Changes in Shorewall 4.4.14.1

None.

Changes in Shorewall 4.4.14

1)  Support ipset lists.
2)  Use conntrack in 'shorewall connections'.
3)  Clean up Shorewall6 error messages when running on a kernel < 2.6.24.
4)  Clean up ipset-related error reporting out of validate_net().
5)  Dramatically reduce the amount of CPU time spent in optimization.
6)  Add 'scfilter' script.
7)  Fix -lite init scripts.
8)  Clamp VERBOSITY to valid range.
9)  Delete obsolete options from shorewall.conf.
10) Change value of FORWARD_CLEAR_MARK in *.conf.
11) Use update-rc.d to install init symlinks.
12) Fix split_list().
13) Fix 10+ TC interfaces.
14) Ensure that VERBOSITY=0 when interrogating compiled script's version.

Changes in Shorewall 4.4.13

1)  Allow zone lists in rules SOURCE and DEST.
2)  Fix exclusion in the blacklist file.
3)  Correct several old exclusion bugs.
4)  Fix exclusion with CONTINUE/NONAT/ACCEPT+.
5)  Re-implement optional interface handling.
6)  Add secmark config file.
7)  Split in and out blacklisting.
8)  Correct handling of [{src|dst},...] in ipset invocation.
9)  Correct SAME.
10) TC enhancements: IN-BANDWIDTH columns; OUT-BANDWIDTH column in tcinterfaces.
11) Create dynamic zone ipsets on 'start'.
12) Remove new blacklisting implementation.
13) Implement an alternative blacklisting scheme.
14) Use '-m state' for UNTRACKED.
15) Clear raw table on 'clear'.
16) Correct port-range check in tcfilters.
17) Disallow '*' in interface names.

Changes in Shorewall 4.4.12

1)  Fix IPv6 shorecap program.
2)  Eradicate incorrect IPv6 multicast network.
3)  Add ADD/DEL support.
4)  Allow :random to work with REDIRECT.
5)  Add per-IP log rate limiting.
6)  Use new hashlimit match syntax if available.
7)  Add Universal sample.
8)  Add COMPLETE option.
9)  Make ICMP a synonym for IPV6-ICMP in IPv6 configs.
10) Support new set match syntax.
11) Blacklisting by DEST IP.
12) Fix duplicate rule generation with 'any'.
13) Fix port range editing problem.
14) Display the .conf file directory in response to the status command.
15) Correct AUTOMAKE.

Changes in Shorewall 4.4.11

1)  Apply patch from Gabriel.
2)  Fix IPSET match detection when a pathname is specified for IPSET.
3)  Fix start priority of shorewall-init on Debian.
4)  Make IPv6 log and connections output readable.
5)  Add REQUIRE_INTERFACE to shorewall*.conf.
6)  Avoid run-time warnings when options are not listed in shorewall.conf.
7)  Implement Vserver zones.
8)  Make find_hosts_by_option() work correctly where ALL_IP appears in hosts file.
9)  Add CLEAR_FORWARD_MARK option.
10) Avoid missing closing quote when REQUIRE_INTERFACE=Yes.
11) Add PERL option.
12) Fix nets= in Shorewall6.

Changes in Shorewall 4.4.10

1)  Fix regression with scripts.
2)  Log startup errors.
3)  Implement Shorewall-init.
4)  Add SAFESTOP option to /etc/default/shorewall*.
5)  Restore -a functionality to the version command.
6)  Correct optimization issue.
7)  Rename PREFIX to DESTDIR in install scripts.
8)  Correct handling of optional/required interfaces with wildcard names.

Changes in Shorewall 4.4.9

1)  Auto-detection of bridges.
2)  Correct handling of a logical interface name in the EXTERNAL column of proxyarp.
3)  More robust 'trace'.
4)  Added IPv6 mDNS macro.
5)  Fix find_first_interface_address() error reporting.
6)  Fix propagation of zero-valued config variables.
7)  Fix OPTIMIZE 4 bug.
8)  Deallocate unused rules.
9)  Keep rule arrays compressed during optimization.
10) Remove remaining fallback scripts.
11) Rationalize startup logs.
12) Optimize 8.
13) Don't create output chains for BPORT zones.
14) Implement 'show log ip-addr' in /sbin/shorewall and /sbin/shorewall-lite.
15) Restore lone ACCEPT rule to the OUTPUT chain under OPTIMIZE 2.
16) Change chain policy on OUTPUT chain with lone ACCEPT rule.
17) Set IP before sourcing the params file.
18) Fix rare optimization bug.
19) Allow definition of an addressless bridge without a zone.
20) In the routestopped file, assume 'routeback' if the interface has 'routeback'.
21) Make Shorewall and Shorewall6 installable on OS X.

Changes in Shorewall 4.4.8

1)  Correct handling of RATE LIMIT on NAT rules.
2)  Don't create a logging chain for rules with '-j RETURN'.
3)  Avoid duplicate SFQ class numbers.
4)  Fix low per-IP rate limits.
5)  Fix Debian init script exit status.
6)  Fix NFQUEUE(queue-num) in policy.
7)  Implement -s option in install.sh.
8)  Add HKP macro.
9)  Fix multiple policy matches with OPTIMIZE 4 and not KLUDGEFREE.
10) Eliminate up-cased variable names that aren't documented options.
11) Don't show 'OLD' capabilities if they are not available.
12) Attempt to flag use of '-' as a port-range separator.
13) Add undocumented OPTIMIZE=-1 setting.
14) Replace OPTIMIZE=-1 with undocumented OPTIMIZE=4096, which DISABLES default optimizations.
15) Add support for UDPLITE.
16) Distinguish between 'Started' and 'Restored' in ${VARDIR}/state.
17) Issue a warning when 'blacklist' is specified but the blacklist file has no entries.
18) Don't optimize 'blacklst'.

Changes in Shorewall 4.4.7

1)  Backport optimization changes from 4.5.
2)  Backport two new options from 4.5.
3)  Backport TPROXY from 4.5.
4)  Add TC_PRIOMAP to shorewall*.conf.
5)  Implement LOAD_HELPERS_ONLY.
6)  Avoid excessive module loading with LOAD_HELPERS_ONLY=Yes.
7)  Fix case where MARK target is unavailable.
8)  Change default to ADD_IP_ALIASES=No.
9)  Correct defects in generate_matrix().
10) Fix and optimize 'nosmurfs'.
11) Use 'OLD_HL_MATCH' to suppress use of 'flow' in Simple TC.

Changes in Shorewall 4.4.6

1)  Fix for rp_filter and kernel 2.6.31.
2)  Add a hack to work around a bug in Lenny + xtables-addons.
3)  Re-enable SAVE_IPSETS.
4)  Allow both <...> and [...] for IPv6 addresses.
5)  Port mark geometry change from 4.5.
6)  Add macro patch from Tuomo Soini.
7)  Add 'show macro' command.
8)  Add -r option to check.
9)  Port simplified TC from 4.5.

Changes in Shorewall 4.4.5

1)  Fix 15-port limit removal change.
2)  Fix handling of interfaces with the 'bridge' option.
3)  Generate error for port number 0.
4)  Allow zone::serverport in rules DEST column.
5)  Fix 'show policies' in Shorewall6.
6)  Auto-load tc modules.
7)  Allow LOGFILE=/dev/null.
8)  Fix shorewall6-lite/shorecap.
9)  Fix MODULE_SUFFIX.
10) Fix ENHANCED_REJECT detection for IPv4.
11) Fix DONT_LOAD vs 'reload -c'.
12) Fix handling of SOURCE and DEST vs macros.
13) Remove silly logic in expand_rule().
14) Add current and limit to conntrack table heading.

Changes in Shorewall 4.4.4

1)  Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.
2)  Fix access to uninitialized variable.
3)  Add logrotate scripts.
4)  Allow long port lists in /etc/shorewall/routestopped.
5)  Implement 'physical' interface option.
6)  Implement ZONE2ZONE option.
7)  Suppress duplicate COMMENT warnings.
8)  Implement 'show policies' command.
9)  Fix route_rule suppression for down provider.
10) Suppress redundant tests for provider availability in route rules processing.
11) Implement the '-l' option to the 'show' command.
12) Fix class number assignment when WIDE_TC_MARKS=Yes.
13) Allow wide marks in tcclasses when WIDE_TC_MARKS=Yes.

Changes in Shorewall 4.4.3

1)  Move Debian INITLOG initialization to /etc/default/shorewall.
2)  Fix 'routeback' in /etc/shorewall/routestopped.
3)  Rename 'object' to 'script' in compiler and config modules.
4)  Correct RETAIN_ALIASES=No.
5)  Fix detection of IP config.
6)  Fix nested zones.
7)  Move all function declarations from prog.footer to prog.header.
8)  Remove superfluous variables from generated script.
9)  Make 'track' the default.
10) Add TRACK_PROVIDERS option.
11) Fix IPv6 address parsing bug.
12) Add hack to work around iproute IPv6 bug in route handling.
13) Correct messages issued when an optional provider is not usable.
14) Fix optional interfaces.
15) Add 'limit' option to tcclasses.

Changes in Shorewall 4.4.2

1)  BUGFIX: Correct detection of persistent SNAT support.
2)  BUGFIX: Fix chain table initialization.
3)  BUGFIX: Validate routestopped file on 'check'.
4)  Let the Actions module add the builtin actions to %Shorewall::Chains::targets. Much better modularization that way.
5)  Some changes to make Lenny->Squeeze less painful.
6)  Allow comments at the end of continued lines.
7)  Call process_routestopped() during 'check' rather than compile_stop_firewall().
8)  Don't look for an extension script for built-in actions.
9)  Apply Jesse Shrieve's patch for SNAT range.
10) Add - to 'ip route del default' command.
11) Add three new columns to macro body.
12) Change 'wait4ifup' so that it requires no PATH.
13) Allow extension scripts for accounting chains.
14) Allow per-IP LIMIT to work on ancient iptables releases.
15) Add 'MARK' column to action body.

Changes in Shorewall 4.4.1

1)  Deleted extra 'use ...IPAddrs.pm' from Nat.pm.
2)  Deleted superfluous export from Chains.pm.
3)  Added support for --persistent.
4)  Don't do module initialization in an INIT block.
5)  Minor performance improvements.
6)  Add 'clean' target to Makefile.
7)  Redefine 'full' for sub-classes.
8)  Fix log level in rules at the end of INPUT and OUTPUT chains.
9)  Fix nested ipsec zones.
10) Change one-interface sample to IP_FORWARDING=Off.
11) Allow multicast to non-dynamic zones defined with nets=.
12) Allow zones with nets= to be extended by /etc/shorewall/hosts entries.
13) Don't allow nets= in a multi-zone interface definition.
14) Fix rule generated by MULTICAST=Yes.
15) Fix silly hole in zones file parsing.
16) Tighten up zone membership checking.
17) Combine port-list-splitting routines into a single function.

Changes in Shorewall 4.4.0

1)  Fix 'compile ... -' so that it no longer requires '-v-1'.
2)  Fix rule generation for logging nat rules with no exclusion.
3)  Fix log record formatting.
4)  Restore ipset binding.
5)  Fix 'upnpclient' with required interfaces.
6)  Fix provider number in masq file.

Changes in Shorewall 4.4.0-RC2

1)  Fix capabilities file with Shorewall6.
2)  Allow Shorewall6 to recognize TC, IP and IPSET.
3)  Make 'any' a reserved zone name.
4)  Correct handling of an ipsec zone nested in a non-ipsec zone.

Changes in Shorewall 4.4.0-RC1

1)  Delete duplicate Git macro.
2)  Fix routing when no providers.
3)  Add 'any' as a SOURCE/DEST in rules.
4)  Fix NONAT on child zone.
5)  Fix rpm -U from earlier versions.
6)  Generate error on 'status' by non-root.
7)  Get rid of prog.functions and prog.functions6.

Changes in Shorewall 4.4.0-Beta4

1)  Add more macros.
2)  Correct broadcast address detection.
3)  Fix 'show dynamic'.
4)  Fix BGP and OSPF macros.
5)  Change DISABLE_IPV6 default and use 'correct' ip6tables.

Changes in Shorewall 4.4.0-Beta3

1)  Add new macros.
2)  Work around mis-configured interfaces.
3)  Fix 'show dynamic'.
4)  Check for xt_LOG.
5)  Fix 'findgw'.

Changes in Shorewall 4.4.0-Beta2

1)  The 'find_first_interface_address()' and 'find_first_interface_address_if_any()' functions have been restored to lib.base.
2)  Integerize r2q before inserting it into 'tc qdisc add root' command.
3)  Remove '-h' from the help text for install.sh in Shorewall and Shorewall6.
4)  Delete the 'continue' file from the Shorewall package.
5)  Add 'upnpclient' interface option.
6)  Fix handling of optional interfaces.
7)  Add 'iptrace' and 'noiptrace' commands.
8)  Add 'USER/GROUP' column to masq file.
9)  Added lib.private.

Changes in Shorewall 4.4.0-Beta1

1)  Correct typo in Shorewall6 two-interface sample shorewall.conf.
2)  Fix TOS mnemonic handling in /etc/shorewall/tcfilters.

Changes in Shorewall 4.3.12

1)  Eliminate 'large quantum' warnings.
2)  Add HFSC support.
3)  Delete support for ipset binding. Jozsef has removed the capability from ipset.
4)  Add TOS and LENGTH columns to tcfilters file.
5)  Fix 'reset' command.
6)  Fix 'findgw'.
7)  Remove 'norfc1918' support.

Changes in Shorewall 4.3.11

1)  Reduce the number of arguments passed in many cases.
2)  Fix SCTP source port handling in tcfilters.
3)  Add 'findgw' user exit.
4)  Add macro.Trcrt.

Changes in Shorewall 4.3.10

1)  Fix handling of shared optional providers.
2)  Add WIDE_TC_MARKS option.
3)  Allow compile to STDOUT.
4)  Fix handling of class IDs.
5)  Deprecate use of an interface in the SOURCE column of /etc/shorewall/masq.
6)  Fix handling of 'all' in the SOURCE of DNAT- rules.
7)  Fix compile for export.
8)  Optimize IPMARK.
9)  Implement nested HTB classes.
10) Fix 'iprange' command.
11) Make traffic shaping work better with IPv6.
12) Externalize 'flow'.
13) Fix 'start' with AUTOMAKE=Yes.

Changes in Shorewall 4.3.9

1)  Logging rules now create separate chain.
2)  Fix netmask generation in tcfilters.
3)  Allow Shorewall6 with kernel 2.6.24.
4)  Avoid 'Invalid BROADCAST address' errors.
5)  Allow Shorewall6 on kernel 4.2.24.
6)  Add IP, TC and IPSET options in shorewall.conf and shorewall6.conf.
7)  Add IPMARK support.

Changes in Shorewall 4.3.8

1)  Apply Tuomo Soini's patch for USE_DEFAULT_RT.
2)  Use 'startup_error' for those errors caught early.
3)  Fix swping.
4)  Detect gateway via dhclient leases file.
5)  Suppress leading whitespace on certain continuation lines.
6)  Use iptables[6]-restore to stop the firewall.
7)  Add AUTOMAKE option.
8)  Remove SAME support.
9)  Allow 'compile' without a pathname.
10) Fix LOG_MARTIANS=Yes.
11) Adapt I. Buijs's hashlimit patch.

Changes in Shorewall 4.3.7

1)  Fix forward treatment of interface options.
2)  Replace $VARDIR/.restore with $VARDIR/firewall.
3)  Fix DNAT- parsing of DEST column.
4)  Implement dynamic zones.
5)  Allow 'HOST' options on bridge ports.
6)  Deprecate old macro parameter syntax.

Changes in Shorewall 4.3.6

1)  Add SAME tcrules target.
2)  Make 'dump' display the raw table. Fix shorewall6 dump anomalies.
3)  Fix split_list1().
4)  Fix Shorewall6 file location bugs.

Changes in Shorewall 4.3.5

1)  Remove support for shorewall-shell.
2)  Combine shorewall-common and shorewall-perl to produce shorewall.
3)  Add nets= OPTION in interfaces file.