forked from extern/shorewall_code
Changes in Shorewall 4.4.10.3

1) Fix 'debug' and 'trace' handling.

2) Make find_hosts_by_option() work correctly where ALL_IP appears in hosts file.

3) Correct syntax error in the generated script when REQUIRE_INTERFACE=Yes.

Changes in Shorewall 4.4.10.2

1) Make IPv6 log and connections output readable.

2) Add REQUIRE_INTERFACE to shorewall*.conf

3) Avoid run-time diagnostic when options are omitted from shorewall*.conf.

4) On Debian, run insserv when it is installed.

Changes in Shorewall 4.4.10.1

1) Apply patch from Gabriel.

2) Fix IPSET match detection when a pathname is specified for IPSET.

Changes in Shorewall 4.4.10

1) Fix regression with scripts.

2) Log startup errors.

3) Implement Shorewall-init.

4) Add SAFESTOP option to /etc/default/shorewall*

5) Restore -a functionality to the version command.

6) Correct Optimization issue

7) Rename PREFIX to DESTDIR in install scripts

8) Correct handling of optional/required interfaces with wildcard names.

Changes in Shorewall 4.4.9

1) Auto-detection of bridges.

2) Correct handling of a logical interface name in the EXTERNAL column of proxyarp.

3) More robust 'trace'.

4) Added IPv6 mDNS macro.

5) Fix find_first_interface_address() error reporting.

6) Fix propagation of zero-valued config variables.

7) Fix OPTIMIZE 4 bug.

8) Deallocate unused rules.

9) Keep rule arrays compressed during optimization.

10) Remove remaining fallback scripts.

11) Rationalize startup logs.

12) Optimize 8.

13) Don't create output chains for BPORT zones.

14) Implement 'show log ip-addr' in /sbin/shorewall and /sbin/shorewall-lite/

15) Restore lone ACCEPT rule to the OUTPUT chain under OPTIMIZE 2.

16) Change chain policy on OUTPUT chain with lone ACCEPT rule.

17) Set IP before sourcing the params file.

18) Fix rare optimization bug.

19) Allow definition of an addressless bridge without a zone.

20) In the routestopped file, assume 'routeback' if the interface has 'routeback'.

21) Make Shorewall and Shorewall6 installable on OS X.

Changes in Shorewall 4.4.8

1) Correct handling of RATE LIMIT on NAT rules.

2) Don't create a logging chain for rules with '-j RETURN'.

3) Avoid duplicate SFQ class numbers.

4) Fix low per-IP rate limits.

5) Fix Debian init script exit status

6) Fix NFQUEUE(queue-num) in policy

7) Implement -s option in install.sh

8) Add HKP Macro

9) Fix multiple policy matches with OPTIMIZE 4 and not KLUDGEFREE

10) Eliminate up-cased variable names that aren't documented options.

11) Don't show 'OLD' capabilities if they are not available.

12) Attempt to flag use of '-' as a port-range separator.

13) Add undocumented OPTIMIZE=-1 setting.

14) Replace OPTIMIZE=-1 with undocumented optimize 4096 which DISABLES default optimizations.

15) Add support for UDPLITE

16) Distinguish between 'Started' and 'Restored' in ${VARDIR}/state

17) Issue warnings when 'blacklist' but no blacklist file entries.

18) Don't optimize 'blacklst'.

Changes in Shorewall 4.4.7

1) Backport optimization changes from 4.5.

2) Backport two new options from 4.5.

3) Backport TPROXY from 4.5

4) Add TC_PRIOMAP to shorewall*.conf

5) Implement LOAD_HELPERS_ONLY

6) Avoid excessive module loading with LOAD_HELPERS_ONLY=Yes

7) Fix case where MARK target is unavailable.

8) Change default to ADD_IP_ALIASES=No

9) Correct defects in generate_matrix().

10) Fix and optimize 'nosmurfs'.

11) Use 'OLD_HL_MATCH' to suppress use of 'flow' in Simple TC.

Changes in Shorewall 4.4.6

1) Fix for rp_filter and kernel 2.6.31.

2) Add a hack to work around a bug in Lenny + xtables-addons

3) Re-enable SAVE_IPSETS

4) Allow both <...> and [...] for IPv6 Addresses.

5) Port mark geometry change from 4.5.

6) Add Macro patch from Tuomo Soini

7) Add 'show macro' command.

8) Add -r option to check.

9) Port simplified TC from 4.5.

Changes in Shorewall 4.4.5

1) Fix 15-port limit removal change.

2) Fix handling of interfaces with the 'bridge' option.

3) Generate error for port number 0

4) Allow zone::serverport in rules DEST column.

5) Fix 'show policies' in Shorewall6.

6) Auto-load tc modules.

7) Allow LOGFILE=/dev/null

8) Fix shorewall6-lite/shorecap

9) Fix MODULE_SUFFIX.

10) Fix ENHANCED_REJECT detection for IPv4.

11) Fix DONT_LOAD vs 'reload -c'

12) Fix handling of SOURCE and DEST vs macros.

13) Remove silly logic in expand_rule().

14) Add current and limit to Conntrack Table Heading.

Changes in Shorewall 4.4.4

1) Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.

2) Fix access to uninitialized variable.

3) Add logrotate scripts.

4) Allow long port lists in /etc/shorewall/routestopped.

5) Implement 'physical' interface option.

6) Implement ZONE2ZONE option.

7) Suppress duplicate COMMENT warnings.

8) Implement 'show policies' command.

9) Fix route_rule suppression for down provider.

10) Suppress redundant tests for provider availability in route rules processing.

11) Implement the '-l' option to the 'show' command.

12) Fix class number assignment when WIDE_TC_MARKS=Yes

13) Allow wide marks in tcclasses when WIDE_TC_MARKS=Yes

Changes in Shorewall 4.4.3

1) Move Debian INITLOG initialization to /etc/default/shorewall

2) Fix 'routeback' in /etc/shorewall/routestopped.

3) Rename 'object' to 'script' in compiler and config modules.

4) Correct RETAIN_ALIASES=No.

5) Fix detection of IP config.

6) Fix nested zones.

7) Move all function declarations from prog.footer to prog.header

8) Remove superfluous variables from generated script

9) Make 'track' the default.

10) Add TRACK_PROVIDERS option.

11) Fix IPv6 address parsing bug.

12) Add hack to work around iproute IPv6 bug in route handling

13) Correct messages issued when an optional provider is not usable.

14) Fix optional interfaces.

15) Add 'limit' option to tcclasses.

Changes in Shorewall 4.4.2

1) BUGFIX: Correct detection of Persistent SNAT support

2) BUGFIX: Fix chain table initialization

3) BUGFIX: Validate routestopped file on 'check'

4) Let the Actions module add the builtin actions to %Shorewall::Chains::targets. Much better modularization that way.

5) Some changes to make Lenny->Squeeze less painful.

6) Allow comments at the end of continued lines.

7) Call process_routestopped() during 'check' rather than 'compile_stop_firewall()'.

8) Don't look for an extension script for built-in actions.

9) Apply Jesse Shrieve's patch for SNAT range.

10) Add -<family> to 'ip route del default' command.

11) Add three new columns to macro body.

12) Change 'wait4ifup' so that it requires no PATH

13) Allow extension scripts for accounting chains.

14) Allow per-ip LIMIT to work on ancient iptables releases.

15) Add 'MARK' column to action body.

Changes in Shorewall 4.4.1

1) Deleted extra 'use ...IPAddrs.pm' from Nat.pm.

2) Deleted superfluous export from Chains.pm.

3) Added support for --persistent.

4) Don't do module initialization in an INIT block.

5) Minor performance improvements.

6) Add 'clean' target to Makefile.

7) Redefine 'full' for sub-classes.

8) Fix log level in rules at the end of INPUT and OUTPUT chains.

9) Fix nested ipsec zones.

10) Change one-interface sample to IP_FORWARDING=Off.

11) Allow multicast to non-dynamic zones defined with nets=.

12) Allow zones with nets= to be extended by /etc/shorewall/hosts entries.

13) Don't allow nets= in a multi-zone interface definition.

14) Fix rule generated by MULTICAST=Yes

15) Fix silly hole in zones file parsing.

16) Tighten up zone membership checking.

17) Combine portlist-splitting routines into a single function.

Changes in Shorewall 4.4.0

1) Fix 'compile ... -' so that it no longer requires '-v-1'

2) Fix rule generation for logging nat rules with no exclusion.

3) Fix log record formatting.

4) Restore ipset binding

5) Fix 'upnpclient' with required interfaces.

6) Fix provider number in masq file.

Changes in Shorewall 4.4.0-RC2

1) Fix capabilities file with Shorewall6.

2) Allow Shorewall6 to recognize TC, IP and IPSET

3) Make 'any' a reserved zone name.

4) Correct handling of an ipsec zone nested in a non-ipsec zone.

Changes in Shorewall 4.4.0-RC1

1) Delete duplicate Git macro.

2) Fix routing when no providers.

3) Add 'any' as a SOURCE/DEST in rules.

4) Fix NONAT on child zone.

5) Fix rpm -U from earlier versions

6) Generate error on 'status' by non-root.

7) Get rid of prog.functions and prog.functions6

Changes in Shorewall 4.4.0-Beta4

1) Add more macros.

2) Correct broadcast address detection

3) Fix 'show dynamic'

4) Fix BGP and OSPF macros.

5) Change DISABLE_IPV6 default and use 'correct' ip6tables.

Changes in Shorewall 4.4.0-Beta3

1) Add new macros.

2) Work around mis-configured interfaces.

3) Fix 'show dynamic'.

4) Check for xt_LOG.

5) Fix 'findgw'

Changes in Shorewall 4.4.0-Beta2

1) The 'find_first_interface_address()' and 'find_first_interface_address_if_any()' functions have been restored to lib.base.

2) Integerize r2q before inserting it into 'tc qdisc add root' command.

3) Remove '-h' from the help text for install.sh in Shorewall and Shorewall6.

4) Delete the 'continue' file from the Shorewall package.

5) Add 'upnpclient' interface option.

6) Fix handling of optional interfaces.

7) Add 'iptrace' and 'noiptrace' command.

8) Add 'USER/GROUP' column to masq file.

9) Added lib.private.

Changes in Shorewall 4.4.0-Beta1

1) Correct typo in Shorewall6 two-interface sample shorewall.conf.

2) Fix TOS mnemonic handling in /etc/shorewall/tcfilters.

Changes in Shorewall 4.3.12

1) Eliminate 'large quantum' warnings.

2) Add HFSC support.

3) Delete support for ipset binding. Jozsef has removed the capability from ipset.

4) Add TOS and LENGTH columns to tcfilters file.

5) Fix 'reset' command.

6) Fix 'findgw'.

7) Remove 'norfc1918' support.

Changes in Shorewall 4.3.11

1) Reduce the number of arguments passed in many cases.

2) Fix SCTP source port handling in tcfilters.

3) Add 'findgw' user exit.

4) Add macro.Trcrt

Changes in Shorewall 4.3.10

1) Fix handling of shared optional providers.

2) Add WIDE_TC_MARKS option.

3) Allow compile to STDOUT.

4) Fix handling of class IDs.

5) Deprecate use of an interface in the SOURCE column of /etc/shorewall/masq.

6) Fix handling of 'all' in the SOURCE of DNAT- rules.

7) Fix compile for export.

8) Optimize IPMARK.

9) Implement nested HTB classes.

10) Fix 'iprange' command.

11) Make traffic shaping work better with IPv6.

12) Externalize 'flow'.

13) Fix 'start' with AUTOMAKE=Yes

Changes in Shorewall 4.3.9

1) Logging rules now create separate chain.

2) Fix netmask generation in tcfilters.

3) Allow Shorewall6 with kernel 2.6.24

4) Avoid 'Invalid BROADCAST address' errors.

5) Allow Shorewall6 on kernel 4.2.24

6) Add IP, TC and IPSET options in shorewall.conf and shorewall6.conf.

7) Add IPMARK support

Changes in Shorewall 4.3.8

1) Apply Tuomo Soini's patch for USE_DEFAULT_RT.

2) Use 'startup_error' for those errors caught early.

3) Fix swping

4) Detect gateway via dhclient leases file.

5) Suppress leading whitespace on certain continuation lines.

6) Use iptables[6]-restore to stop the firewall.

7) Add AUTOMAKE option

8) Remove SAME support.

9) Allow 'compile' without a pathname.

10) Fix LOG_MARTIANS=Yes.

11) Adapt I. Buijs's hashlimit patch.

Changes in Shorewall 4.3.7

1) Fix forward treatment of interface options.

2) Replace $VARDIR/.restore with $VARDIR/firewall

3) Fix DNAT- parsing of DEST column.

4) Implement dynamic zones

5) Allow 'HOST' options on bridge ports.

6) Deprecate old macro parameter syntax.

Changes in Shorewall 4.3.6

1) Add SAME tcrules target.

2) Make 'dump' display the raw table. Fix shorewall6 dump anomalies.

3) Fix split_list1()

4) Fix Shorewall6 file location bugs.

Changes in Shorewall 4.3.5

1) Remove support for shorewall-shell.

2) Combine shorewall-common and shorewall-perl to produce shorewall.

3) Add nets= OPTION in interfaces file.