Correct 'show bl|blacklists' syntax

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/Shorewall-core-targetname

@@ -1 +1 @@
-5.2.8-Beta1
+5.2.8-RC1

Shorewall-core/lib.cli

@@ -3605,7 +3605,7 @@ status_command() {
 
     [ $# -eq 0 ] || missing_argument
 
-    [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
+    [ $VERBOSITY -ge 1 ] && echo "${g_product} $SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
     show_status
     [ -n "$interfaces" ] && show_interfaces
     exit $status
@@ -4019,9 +4019,15 @@ setup_dbl() {
 # the Standard CLI by loading lib.cli-std
 ################################################################################
 #
-# Set the configuration variables from shorewall[6]-lite.conf.
+# Set the configuration variables from shorewall[6]-lite.conf. This function
+# is replaced by the one in lib.cli-std (Shorewall product) when Shorewall or
+# Shorewall6 is being run.
 #
-get_config() {
+#     $1 = Yes: read the params file
+#     $2 = Yes: check for STARTUP_ENABLED
+#     $3 = Yes: Check for LOGFILE
+#
+lite_get_config() {
     local config
     local lib
 
@@ -4170,7 +4176,7 @@ get_config() {
 
 	    [ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
 
-	    g_pager="| $g_pager"
+	    g_pager="2>&1 | $g_pager"
 	fi
     fi
 
@@ -4183,10 +4189,22 @@ get_config() {
     [ -f $lib ] && . $lib
 
 }
+
+#
+# get_config() -- calls the appropriate xxx_get_config()
+#
+get_config() {
+    if [ -z "$g_lite" ]; then
+	std_get_config $@
+    else
+	lite_get_config $@
+    fi
+}
+
 #
 # Start Command Executor
 #
-start_command() {
+lite_start_command() {
     local finished
     finished=0
 
@@ -4273,10 +4291,21 @@ start_command() {
     do_it
 }
 
+#
+# start_command() -- calls the appropriate xxx_start_command()
+#
+start_command() {
+    if [ -z "$g_lite" ]; then
+	std_start_command $@
+    else
+	lite_start_command $@
+    fi
+}
+
 #
 # Reload/Restart Command Executor
 #
-restart_command() {
+lite_restart_command() {
     local finished
     finished=0
     local rc
@@ -4345,6 +4374,17 @@ restart_command() {
     return $rc
 }
 
+#
+# restart_command() -- calls the appropriate xxx_restart_command()
+#
+restart_command() {
+    if [ -z "$g_lite" ]; then
+	std_restart_command $@
+    else
+	lite_restart_command $@
+    fi
+}
+
 run_command() {
     if [ -x $g_firewall ] ; then
 	run_it $g_firewall $@
@@ -4713,7 +4753,7 @@ shorewall_cli() {
 	exit 1
     fi
 
-    banner="${g_product}-${SHOREWALL_VERSION} Status at $g_hostname -"
+    banner="${g_product} ${SHOREWALL_VERSION} Status at $g_hostname -"
 
     COMMAND=$1
 
@@ -4803,7 +4843,7 @@ shorewall_cli() {
 	logwatch)
 	    only_root
 	    get_config Yes Yes Yes
-	    banner="${g_product}-$SHOREWALL_VERSION Logwatch at $g_hostname -"
+	    banner="${g_product} $SHOREWALL_VERSION Logwatch at $g_hostname -"
 	    logwatch_command $@
 	    ;;
 	drop)

Shorewall-core/manpages/shorewall.xml

@@ -981,7 +981,22 @@
               <td><command>shorewall -6</command> or <command>shorewall
               -6l</command></td>
             </tr>
+
+            <tr>
+              <td><command>shorewall</command></td>
+
+              <td><command>shorewall -l</command></td>
+            </tr>
           </table>
+
+          <para>Note that when Shorewall isn't installed, the 'shorewall'
+          command behaves like shorewall-lite. The same is not true with
+          respect to Shorewall6, "shorewall6" and 'shorewall6-lite". You can
+          make 'shorewall6' behave like 'shorewallt-lite' by adding the
+          following command to root's .profile file (or to .bashrc, if root's
+          shell is bash):</para>
+
+          <programlisting>    alias shorewall6=shorewall6-lite</programlisting>
         </listitem>
       </varlistentry>
 
@@ -2458,8 +2473,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">bl|blacklists</emphasis>
-              [-<option>x</option>]</term>
+              <term><emphasis role="bold">[-<option>x</option>]
+              bl|blacklists</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.6.2. Displays the dynamic chain

Shorewall-core/uninstall.sh

@@ -134,6 +134,7 @@ fi
 
 remove_directory ${SHAREDIR}/shorewall
 remove_file ~/.shorewallrc
+remove_file ${SBINDIR}/shorewall
 
 #
 # Report Success

Shorewall/Macros/macro.NFS

@@ -0,0 +1,12 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.NFS
+#
+# This macro handles NFS v4.1+ traffic with default ports.
+# You should only allow NFS traffic between hosts you fully trust.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	111		# portmapper, rpcbind
+PARAM	-	-	tcp	2049		# nfs
+PARAM	-	-	tcp	20048		# mountd

Shorewall/Perl/Shorewall/Chains.pm

@@ -7478,9 +7478,9 @@ sub have_address_variables() {
 #
 # Generate setting of run-time global shell variables
 #
-sub set_global_variables( $$ ) {
+sub set_global_variables( $$$ ) {
 
-    my ( $setall, $conditional ) = @_;
+    my ( $setall, $conditional, $call_generate_all_acasts ) = @_;
 
     if ( $conditional ) {
 	my ( $interface, @interfaces );
@@ -7513,16 +7513,17 @@ sub set_global_variables( $$ ) {
     }
 
     if ( $setall ) {
-	emit $interfaceaddr{$_}         for sortkeysiftest %interfaceaddr;
-	emit $interfacenets{$_}         for sortkeysiftest %interfacenets;
+	if ( $conditional ) {
+	    emit $interfaceaddr{$_}         for sortkeysiftest %interfaceaddr;
+	    emit $interfacenets{$_}         for sortkeysiftest %interfacenets;
+	}
 
 	unless ( have_capability( 'ADDRTYPE' ) ) {
-
 	    if ( $family == F_IPV4 ) {
 		emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
 		emit $interfacebcasts{$_} for sortkeysiftest %interfacebcasts;
 	    } else {
-		generate_all_acasts;
+		emit $call_generate_all_acasts;
 		emit $interfaceacasts{$_} for sortkeysiftest %interfaceacasts;
 	    }
 	}

Shorewall/Perl/Shorewall/Compiler.pm

@@ -276,12 +276,18 @@ sub generate_script_2() {
 
     emit "}\n"; # End of initialize()
 
+    #
+    # Conditionally emit the 'generate_all_acasts() function
+    #
+    my $call_generate_all_acasts = $family == F_IPV6 && ! have_capability( 'ADDRTYPE' ) ? generate_all_acasts : '';
+
     emit( '' ,
 	  '#' ,
 	  '# Set global variables holding detected IP information' ,
 	  '#' ,
 	  'detect_configuration()',
-	  '{' );
+	  '{'
+	);
 
     my $global_variables    = have_global_variables;
     my $optional_interfaces = find_interfaces_by_option( 'optional' );
@@ -312,7 +318,7 @@ sub generate_script_2() {
 
 	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
 		verify_required_interfaces(0);
-		set_global_variables(0, 0);
+		set_global_variables( $family == F_IPV6, 0, $call_generate_all_acasts );
 		handle_optional_interfaces;
 	    }
 
@@ -326,7 +332,7 @@ sub generate_script_2() {
 	}
 
 	verify_required_interfaces(1);
-	set_global_variables(1,1);
+	set_global_variables(1, 1, $call_generate_all_acasts );
 	handle_optional_interfaces;
 
 	if ( $global_variables & NOT_RESTORE ) {

Shorewall/Perl/Shorewall/Config.pm

@@ -884,7 +884,7 @@ sub initialize($;$$$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => '5.2.7-Beta1',
+		    VERSION                 => '5.2.8-RC1',
 		    CAPVERSION              => 50207 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
@@ -5683,6 +5683,11 @@ sub process_shorewall_conf( $$ ) {
 	$globals{CONFIGDIR} =  $configfile = $file;
 	$globals{CONFIGDIR} =~ s/$product.conf//;
 
+	if ( $export ) {
+	    use Sys::Hostname;
+	    $globals{CONFIGDIR} = join( ':', hostname, $globals{CONFIGDIR} );
+	}
+
 	if ( -r _ ) {
 	    open_file $file;
 

Shorewall/Perl/Shorewall/Tc.pm

@@ -72,6 +72,9 @@ our %flow_keys = ( 'src'            => 1,
 #                              out_bandwidth => <value> ,
 #                              number        => <number>,
 #                              classify      => 0|1
+#                              flow          => Comma-separated flow tupple
+#                              classify      => 0|1
+#                              pfifo         => 0|1
 #                              tablenumber   => <next u32 table to be allocated for this device>
 #                              default       => <default class mark value>
 #                              redirected    => [ <dev1>, <dev2>, ... ]
@@ -80,6 +83,13 @@ our %flow_keys = ( 'src'            => 1,
 #                              qdisc         => htb|hfsc
 #                              guarantee     => <total RATE of classes seen so far>
 #                              name          => <interface>
+#                              filters       => [ filter, ... ]
+#                              linklayer     => <type> (optional)
+#                              overhead      => <number>
+#                              mtu           => <number>
+#                              tsize         => <number>
+#                              filterpri     => <number> (initially 0)
+#                              connmark      => 0|1
 #                                               }
 #
 our @tcdevices;
@@ -2392,7 +2402,6 @@ sub setup_tc( $ ) {
     }
 
     if ( $config{MANGLE_ENABLED} ) {
-
 	if ( $convert ) {
 	    my $have_tcrules;
 

Shorewall/Perl/Shorewall/Zones.pm

@@ -75,7 +75,6 @@ our @EXPORT = ( qw( NOTHING
 		    all_interfaces
 		    all_real_interfaces
 		    all_plain_interfaces
-		    interface_is_plain
 		    all_bridges
 		    managed_interfaces
 		    unmanaged_interfaces
@@ -178,7 +177,8 @@ our %reservedName = ( all => 1,
 #				      number	  => <ordinal position in the interfaces file>
 #				      physical	  => <physical interface name>
 #				      base	  => <shell variable base representing this interface>
-#				      wildcard	  => undef|1 # Wildcard Name
+#				      wildcard	  => undef|1 # Wildcard Logical Name
+#				      physwild	  => undef|1 # Wildcard Physical Name
 #				      zones	  => { zone1 => 1, ... }
 #				      origin	  => <where defined>
 #				    }
@@ -431,9 +431,9 @@ sub initialize( $$ ) {
 				    loopback    => BINARY_IF_OPTION,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
-				    noanycast	=> SIMPLE_IF_OPTION + IF_OPTION_WILDOK,
 				    nodbl       => SIMPLE_IF_OPTION,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
+				    omitanycast	=> SIMPLE_IF_OPTION + IF_OPTION_WILDOK,
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
@@ -1374,7 +1374,7 @@ sub process_interface( $$ ) {
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
 		if ( $option eq 'arp_ignore' ) {
-		    fatal_error q(The 'arp_ignore' option may not be used with a wild-card interface name) if $wildcard;
+		    fatal_error q(The 'arp_ignore' option may not be used with a wild-card interface name) if $physwild;
 		    if ( defined $value ) {
 			if ( $value =~ /^[1-3,8]$/ ) {
 			    $options{arp_ignore} = $value;
@@ -1491,7 +1491,7 @@ sub process_interface( $$ ) {
 
 	if ( $options{bridge} ) {
 	    require_capability( 'PHYSDEV_MATCH', 'The "bridge" option', 's');
-	    fatal_error "Bridges may not have wildcard names" if $wildcard;
+	    fatal_error "Bridges may not have wildcard names" if $physwild;
 	    $hostoptions{routeback} = $options{routeback} = 1 unless supplied $options{routeback};
 	}
 
@@ -1721,6 +1721,7 @@ sub known_interface($)
 					       physical => $physical ,
 					       base     => $interfaceref->{base} ,
 					       wildcard => $interfaceref->{wildcard} ,
+					       physwild => $interfaceref->{physwild} ,
 					       zones    => $interfaceref->{zones} ,
 		                              };
 		return $interfaceref;
@@ -2400,10 +2401,13 @@ sub generate_all_acasts() {
 	my $interfaceref = $interfaces{$interface};
 	my $physical     = $interfaceref->{physical};
 
+	next if ( $interfaceref->{options}{port} ||
+		  $interfaceref->{options}{unmanaged} );
+
 	if ( $interfaceref->{physwild} ) {
 	    $physical =~ s/\+/*/;
 
-	    if ( $interfaceref->{options}{noanycast} ) {
+	    if ( $interfaceref->{options}{omitanycast} ) {
 		if ( $physical eq '*' ) {
 		    @wildnoacasts = ( '*' );
 		} else {
@@ -2417,7 +2421,7 @@ sub generate_all_acasts() {
 		}
 	    }
 	} else {
-	    if ( $interfaceref->{options}{noanycast} ) {
+	    if ( $interfaceref->{options}{omitanycast} ) {
 		push @noacasts, $physical;
 	    } else {
 		push @acasts, $physical;
@@ -2425,16 +2429,16 @@ sub generate_all_acasts() {
 	}
     }
 
-    unless( @noacasts || @wildnoacasts ) {
-	emit( 'ALL_ACASTS="$(get_all_acasts)"' );
-	return;
-    }
+    return 'ALL_ACASTS="$(get_all_acasts)"' unless @noacasts || @wildnoacasts;
 
     @wildacasts = '*' unless @wildacasts;
 
-    emit( 'local iface',
-	  '',
-	  'ALL_ACASTS=',
+    emit( "#\n# Populate the ALL_ACASTS variable\n#",
+	  'generate_all_acasts()',
+	  '{' );
+    push_indent;
+
+    emit( 'ALL_ACASTS=',
 	  '',
 	  'for iface in $(find_all_interfaces1); do' );
 
@@ -2461,27 +2465,35 @@ sub generate_all_acasts() {
 		  '        ALL_ACASTS="$ALL_ACASTS $(get_interface_acasts $iface)"',
 		  '    else',
 		  '        ALL_ACASTS="$(get_interface_acasts $iface)"',
+		  '    fi',
 		  '    ;;' );
 	}
 
 	emit( join( '|', @wildnoacasts) . ')',
 	      '    ;;' );
+
     } else {
 	@wildacasts = ( '*' );
     }
 
-    emit( join( '|', @wildacasts ) . ')',
-	  '    if [ -n "$ALL_ACASTS" ]; then',
-	  '        ALL_ACASTS="$ALL_ACASTS $(get_interface_acasts $iface)"',
-	  '    else',
-	  '        ALL_ACASTS="$(get_interface_acasts $iface)"',
-	  '    ;;' );
+    if ( @wildacasts ) {
+	emit( join( '|', @wildacasts ) . ')',
+	      '    if [ -n "$ALL_ACASTS" ]; then',
+	      '        ALL_ACASTS="$ALL_ACASTS $(get_interface_acasts $iface)"',
+	      '    else',
+	      '        ALL_ACASTS="$(get_interface_acasts $iface)"',
+	      '    fi',
+	      '    ;;' );
+    }
 
     pop_indent;
+    emit( 'esac');
     pop_indent;
-    emit( 'esac',
-	  '' );
+    emit( 'done');
+    pop_indent;
+    emit( "}\n" );
 
+    return 'generate_all_acasts';
 }
 
 1;

Shorewall/Perl/compiler.pl

@@ -47,7 +47,7 @@
 #
 use strict;
 use FindBin;
-use lib "$FindBin::Bin";
+use lib "$FindBin::Bin"; # Required to allow modules to reside in ${BASEDIR}/Shorewall/
 use Shorewall::Compiler;
 use Getopt::Long;
 

Shorewall/Shorewall-targetname

@@ -1 +1 @@
-5.2.8-Beta1
+5.2.8-base

Shorewall/lib.cli-std

@@ -29,7 +29,7 @@
 #     $2 = Yes: check for STARTUP_ENABLED
 #     $3 = Yes: Check for LOGFILE
 #
-get_config() {
+std_get_config() {
     local prog
     local lib
 
@@ -216,6 +216,8 @@ get_config() {
 		echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
 		SHOREWALL_SHELL=/bin/sh
 	    fi
+	else
+	    SHOREWALL_SHELL=/bin/sh
 	fi
 
 	if [ -n "$IP" ]; then
@@ -332,7 +334,7 @@ get_config() {
 
 	    [ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
 
-	    g_pager="| $g_pager"
+	    g_pager="2>&1 | $g_pager"
 	fi
     fi
 
@@ -566,7 +568,7 @@ compiler() {
 #
 # Start Command Executor
 #
-start_command() {
+std_start_command() {
     local finished
     finished=0
     local rc
@@ -965,7 +967,7 @@ update_command() {
 #
 # Reload/Restart Command Executor
 #
-restart_command() {
+std_restart_command() {
     local finished
     finished=0
     local rc

Shorewall/manpages/shorewall-interfaces.xml

@@ -627,18 +627,6 @@ loc     eth2            -</programlisting>
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term>noanycast</term>
-
-              <listitem>
-                <para>IPv6 only. Added in Shorewall 5.2.8. Shorewall6 normally
-                generates rules to silently drop anycast packets for subnets
-                on all available interfaces. This can be inhibited for
-                individual interfaces by specifying <emphasis
-                role="bold">noanycast</emphasis> for those interfaces.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">nodbl</emphasis></term>
 
@@ -665,6 +653,56 @@ loc     eth2            -</programlisting>
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>omitanycast</term>
+
+              <listitem>
+                <para>IPv6 only. Added in Shorewall 5.2.8.</para>
+
+                <para>Shorewall6 has traditionally generated rules for IPv6
+                <emphasis>anycast</emphasis> addresses. These rules
+                include:</para>
+
+                <orderedlist numeration="loweralpha">
+                  <listitem>
+                    <para>Packets with these destination IP addresses are
+                    dropped by REJECT rules.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Packets with these source IP addresses are dropped
+                    by the 'nosmurfs' interface option and by the 'dropSmurfs'
+                    action.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Packets with these destination IP addresses are not
+                    logged during policy enforcement.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Packets with these destination IP addresses are
+                    processes by the 'Broadcast' action.</para>
+                  </listitem>
+                </orderedlist>
+
+                <para>This can be inhibited for individual interfaces by
+                specifying <emphasis role="bold">noanycast</emphasis> for
+                those interfaces.</para>
+
+                <note>
+                  <para>RFC 2526 describes IPv6 subnet anycast addresses. The
+                  RFC makes a distinction between subnets with "IPv6 address
+                  types required to have 64-bit interface identifiers in
+                  EUI-64 format" and all other subnets. When generating these
+                  anycast addresses, the Shorewall compiler does not make this
+                  distinction and unconditionally assumes that the last 128
+                  addresses in the subnet are reserved as anycast
+                  addresses.</para>
+                </note>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">optional</emphasis></term>
 

Shorewall/manpages/shorewall-snat.xml

@@ -207,9 +207,6 @@
                 the IP addresses configured on the interface named in the DEST
                 column and substitute them in this column.</para>
 
-                <para>Finally, you may also specify a comma-separated list of
-                ranges and/or addresses in this column.</para>
-
                 <para>DNS Names names are not allowed.</para>
 
                 <para>Normally, Netfilter will attempt to retain the source
@@ -805,21 +802,16 @@
         <term>IPv4 Example 6:</term>
 
         <listitem>
-          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
-          round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
-          (Shorewall 4.5.9 and later).</para>
+          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 randomly
+          to addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9 (Shorewall 5.0.0 and
+          later).</para>
 
-          <programlisting>/etc/shorewall/tcrules:
-
-       #ACTION   SOURCE         DEST         PROTO   DPORT         SPORT    USER    TEST
-       1-3:CF    192.168.1.0/24 eth0 ; state=NEW
-
-/etc/shorewall/snat:
+          <programlisting>/etc/shorewall/snat:
 
        #ACTION                 SOURCE          DEST
-       SNAT(1.1.1.1)           192.168.1.0/24  eth0  { mark=1:C }
-       SNAT(1.1.1.3)           192.168.1.0/24  eth0  { mark=2:C }
-       SNAT(1.1.1.9)           192.168.1.0/24  eth0  { mark=3:C }</programlisting>
+       SNAT(1.1.1.1)           192.168.1.0/24  eth0  { probability=0.33 }
+       SNAT(1.1.1.3)           192.168.1.0/24  eth0  { probability=0.50 }
+       SNAT(1.1.1.9)           192.168.1.0/24  eth0</programlisting>
         </listitem>
       </varlistentry>
 

Shorewall/uninstall.sh

@@ -149,7 +149,9 @@ if [ $configure -eq 1 ]; then
     fi
 fi
 
-remove_file ${SBINDIR}/$PRODUCT
+if [ $PRODUCT = shorewall6 ]; then
+    remove_file ${SBINDIR}/shorewall6
+fi
 
 if [ -h ${SHAREDIR}/$PRODUCT/init ]; then
     FIREWALL=$(readlink -m -q ${SHAREDIR}/$PRODUCT/init)

docs/Shorewall-Lite.xml

@@ -547,6 +547,18 @@
             <command>remote-reload</command> command (e.g., <command>shorewall
             remote-reload -c gateway</command>).</para>
           </listitem>
+
+          <listitem>
+            <para>Shorewall6-lite works with Shorewall6 in the same way that
+            Shorewall-lite works with Shorewall. Beginning with Shorewall
+            5.0.0, running 'shorewall &lt;cmd&gt;" is the same as running
+            "shorewall-lite &lt;cmd&gt;" when Shorewall is not installed.. To
+            continue to use the "shorewall6" command after switching to
+            Shoerwall6-lite, you need to add this to your .profile (or to
+            .bashrc if root's shell is bash):</para>
+
+            <programlisting>    alias shorewall6=shorewall6-lite</programlisting>
+          </listitem>
         </orderedlist>
       </section>
     </section>

docs/docs-targetname

@@ -1 +1 @@
-5.2.8-Beta1
+5.2.8-RC1