forked from extern/shorewall_code
b58b15d018
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7670 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
Changes in 4.0.6

1) Fix hyphenated service names in DNAT/REDIRECT rules.

2) Fix long dest ports list bug.

3) Fix many day-one bugs in REDIRECT port handling.

4) Add support for '--physdev-is-bridged'.

5) Add support for embedded shell and Perl scripts.

6) Add support for manual chains.

7) Don't require GATEWAY in tunnels file.

8) Fix HIGH_ROUTE_MARKS fsck-up.

9) Fix Makefiles for VARDIR

10) Add -t option to hits command.

11) Add DONT_LOAD option

12) Add support for --random.

12) Add experimental support for multi-ISP through a single interface

Changes in 4.0.5

1) Delete 'detectnets' from Shorewall-perl

2) Use get_config() for processing secondary shorewall.conf

3) Add 'broadcast' and 'destonly' options to hosts file.

4) Allow "$FW::<port>" in the DEST column of a redirect rule

5) Add MULTICAST option in shorewall.conf.

6) Allow port range for server port in NAT rules.

7) Validate server IP address and port(-range) in NAT rules.

8) Allow server port(s) to be specified as service names.

9) Split large DEST PORT(S) lists.

10) Fix TCP/UDP in rules file.

10) Add new semantics to 'debug' with Shorewall-perl

11) Satisfy the distros.

12) Change module versions to V-strings.

13) Fix ipsets.

Changes in 4.0.4

1) Fix 'refresh' with light-weight shells.

2) Various fixes for proxyarp.

3) Fix 'refresh' run-time error.

4) Cleaner behavior if module-init-tools not installed.

5) Fix [re-]initialization problems in Shorewall::Tc.

6) Make compile-time check for iptables-restore.

7) Fix dup chain name test for actions.

8) Improve KLUDGEFREE detection.

9) Remove unused functions from Chains module.

10) Allow 'TC_ENABLED=internal' as specified (Only 'Internal' is
    currently allowed).

11) Correct 'loose' handling.

12) Correct handling of 'bridge' and accounting.

13) Fix SHOREWALL_DIR fiasco.

14) Avoid deleting wrong routing rule.

15) Allow provider number in route_rules with Shorewall-shell.

16) Add DELETE_THEN_ADD option.

17) Add warning about 'detectnets' going away.

18) Fix off-by-one bug in Tc.pm

19) Correct problems found in pre-testing.

20) Fix REDIRECT with Macros.

Changes in 4.0.3

1) Streamline the checking for builtin chains in the accounting file.

2) Don't try to write/restore /etc/iproute2/rt_tables if it isn't
    writable.

3) Allow Shorewall-perl compiler and libraries to be installed
    anywhere.

4) Add KEEP_RT_TABLES option.

5) Other provider changes.

6) Fix LOG target in Shorewall-shell.

7) Faster log processing.

8) Tweak handling of CLASSID in process_tc_rule().

9) Restore 3.4 'stop/clear/reset' behavior and make new behavior
    optional.

10) Add act_police to modules file.

11) Add 'mss' interface option.

12) Add TCPMSS_MATCH to show capabilities -f.

13) Ensure a space between log prefix and IN=.

14) Provide ESTABLISHED,RELATED rules for inappropriate CONTINUE policy

15) Add hashlimit match detection.

16) Fix 'add' and 'delete' when interface name contains special char.

17) Fix PREROUTING track fiasco.

18) Add NFQUEUE support.

19) Allow refresh of chains other than 'blacklst'.

20) Allow INCLUDE in run-time extension scripts.

21) Fix zone sort.

Changes in 4.0.2

1) Another ECN fix in Shorewall-perl.

2) Make 'state match' detection in Shorewall-perl quiet.

3) Detect port range in list without XMULTIPORT.

4) Move lockfile handling from 'firewall' to 'shorewall' and lib.cli.

5) Don't detect routed networks and interfaces addresses during
    'restore'.

6) Upcase some global variables in the generated script.

7) Remove some 'chain_base' mapping.

8) Eliminate a couple of global variables in the Chains module.

9) Cosmetic change to generated script.

10) Allow tc configuration on bridge ports.

11) Fix add/delete problem when Shorewall-shell is not installed.

12) Don't overwrite ${VARDIR}/chains and ${VARDIR}/zones during
    'refresh'.

13) Correct some error messages.

14) Correct calculations involving number of keys in a hash.

15) Load xt_multiport.

16) Apply Günter Niedermeier's patch for multiport.

17) Honor the BROADCAST column when address type match is not
    available.

18) Fix accounting.

Changes in 4.0.1

1) Add EXPAND_POLICIES.

2) Fix uninstallers.

3) Correct handling of 'ipsec' option in the hosts file.

4) Correct handling of 'PATH' in Shorewall-perl.

5) Correct handling of ECN with MANGLE_FORWARD.

6) Relax ADDRTYPE restriction.

7) Be sure that chkconfig runs after upgrade from < 4.0.0

8) Better out-of-order policy detection.

9) Fix dropBcast/allowBcast logging and other logging
    fixes/improvements.

10) Cleaner way to handle quotes in rules.

11) Allow '/min' in RATE/BURST column.

12) Check for state match

13) Fix stale lock problems.

Changes in 4.0.0 Final

1) Fix lite install.sh manpage problem.

2) Fix shorewall-shell .spec to modify SHOREWALL_COMPILER.

3) Shuffle code in Providers.pm.

4) Consolidate Common.pm + Config.pm and Interfaces.pm + Hosts.pm +
    Zones.pm.

5) Validate log level in policy file.

Changes in 4.0.0 RC 2

1) Fix zone type check in Tunnels File.

2) Remove -f as default start OPTIONS.

3) Remove 3.4 compatibility hacks.

4) Fix install.sh manpage problem.

5) Fix LITEDIR mess.

6) Fix IPSEC.

7) Add Tunneling Macros from Tuomo Soini.

Changes in 4.0.0 RC 1

1) shorewall-perl RPM no longer installable under shorewall 3.4.

2) Fix limited broadcast and detectnets/routeback interfaces.

3) Use optimized 'split' for faster compilation.

4) Validate host part in hosts file entry.

5) Fix IPSECFILE=ipsec.

6) Make ':noah' the default.

7) Work around SELinux nonsense.

8) Restore the 'refresh' command.

9) Allow ipsec zone in GATEWAY ZONE column of the tunnels file.

10) Raise error on chmod failure.

11) Handle shell variables with zero value correctly.

Changes in 4.0.0 Beta 6

1) First step to adding compiler debugging facility.

2) Assume that iptables-restore is in the same directory as $IPTABLES

3) Fix buildports.pm to handle bogus entries in /etc/protocols and
    /etc/services.

4) Allow COMMENT in the accounting file.

Changes in 4.0.0 Beta 6

1) Validate the DISPOSITION in /etc/shorewall/maclist entries.

2) Add versioning to capabilities files.

3) Improve compiler selection.

4) DYNAMIC_ZONES=Yes and bridges.

5) Implement port validation.

Changes in 4.0.0 Beta 5

1) Fix undefined function call when both an input interface and an
    output interface are present.

2) Externalize compiler and Compile.pm.

Changes in 4.0.0 Beta 4

1) Fix the 'Modules' output of 'dump'

2) Fix FW=xxx with IPSECFILE=ipsec.

3) Fix wildcard-rule/NONE-policy interaction.

4) Clean up generation of user-exit jacket functions.

5) Add new bridge code.

6) Fix bad bug in exclusion.

Changes in 4.0.0 Beta 2

1) Fix screwup in get_routed_networks().

2) Some minor tweaks.

3) Fix synflood chain jumps.

4) Simplify synflood handling and improve error diagnostics.

Changes in 4.0.0 Beta 1

1) Fix add/delete <interface>.

2) Fix do_proto() and 'use IPConfig' in Providers.pm.

3) Implement dynamic host group detection.

Changes in 3.9.7

1) Clean up release notes.

2) Fix several bugs having to do with exclusion in the hosts file.

3) Use '-m addrtype' in detectnet interface output rules.

4) Fix find_hosts_by_option().

5) Fix more hosts file bugs.

6) Fix 'detect' in GATEWAY column of providers file.

8) Other bug fixes (see release notes).

7) Fix action in 'logreject'.

8) Allow macros to invoke macros outside of action bodies.

Changes in 3.9.6

1) Fix parsing problems in protocol handling.

2) Fix bugs in handling of the MARK column.

3) Fix bug in routing table copying

4) Fix bug in ipset handling.

5) Fix bug in handling of CONTINUE in the tcrules file.

6) Add RCP_COMMAND and RSH_COMMAND options in shorewall.conf

7) Apply Luigi's MARK patch.

Changes in 3.9.5

1) Fix dynamic zone problem.

2) Fix LOGALLNEW.

3) Implement log level, protocol and port validation.

4) Fix MACLIST log rule generation problem.

Changes in 3.9.4

1) Fix port 0 problem (again!).

2) Fix log_martians.

3) Make LOG_MARTIANS and ROUTE_FILTER tri-valued.

4) Fix arp_ignore.

5) Re-work ROUTE_FILTER and LOG_MARTIANS.

6) Fix handling of interface options.

7) Fix handling of zone ipsec options.

8) Fix 'routeback' on multi-zone interface.

9) Fix 'check -d'.

10) Fix intra-zone policies.

11) Fix typo in maclist validation.

12) Allow 'optional' to work with 'maclist'.

Changes in 3.9.3

1) Apply Steven Springl's patch for port checking.

2) Implement 'optional' interface option.

3) Fix a couple of bugs in 'owner' handling.

4) Fix several bugs in address/network detection.

5) Make a number of interface options binary.

6) Add wildcard edits in interface processing.

7) Fix dropInvalid.

8) Fix 'none'.

9) Fix SAME with SOURCE $FW

10) Fix tcp:syn.

11) Fix all->z rules with 'NONE' policy.

12) Check for reserved zone names.

13) Add check for firewall zone existence.

14) Add checks for zone existence in 'all' processing.

Changes in 3.9.2

1) Implement '-C {shell|perl}'.

2) Implement LOCKFILE

3) Fix typo in prog.footer.

4) Fix Shorewall-perl hosts and tcclasses errors.

5) Add IPPserver macro.

6) Fix problem with 'stop' and 'clear' when shorewall-shell not
    installed.

7) Moved lib.dynamiczones to Shorewall.

8) Fix silly bug in lib.base.

9) Apply Steven Springl's patch for ICMP.