
Re: Approval for upload of new Shorewall upstream 4.0.15



This time with promised attachments.

On Mon, Dec 08, 2008 at 07:49:06PM -0500, Roberto C. Sánchez wrote:
> I am preparing a new upstream release (4.0.15) of Shorewall (affected Debian
> packages: shorewall-{perl,shell,common,lite,doc}).  Nearly all of the changes
> have already been approved, uploaded and migrated to Lenny in the form of
> patches to the 4.0.14 packages.  Only the latest fix (I just committed it
> upstream tonight), has not been incorporated.  I would like to receive approval
> for upload of the new 4.0.15 (still to be released) packages.  This will help
> to avoid user confusion and 4.0.15 is currently planned to be the very last
> release in the 4.0 series of Shorewall releases.
> 
> The only substantial change between the current Debian packages in Lenny
> and the 4.0.15 is represented by the attached ipp2p.diff:
> 
>  Shorewall-common/changelog.txt     |    2 ++
>  Shorewall-common/lib.base          |    2 +-
>  Shorewall-common/releasenotes.txt  |    8 ++++++++
>  Shorewall-perl/Shorewall/Config.pm |    2 +-
>  4 files changed, 12 insertions(+), 2 deletions(-)
> 
> The affected packages are shorewall-{perl,common,lite}.  You can
> reproduce the diff yourself with this command:
> 
> svn diff -r8952:8953 http://shorewall.svn.sourceforge.net/svnroot/shorewall/branches/4.0
> 
> The complete upstream changeset between 4.0.14 and 4.0.15 is represented
> by the attached shorewall_4.0.14_to_4.0.15_upstream.diff:
> 
>  Shorewall-common/changelog.txt         |   17 +
>  Shorewall-common/fallback.sh           |    2
>  Shorewall-common/install.sh            |    2
>  Shorewall-common/lib.base              |   10
>  Shorewall-common/releasenotes.txt      |  497 +++++++++++++++++----------------
>  Shorewall-common/shorewall-common.spec |    4
>  Shorewall-common/started               |    2
>  Shorewall-common/uninstall.sh          |    2
>  Shorewall-lite/fallback.sh             |    2
>  Shorewall-lite/init.debian.sh          |    2
>  Shorewall-lite/install.sh              |    2
>  Shorewall-lite/shorewall-lite.spec     |    4
>  Shorewall-lite/uninstall.sh            |    2
>  Shorewall-perl/Shorewall/Chains.pm     |   15
>  Shorewall-perl/Shorewall/Config.pm     |   27 +
>  Shorewall-perl/Shorewall/Rules.pm      |    7
>  Shorewall-perl/Shorewall/Tc.pm         |    2
>  Shorewall-perl/install.sh              |    2
>  Shorewall-perl/shorewall-perl.spec     |    4
>  Shorewall-shell/compiler               |   54 +++
>  Shorewall-shell/install.sh             |    2
>  Shorewall-shell/shorewall-shell.spec   |    4
>  known_problems.txt                     |   10
>  manpages/shorewall-interfaces.xml      |    4
>  manpages/shorewall.conf.xml            |   21 +
>  manpages/shorewall.xml                 |   22 +
>  26 files changed, 449 insertions(+), 273 deletions(-)
> 
> The large change in the release notes is a result of a formatting
> cleanup.  The manpage changes are typo fixes and addition of missing
> documentation.  All of the rest of the changes are already patched
> individually into the affected Debian packages.
> 
> You can reproduce the diff yourself with this command:
> 
> svn diff http://shorewall.svn.sourceforge.net/svnroot/shorewall/tags/4.0.14 http://shorewall.svn.sourceforge.net/svnroot/shorewall/branches/4.0
> 
> I think that overall it would be far better to have the 4.0.15 packages
> in Debian, rather than patching yet again.  However, if needed, I will
> patch in the changes from the attached ipp2p.diff.
> 
> Regards,
> 
> -Roberto
> 
> -- 
> Roberto C. Sánchez
> http://people.connexer.com/~roberto
> http://www.connexer.com



-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Index: known_problems.txt
===================================================================
--- known_problems.txt	(.../tags/4.0.14)	(revision 8953)
+++ known_problems.txt	(.../branches/4.0)	(revision 8953)
@@ -1,10 +0,0 @@
-Problems corrected in Shorewall 4.0.14.2
-
-1)  With Shorewall-perl, if a destination port list had exactly 16
-    ports, where a port-range counts as two ports, then Shorewall-perl
-    would fail to split the rule into multiple rules and an
-    iptables-restore error would result.
-
-2)  The change to Shorewall in 4.0.14.1 that promised iptables 1.4.1
-    compatibility contained a typo that prevented it from working
-    correctly.
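Review bot: emptying known_problems.txt drops the two 4.0.14.2 items, but only the second of them (iptables 1.4.1 compatibility) reappears in the 4.0.15 changelog.txt and releasenotes.txt in this patch; the first, the 16-port --dports split (the `> 15` to `> 14` change in Chains.pm below), is recorded nowhere in 4.0.15. Add a changelog and release-note entry for it so the fix stays traceable once this file is gone.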
Index: Shorewall-perl/install.sh
===================================================================
--- Shorewall-perl/install.sh	(.../tags/4.0.14)	(revision 8953)
+++ Shorewall-perl/install.sh	(.../branches/4.0)	(revision 8953)
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.0.14
+VERSION=4.0.15
 
 usage() # $1 = exit status
 {
Index: Shorewall-perl/Shorewall/Chains.pm
===================================================================
--- Shorewall-perl/Shorewall/Chains.pm	(.../tags/4.0.14)	(revision 8953)
+++ Shorewall-perl/Shorewall/Chains.pm	(.../branches/4.0)	(revision 8953)
@@ -110,6 +110,7 @@
 				       do_test
 				       do_ratelimit
 				       do_user
+				       do_length
 				       do_tos
 				       match_source_dev
 				       match_dest_dev
@@ -421,7 +422,7 @@
     if ( $expandports && $rule =~  '^(.* --dports\s+)([^ ]+)(.*)$' ) {
 	my ($first, $ports, $rest) = ( $1, $2, $3 );
 
-	if ( ( $ports =~ tr/:,/:,/ ) > 15 ) {
+	if ( ( $ports =~ tr/:,/:,/ ) > 14 ) {
 	    my @ports = split '([,:])', $ports;
 
 	    while ( @ports ) {
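Review bot: the new `> 14` threshold is correct but unexplained; `tr/:,/:,/` counts separators, and a list of N ports of which R are ranges has N-1+R separators while multiport counts N+R ports against its limit of 15, so `> 14` triggers the split exactly when a 16th port would be needed. The previous `> 15` is the off-by-one from the deleted known_problems.txt entry (an exact 16-port list was never split). Add a one-line comment with that arithmetic so the constant is not "fixed" back later.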
@@ -1212,6 +1213,16 @@
 }
 
 #
+# Create a "-m length" match for the passed TOS
+#
+sub do_length( $ ) {
+    my $length = $_[0];
+
+    require_capability( 'LENGTH_MATCH' , 'A non-empty LENGTH' , 's' );
+    $length ne '-' ? "-m length --length $length " : '';
+}
+
+#
 # Match Source Interface
 #
 sub match_source_dev( $ ) {
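Review bot: the comment above do_length says "for the passed TOS", copied from do_tos; it should read LENGTH. More importantly, `require_capability( 'LENGTH_MATCH' ... )` runs before the `$length ne '-'` test, so a tcrules entry with LENGTH left as `-` is still refused on a host whose capabilities file lacks LENGTH_MATCH, even though the message says "A non-empty LENGTH". Return `''` for `-` first, then require the capability, e.g. `return '' if $length eq '-';` as the first statement.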
@@ -1345,7 +1356,7 @@
     if ( $net =~ /^!/ ) {
 	$net =~ s/!//;
 	validate_net $net, 1;
-	"-m conntrack --ctorigdst ! $net ";
+	$capabilities{NEW_CONNTRACK_MATCH} ? "-m conntrack ! --ctorigdst $net " : "-m conntrack --ctorigdst ! $net ";
     } else {
 	validate_net $net, 1;
 	$net eq ALLIPv4 ? '' : "-m conntrack --ctorigdst $net ";
Index: Shorewall-perl/Shorewall/Config.pm
===================================================================
--- Shorewall-perl/Shorewall/Config.pm	(.../tags/4.0.14)	(revision 8953)
+++ Shorewall-perl/Shorewall/Config.pm	(.../branches/4.0)	(revision 8953)
@@ -162,6 +162,8 @@
 		 MULTIPORT       => 'Multi-port Match' ,
 		 XMULTIPORT      => 'Extended Multi-port Match',
 		 CONNTRACK_MATCH => 'Connection Tracking Match',
+		 NEW_CONNTRACK_MATCH => 
+		                    'New Connection Tracking Match syntax',
 		 USEPKTTYPE      => 'Packet Type Match',
 		 POLICY_MATCH    => 'Policy Match',
 		 PHYSDEV_MATCH   => 'Physdev Match',
@@ -244,8 +246,8 @@
 		    ORIGINAL_POLICY_MATCH => '',
 		    LOGPARMS => '',
 		    TC_SCRIPT => '',
-		    VERSION => "4.0.14",
-		    CAPVERSION => 40006 ,
+		    VERSION => "4.0.15",
+		    CAPVERSION => 40015 ,
 		  );
     #
     # From shorewall.conf file
@@ -357,6 +359,7 @@
 	       MULTIPORT => undef,
 	       XMULTIPORT => undef,
 	       CONNTRACK_MATCH => undef,
+	       NEW_CONNTRACK_MATCH => undef,
 	       USEPKTTYPE => undef,
 	       POLICY_MATCH => undef,
 	       PHYSDEV_MATCH => undef,
@@ -1368,6 +1371,10 @@
     qt1( "$iptables -N $sillyname" );
 
     $capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" );
+
+    if ( $capabilities{CONNTRACK_MATCH} ) {
+	$capabilities{NEW_CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack ! --ctorigdst 192.168.1.1 -j ACCEPT" );
+    }
     
     if ( qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" ) ) {
 	$capabilities{MULTIPORT}  = 1;
@@ -1400,7 +1407,7 @@
 	$capabilities{XCONNMARK_MATCH} = qt1( "$iptables -A $sillyname -m connmark --mark 2/0xFF -j ACCEPT" );
     }
 
-    $capabilities{IPP2P_MATCH}     = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --ipp2p -j ACCEPT" );
+    $capabilities{IPP2P_MATCH}     = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --edk -j ACCEPT" );
     $capabilities{LENGTH_MATCH}    = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" );
     $capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp-host-prohibited" );
     $capabilities{COMMENTS}        = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
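Review bot: changing the probe from `--ipp2p` to `--edk` fixes detection against the current ipp2p module only if `--edk` is also accepted by the older module versions still in use on Lenny systems; confirm that before upload, otherwise IPP2P_MATCH goes undetected there and the ipp2p.diff cited in the mail becomes a regression for exactly those users.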
@@ -1636,9 +1643,17 @@
     $globals{ORIGINAL_POLICY_MATCH} = $capabilities{POLICY_MATCH};
 
     if ( $config{LOGRATE} || $config{LOGBURST} ) {
-	 $globals{LOGLIMIT}  = '-m limit ';
-	 $globals{LOGLIMIT} .= "--limit $config{LOGRATE} "        if $config{LOGRATE};
-	 $globals{LOGLIMIT} .= "--limit-burst $config{LOGBURST} " if $config{LOGBURST};
+	if ( defined $config{LOGRATE} ) {
+	    fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE}  =~ /^\d+\/(second|minute)$/;
+	}
+	
+	if ( defined $config{LOGBURST} ) {
+	    fatal_error"Invalid LOGBURST ($config{LOGBURST})" unless $config{LOGBURST} =~ /^\d+$/;
+	}
+
+	$globals{LOGLIMIT}  = '-m limit ';
+	$globals{LOGLIMIT} .= "--limit $config{LOGRATE} "        if defined $config{LOGRATE};
+	$globals{LOGLIMIT} .= "--limit-burst $config{LOGBURST} " if defined $config{LOGBURST};
     } else {
 	$globals{LOGLIMIT} = '';
     }
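Review bot: the outer test is on truthiness (`$config{LOGRATE} || $config{LOGBURST}`) while the new inner tests use `defined`, so if LOGRATE is read from shorewall.conf as an empty string rather than undef and LOGBURST is set, the regex runs on `''` and the compile dies with "Invalid LOGRATE ()" where it previously emitted `--limit-burst` alone; test for non-empty values in both places (or undef empty ones first). Two smaller points: the regex admits only `/second` and `/minute`, so an existing LOGRATE such as `5/hour`, which the iptables limit match accepts, now fails at compile time and should be called out in the release notes; and `fatal_error"Invalid` is missing the space after the function name on both lines.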
Index: Shorewall-perl/Shorewall/Tc.pm
===================================================================
--- Shorewall-perl/Shorewall/Tc.pm	(.../tags/4.0.14)	(revision 8953)
+++ Shorewall-perl/Shorewall/Tc.pm	(.../branches/4.0)	(revision 8953)
@@ -271,7 +271,7 @@
 
     if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
 				     $restrictions{$chain} ,
-				     do_proto( $proto, $ports, $sports) . do_user( $user ) . do_test( $testval, $mask ) . do_tos( $tos ) ,
+				     do_proto( $proto, $ports, $sports) . do_user( $user ) . do_test( $testval, $mask ) . do_length( $length ) . do_tos( $tos ) ,
 				     $source ,
 				     $dest ,
 				     '' ,
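Review bot: `$length` is handed to do_length here, but nothing in this patch shows where it is read from the tcrules LENGTH column or validated; confirm the column is already parsed into `$length` in this function (the release note says support was merely incomplete) and that it defaults to `-` when the column is absent, since do_length only tests `ne '-'` and would otherwise emit `--length ` with an empty value.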
Index: Shorewall-perl/Shorewall/Rules.pm
===================================================================
--- Shorewall-perl/Shorewall/Rules.pm	(.../tags/4.0.14)	(revision 8953)
+++ Shorewall-perl/Shorewall/Rules.pm	(.../branches/4.0)	(revision 8953)
@@ -1002,6 +1002,11 @@
 	fatal_error "Missing DEST Qualifier ($dest)" if $2 eq '';
 	$destzone = $1;
 	$dest = $2;
+    } elsif ( $dest =~ /.*\..*\./ ) {
+	#
+	# Appears to be an address
+	#
+	$destzone = '-';
     } else {
 	$destzone = $dest;
 	$dest = ALLIPv4;
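Review bot: the "appears to be an address" test `/.*\..*\./` is just `/\..*\./` (the leading `.*` are redundant), i.e. any value with two dots, and it silently treats a dotted typo as an address with `$destzone = '-'`; expand the comment to say that rules with no zone in DEST were rejected before (release-note item 5) and name the later check that rejects a dotted value that is not an address, or add an explicit one here.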
@@ -1602,6 +1607,8 @@
 				if $hostref->{options}{broadcast};
 			}
 
+			clearrule;
+
 			next if $hostref->{options}{destonly}; 
 
 			my $source = match_source_net $net;
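Review bot: the bare `clearrule;` carries no explanation; add a comment stating that it resets the accumulated match state before the next iprange host so a match is not repeated within one rule when Repeat Match is unavailable (release-note item 3), and why it must sit before the `next if ... destonly` rather than after it.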
Index: Shorewall-perl/shorewall-perl.spec
===================================================================
--- Shorewall-perl/shorewall-perl.spec	(.../tags/4.0.14)	(revision 8953)
+++ Shorewall-perl/shorewall-perl.spec	(.../branches/4.0)	(revision 8953)
@@ -1,5 +1,5 @@
 %define name shorewall-perl
-%define version 4.0.14
+%define version 4.0.15
 %define release 0base
 
 Summary: Shoreline Firewall Perl-based compiler.
@@ -64,6 +64,8 @@
 %doc COPYING releasenotes.txt
 
 %changelog
+* Sat Oct 11 2008 Roberto C. Sanchez roberto@connexer.com
+- Updated to 4.0.15-0base
 * Mon Sep 22 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.0.14-0base
 * Sat Jul 26 2008 Tom Eastep tom@shorewall.net
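Review bot: the new %changelog entry is dated Sat Oct 11 2008, two months before the ipp2p change (r8953, Dec 8) that completes this release; set it to the actual 4.0.15 tag date when the tag is cut, in both the shorewall-perl and shorewall-shell spec files.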

Property changes on: Shorewall-perl
___________________________________________________________________
Name: svn:mergeinfo
   - 


Property changes on: Samples
___________________________________________________________________
Name: svn:mergeinfo
   - 

Index: Shorewall-shell/install.sh
===================================================================
--- Shorewall-shell/install.sh	(.../tags/4.0.14)	(revision 8953)
+++ Shorewall-shell/install.sh	(.../branches/4.0)	(revision 8953)
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.0.14
+VERSION=4.0.15
 
 usage() # $1 = exit status
 {
Index: Shorewall-shell/shorewall-shell.spec
===================================================================
--- Shorewall-shell/shorewall-shell.spec	(.../tags/4.0.14)	(revision 8953)
+++ Shorewall-shell/shorewall-shell.spec	(.../branches/4.0)	(revision 8953)
@@ -1,5 +1,5 @@
 %define name shorewall-shell
-%define version 4.0.14
+%define version 4.0.15
 %define release 0base
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -81,6 +81,8 @@
 %doc COPYING INSTALL 
 
 %changelog
+* Sat Oct 11 2008 Roberto C. Sanchez roberto@connexer.com
+- Updated to 4.0.15-0base
 * Mon Sep 22 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.0.14-0base
 * Sat Jul 26 2008 Tom Eastep tom@shorewall.net
Index: Shorewall-shell/compiler
===================================================================
--- Shorewall-shell/compiler	(.../tags/4.0.14)	(revision 8953)
+++ Shorewall-shell/compiler	(.../branches/4.0)	(revision 8953)
@@ -1674,8 +1674,18 @@
 	build_exclusion_chain chain filter "$excludesource" "$excludedest"
 
 	if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
+	    match='--ctorigdst'
+	    if [ -n "$NEW_CONNTRACK_MATCH" ]; then
+		case $adr in
+		    !*)
+			match='!--ctorigdst'
+			adr=${adr#!}
+			;;
+		esac
+	    fi
+
 	    for adr in $(separate_list $addr); do
-		run_iptables -A $logchain $state $(fix_bang $proto $multiport $sports $dports) $user -m conntrack --ctorigdst $adr -j $chain
+		run_iptables -A $logchain $state $(fix_bang $proto $multiport $sports $dports) $user -m conntrack $match $adr -j $chain
 	    done
 	    addr=
 	else
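Review bot: in this hunk the `case $adr in` block sits before the `for adr in $(separate_list $addr)` loop, so it inspects whatever `$adr` held from earlier code rather than each list element; negated entries in `$addr` therefore keep their `!` and `match` never becomes `!--ctorigdst`. Move the block inside the loop as the three later hunks do. Separately, `match='!--ctorigdst'` is a single shell word with no space, whereas the Perl compiler emits `-m conntrack ! --ctorigdst`; here `$match` is placed outside the `fix_bang` call, so confirm that run_iptables splits it into `! --ctorigdst` as iptables 1.4.1 expects.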
@@ -1891,14 +1901,24 @@
 __EOF__
 			    else
 				for adr in $(separate_list $addr); do
+				    match='--ctorigdst'
+				    if [ -n "$NEW_CONNTRACK_MATCH" ]; then
+					case $adr in
+					    !*)
+						match='!--ctorigdst'
+						adr=${adr#!}
+						;;
+					esac
+				    fi
+
 				    if [ -n "$loglevel" -a -z "$natrule" ]; then
-					log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \
+					log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack $match $adr \
 					    $user $mrk $(fix_bang $proto $multiport $sports $cli $srv $dports) $state
 				    fi
 
 				    if [ "$logtarget" != LOG ]; then
 					run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports \
-					    $srv $dports -m conntrack --ctorigdst $adr $user $mrk -j $target
+					    $srv $dports -m conntrack $match $adr $user $mrk -j $target
 				    fi
 				done
 			    fi
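Review bot: this is the second of four identical copies of the `match=` / `case $adr` block in this file; factor it into one small function that sets `match` and strips the leading `!` from its argument, so a later fix is not missed in one copy, as already happened in the first hunk where the block landed outside the loop.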
@@ -1958,20 +1978,30 @@
 
 	if [ -n "$addr" ]; then
 	    for adr in $(separate_list $addr); do
+		match='--ctorigdst'
+		if [ -n "$NEW_CONNTRACK_MATCH" ]; then
+		    case $adr in
+			!*)
+			    match='!--ctorigdst'
+			    adr=${adr#!}
+			    ;;
+		    esac
+		fi
+
 		if [ -n "$loglevel" ]; then
 		    log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
-			$state $(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack --ctorigdst $adr)
+			$state $(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack $match $adr)
 		fi
 
 		if [ "$logtarget" != LOG ]; then
 		    if [ -n "$nonat" ]; then
 			addnatrule $(dnat_chain $source) $proto $multiport \
-			    $cli $sports $dports $ratelimit $user $mrk  -m conntrack --ctorigdst $adr -j RETURN
+			    $cli $sports $dports $ratelimit $user $mrk  -m conntrack $match $adr -j RETURN
 		    fi
 
 		    if [ "$logtarget" != NONAT ]; then
 			run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \
-			    $sports $dports $ratelimit $user $mrk  -m conntrack --ctorigdst $adr -j $target
+			    $sports $dports $ratelimit $user $mrk  -m conntrack $match $adr -j $target
 		    fi
 		fi
 	    done
@@ -3670,7 +3700,17 @@
 		    #
 		    # We have connection tracking match -- match on the original destination
 		    #
-		    run_iptables2 -A $chain -m conntrack --ctorigdst $network -j $target
+		    match='--ctorigdst'
+		    if [ -n "$NEW_CONNTRACK_MATCH" ]; then
+			case $network in
+			    !*)
+				match='!--ctorigdst'
+				network=${network#!}
+				;;
+			esac
+		    fi
+
+		    run_iptables2 -A $chain -m conntrack $match $network -j $target
 		elif [ -n "$MANGLE_ENABLED" ]; then
 		    #
 		    # No connection tracking match but we have mangling -- add a rule to
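Review bot: `network=${network#!}` rewrites the variable in place rather than a temporary, so if `$network` is referenced after this `if` chain it has silently lost its negation; unless it is known to be dead here, use a local copy (e.g. `net=${network#!}`) for the run_iptables2 call.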

Property changes on: Shorewall-shell
___________________________________________________________________
Name: svn:mergeinfo
   - 

Index: Shorewall-common/uninstall.sh
===================================================================
--- Shorewall-common/uninstall.sh	(.../tags/4.0.14)	(revision 8953)
+++ Shorewall-common/uninstall.sh	(.../branches/4.0)	(revision 8953)
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.0.14
+VERSION=4.0.15
 
 usage() # $1 = exit status
 {
Index: Shorewall-common/changelog.txt
===================================================================
--- Shorewall-common/changelog.txt	(.../tags/4.0.14)	(revision 8953)
+++ Shorewall-common/changelog.txt	(.../branches/4.0)	(revision 8953)
@@ -1,3 +1,18 @@
+Changes in 4.0.15
+
+1)  Fix iptables conntrack syntax when using newer versions of
+iptables.
+
+2)  Apply Lennart Sorensen's patch to finish LENGTH matching.
+
+3)  Prevent invalid rules when KLUDGEFREE is not set.
+
+4)  Document DISABLE_IPV6 in shorewall.conf man page.
+
+5)  Fix nonat rules with destination IP address.
+
+6) Change ipp2p detection to support latest version.
+
 Changes in 4.0.14
 
 1)  Fix handling of 'all-' in shorewall-shell.
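Review bot: entry 1) wraps "iptables." flush left instead of indented under the item text, and entry 6) has one space after the number where the others have two; align both with the existing entries. Also add an entry for the --dports split fix (Chains.pm `> 15` to `> 14`), which is in this diff but listed nowhere for 4.0.15.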
@@ -2,2 +17,4 @@
 
+2)  Fix bashism in handling of options in Debian init script.
+
 Changes in 4.0.13
Index: Shorewall-common/started
===================================================================
--- Shorewall-common/started	(.../tags/4.0.14)	(revision 8953)
+++ Shorewall-common/started	(.../branches/4.0)	(revision 8953)
@@ -8,7 +8,7 @@
 #	extension script and /etc/shorewall/start is that this one is invoked
 #	after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and
 #	after the 'shorewall' chain has been created (thus signaling that the
-#	firewall is completely up.
+#	firewall is completely up).
 #
 #	This script should not change the firewall configuration directly but
 #	may do so indirectly by running /sbin/shorewall with the 'nolock'
Index: Shorewall-common/install.sh
===================================================================
--- Shorewall-common/install.sh	(.../tags/4.0.14)	(revision 8953)
+++ Shorewall-common/install.sh	(.../branches/4.0)	(revision 8953)
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.0.14
+VERSION=4.0.15
 
 usage() # $1 = exit status
 {
Index: Shorewall-common/releasenotes.txt
===================================================================
--- Shorewall-common/releasenotes.txt	(.../tags/4.0.14)	(revision 8953)
+++ Shorewall-common/releasenotes.txt	(.../branches/4.0)	(revision 8953)
@@ -1,4 +1,4 @@
-Shorewall 4.0 Patch release 14.
+Shorewall 4.0 Patch release 15.
 
 ----------------------------------------------------------------------------
                R E L E A S E  4 . 0  H I G H L I G H T S
@@ -26,27 +26,49 @@
    Shorewall-perl compiler. This support utilizes the reduced-function
    physdev match support available in Linux kernel 2.6.20 and later.
 
-Problems Corrected in Shorewall-shell 4.0.14.
-1)  If 'all-' appears in the DEST column of /etc/shorewall/rules and
-    the SOURCE column is not some form of 'all', then $FW was
-    incorrectly included in the DEST. 
+Problems Corrected in Shorewall 4.0.15.
 
+1)  Beginning with iptables version 1.4.1, the syntax for commands using the
+    conntrack module has changed.  Shorewall now detects if the installed
+    version of iptables requires the new syntax.
+
+2)  Support for the LENGTH column in /etc/shorewall/tcrules was
+    incomplete in Shorewall-perl with the result that the LENGTH column
+    was ignored. Thanks go to Lennart Sorensen for the patch.
+
+3)  When ipranges were used to define zones, Shorewall-perl could
+    generate invalid iptables-restore input if 'Repeat Match' was not
+    available. Repeat Match is not a true match -- it rather is a
+    feature of recent iptables releases that allows a match to be
+    repeated within a rule.
+
+4)  The DISABLE_IPV6 option has been documented in the shorewall.conf
+    man page.  The option has been there all along, but it was not
+    previously documented in the man page.
+
+5)  If a no-NAT rule (DNAT-, ACCEPT+, NONAT) included a destination IP
+    address and no zone name in the DEST column, Shorewall-perl would
+    reject the rule. If a zone name was specified, Shorewall-perl
+    would issue a Warning message.
+
+3)  Following the Netfilter tradition, the IPP2P maintainer has made an
+    incompatible syntax change (the --ipp2p option has been
+    removed). Shorewall has always used "-m ipp2p --ipp2p" when
+    detecting the presence of IPP2P support.
+
+    Shorewall-common and Shorewall-perl have been modified to use
+    "-m ipp2p --edk" instead.
+
 Known Problems Remaining.
 
 1)  The 'refresh' command doesn't refresh the mangle table. So changes
     made to /etc/shorewall/providers and/or /etc/shorewall/tcrules may
     not be reflected in the running ruleset.
 
-Other changes in Shorewall 4.0.13.
+Other changes in Shorewall 4.0.15.
 
-1)  Beginning with Shorewall 4.0.0, the -f option was no longer the
-    default for '/etc/init.d/shorewall start'. Beginning with 4.0.13,
-    this is also true for Shoreawall-lite.
+None.
 
-2)  A macro supporting RNDC (BIND remote management protocol) traffic
-    has been added.  It can be used as any other macro (e.g., RNDC/ACCEPT)
-    in the rules file.
-
 Migration Considerations:
 
 1)  Beginning with Shorewall 4.0.0, there is no single 'shorewall'
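Review bot: the IPP2P item under "Problems Corrected in Shorewall 4.0.15" is numbered 3) but follows 5); renumber it 6) so the list reads 1 through 6.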
@@ -915,226 +937,27 @@
     (compiler, shorewall-common and shorewall-lite) must be version
     4.0.0-RC2 or later.
 
-Problems corrected in Shorewall-perl 4.0.6.
+Problems Corrected in Shorewall 4.0.14.
 
-1)  In a DNAT or REDIRECT rule, if no serverport was given and the DEST
-    PORT(S) list contained a service name containing a hyphen ("-") then
-    an ERROR was generated.
+1)  If 'all-' appears in the DEST column of /etc/shorewall/rules and
+    the SOURCE column is not some form of 'all', then $FW was
+    incorrectly included in the DEST. 
 
-    Example -- Rules file:
+2)  A bashism has been corrected in the init script shipped for Debian
+    and Debian-like distributions which prevented the proper options
+    from being passed to /sbin/shorewall or /sbin/shorewall-lite in
+    some cases.
 
-	DNAT    net     loc:$WINDOWS_IP tcp     https,pptp,ms-wbt-server,4125
+Other changes in Shorewall 4.0.14.
 
-    Results in:
+1)  Beginning with Shorewall 4.0.0, the -f option was no longer the
+    default for '/etc/init.d/shorewall start'. Beginning with 4.0.13,
+    this is also true for Shoreawall-lite.
 
-        ERROR: Invalid port range (ms:wbt:server) : rules (line 49)
+2)  A macro supporting RNDC (BIND remote management protocol) traffic
+    has been added.  It can be used as any other macro (e.g., RNDC/ACCEPT)
+    in the rules file.
 
-    Problem was introduced in Shorewall 4.0.5 and does not occur in
-    earlier releases.
-
-2)  If a long destination port list needed to be broken at a port pair,
-    the generated rule contained an extra comma which resulted in an
-    iptables-restore failure.
-
-3)  Several problems involving port ranges and port lists in REDIRECT
-    rules have been corrected.
-
-4)  Shorewall-perl no longer requires an address in the GATEWAY column
-    of /etc/shorewall/tunnels. If the column is left empty (or contains
-    '-') then 0.0.0.0/0 is assumed.
-
-5)  Previously with Shorewall-perl, redirecting both STDOUT and STDERR
-    to the same file descriptor resulted in scrambled output between
-    the two. The error messages were often in the middle of the
-    regular output far ahead of the point where the error occurred.
-
-    This problem was possible in the Debian Shorewall init script
-    (/etc/init.d/shorewall) which redirects output to the
-    Debian-specific /var/log/shorewall-init.log file in this way:
-
-        $SRWL $SRWL_OPTS start >> $INITLOG 2>&1 && ...
-
-6)  With both compilers, when HIGH_ROUTE_MARKS=Yes, unpredictable
-    results could occur when marking in the PREROUTING or OUTPUT
-    chains. When a rule specified a mark value > 255, the compilers
-    were using the '--or-mark' operator rather than the '--set-mark'
-    operator. Consequently, when a packet matched more than one
-    rule, the resulting routing mark was the logical product of the
-    mark values in the matching rules rather than the mark value from
-    the last matching rule.
-
-    Example:
-
-        0x100        192.168.1.44        0.0.0.0/0
-        0x200        0.0.0.0/0        0.0.0.0/0        tcp        25
-
-    A TCP packet from 192.168.1.44 with destination port 25 would have
-    a  mark value of 0x300 rather than the expected value of 0x200.
-
-7)  Previously, a 'start -f' on Shorewall Lite would produce the
-    following distressing output before starting the firewall:
-
-    make: *** No rule to make target `/firewall', needed by
-    `/var/lib/shorewall-lite/restore'.  Stop.
-
-    Furthermore, the Makefile for both Shorewall and Shorewall Lite
-    failed to take into account the /etc/shorewall/vardir file.
-
-    This has been corrected. As part of the fix, both /sbin/shorewall
-    and /sbin/shorewall-lite support a "show vardir" command that
-    displays the VARDIR setting.
-
-8)  Shorewall-perl was previously ignoring the USER/GROUP column of the
-    tcrules file.
-
-9)  Supplying the name of a built-in chain in the 'refresh' command
-    caused entries in the chain to be duplicated. Since this is a
-    feature of iptables-restore with the '-n' option, built-in chains
-    in the 'refresh' list will now be rejected.
-
-Other changes in Shorewall 4.0.6.
-
-1)  Shorewall-perl now uses the '--physdev-is-bridged' option when it
-    is available. This option will suppress messages like the following:
-
-    kernel: physdev match: using --physdev-out in the OUTPUT, FORWARD and
-    POSTROUTING chains for non-bridged traffic is not supported
-    anymore.
-
-    This change only affects users who use bport/bport4 zones in a
-    briged configuration and requires that capabilities files be
-    regenerated using Shorewall-common or Shorewall-lite 4.0.6.
-
-2)  Shorewall-perl now allows you to embed Shell or Perl scripts in
-    all configuration files except /etc/shorewall/params and
-    /etc/shorewall/shorewall.conf (As always, you can continue to
-    include arbitrary shell code in /etc/shorewall/params).
-
-    To embed a one-line script, use one of the following:
-
-        SHELL <shell script>
-        PERL <perl script>
-
-    For multi-line scripts, use:
-
-        BEGIN SHELL
-        <shell script>
-        END SHELL
-
-        BEGIN PERL
-        <perl script>
-        END PERL
-
-    For SHELL scripts, the output from the script is processed as if it
-    were part of the file.
-
-    Example 1 (Shell): To generate SMTP/ACCEPT rules from zones a b c d
-    and e to the firewall:
-
-        Either:
-
-            BEGIN SHELL 
-            for z in a b c d e; do
-                echo SMTP/ACCEPT $z fw tcp 25
-            done
-            END SHELL
-
-        or
-
-            SHELL for z in a b c d e; do echo SMTP/ACCEPT $z fw tcp 25; done
-
-    Either is equivalent to:
-
-        SMTP/ACCEPT a fw tcp 25
-        SMTP/ACCEPT b fw tcp 25
-        SMTP/ACCEPT c fw tcp 25
-        SMTP/ACCEPT d fw tcp 25
-        SMTP/ACCEPT e fw tcp 25
-
-    With a Perl script, if you want to output text to be processed as
-    if it were part of the file, then pass the text to the shorewall()
-    function.
-
-    Example 2 (Perl): To generate SMTP/ACCEPT rules from zones a b c d
-    and e to the firewall:
-
-          BEGIN PERL 
-          for ( qw/a b c d e/ ) { 
-              shorewall "SMTP/ACCEPT $_ fw tcp 25";
-          }
-          END PERL
-
-    PERL scripts have access to any context accumulated in earlier PERL
-    scripts. All such embedded Perl, as well as conventional Perl
-    extension scripts are placed in the Shorewall::User package. That
-    way, your global variables and functions won't conflict with any of
-    Shorewall's.
-
-    To allow you to load Perl modules and initialize any global state,
-    a new 'compile' compile-time extension script has been added. It is
-    called early in the compilation process.
-
-    For additional information, see
-
-    - http://www.shorewall.net/configuration_file_basics.html#Embedded
-
-3)  To complement Embedded Perl scripts, Shorewall 4.0.6 allows Perl
-    scripts to create filter chains using
-    Shorewall::Chains::new_manual_chain() and then use the chain as a
-    target in subsequent entries in /etc/shorewall/rules.
-
-    See http://www.shorewall.net/ManualChains.html for information.
-
-4)  The 'hits' command now accepts a -t option which limits the report
-    to those log records generated today.
-
-5)  A DONT_LOAD option has been added to shorewall.conf. If there are
-    kernel modules that you don't wish to have loaded, you can list
-    them in this entry as a comma-separated list.
-
-    Example:
-
-        DONT_LOAD=nf_conntrack_sip,nf_nat_sip
-
-6)  Shorewall-perl now supports the --random option of the iptables
-    SNAT, MASQUERADE, DNAT and REDIRECT targets. Please note that
-    iptables support for this option is currently broken for the DNAT
-    and REDIRECT targets; I've sent a patch to the Netfilter team.
-
-    For MASQUERADE, simply place the word 'random' in the ADDRESS
-    column. This causes Netfilter to randomize the source port seen by
-    the remote host.
-
-     Example:
-
-        #INTERFACE        SOURCE        ADDRESS
-        eth0                eth1        random    
-
-    For SNAT, follow the port list by ":random".
-
-    Example:
-
-        #INTERFACE        SOURCE        ADDRESS
-        eth0                eth1        206.124.146.179:10000-10999:random
-
-    For DNAT, follow the port list by ":random".
-
-    Example:
-
-        #ACTION SOURCE  DEST                            PROTO   DEST
-        #                                               PORT(S)
-        DNAT    net     loc:192.168.1.4:40-50:random    tcp     22
-
-    For REDIRECT, you must use the fully-qualified form of the DEST:
-
-        #ACTION         SOURCE  DEST                    PROTO   DEST
-        #                                               PORT(S)
-        REDIRECT        net     $FW::40-50:random       tcp     22
-
-    Note that ':random' is only effective with SNAT, DNAT and REDIRECT
-    when a port range is specified in the ADDRESS/DEST column. It is
-    ignored by iptables/iptables-restore otherwise.
-
 Problems corrected in Shorewall 4.0.13.
 
 1) When DYNAMIC_ZONES=Yes, certain configurations would produce an
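Review bot: the re-added "Other changes in Shorewall 4.0.14" text carries the typo "Shoreawall-lite" over from the removed lines; since the line is being rewritten anyway, change it to "Shorewall-lite".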
@@ -1457,6 +1280,226 @@
 
     xxxx        eth0:~00-02-02-02-02-02 ...
 
+Problems corrected in Shorewall-perl 4.0.6.
+
+1)  In a DNAT or REDIRECT rule, if no serverport was given and the DEST
+    PORT(S) list contained a service name containing a hyphen ("-") then
+    an ERROR was generated.
+
+    Example -- Rules file:
+
+	DNAT    net     loc:$WINDOWS_IP tcp     https,pptp,ms-wbt-server,4125
+
+    Results in:
+
+        ERROR: Invalid port range (ms:wbt:server) : rules (line 49)
+
+    Problem was introduced in Shorewall 4.0.5 and does not occur in
+    earlier releases.
+
+2)  If a long destination port list needed to be broken at a port pair,
+    the generated rule contained an extra comma which resulted in an
+    iptables-restore failure.
+
+3)  Several problems involving port ranges and port lists in REDIRECT
+    rules have been corrected.
+
+4)  Shorewall-perl no longer requires an address in the GATEWAY column
+    of /etc/shorewall/tunnels. If the column is left empty (or contains
+    '-') then 0.0.0.0/0 is assumed.
+
+5)  Previously with Shorewall-perl, redirecting both STDOUT and STDERR
+    to the same file descriptor resulted in scrambled output between
+    the two. The error messages were often in the middle of the
+    regular output far ahead of the point where the error occurred.
+
+    This problem was possible in the Debian Shorewall init script
+    (/etc/init.d/shorewall) which redirects output to the
+    Debian-specific /var/log/shorewall-init.log file in this way:
+
+        $SRWL $SRWL_OPTS start >> $INITLOG 2>&1 && ...
+
+6)  With both compilers, when HIGH_ROUTE_MARKS=Yes, unpredictable
+    results could occur when marking in the PREROUTING or OUTPUT
+    chains. When a rule specified a mark value > 255, the compilers
+    were using the '--or-mark' operator rather than the '--set-mark'
+    operator. Consequently, when a packet matched more than one
+    rule, the resulting routing mark was the logical product of the
+    mark values in the matching rules rather than the mark value from
+    the last matching rule.
+
+    Example:
+
+        0x100        192.168.1.44        0.0.0.0/0
+        0x200        0.0.0.0/0        0.0.0.0/0        tcp        25
+
+    A TCP packet from 192.168.1.44 with destination port 25 would have
+    a  mark value of 0x300 rather than the expected value of 0x200.
+
+7)  Previously, a 'start -f' on Shorewall Lite would produce the
+    following distressing output before starting the firewall:
+
+    make: *** No rule to make target `/firewall', needed by
+    `/var/lib/shorewall-lite/restore'.  Stop.
+
+    Furthermore, the Makefile for both Shorewall and Shorewall Lite
+    failed to take into account the /etc/shorewall/vardir file.
+
+    This has been corrected. As part of the fix, both /sbin/shorewall
+    and /sbin/shorewall-lite support a "show vardir" command that
+    displays the VARDIR setting.
+
+8)  Shorewall-perl was previously ignoring the USER/GROUP column of the
+    tcrules file.
+
+9)  Supplying the name of a built-in chain in the 'refresh' command
+    caused entries in the chain to be duplicated. Since this is a
+    feature of iptables-restore with the '-n' option, built-in chains
+    in the 'refresh' list will now be rejected.
+
+Other changes in Shorewall 4.0.6.
+
+1)  Shorewall-perl now uses the '--physdev-is-bridged' option when it
+    is available. This option will suppress messages like the following:
+
+    kernel: physdev match: using --physdev-out in the OUTPUT, FORWARD and
+    POSTROUTING chains for non-bridged traffic is not supported
+    anymore.
+
+    This change only affects users who use bport/bport4 zones in a
+    briged configuration and requires that capabilities files be
+    regenerated using Shorewall-common or Shorewall-lite 4.0.6.
+
+2)  Shorewall-perl now allows you to embed Shell or Perl scripts in
+    all configuration files except /etc/shorewall/params and
+    /etc/shorewall/shorewall.conf (As always, you can continue to
+    include arbitrary shell code in /etc/shorewall/params).
+
+    To embed a one-line script, use one of the following:
+
+        SHELL <shell script>
+        PERL <perl script>
+
+    For multi-line scripts, use:
+
+        BEGIN SHELL
+        <shell script>
+        END SHELL
+
+        BEGIN PERL
+        <perl script>
+        END PERL
+
+    For SHELL scripts, the output from the script is processed as if it
+    were part of the file.
+
+    Example 1 (Shell): To generate SMTP/ACCEPT rules from zones a b c d
+    and e to the firewall:
+
+        Either:
+
+            BEGIN SHELL 
+            for z in a b c d e; do
+                echo SMTP/ACCEPT $z fw tcp 25
+            done
+            END SHELL
+
+        or
+
+            SHELL for z in a b c d e; do echo SMTP/ACCEPT $z fw tcp 25; done
+
+    Either is equivalent to:
+
+        SMTP/ACCEPT a fw tcp 25
+        SMTP/ACCEPT b fw tcp 25
+        SMTP/ACCEPT c fw tcp 25
+        SMTP/ACCEPT d fw tcp 25
+        SMTP/ACCEPT e fw tcp 25
+
+    With a Perl script, if you want to output text to be processed as
+    if it were part of the file, then pass the text to the shorewall()
+    function.
+
+    Example 2 (Perl): To generate SMTP/ACCEPT rules from zones a b c d
+    and e to the firewall:
+
+          BEGIN PERL 
+          for ( qw/a b c d e/ ) { 
+              shorewall "SMTP/ACCEPT $_ fw tcp 25";
+          }
+          END PERL
+
+    PERL scripts have access to any context accumulated in earlier PERL
+    scripts. All such embedded Perl, as well as conventional Perl
+    extension scripts are placed in the Shorewall::User package. That
+    way, your global variables and functions won't conflict with any of
+    Shorewall's.
+
+    To allow you to load Perl modules and initialize any global state,
+    a new 'compile' compile-time extension script has been added. It is
+    called early in the compilation process.
+
+    For additional information, see
+
+    - http://www.shorewall.net/configuration_file_basics.html#Embedded
+
+3)  To complement Embedded Perl scripts, Shorewall 4.0.6 allows Perl
+    scripts to create filter chains using
+    Shorewall::Chains::new_manual_chain() and then use the chain as a
+    target in subsequent entries in /etc/shorewall/rules.
+
+    See http://www.shorewall.net/ManualChains.html for information.
+
+4)  The 'hits' command now accepts a -t option which limits the report
+    to those log records generated today.
+
+5)  A DONT_LOAD option has been added to shorewall.conf. If there are
+    kernel modules that you don't wish to have loaded, you can list
+    them in this entry as a comma-separated list.
+
+    Example:
+
+        DONT_LOAD=nf_conntrack_sip,nf_nat_sip
+
+6)  Shorewall-perl now supports the --random option of the iptables
+    SNAT, MASQUERADE, DNAT and REDIRECT targets. Please note that
+    iptables support for this option is currently broken for the DNAT
+    and REDIRECT targets; I've sent a patch to the Netfilter team.
+
+    For MASQUERADE, simply place the word 'random' in the ADDRESS
+    column. This causes Netfilter to randomize the source port seen by
+    the remote host.
+
+     Example:
+
+        #INTERFACE        SOURCE        ADDRESS
+        eth0                eth1        random    
+
+    For SNAT, follow the port list by ":random".
+
+    Example:
+
+        #INTERFACE        SOURCE        ADDRESS
+        eth0                eth1        206.124.146.179:10000-10999:random
+
+    For DNAT, follow the port list by ":random".
+
+    Example:
+
+        #ACTION SOURCE  DEST                            PROTO   DEST
+        #                                               PORT(S)
+        DNAT    net     loc:192.168.1.4:40-50:random    tcp     22
+
+    For REDIRECT, you must use the fully-qualified form of the DEST:
+
+        #ACTION         SOURCE  DEST                    PROTO   DEST
+        #                                               PORT(S)
+        REDIRECT        net     $FW::40-50:random       tcp     22
+
+    Note that ':random' is only effective with SNAT, DNAT and REDIRECT
+    when a port range is specified in the ADDRESS/DEST column. It is
+    ignored by iptables/iptables-restore otherwise.
+
 Problems corrected in Shorewall 4.0.5.
 
 1)  Previously, Shorewall-perl misprocessed $FW::<port> in the DEST
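Review bot: two wording problems in the re-added 4.0.6 notes. In item 6) of "Problems corrected", "logical product" is the wrong term: --or-mark ORs the rule's value into the existing mark, so the result is the bitwise OR (the logical sum) of the matching rules' marks, which is exactly why the example yields 0x300 from 0x100 and 0x200; a logical product (AND) of those two values would be 0. In item 1) of "Other changes", "briged" should be "bridged". Because this block is being restored verbatim rather than newly written, the stale "I've sent a patch to the Netfilter team" remark can stay as history, but the two fixes above are cheap to make while the text is moving anyway.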
Index: Shorewall-common/lib.base
===================================================================
--- Shorewall-common/lib.base	(.../tags/4.0.14)	(revision 8953)
+++ Shorewall-common/lib.base	(.../branches/4.0)	(revision 8953)
@@ -35,7 +35,7 @@
 #
 
 SHOREWALL_LIBVERSION=40000
-SHOREWALL_CAPVERSION=40006
+SHOREWALL_CAPVERSION=40015
 
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
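Review bot: the SHOREWALL_CAPVERSION bump to 40015 is consistent with the NEW_CONNTRACK_MATCH capability added further down in this file (a capabilities file written by an older lib.base would lack that key), and leaving SHOREWALL_LIBVERSION at 40000 is fine since the library interface itself is unchanged. The practical consequence, though, is that every Shorewall-lite system pre-seeded with a 4.0.14 capabilities file has to regenerate it with 4.0.15, and nothing in the release-notes hunks of this diff says so.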
@@ -979,6 +979,7 @@
     qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
 
     CONNTRACK_MATCH=
+    NEW_CONNTRACK_MATCH=
     MULTIPORT=
     XMULTIPORT=
     POLICY_MATCH=
@@ -1026,6 +1027,10 @@
 
     qt $IPTABLES -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
 
+    if [ -n "$CONNTRACK_MATCH" ]; then
+	qt $IPTABLES -A $chain -m conntrack ! --ctorigdst 192.168.1.1 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes
+    fi
+
     if qt $IPTABLES -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then
 	MULTIPORT=Yes
 	qt $IPTABLES -A $chain -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes
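Review bot: the NEW_CONNTRACK_MATCH probe is guarded the right way: it only runs once plain `-m conntrack --ctorigdst` is known to work, so a failure means specifically that the `! --option` negation syntax is unsupported rather than that the match is missing. Two things to confirm before release: the probe rule is appended to $chain like its neighbours, so it is flushed with them; and nothing in this patch consumes NEW_CONNTRACK_MATCH beyond the report_capability line, so check that the Shorewall-perl capability reader (Config.pm, whose only hunk here is the ipp2p change) accepts the new key when it loads a Lite capabilities file.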
@@ -1057,7 +1062,7 @@
 	qt $IPTABLES -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
     fi
 
-    qt $IPTABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT            && IPP2P_MATCH=Yes
+    qt $IPTABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT              && IPP2P_MATCH=Yes
     qt $IPTABLES -A $chain -m length --length 10:20 -j ACCEPT           && LENGTH_MATCH=Yes
     qt $IPTABLES -A $chain -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
 
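Review bot: this one-line ipp2p change is repeated at the end of the message as the separate lib.base hunk of ipp2p.diff (revision 8952 to 8953), so a packager who applies both attachments will get an already-applied reject on the second; treat ipp2p.diff as a subset of this diff rather than something to apply on top. Probing with a single protocol sub-option (--edk) instead of the removed --ipp2p umbrella option is the right approach provided --edk is accepted by both the old and the new ipp2p, and the Config.pm hunk below makes the same switch, so the shell and Perl capability probes stay in agreement.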
@@ -1126,6 +1131,7 @@
 	report_capability "Multi-port Match" $MULTIPORT
 	[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
 	report_capability "Connection Tracking Match" $CONNTRACK_MATCH
+	report_capability "New Connection Tracking Match Syntax" $NEW_CONNTRACK_MATCH
 	report_capability "Packet Type Match" $USEPKTTYPE
 	report_capability "Policy Match" $POLICY_MATCH
 	report_capability "Physdev Match" $PHYSDEV_MATCH
Index: Shorewall-common/shorewall-common.spec
===================================================================
--- Shorewall-common/shorewall-common.spec	(.../tags/4.0.14)	(revision 8953)
+++ Shorewall-common/shorewall-common.spec	(.../branches/4.0)	(revision 8953)
@@ -1,5 +1,5 @@
 %define name shorewall-common
-%define version 4.0.14
+%define version 4.0.15
 %define release 0base
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -244,6 +244,8 @@
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
 
 %changelog
+* Sat Oct 11 2008 Roberto C. Sanchez roberto@connexer.com
+- Updated to 4.0.15-0base
 * Mon Sep 22 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.0.14-0base
 * Sat Jul 26 2008 Tom Eastep tom@shorewall.net
Index: Shorewall-common/fallback.sh
===================================================================
--- Shorewall-common/fallback.sh	(.../tags/4.0.14)	(revision 8953)
+++ Shorewall-common/fallback.sh	(.../branches/4.0)	(revision 8953)
@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.0.14
+VERSION=4.0.15
 
 usage() # $1 = exit status
 {

Property changes on: Shorewall-common
___________________________________________________________________
Name: svn:mergeinfo
   - 


Property changes on: manpages-lite
___________________________________________________________________
Name: svn:mergeinfo
   - 

Index: Shorewall-lite/install.sh
===================================================================
--- Shorewall-lite/install.sh	(.../tags/4.0.14)	(revision 8953)
+++ Shorewall-lite/install.sh	(.../branches/4.0)	(revision 8953)
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.0.14
+VERSION=4.0.15
 
 usage() # $1 = exit status
 {
Index: Shorewall-lite/uninstall.sh
===================================================================
--- Shorewall-lite/uninstall.sh	(.../tags/4.0.14)	(revision 8953)
+++ Shorewall-lite/uninstall.sh	(.../branches/4.0)	(revision 8953)
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.0.14
+VERSION=4.0.15
 
 usage() # $1 = exit status
 {
Index: Shorewall-lite/shorewall-lite.spec
===================================================================
--- Shorewall-lite/shorewall-lite.spec	(.../tags/4.0.14)	(revision 8953)
+++ Shorewall-lite/shorewall-lite.spec	(.../branches/4.0)	(revision 8953)
@@ -1,5 +1,5 @@
 %define name shorewall-lite
-%define version 4.0.14
+%define version 4.0.15
 %define release 0base
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@@ -98,6 +98,8 @@
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Sat Oct 11 2008 Roberto C. Sanchez roberto@connexer.com
+- Updated to 4.0.15-0base
 * Mon Sep 22 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.0.14-0base
 * Sat Jul 26 2008 Tom Eastep tom@shorewall.net
Index: Shorewall-lite/fallback.sh
===================================================================
--- Shorewall-lite/fallback.sh	(.../tags/4.0.14)	(revision 8953)
+++ Shorewall-lite/fallback.sh	(.../branches/4.0)	(revision 8953)
@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.0.14
+VERSION=4.0.15
 
 usage() # $1 = exit status
 {
Index: Shorewall-lite/init.debian.sh
===================================================================
--- Shorewall-lite/init.debian.sh	(.../tags/4.0.14)	(revision 8953)
+++ Shorewall-lite/init.debian.sh	(.../branches/4.0)	(revision 8953)
@@ -66,7 +66,7 @@
 if [ -f "/etc/default/shorewall-lite" ]
 then
 	. /etc/default/shorewall-lite
-	$SRWL_OPTS+="$OPTIONS"
+	SRWL_OPTS="$SRWL_OPTS $OPTIONS"
 	if [ "$startup" != "1" ]
 	then
 		not_configured
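Review bot: good catch; the old line `$SRWL_OPTS+="$OPTIONS"` is not an assignment at all in sh. The shell expands $SRWL_OPTS first and then tries to execute whatever is left as a command (with SRWL_OPTS empty, a command literally named `+=...`), so OPTIONS from /etc/default/shorewall-lite was silently dropped and the shell most likely printed a "not found" error at boot. The replacement `SRWL_OPTS="$SRWL_OPTS $OPTIONS"` is the portable form; the only residue is a leading space when SRWL_OPTS starts out empty, which is harmless because the variable is expanded unquoted on the `$SRWL $SRWL_OPTS start` line.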

Property changes on: Shorewall-lite
___________________________________________________________________
Name: svn:mergeinfo
   - 

Index: manpages/shorewall-interfaces.xml
===================================================================
--- manpages/shorewall-interfaces.xml	(.../tags/4.0.14)	(revision 8953)
+++ manpages/shorewall-interfaces.xml	(.../branches/4.0)	(revision 8953)
@@ -22,7 +22,7 @@
     <title>Description</title>
 
     <para>The interfaces file serves to define the firewall's network
-    interfaces to Shorewall.The order of entries in this file is not
+    interfaces to Shorewall. The order of entries in this file is not
     significant in determining zone composition.</para>
 
     <para>The columns in the file are as follows.</para>
@@ -73,7 +73,7 @@
 
           <para>Care must be exercised when using wildcards where there is
           another zone that uses a matching specific interface. See <ulink
-          url="shorewall-nesting.html">shorewall-nesting</ulink>(8) for a
+          url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for a
           discussion of this problem.</para>
 
           <para>There is no need to define the loopback interface (lo) in this
Index: manpages/shorewall.conf.xml
===================================================================
--- manpages/shorewall.conf.xml	(.../tags/4.0.14)	(revision 8953)
+++ manpages/shorewall.conf.xml	(.../branches/4.0)	(revision 8953)
@@ -1,4 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd";>
 <refentry>
   <refmeta>
     <refentrytitle>shorewall.conf</refentrytitle>
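Review bot: as rendered here the added DOCTYPE ends in `";>` rather than `">`. If that semicolon is really in the committed file the document is not well-formed XML and the manpage build will fail; if it is only the list archive decorating a quoted URL, there is nothing to do. Please check the file in the branch; the same pattern appears in the shorewall.xml hunk below.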
@@ -452,6 +454,21 @@
       </varlistentry>
 
       <varlistentry>
+        <term><emphasis role="bold">DISABLE_IPV6=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>If set to <emphasis role="bold">Yes</emphasis> or <emphasis
+          role="bold">yes</emphasis>, IPv6 traffic to, from and through the
+          firewall system is disabled. If set to <emphasis
+          role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
+          Shorewall will take no action with respect to allowing or
+          disallowing IPv6 traffic. If not specified or empty,
+          “DISABLE_IPV6=No” is assumed.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term><emphasis
         role="bold">DONT_LOAD=</emphasis>[<emphasis>module</emphasis>[,<emphasis>module</emphasis>]...]</term>
 
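Review bot: the new DISABLE_IPV6 entry should spell out the consequence of the default. As written, No means Shorewall takes no action on IPv6, and since this is an iptables (IPv4) firewall that leaves whatever IPv6 traffic the kernel accepts entirely unfiltered by Shorewall; an admin of a dual-stack host needs to read that they must either set DISABLE_IPV6=Yes or maintain ip6tables rules themselves. It would also help to say how Yes is implemented (what gets installed and in which chains) so the effect can be verified with ip6tables -L after a start.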
@@ -1469,7 +1486,7 @@
           <para>While Shorewall Actions can be very useful, they also require
           a sizable amount of code to implement. By setting USE_ACTIONS=No,
           embedded Shorewall installations can omit the large library
-          /usr/share/shorewall/lib.actions.</para>
+          /usr/share/shorewall-shell/lib.actions.</para>
 
           <note>
             <para>USE_ACTIONS=No is not supported by Shorewall-perl.</para>
@@ -1522,4 +1539,4 @@
     shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
     shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
   </refsect1>
-</refentry>
\ No newline at end of file
+</refentry>
Index: manpages/shorewall.xml
===================================================================
--- manpages/shorewall.xml	(.../tags/4.0.14)	(revision 8953)
+++ manpages/shorewall.xml	(.../branches/4.0)	(revision 8953)
@@ -1,4 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd";>
 <refentry>
   <refmeta>
     <refentrytitle>shorewall</refentrytitle>
@@ -1053,6 +1055,16 @@
           SHOREWALL_COMPILER setting in <ulink
           url="shorewall.conf.html">shorewall.conf</ulink>(5) determines the
           compiler to use.</para>
+
+          <warning>
+            <para>If you use Shorewall's multi-ISP feature, you are stronly
+            advised against using the -C option of the
+            <command>safe-restart</command> command when switching between
+            Shorewall-shell and Shorewall-perl. The only supported way to
+            switch compilers is to <command>shorewall stop</command> followed
+            by <command>shorewall safe-start -C</command>
+            <replaceable>compiler</replaceable></para>
+          </warning>
         </listitem>
       </varlistentry>
 
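Review bot: typo in the new warning: "stronly" should be "strongly". The identical paragraph is pasted into the next hunk as well, with the same typo, so fix both; and since both copies refer to `safe-restart`, double-check that the second copy sits under the entry it is meant for rather than being a straight duplicate of the first.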
@@ -1091,6 +1103,16 @@
           SHOREWALL_COMPILER setting in <ulink
           url="shorewall.conf.html">shorewall.conf</ulink>(5) determines the
           compiler to use.</para>
+
+          <warning>
+            <para>If you use Shorewall's multi-ISP feature, you are stronly
+            advised against using the -C option of the
+            <command>safe-restart</command> command when switching between
+            Shorewall-shell and Shorewall-perl. The only supported way to
+            switch compilers is to <command>shorewall stop</command> followed
+            by <command>shorewall safe-start -C</command>
+            <replaceable>compiler</replaceable></para>
+          </warning>
         </listitem>
       </varlistentry>
 

Property changes on: manpages
___________________________________________________________________
Name: svn:mergeinfo
   - 

Index: Shorewall-perl/Shorewall/Config.pm
===================================================================
--- Shorewall-perl/Shorewall/Config.pm	(revision 8952)
+++ Shorewall-perl/Shorewall/Config.pm	(revision 8953)
@@ -1407,7 +1407,7 @@
 	$capabilities{XCONNMARK_MATCH} = qt1( "$iptables -A $sillyname -m connmark --mark 2/0xFF -j ACCEPT" );
     }
 
-    $capabilities{IPP2P_MATCH}     = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --ipp2p -j ACCEPT" );
+    $capabilities{IPP2P_MATCH}     = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --edk -j ACCEPT" );
     $capabilities{LENGTH_MATCH}    = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" );
     $capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp-host-prohibited" );
     $capabilities{COMMENTS}        = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
Index: Shorewall-common/changelog.txt
===================================================================
--- Shorewall-common/changelog.txt	(revision 8952)
+++ Shorewall-common/changelog.txt	(revision 8953)
@@ -11,6 +11,8 @@
 
 5)  Fix nonat rules with destination IP address.
 
+6) Change ipp2p detection to support latest version.
+
 Changes in 4.0.14
 
 1)  Fix handling of 'all-' in shorewall-shell.
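Review bot: style nit: the new entry "6) Change ipp2p ..." uses a single space after the number while the neighbouring entries use two ("5)  Fix ...", "1)  Fix ..."); align it so the list stays uniform.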
Index: Shorewall-common/releasenotes.txt
===================================================================
--- Shorewall-common/releasenotes.txt	(revision 8952)
+++ Shorewall-common/releasenotes.txt	(revision 8953)
@@ -51,6 +51,14 @@
     reject the rule. If a zone name was specified, Shorewall-perl
     would issue a Warning message.
 
+3)  Following the Netfilter tradition, the IPP2P maintainer has made an
+    incompatible syntax change (the --ipp2p option has been
+    removed). Shorewall has always used "-m ipp2p --ipp2p" when
+    detecting the presence of IPP2P support.
+
+    Shorewall-common and Shorewall-perl have been modified to use
+    "-m ipp2p --edk" instead.
+
 Known Problems Remaining.
 
 1)  The 'refresh' command doesn't refresh the mangle table. So changes
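Review bot: the new note 3) explains the syntax change but not what a user has to do about it. Together with the SHOREWALL_CAPVERSION bump in lib.base it means Shorewall-lite systems must regenerate their capabilities files with 4.0.15 before the new probe takes effect, and a full system simply needs a restart so lib.base re-detects IPP2P_MATCH; both should be stated here, since a stale capabilities file would quietly report IPP2P as unavailable.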
Index: Shorewall-common/lib.base
===================================================================
--- Shorewall-common/lib.base	(revision 8952)
+++ Shorewall-common/lib.base	(revision 8953)
@@ -1062,7 +1062,7 @@
 	qt $IPTABLES -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
     fi
 
-    qt $IPTABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT            && IPP2P_MATCH=Yes
+    qt $IPTABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT              && IPP2P_MATCH=Yes
     qt $IPTABLES -A $chain -m length --length 10:20 -j ACCEPT           && LENGTH_MATCH=Yes
     qt $IPTABLES -A $chain -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
 
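Review bot: this hunk is byte-for-byte the same change already present in the full 4.0.14 to 4.0.15 diff above (the ipp2p probe switching from --ipp2p to --edk), just expressed against revision 8952; it is the ipp2p.diff attachment, not an additional change. Apply one or the other, not both.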

Attachment: signature.asc
Description: Digital signature