From ecf6a0ec4ac4217a2835b2535a3d0106b370a18a Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 21 Nov 2009 11:08:50 -0800
Subject: [PATCH] Open 4.4.5
---
 Shorewall-lite/fallback.sh | 2 +-
 Shorewall-lite/install.sh | 2 +-
 Shorewall-lite/shorewall-lite.spec | 4 +-
 Shorewall-lite/uninstall.sh | 2 +-
 Shorewall/Perl/Shorewall/Config.pm | 2 +-
 Shorewall/changelog.txt | 4 +
 Shorewall/install.sh | 2 +-
 Shorewall/known_problems.txt | 2 +-
 Shorewall/releasenotes.txt | 269 ++++++++++++++-------------
 Shorewall/shorewall.spec | 4 +-
 Shorewall/uninstall.sh | 2 +-
 Shorewall6-lite/fallback.sh | 2 +-
 Shorewall6-lite/install.sh | 2 +-
 Shorewall6-lite/shorewall6-lite.spec | 4 +-
 Shorewall6-lite/uninstall.sh | 2 +-
 Shorewall6/fallback.sh | 2 +-
 Shorewall6/install.sh | 2 +-
 Shorewall6/shorewall6.spec | 4 +-
 Shorewall6/uninstall.sh | 2 +-
 19 files changed, 169 insertions(+), 146 deletions(-)
diff --git a/Shorewall-lite/fallback.sh b/Shorewall-lite/fallback.sh
index cf95458ad..f2fa3734a 100755
--- a/Shorewall-lite/fallback.sh
+++ b/Shorewall-lite/fallback.sh
@@ -28,7 +28,7 @@
 # shown below. Simply run this script to revert to your prior version of
 # Shoreline Firewall.
-VERSION=4.4.4
+VERSION=4.4.5
 usage() # $1 = exit status
 {
diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh
index dee26dd9e..4950867dc 100755
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -22,7 +22,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.4.4
+VERSION=4.4.5
 usage() # $1 = exit status
 {
diff --git a/Shorewall-lite/shorewall-lite.spec b/Shorewall-lite/shorewall-lite.spec
index 88c607506..55181c591 100644
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@@ -1,5 +1,5 @@
 %define name shorewall-lite
-%define version 4.4.4
+%define version 4.4.5
 %define release 0base
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@@ -100,6 +100,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 %changelog
+* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-0base
 * Fri Nov 13 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0base
 * Fri Nov 13 2009 Tom Eastep tom@shorewall.net
diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh
index 451fcd52f..0760c5657 100755
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.4
+VERSION=4.4.5
 usage() # $1 = exit status
 {
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 57a16ca38..9f8689615 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -327,7 +327,7 @@ sub initialize( $ ) {
 TC_SCRIPT => '',
 EXPORT => 0,
 UNTRACKED => 0,
- VERSION => "4.4.4",
+ VERSION => "4.4.5",
 CAPVERSION => 40402 ,
 );
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index a9c8ac12a..d3b7d0abb 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,3 +1,7 @@
+Changes in Shorewall 4.4.5
+
+None.
+
 Changes in Shorewall 4.4.4
 1) Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.
diff --git a/Shorewall/install.sh b/Shorewall/install.sh
index f94ad71ba..914407f67 100755
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -22,7 +22,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.4.4
+VERSION=4.4.5
 usage() # $1 = exit status
 {
diff --git a/Shorewall/known_problems.txt b/Shorewall/known_problems.txt
index 697586326..23cd7fc32 100644
--- a/Shorewall/known_problems.txt
+++ b/Shorewall/known_problems.txt
@@ -1 +1 @@
-There are no known problems in Shorewall version 4.4.3
+There are no known problems in Shorewall version 4.4.5
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index e4c37dbf0..d14f06602 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -1,4 +1,4 @@
-Shorewall 4.4.4
+Shorewall 4.4.5
 ----------------------------------------------------------------------------
 R E L E A S E 4 . 4 H I G H L I G H T S
@@ -174,41 +174,10 @@ Shorewall 4.4.4 'notrack' for the provider. ---------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 4 . 4 + P R O B L E M S C O R R E C T E D I N 4 . 4 . 5 ---------------------------------------------------------------------------- -1) In some simple one-interface configurations, the following Perl - run-time error messages were issued: - - Generating Rule Matrix... - Use of uninitialized value in concatenation (.) or string at - /usr/share/shorewall/Shorewall/Chains.pm line 649. - Use of uninitialized value in concatenation (.) or string at - /usr/share/shorewall/Shorewall/Chains.pm line 649. - Creating iptables-restore input... - -2) The Shorewall operations log (specified by STARTUP_LOG) is now - secured 0600. - -3) Previously, the compiler generated an incorrect test for interface - availability in the generated code for adding route rules. The - result was that the rules were always added, regardless of the - state of the provider's interface. Now, the rules are only added - when the interface is available. - -4) When TC_WIDE_MARKS=Yes and class numbers are not explicitly - specified in /etc/shorewall/tcclasses, duplicate class numbers - result. A typical error message is: - - ERROR: Command "tc class add dev eth3 parent 1:1 classid - 1:1 htb rate 1024kbit ceil 100000kbit prio 1 quantum 1500" - Failed - - Note that the class ID of the class being added is a duplicate of - the parent's class ID. - - Also, when TC_WIDE_MARKS=Yes, values > 255 in the MARK column of - /etc/shorewall/tcclasses were rejected. +None. ---------------------------------------------------------------------------- K N O W N P R O B L E M S R E M A I N I N G 
@@ -217,103 +186,10 @@ Shorewall 4.4.4 None. ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 4 . 4 + N E W F E A T U R E S I N 4 . 4 . 5 ---------------------------------------------------------------------------- -1) The Shorewall packages now include a logrotate configuration file. - -2) The limit of 15 entries in a port list has been relaxed in - /etc/shorewall/routestopped. - -3) The following seemingly valid configuration produces a fatal - error reporting "Duplicate interface name (p+)" - - /etc/shorewall/zones: - - #ZONE TYPE - fw firewall - world ipv4 - z1:world bport4 - z2:world bport4 - - /etc/shorewall/interfaces: - - #ZONE INTERFACE BROADCAST OPTIONS - world br0 - bridge - world br1 - bridge - z1 br0:p+ - z2 br1:p+ - - This error occurs because the Shorewall implementation requires - that each bridge port must have a unique name. - - To work around this problem, a new 'physical' interface option has - been created. The above configuration may be defined using the - following in /etc/shorewall/interfaces: - - #ZONE INTERFACE BROADCAST OPTIONS - world br0 - bridge - world br1 - bridge - z1 br0:x+ - physical=p+ - z2 br1:y+ - physical=p+ - - In this configuration, 'x+' is the logical name for ports p+ on - bridge br0 while 'y+' is the logical name for ports p+ on bridge - br1. - - If you need to refer to a particular port on br1 (for example - p1023), you write it as y1023; Shorewall will translate that name - to p1023 when needed. - - It is allowed to have a physical name ending in '+' with a logical - name that does not end with '+'. The reverse is not allowed; if the - logical name ends in '+' then the physical name must also end in - '+'. - - This feature is not restricted to bridge ports. Beginning with this - release, the interface name in the INTERFACE column can be - considered a logical name for the interface, and the actual - interface name is specified using the 'physical' option. 
If no - 'physical' option is present, then the physical name is assumed to - be the same as the logical name. As before, the logical interface - name is used throughout the rest of the configuration to refer to - the interface. - -4) Previously, Shorewall has used the character '2' to form the name - of chains involving zones and/or the word 'all' (e.g., fw2net, - all2all). When zones names are given numeric suffixes, these - generated names are hard to read (e.g., foo1232bar). To make these - names clearer, a ZONE2ZONE option has been added. - - ZONE2ZONE has a default value of "2" but can also be given the - value "-" (e.g., ZONE2ZONE="-") which causes Shorewall to separate - the two parts of the name with a hyphen (e.g., foo123-bar). - -5) Only one instance of the following warning is now generated; - previously, one instance of a similar warning was generated for - each COMMENT encountered. - - COMMENTs ignored -- require comment support in iptables/Netfilter - -6) The shorewall and shorewall6 utilities now support a 'show - policies' command. Once Shorewall or Shorewall6 has been restarted - using a script generated by this version, the 'show policies' - command will list each pair of zones and give the applicable - policy. If the policy is enforced in a chain, the name of the chain - is given. - - Example: - - net => loc DROP using chain net2all - - Note that implicit intrazone ACCEPT policies are not displayed for - zones associated with a single network where that network - doesn't specify 'routeback'. - -7) The 'show' and 'dump' commands now support an '-l' option which - causes chain displays to include the rule number of each rule. - - (Type 'iptables -h' and look for '--line-number') +None. ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 4 . 0 
@@ -1215,3 +1091,138 @@ None. exceeding this limit are dropped. The default value is 127 which is the value that earlier versions of Shorewall used. The option is ignored with a warning if the 'pfifo' option has been specified. +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 4 . 4 +---------------------------------------------------------------------------- + +1) In some simple one-interface configurations, the following Perl + run-time error messages were issued: + + Generating Rule Matrix... + Use of uninitialized value in concatenation (.) or string at + /usr/share/shorewall/Shorewall/Chains.pm line 649. + Use of uninitialized value in concatenation (.) or string at + /usr/share/shorewall/Shorewall/Chains.pm line 649. + Creating iptables-restore input... + +2) The Shorewall operations log (specified by STARTUP_LOG) is now + secured 0600. + +3) Previously, the compiler generated an incorrect test for interface + availability in the generated code for adding route rules. The + result was that the rules were always added, regardless of the + state of the provider's interface. Now, the rules are only added + when the interface is available. + +4) When TC_WIDE_MARKS=Yes and class numbers are not explicitly + specified in /etc/shorewall/tcclasses, duplicate class numbers + result. A typical error message is: + + ERROR: Command "tc class add dev eth3 parent 1:1 classid + 1:1 htb rate 1024kbit ceil 100000kbit prio 1 quantum 1500" + Failed + + Note that the class ID of the class being added is a duplicate of + the parent's class ID. + + Also, when TC_WIDE_MARKS=Yes, values > 255 in the MARK column of + /etc/shorewall/tcclasses were rejected. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 4 . 
4 +---------------------------------------------------------------------------- + +1) The Shorewall packages now include a logrotate configuration file. + +2) The limit of 15 entries in a port list has been relaxed in + /etc/shorewall/routestopped. + +3) The following seemingly valid configuration produces a fatal + error reporting "Duplicate interface name (p+)" + + /etc/shorewall/zones: + + #ZONE TYPE + fw firewall + world ipv4 + z1:world bport4 + z2:world bport4 + + /etc/shorewall/interfaces: + + #ZONE INTERFACE BROADCAST OPTIONS + world br0 - bridge + world br1 - bridge + z1 br0:p+ + z2 br1:p+ + + This error occurs because the Shorewall implementation requires + that each bridge port must have a unique name. + + To work around this problem, a new 'physical' interface option has + been created. The above configuration may be defined using the + following in /etc/shorewall/interfaces: + + #ZONE INTERFACE BROADCAST OPTIONS + world br0 - bridge + world br1 - bridge + z1 br0:x+ - physical=p+ + z2 br1:y+ - physical=p+ + + In this configuration, 'x+' is the logical name for ports p+ on + bridge br0 while 'y+' is the logical name for ports p+ on bridge + br1. + + If you need to refer to a particular port on br1 (for example + p1023), you write it as y1023; Shorewall will translate that name + to p1023 when needed. + + It is allowed to have a physical name ending in '+' with a logical + name that does not end with '+'. The reverse is not allowed; if the + logical name ends in '+' then the physical name must also end in + '+'. + + This feature is not restricted to bridge ports. Beginning with this + release, the interface name in the INTERFACE column can be + considered a logical name for the interface, and the actual + interface name is specified using the 'physical' option. If no + 'physical' option is present, then the physical name is assumed to + be the same as the logical name. 
As before, the logical interface + name is used throughout the rest of the configuration to refer to + the interface. + +4) Previously, Shorewall has used the character '2' to form the name + of chains involving zones and/or the word 'all' (e.g., fw2net, + all2all). When zones names are given numeric suffixes, these + generated names are hard to read (e.g., foo1232bar). To make these + names clearer, a ZONE2ZONE option has been added. + + ZONE2ZONE has a default value of "2" but can also be given the + value "-" (e.g., ZONE2ZONE="-") which causes Shorewall to separate + the two parts of the name with a hyphen (e.g., foo123-bar). + +5) Only one instance of the following warning is now generated; + previously, one instance of a similar warning was generated for + each COMMENT encountered. + + COMMENTs ignored -- require comment support in iptables/Netfilter + +6) The shorewall and shorewall6 utilities now support a 'show + policies' command. Once Shorewall or Shorewall6 has been restarted + using a script generated by this version, the 'show policies' + command will list each pair of zones and give the applicable + policy. If the policy is enforced in a chain, the name of the chain + is given. + + Example: + + net => loc DROP using chain net2all + + Note that implicit intrazone ACCEPT policies are not displayed for + zones associated with a single network where that network + doesn't specify 'routeback'. + +7) The 'show' and 'dump' commands now support an '-l' option which + causes chain displays to include the rule number of each rule. + + (Type 'iptables -h' and look for '--line-number') diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index 75bc70aee..668bbbadc 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec @@ -1,5 +1,5 @@ %define name shorewall -%define version 4.4.4 +%define version 4.4.5 %define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. 
@@ -106,6 +106,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
 %changelog
+* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-0base
 * Fri Nov 13 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0base
 * Fri Nov 13 2009 Tom Eastep tom@shorewall.net
diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh
index 785e95cc6..2f80c28c6 100755
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.4
+VERSION=4.4.5
 usage() # $1 = exit status
 {
diff --git a/Shorewall6-lite/fallback.sh b/Shorewall6-lite/fallback.sh
index cf95458ad..f2fa3734a 100755
--- a/Shorewall6-lite/fallback.sh
+++ b/Shorewall6-lite/fallback.sh
@@ -28,7 +28,7 @@
 # shown below. Simply run this script to revert to your prior version of
 # Shoreline Firewall.
-VERSION=4.4.4
+VERSION=4.4.5
 usage() # $1 = exit status
 {
diff --git a/Shorewall6-lite/install.sh b/Shorewall6-lite/install.sh
index aec0c7220..704fe4927 100755
--- a/Shorewall6-lite/install.sh
+++ b/Shorewall6-lite/install.sh
@@ -22,7 +22,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.4.4
+VERSION=4.4.5
 usage() # $1 = exit status
 {
diff --git a/Shorewall6-lite/shorewall6-lite.spec b/Shorewall6-lite/shorewall6-lite.spec
index 17d4e1615..34fce938d 100644
--- a/Shorewall6-lite/shorewall6-lite.spec
+++ b/Shorewall6-lite/shorewall6-lite.spec
@@ -1,5 +1,5 @@
 %define name shorewall6-lite
-%define version 4.4.4
+%define version 4.4.5
 %define release 0base
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
@@ -91,6 +91,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 %changelog
+* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-0base
 * Fri Nov 13 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0base
 * Fri Nov 13 2009 Tom Eastep tom@shorewall.net
diff --git a/Shorewall6-lite/uninstall.sh b/Shorewall6-lite/uninstall.sh
index 697bc0aaf..1bbece353 100755
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.4
+VERSION=4.4.5
 usage() # $1 = exit status
 {
diff --git a/Shorewall6/fallback.sh b/Shorewall6/fallback.sh
index c6f3db765..ffb328691 100755
--- a/Shorewall6/fallback.sh
+++ b/Shorewall6/fallback.sh
@@ -28,7 +28,7 @@
 # shown below. Simply run this script to revert to your prior version of
 # Shoreline Firewall.
-VERSION=4.4.4
+VERSION=4.4.5
 usage() # $1 = exit status
 {
diff --git a/Shorewall6/install.sh b/Shorewall6/install.sh
index f877befa2..a76a57f73 100755
--- a/Shorewall6/install.sh
+++ b/Shorewall6/install.sh
@@ -22,7 +22,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.4.4
+VERSION=4.4.5
 usage() # $1 = exit status
 {
diff --git a/Shorewall6/shorewall6.spec b/Shorewall6/shorewall6.spec
index 6b5427e4a..5130f9288 100644
--- a/Shorewall6/shorewall6.spec
+++ b/Shorewall6/shorewall6.spec
@@ -1,5 +1,5 @@
 %define name shorewall6
-%define version 4.4.4
+%define version 4.4.5
 %define release 0base
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
@@ -95,6 +95,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 %changelog
+* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-0base
 * Fri Nov 13 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0base
 * Fri Nov 13 2009 Tom Eastep tom@shorewall.net
diff --git a/Shorewall6/uninstall.sh b/Shorewall6/uninstall.sh
index 2aad50c49..680368b84 100755
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.4
+VERSION=4.4.5
 usage() # $1 = exit status
 {