(-)
diff --git a/Shorewall-init/install.sh b/Shorewall-init/install.sh
index 1079553d1..1eee97179 100755
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -23,7 +23,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. #
-VERSION=4.4.15
+VERSION=4.4.16-Beta1
 usage() # $1 = exit status {
diff --git a/Shorewall-init/shorewall-init.spec b/Shorewall-init/shorewall-init.spec
index 6aff4a6cf..39bc3f241 100644
--- a/Shorewall-init/shorewall-init.spec
+++ b/Shorewall-init/shorewall-init.spec
@@ -1,6 +1,6 @@ %define name shorewall-init
-%define version 4.4.15
-%define release 0base
+%define version 4.4.16
+%define release 0Beta1
 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name}
@@ -99,6 +99,8 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog
+* Tue Nov 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.16-0Beta1
 * Fri Nov 26 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.15-0base * Mon Nov 22 2010 Tom Eastep tom@shorewall.net
diff --git a/Shorewall-init/uninstall.sh b/Shorewall-init/uninstall.sh
index a15b5c652..d8a2d7ae2 100755
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.15
+VERSION=4.4.16-Beta1
 usage() # $1 = exit status {
diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh
index 7a6cfb69d..dba0f2184 100755
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. #
-VERSION=4.4.15
+VERSION=4.4.16-Beta1
 usage() # $1 = exit status {
diff --git a/Shorewall-lite/shorewall-lite.spec b/Shorewall-lite/shorewall-lite.spec
index 34bdb11a3..44a9c83c0 100644
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@@ -1,6 +1,6 @@ %define name shorewall-lite
-%define version 4.4.15
-%define release 0base
+%define version 4.4.16
+%define release 0Beta1
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. Name: %{name}
@@ -102,6 +102,8 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog
+* Tue Nov 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.16-0Beta1
 * Fri Nov 26 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.15-0base * Mon Nov 22 2010 Tom Eastep tom@shorewall.net
diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh
index c3e976261..c5c2a97c5 100755
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.15
+VERSION=4.4.16-Beta1
 usage() # $1 = exit status {
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 4f3b6572f..7a3468854 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -353,7 +353,7 @@ sub initialize( $ ) { EXPORT => 0, STATEMATCH => '-m state --state', UNTRACKED => 0,
- VERSION => "4.4.15",
+ VERSION => "4.4.16-Beta1",
 CAPVERSION => 40415 , );
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 2f934bf6c..ff80ea31d 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,3 +1,7 @@
+Changes in Shorewall 4.4.16
+
+None.
+
 Changes in Shorewall 4.4.15 1) Add macros from Tuomo Soini.
diff --git a/Shorewall/install.sh b/Shorewall/install.sh
index 8452a15f4..3c2e1c97d 100755
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. #
-VERSION=4.4.15
+VERSION=4.4.16-Beta1
 usage() # $1 = exit status {
diff --git a/Shorewall/known_problems.txt b/Shorewall/known_problems.txt
index 3141b10e9..3c5830b6c 100644
--- a/Shorewall/known_problems.txt
+++ b/Shorewall/known_problems.txt
@@ -1 +1 @@
-There are no known problems in Shorewall 4.4.15
+There are no known problems in Shorewall 4.4.16-Beta1
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 673322541..fe6a3940f 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -13,65 +13,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Previously, if - - a) syn flood protection was enabled in a policy that - specified 'all' for the SOURCE or DEST, and - b) there was only one pair of zones matching that policy, and - c) PROPAGATE_POLICIES=Yes in shorewall.conf, and - d) logging was specified on the policy - - then the chain implementing the chain had "all" in its name while - the logging rule did not. - - Example - - On a simple standalone configuration, /etc/shorewall/policy - has: - - #SOURCE DEST POLICY LOGGING - net all DROP info - - then the chain implementing syn flood protection would be named - @net2all while the logging rule would indicate net2fw. - - Now, the chain will be named @net2fw. - -2) If the current environment exported the VERBOSE variable with a - non-zero value, then startup would fail. - -3) If a route existed for an entire RFC1918 subnet (10.0.0.0/8, - 172.20.0.0/12 or 192.168.0.0/16), then setting - NULL_ROUTE_RFC1918=Yes would cause the route to be replaced with an - 'unreachable' one. - -4) Shorewall6 failed to start correctly if all the following were true: - - - Shorewall was installed using the tarball. It may have - subsequently been installed using a distribution-specific package - or the rpm from shorewall.net without first unstalling the - tarball components. - - - Shorewall6 was installed using a distribution-specific package or - the rpm from shorewall.net. - - - The file /etc/shorewall6/init was not created. - -5) If an interface with physical='+' is given the 'optional' or - 'required' option, then invalid shell variables names were - generated by the compiler. - -6) The contributed macro macro.JAP generated a fatal error when used. 
- The root cause was a defect in parameter processing in nested - macros (if 'PARAM' was passed to an nested macro invocation, it was - not expanded to the current parameter value). - -7) Previously, if find_first_interface_address() failed when running - shorewall-lite or shoreawll6-lite, the following unhelpful message - was issued: - - /usr/share/shorewall-lite/lib.common: line 449: startup_error: command - not found +None. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G @@ -84,79 +26,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Munin and Squid macros have been contributed by Tuomo Soini. - -2) The Shorewall6 accounting, tcrules and rules files now include a - HEADERS column which allows matching based on the IPv6 extension and - protocol headers included in a packet. - - The contents of the column are: - - [any:|exactly:]
- - where
is a comma-separated list of headers from the - following: - - Long Name Short Name Number - -------------------------------------- - auth ah 51 - esp esp 50 -d hop-by-hop hop 0 - route ipv6-route 41 - frag ipv6-frag 44 - none ipv6-nonxt 59 - protocol proto 255 - - If 'any:' is specified, the rule will match if any of the listed - headers are present. If 'exactly:' is specified, the will match - packets that exactly include all specified headers. If neither is - given, 'any:' is assumed. - - This change adds a new capability (Header Match) so if you use a - capabilities file, you will need to regenerate using this release. - -3) It is now possible to add explicit routes to individual provider - routing tables using the /etc/shorewall/routes (/etc/shorewall6/routes) - file. - - See the shorewall-routes (5) and/or the shorewall6-routes (5) manpage. - -4) Previously, /usr/share/shorewall/compiler.pl expected the contents - of the params file to be passed in the environment. Now, the - compiler invokes a small shell program - (/usr/share/shorewall/getparams) to process the file and to pass - the (variable,value) pairs back to the compiler. - - Shell variable expansion uses the value from the params file if the - parameter was set in that file. Otherwise the current environment - is used. If the variable does not appear in either place, an error - message is generated. - -5) Shared IPv4/IPv6 traffic shaping configuraiton is now - available. The device and class configuration can be included in - either the Shorewall or the Shorewall6 configuration. To place it - in the Shorewall configuration: - - a) Set TC_ENABLED=Internal in shorewall.conf - b) Set TC_ENABLED=Shared in shorewall6.conf - c) Create symbolic link /etc/shorewall6/tcdevices pointing to - /etc/shorewall/tcdevices. - d) Create symbolic link /etc/shorewall6/tcclasses pointing to - /etc/shorewall/tcclasses. - e) Entries for both IPv4 and IPv6 can be included in - /etc/shorewall/tcfilters. 
This file has been extended to allow - both IPv4 and IPv6 entries to be included in a single file. - f) Packet marking rules are included in both configurations' - tcrules file as needed. CLASSIFY rules in - /etc/shorewall6/tcrules are validated against the Shorewall TC - configuration. - - In this setup, the tcdevices and tcclasses will only be updated - when Shorewall is restarted. The IPv6 marking rules are updated - when Shorewall6 is restarted. - - The above configuration may be reversed to allow Shorewall6 to - control the TC configuration. +None. ---------------------------------------------------------------------------- I V. R E L E A S E 4 . 4 H I G H L I G H T S 
@@ -377,6 +247,148 @@ d hop-by-hop hop 0 ---------------------------------------------------------------------------- V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S I N P R I O R R E L E A S E S +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 5 +---------------------------------------------------------------------------- + +1) Previously, if + + a) syn flood protection was enabled in a policy that + specified 'all' for the SOURCE or DEST, and + b) there was only one pair of zones matching that policy, and + c) PROPAGATE_POLICIES=Yes in shorewall.conf, and + d) logging was specified on the policy + + then the chain implementing the chain had "all" in its name while + the logging rule did not. + + Example + + On a simple standalone configuration, /etc/shorewall/policy + has: + + #SOURCE DEST POLICY LOGGING + net all DROP info + + then the chain implementing syn flood protection would be named + @net2all while the logging rule would indicate net2fw. + + Now, the chain will be named @net2fw. + +2) If the current environment exported the VERBOSE variable with a + non-zero value, then startup would fail. + +3) If a route existed for an entire RFC1918 subnet (10.0.0.0/8, + 172.20.0.0/12 or 192.168.0.0/16), then setting + NULL_ROUTE_RFC1918=Yes would cause the route to be replaced with an + 'unreachable' one. + +4) Shorewall6 failed to start correctly if all the following were true: + + - Shorewall was installed using the tarball. It may have + subsequently been installed using a distribution-specific package + or the rpm from shorewall.net without first unstalling the + tarball components. + + - Shorewall6 was installed using a distribution-specific package or + the rpm from shorewall.net. + + - The file /etc/shorewall6/init was not created. 
+ +5) If an interface with physical='+' is given the 'optional' or + 'required' option, then invalid shell variables names were + generated by the compiler. + +6) The contributed macro macro.JAP generated a fatal error when used. + The root cause was a defect in parameter processing in nested + macros (if 'PARAM' was passed to an nested macro invocation, it was + not expanded to the current parameter value). + +7) Previously, if find_first_interface_address() failed when running + shorewall-lite or shoreawll6-lite, the following unhelpful message + was issued: + + /usr/share/shorewall-lite/lib.common: line 449: startup_error: command + not found + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 4 . 1 5 +---------------------------------------------------------------------------- + +1) Munin and Squid macros have been contributed by Tuomo Soini. + +2) The Shorewall6 accounting, tcrules and rules files now include a + HEADERS column which allows matching based on the IPv6 extension and + protocol headers included in a packet. + + The contents of the column are: + + [any:|exactly:]
+ + where
is a comma-separated list of headers from the + following: + + Long Name Short Name Number + -------------------------------------- + auth ah 51 + esp esp 50 +d hop-by-hop hop 0 + route ipv6-route 41 + frag ipv6-frag 44 + none ipv6-nonxt 59 + protocol proto 255 + + If 'any:' is specified, the rule will match if any of the listed + headers are present. If 'exactly:' is specified, the will match + packets that exactly include all specified headers. If neither is + given, 'any:' is assumed. + + This change adds a new capability (Header Match) so if you use a + capabilities file, you will need to regenerate using this release. + +3) It is now possible to add explicit routes to individual provider + routing tables using the /etc/shorewall/routes (/etc/shorewall6/routes) + file. + + See the shorewall-routes (5) and/or the shorewall6-routes (5) manpage. + +4) Previously, /usr/share/shorewall/compiler.pl expected the contents + of the params file to be passed in the environment. Now, the + compiler invokes a small shell program + (/usr/share/shorewall/getparams) to process the file and to pass + the (variable,value) pairs back to the compiler. + + Shell variable expansion uses the value from the params file if the + parameter was set in that file. Otherwise the current environment + is used. If the variable does not appear in either place, an error + message is generated. + +5) Shared IPv4/IPv6 traffic shaping configuraiton is now + available. The device and class configuration can be included in + either the Shorewall or the Shorewall6 configuration. To place it + in the Shorewall configuration: + + a) Set TC_ENABLED=Internal in shorewall.conf + b) Set TC_ENABLED=Shared in shorewall6.conf + c) Create symbolic link /etc/shorewall6/tcdevices pointing to + /etc/shorewall/tcdevices. + d) Create symbolic link /etc/shorewall6/tcclasses pointing to + /etc/shorewall/tcclasses. + e) Entries for both IPv4 and IPv6 can be included in + /etc/shorewall/tcfilters. 
This file has been extended to allow + both IPv4 and IPv6 entries to be included in a single file. + f) Packet marking rules are included in both configurations' + tcrules file as needed. CLASSIFY rules in + /etc/shorewall6/tcrules are validated against the Shorewall TC + configuration. + + In this setup, the tcdevices and tcclasses will only be updated + when Shorewall is restarted. The IPv6 marking rules are updated + when Shorewall6 is restarted. + + The above configuration may be reversed to allow Shorewall6 to + control the TC configuration. + ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 4 ---------------------------------------------------------------------------- diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index 7210e6f43..bee94d4d8 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec @@ -1,6 +1,6 @@ %define name shorewall -%define version 4.4.15 -%define release 0base +%define version 4.4.16 +%define release 0Beta1 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} @@ -109,6 +109,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples %changelog +* Tue Nov 30 2010 Tom Eastep tom@shorewall.net +- Updated to 4.4.16-0Beta1 * Fri Nov 26 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.15-0base * Mon Nov 22 2010 Tom Eastep tom@shorewall.net diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh index 64e038531..5efebe508 100755 --- a/Shorewall/uninstall.sh +++ b/Shorewall/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.15 +VERSION=4.4.16-Beta1 usage() # $1 = exit status { diff --git a/Shorewall6-lite/install.sh b/Shorewall6-lite/install.sh index ba292a470..51540f742 100755 --- a/Shorewall6-lite/install.sh +++ b/Shorewall6-lite/install.sh 
@@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. #
-VERSION=4.4.15
+VERSION=4.4.16-Beta1
 usage() # $1 = exit status {
diff --git a/Shorewall6-lite/shorewall6-lite.spec b/Shorewall6-lite/shorewall6-lite.spec
index 53d2b5e7a..3e8cbf21b 100644
--- a/Shorewall6-lite/shorewall6-lite.spec
+++ b/Shorewall6-lite/shorewall6-lite.spec
@@ -1,6 +1,6 @@ %define name shorewall6-lite
-%define version 4.4.15
-%define release 0base
+%define version 4.4.16
+%define release 0Beta1
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems. Name: %{name}
@@ -93,6 +93,8 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog
+* Tue Nov 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.16-0Beta1
 * Fri Nov 26 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.15-0base * Mon Nov 22 2010 Tom Eastep tom@shorewall.net
diff --git a/Shorewall6-lite/uninstall.sh b/Shorewall6-lite/uninstall.sh
index abd28d08e..a0844c9b9 100755
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.15
+VERSION=4.4.16-Beta1
 usage() # $1 = exit status {
diff --git a/Shorewall6/install.sh b/Shorewall6/install.sh
index 4b151ba0a..bc5c01559 100755
--- a/Shorewall6/install.sh
+++ b/Shorewall6/install.sh
@@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. #
-VERSION=4.4.15
+VERSION=4.4.16-Beta1
 usage() # $1 = exit status {
diff --git a/Shorewall6/shorewall6.spec b/Shorewall6/shorewall6.spec
index 2a78f98ea..f3f25adf4 100644
--- a/Shorewall6/shorewall6.spec
+++ b/Shorewall6/shorewall6.spec
@@ -1,6 +1,6 @@ %define name shorewall6
-%define version 4.4.15
-%define release 0base
+%define version 4.4.16
+%define release 0Beta1
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems. Name: %{name}
@@ -98,6 +98,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6 %changelog
+* Tue Nov 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.16-0Beta1
 * Fri Nov 26 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.15-0base * Mon Nov 22 2010 Tom Eastep tom@shorewall.net
diff --git a/Shorewall6/uninstall.sh b/Shorewall6/uninstall.sh
index 1da23a5e2..b3096db05 100755
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.15
+VERSION=4.4.16-Beta1
 usage() # $1 = exit status {