diff -Nru shorewall6-5.1.12.1/changelog.txt shorewall6-5.1.12.2/changelog.txt
--- shorewall6-5.1.12.1/changelog.txt 2018-02-09 21:10:31.000000000 +0000
+++ shorewall6-5.1.12.2/changelog.txt 2018-02-21 20:03:42.000000000 +0000
@@ -1,3 +1,19 @@
+Changes in 5.1.12.2
+
+1) Update release documents.
+
+2) Alter documentation to prefer ';;' over ';' in INLINE and
+ IP[6]TABLES rules.
+
+3) Make 'update' convert ';' to ';;' in INLINE, IPTABLES and IP6TABLES
+ rules.
+
+4) Correct typo that resulted in an "unknown function" Perl diagnostic.
+
+4) Correct "Invalid policy" message.
+
+5) Fix omitted SYN limiting.
+
 Changes in 5.1.12.1
 1) Update release documents.
diff -Nru shorewall6-5.1.12.1/configfiles/conntrack.annotated shorewall6-5.1.12.2/configfiles/conntrack.annotated
--- shorewall6-5.1.12.1/configfiles/conntrack.annotated 2018-02-09 21:10:34.000000000 +0000
+++ shorewall6-5.1.12.2/configfiles/conntrack.annotated 2018-02-21 20:03:46.000000000 +0000
@@ -44,7 +44,8 @@
 #
 # ACTION - {NOTRACK|CT:helper:name[(arg=val[,...])|CT:ctevents:event[,...]|
 # CT:expevents:new|CT:notrack|DROP|LOG|ULOG(ulog-parameters):NFLOG(
-# nflog-parameters)|IPTABLES(target)}[log-level[:log-tag]][:chain-designator]
+# nflog-parameters)|IP[6]TABLES(target)}[log-level[:log-tag]][:
+# chain-designator]
 #
 # This column is only present when FORMAT >= 2. Values other than NOTRACK or
 # DROP require CT Target support in your iptables and kernel.
@@ -135,8 +136,24 @@
 # Added in Shorewall 4.5.10. Silently discard the packet. If a log-level
 # is specified, the packet will also be logged at that level.
 #
+# □ IP6TABLES(target)
+#
+# IPv6 only.
+#
+# Added in Shorewall 4.6.0. Allows you to specify any iptables target
+# with target options (e.g., "IP6TABLES(AUDIT --type drop)"). If the
+# target is not one recognized by Shorewall, the following error message
+# will be issued:
+
+# ERROR: Unknown target (target)
+
+# This error message may be eliminated by adding target as a builtin
+# action in shorewall-actions(5).
+#
 # □ IPTABLES(target)
 #
+# IPv4 only.
+#
 # Added in Shorewall 4.6.0. Allows you to specify any iptables target
 # with target options (e.g., "IPTABLES(AUDIT --type drop)"). If the
 # target is not one recognized by Shorewall, the following error message
diff -Nru shorewall6-5.1.12.1/configfiles/mangle.annotated shorewall6-5.1.12.2/configfiles/mangle.annotated
--- shorewall6-5.1.12.1/configfiles/mangle.annotated 2018-02-09 21:10:36.000000000 +0000
+++ shorewall6-5.1.12.2/configfiles/mangle.annotated 2018-02-21 20:03:48.000000000 +0000
@@ -233,30 +233,21 @@
 # INLINE[(action)]
 #
 # Allows you to place your own ip[6]tables matches at the end of the line
-# following a semicolon (";"). If an action is specified, the compiler
-# proceeds as if that action had been specified in this column. If no
-# action is specified, then you may include your own jump ("-j target [
-# option] ...") after any matches specified at the end of the rule. If
-# the target is not one known to Shorewall, then it must be defined as a
-# builtin action in shorewall-actions (5).
+# following two semicolons (";;") (preferred) or a single semicolon (";")
+# (deprecated). If an action is specified, the compiler proceeds as if
+# that action had been specified in this column. If no action is
+# specified, then you may include your own jump ("-j target [option]
+# ...") after any matches specified at the end of the rule. If the target
+# is not one known to Shorewall, then it must be defined as a builtin
+# action in shorewall-actions (5).
 #
 # The following rules are equivalent:
 #
 # 2:P eth0 - tcp 22
 # INLINE(MARK(2)):P eth0 - tcp 22
-# INLINE(MARK(2)):P eth0 - ; -p tcp
-# INLINE eth0 - tcp 22 ; -j MARK --set-mark 2
-# INLINE eth0 - ; -p tcp -j MARK --set-mark 2
-#
-# If INLINE_MATCHES=Yes in shorewall6.conf(5) then the third rule above
-# can be specified as follows:
-#
-# MARK(2):P eth0 - ; -p tcp
-#
-# Beginning with Shorewall 5.0.0, the rule may also be written this way,
-# irrespective of the setting of INLINE_MATCHES:
-#
-# MARK(2):P eth0 - ;; -p tcp
+# INLINE(MARK(2)):P eth0 - ;; -p tcp
+# INLINE eth0 - tcp 22 ;; -j MARK --set-mark 2
+# INLINE eth0 - ;; -p tcp -j MARK --set-mark 2
 #
 # IPMARK
 #
@@ -328,8 +319,24 @@
 # as in the example above so that all of your minor classes will have a
 # value > 256.
 #
+# IP6TABLES({target [option ...])
+#
+# IPv6 only.
+#
+# This action allows you to specify an iptables target with options
+# (e.g., 'IP6TABLES(MARK --set-xmark 0x01/0xff)'. If the target is not
+# one recognized by Shorewall, the following error message will be
+# issued:
+
+# ERROR: Unknown target (target)
+
+# This error message may be eliminated by adding the target as a builtin
+# action in shorewall-actions(5).
+#
 # IPTABLES({target [option ...])
 #
+# IPv4 only.
+#
 # This action allows you to specify an iptables target with options
 # (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If the target is not one
 # recognized by Shorewall, the following error message will be issued:
diff -Nru shorewall6-5.1.12.1/configfiles/rules.annotated shorewall6-5.1.12.2/configfiles/rules.annotated
--- shorewall6-5.1.12.1/configfiles/rules.annotated 2018-02-09 21:10:41.000000000 +0000
+++ shorewall6-5.1.12.2/configfiles/rules.annotated 2018-02-21 20:03:53.000000000 +0000
@@ -262,10 +262,11 @@
 #
 # Added in Shorewall 4.5.16. This action allows you to construct most of
 # the rule yourself using iptables syntax. The part that you specify must
-# follow a semicolon (';') and is completely free-form. If the target of
-# the rule (the part following 'j') is something that Shorewall supports
-# in the ACTION column, then you may enclose it in parentheses (e.g.,
-# INLINE(ACCEPT)). Otherwise, you can include it after the semicolon. In
+# follow two semicolons (';;') (preferred) or a single semicolon (';')
+# (deprecated) and is completely free-form. If the target of the rule
+# (the part following 'j') is something that Shorewall supports in the
+# ACTION column, then you may enclose it in parentheses (e.g., INLINE
+# (ACCEPT)). Otherwise, you can include it after the semicolon(s). In
 # this case, you must declare the target as a builtin action in
 # shorewall-actions(5).
 #
@@ -280,7 +281,7 @@
 # but they will not necessarily be at the end of the generated rule.
 # For example, if addresses are specified in the SOURCE and/or DEST
 # columns, their generated matches will appear after those specified
-# using ';'.
+# using ';;' or ';'.
 #
 # IPTABLES({iptables-target [option ...])
 #
diff -Nru shorewall6-5.1.12.1/configure shorewall6-5.1.12.2/configure
--- shorewall6-5.1.12.1/configure 2018-02-09 21:10:31.000000000 +0000
+++ shorewall6-5.1.12.2/configure 2018-02-21 20:03:42.000000000 +0000
@@ -28,7 +28,7 @@
 #
 # Build updates this
 #
-VERSION=5.1.12.1
+VERSION=5.1.12.2
 case "$BASH_VERSION" in
 [4-9].*)
diff -Nru shorewall6-5.1.12.1/configure.pl shorewall6-5.1.12.2/configure.pl
--- shorewall6-5.1.12.1/configure.pl 2018-02-09 21:10:31.000000000 +0000
+++ shorewall6-5.1.12.2/configure.pl 2018-02-21 20:03:42.000000000 +0000
@@ -31,7 +31,7 @@
 # Build updates this
 #
 use constant {
- VERSION => '5.1.12.1'
+ VERSION => '5.1.12.2'
 };
 my %params;
diff -Nru shorewall6-5.1.12.1/debian/changelog shorewall6-5.1.12.2/debian/changelog
--- shorewall6-5.1.12.1/debian/changelog 2018-02-10 12:04:11.000000000 +0000
+++ shorewall6-5.1.12.2/debian/changelog 2018-02-23 02:00:27.000000000 +0000
@@ -1,3 +1,9 @@
+shorewall6 (5.1.12.2-1) unstable; urgency=medium
+
+ * New Upstream Version
+
+ -- Roberto C. Sanchez Thu, 22 Feb 2018 21:00:27 -0500
+
 shorewall6 (5.1.12.1-1) unstable; urgency=medium
 * New Upstream Version
diff -Nru shorewall6-5.1.12.1/install.sh shorewall6-5.1.12.2/install.sh
--- shorewall6-5.1.12.1/install.sh 2018-02-09 21:10:31.000000000 +0000
+++ shorewall6-5.1.12.2/install.sh 2018-02-21 20:03:42.000000000 +0000
@@ -22,7 +22,7 @@
 # along with this program; if not, see .
 #
-VERSION=5.1.12.1
+VERSION=5.1.12.2
 usage() # $1 = exit status
 {
diff -Nru shorewall6-5.1.12.1/manpages/shorewall6.8 shorewall6-5.1.12.2/manpages/shorewall6.8
--- shorewall6-5.1.12.1/manpages/shorewall6.8 2018-02-09 21:10:32.000000000 +0000
+++ shorewall6-5.1.12.2/manpages/shorewall6.8 2018-02-21 20:03:43.000000000 +0000
@@ -2,12 +2,12 @@
 .\" Title: shorewall6
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.79.1
-.\" Date: 02/09/2018
+.\" Date: 02/21/2018
 .\" Manual: Administrative Commands
 .\" Source: Administrative Commands
 .\" Language: English
 .\"
-.TH "SHOREWALL6" "8" "02/09/2018" "Administrative Commands" "Administrative Commands"
+.TH "SHOREWALL6" "8" "02/21/2018" "Administrative Commands" "Administrative Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru shorewall6-5.1.12.1/releasenotes.txt shorewall6-5.1.12.2/releasenotes.txt
--- shorewall6-5.1.12.1/releasenotes.txt 2018-02-09 21:10:31.000000000 +0000
+++ shorewall6-5.1.12.2/releasenotes.txt 2018-02-21 20:03:42.000000000 +0000
@@ -1,7 +1,7 @@
 ----------------------------------------------------------------------------
- S H O R E W A L L 5 . 1 . 1 2 . 1
+ S H O R E W A L L 5 . 1 . 1 2 . 2
 -------------------------------
- F e b r u a r y 0 9 , 2 0 1 8
+ F e b r u a r y 2 1 , 2 0 1 8
 ----------------------------------------------------------------------------
 I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,6 +14,36 @@
 I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
 ----------------------------------------------------------------------------
+5.1.12.2
+
+1) The 5.1.12 change that emits warnings when INLINE_MATCHES=Yes did
+ not issue a warning when a single semicolon was used to introduce
+ inline matches in INLINE, IPTABLES and IP6TABLES rules. That has
+ been corrected. Additionally, 'shorewall[6] update' now replaces
+ ';' with ';;' in those rules.
+
+ As part of that change, the documentation has been modified to
+ prefer ';;' over ';' to introduce inline matches in those rules.
+
+2) The 'shorewall[6] update' command now replaces a single semicolon
+ with double semicolons in INLINE, IPTABLES and IP6TABLES rules.
+
+3) A typo has been corrected so that the following error message is
+ now printed correctly.
+
+ ERROR: The REJECT_ACTION () is not terminating
+
+ Previously, an "unknown function" Perl diagnostic was issued in its
+ place.
+
+4) Previously, if a policy action specification in shorewall[6].conf
+ or in the policy file included a log tag, a garbled error message
+ was issued. That has been corrected.
+
+5) Under rare rare circumstances, syn flood limiting specified in a
+ policy was previously not enforced by the generated ruleset. That
+ has been corrected.
+
 5.1.12.1
 1) The macro SSDPServer released in 5.1.12 inadvertently contained the
diff -Nru shorewall6-5.1.12.1/Samples6/one-interface/rules.annotated shorewall6-5.1.12.2/Samples6/one-interface/rules.annotated
--- shorewall6-5.1.12.1/Samples6/one-interface/rules.annotated 2018-02-09 21:10:49.000000000 +0000
+++ shorewall6-5.1.12.2/Samples6/one-interface/rules.annotated 2018-02-21 20:04:01.000000000 +0000
@@ -266,10 +266,11 @@
 #
 # Added in Shorewall 4.5.16. This action allows you to construct most of
 # the rule yourself using iptables syntax. The part that you specify must
-# follow a semicolon (';') and is completely free-form. If the target of
-# the rule (the part following 'j') is something that Shorewall supports
-# in the ACTION column, then you may enclose it in parentheses (e.g.,
-# INLINE(ACCEPT)). Otherwise, you can include it after the semicolon. In
+# follow two semicolons (';;') (preferred) or a single semicolon (';')
+# (deprecated) and is completely free-form. If the target of the rule
+# (the part following 'j') is something that Shorewall supports in the
+# ACTION column, then you may enclose it in parentheses (e.g., INLINE
+# (ACCEPT)). Otherwise, you can include it after the semicolon(s). In
 # this case, you must declare the target as a builtin action in
 # shorewall-actions(5).
 #
@@ -284,7 +285,7 @@
 # but they will not necessarily be at the end of the generated rule.
 # For example, if addresses are specified in the SOURCE and/or DEST
 # columns, their generated matches will appear after those specified
-# using ';'.
+# using ';;' or ';'.
 #
 # IPTABLES({iptables-target [option ...])
 #
diff -Nru shorewall6-5.1.12.1/Samples6/three-interfaces/rules.annotated shorewall6-5.1.12.2/Samples6/three-interfaces/rules.annotated
--- shorewall6-5.1.12.1/Samples6/three-interfaces/rules.annotated 2018-02-09 21:10:53.000000000 +0000
+++ shorewall6-5.1.12.2/Samples6/three-interfaces/rules.annotated 2018-02-21 20:04:04.000000000 +0000
@@ -266,10 +266,11 @@
 #
 # Added in Shorewall 4.5.16. This action allows you to construct most of
 # the rule yourself using iptables syntax. The part that you specify must
-# follow a semicolon (';') and is completely free-form. If the target of
-# the rule (the part following 'j') is something that Shorewall supports
-# in the ACTION column, then you may enclose it in parentheses (e.g.,
-# INLINE(ACCEPT)). Otherwise, you can include it after the semicolon. In
+# follow two semicolons (';;') (preferred) or a single semicolon (';')
+# (deprecated) and is completely free-form. If the target of the rule
+# (the part following 'j') is something that Shorewall supports in the
+# ACTION column, then you may enclose it in parentheses (e.g., INLINE
+# (ACCEPT)). Otherwise, you can include it after the semicolon(s). In
 # this case, you must declare the target as a builtin action in
 # shorewall-actions(5).
 #
@@ -284,7 +285,7 @@
 # but they will not necessarily be at the end of the generated rule.
 # For example, if addresses are specified in the SOURCE and/or DEST
 # columns, their generated matches will appear after those specified
-# using ';'.
+# using ';;' or ';'.
 #
 # IPTABLES({iptables-target [option ...])
 #
diff -Nru shorewall6-5.1.12.1/Samples6/two-interfaces/rules.annotated shorewall6-5.1.12.2/Samples6/two-interfaces/rules.annotated
--- shorewall6-5.1.12.1/Samples6/two-interfaces/rules.annotated 2018-02-09 21:10:57.000000000 +0000
+++ shorewall6-5.1.12.2/Samples6/two-interfaces/rules.annotated 2018-02-21 20:04:08.000000000 +0000
@@ -266,10 +266,11 @@
 #
 # Added in Shorewall 4.5.16. This action allows you to construct most of
 # the rule yourself using iptables syntax. The part that you specify must
-# follow a semicolon (';') and is completely free-form. If the target of
-# the rule (the part following 'j') is something that Shorewall supports
-# in the ACTION column, then you may enclose it in parentheses (e.g.,
-# INLINE(ACCEPT)). Otherwise, you can include it after the semicolon. In
+# follow two semicolons (';;') (preferred) or a single semicolon (';')
+# (deprecated) and is completely free-form. If the target of the rule
+# (the part following 'j') is something that Shorewall supports in the
+# ACTION column, then you may enclose it in parentheses (e.g., INLINE
+# (ACCEPT)). Otherwise, you can include it after the semicolon(s). In
 # this case, you must declare the target as a builtin action in
 # shorewall-actions(5).
 #
@@ -284,7 +285,7 @@
 # but they will not necessarily be at the end of the generated rule.
 # For example, if addresses are specified in the SOURCE and/or DEST
 # columns, their generated matches will appear after those specified
-# using ';'.
+# using ';;' or ';'.
 #
 # IPTABLES({iptables-target [option ...])
 #
diff -Nru shorewall6-5.1.12.1/Samples6/Universal/rules.annotated shorewall6-5.1.12.2/Samples6/Universal/rules.annotated
--- shorewall6-5.1.12.1/Samples6/Universal/rules.annotated 2018-02-09 21:11:01.000000000 +0000
+++ shorewall6-5.1.12.2/Samples6/Universal/rules.annotated 2018-02-21 20:04:12.000000000 +0000
@@ -262,10 +262,11 @@
 #
 # Added in Shorewall 4.5.16. This action allows you to construct most of
 # the rule yourself using iptables syntax. The part that you specify must
-# follow a semicolon (';') and is completely free-form. If the target of
-# the rule (the part following 'j') is something that Shorewall supports
-# in the ACTION column, then you may enclose it in parentheses (e.g.,
-# INLINE(ACCEPT)). Otherwise, you can include it after the semicolon. In
+# follow two semicolons (';;') (preferred) or a single semicolon (';')
+# (deprecated) and is completely free-form. If the target of the rule
+# (the part following 'j') is something that Shorewall supports in the
+# ACTION column, then you may enclose it in parentheses (e.g., INLINE
+# (ACCEPT)). Otherwise, you can include it after the semicolon(s). In
 # this case, you must declare the target as a builtin action in
 # shorewall-actions(5).
 #
@@ -280,7 +281,7 @@
 # but they will not necessarily be at the end of the generated rule.
 # For example, if addresses are specified in the SOURCE and/or DEST
 # columns, their generated matches will appear after those specified
-# using ';'.
+# using ';;' or ';'.
 #
 # IPTABLES({iptables-target [option ...])
 #
diff -Nru shorewall6-5.1.12.1/shorewall6.spec shorewall6-5.1.12.2/shorewall6.spec
--- shorewall6-5.1.12.1/shorewall6.spec 2018-02-09 21:10:31.000000000 +0000
+++ shorewall6-5.1.12.2/shorewall6.spec 2018-02-21 20:03:42.000000000 +0000
@@ -1,6 +1,6 @@
 %define name shorewall6
 %define version 5.1.12
-%define release 1
+%define release 2
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -114,6 +114,8 @@
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 %changelog
+* Sat Feb 10 2018 Tom Eastep tom@shorewall.net
+- Updated to 5.1.12-2
 * Fri Feb 09 2018 Tom Eastep tom@shorewall.net
 - Updated to 5.1.12-1
 * Tue Feb 06 2018 Tom Eastep tom@shorewall.net
diff -Nru shorewall6-5.1.12.1/uninstall.sh shorewall6-5.1.12.2/uninstall.sh
--- shorewall6-5.1.12.1/uninstall.sh 2018-02-09 21:10:31.000000000 +0000
+++ shorewall6-5.1.12.2/uninstall.sh 2018-02-21 20:03:42.000000000 +0000
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
-VERSION=5.1.12.1
+VERSION=5.1.12.2
 usage() # $1 = exit status
 {