diff -Nru shorewall6-5.2.1.4/changelog.txt shorewall6-5.2.2/changelog.txt --- shorewall6-5.2.1.4/changelog.txt 2018-12-16 18:10:51.000000000 +0000 +++ shorewall6-5.2.2/changelog.txt 2019-01-17 20:37:22.000000000 +0000 @@ -1,3 +1,37 @@ +Changes in 5.2.2 Final + +1) Update release documents. + +2) Increase the 'wait' interface option setting limit. + +2Changes in 5.2.2 RC 1 + +1) Update release documents. + +2) Allow inline matches in the conntrack file. + +3) Tighten check for early matches. + +4) Support '+' in INLINE() accounting rules. + +Changes in 5.2.2 Beta 2 + +1) Update release documents. + +2) Add comments to the Provider, Zones and Misc Perl modules. + +3) Add NetManager gateway detection. + +Changes in 5.2.2 Beta 1 + +1) Update release documents. + +2) New macros from Vincas Dargis. + +3) Config.pm cleanup. + +4) Deprecate ULOG. + Changes in 5.2.1.4 1) Update release documents. @@ -24,7 +58,7 @@ 2) Fix an assertion failure during 'check -r' when DOCKER=Yes. -3) Implement SW_CONFDIR support. +3) Implement SWCONFDIR upport. 4) Correct HELPER requires message. @@ -55,7 +89,7 @@ 1) Update release documents. 2) Apply rate limiting in the nat table rather than in the filter -table. + table. 3) Apply fix for Perl 5.23. diff -Nru shorewall6-5.2.1.4/configfiles/providers.annotated shorewall6-5.2.2/configfiles/providers.annotated --- shorewall6-5.2.1.4/configfiles/providers.annotated 2018-12-16 18:11:01.000000000 +0000 +++ shorewall6-5.2.2/configfiles/providers.annotated 2019-01-17 20:37:31.000000000 +0000 @@ -214,7 +214,8 @@ # routing table and into the provider's routing table. hostroute is # required for older distributions but nohostroute (below) is appropriate # for recent distributions. hostroute may interfere with Zebra's ability -# to add routes on some distributions such as Debian 7. +# to add routes on some distributions such as Debian 7. This option +# defaults to on when BALANCE_PROVIDERS=Yes, in shorewall.conf(5). # # nohostroute # @@ -223,7 +224,8 @@ # and into the provider's routing table. nohostroute is not appropriate # for older distributions but is appropriate for recent distributions. # nohostroute allows Zebra's to correctly add routes on some -# distributions such as Debian 7. +# distributions such as Debian 7. This option defaults to off when +# BALANCE_PROVIDERS=Yes, in shorewall.conf(5). # # persistent # diff -Nru shorewall6-5.2.1.4/configure shorewall6-5.2.2/configure --- shorewall6-5.2.1.4/configure 2018-12-16 18:10:51.000000000 +0000 +++ shorewall6-5.2.2/configure 2019-01-17 20:37:22.000000000 +0000 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.2.1.4 +VERSION=5.2.2 case "$BASH_VERSION" in [4-9].*) diff -Nru shorewall6-5.2.1.4/configure.pl shorewall6-5.2.2/configure.pl --- shorewall6-5.2.1.4/configure.pl 2018-12-16 18:10:51.000000000 +0000 +++ shorewall6-5.2.2/configure.pl 2019-01-17 20:37:22.000000000 +0000 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.2.1.4' + VERSION => '5.2.2' }; my %params; diff -Nru shorewall6-5.2.1.4/debian/changelog shorewall6-5.2.2/debian/changelog --- shorewall6-5.2.1.4/debian/changelog 2018-12-16 20:17:51.000000000 +0000 +++ shorewall6-5.2.2/debian/changelog 2019-01-18 12:59:46.000000000 +0000 @@ -1,3 +1,10 @@ +shorewall6 (5.2.2-1) unstable; urgency=medium + + * New Upstream Version + * Update to Standards-Version 4.3.0 (no changes) + + -- Roberto C. Sanchez Fri, 18 Jan 2019 07:59:46 -0500 + shorewall6 (5.2.1.4-1) unstable; urgency=medium * New Upstream Version diff -Nru shorewall6-5.2.1.4/debian/control shorewall6-5.2.2/debian/control --- shorewall6-5.2.1.4/debian/control 2018-12-16 20:17:51.000000000 +0000 +++ shorewall6-5.2.2/debian/control 2019-01-18 12:59:46.000000000 +0000 @@ -4,7 +4,7 @@ Maintainer: Roberto C. Sanchez Homepage: http://www.shorewall.net Build-Depends: debhelper (>= 9), po-debconf -Standards-Version: 4.2.1 +Standards-Version: 4.3.0 Vcs-Browser: https://sourceforge.net/p/shorewall/debian/ci/shorewall6/master/~/tree/ Vcs-Git: git://git.code.sf.net/p/shorewall/debian diff -Nru shorewall6-5.2.1.4/install.sh shorewall6-5.2.2/install.sh --- shorewall6-5.2.1.4/install.sh 2018-12-16 18:10:51.000000000 +0000 +++ shorewall6-5.2.2/install.sh 2019-01-17 20:37:22.000000000 +0000 @@ -22,7 +22,7 @@ # along with this program; if not, see . # -VERSION=5.2.1.4 +VERSION=5.2.2 usage() # $1 = exit status { diff -Nru shorewall6-5.2.1.4/manpages/shorewall6.8 shorewall6-5.2.2/manpages/shorewall6.8 --- shorewall6-5.2.1.4/manpages/shorewall6.8 2018-12-16 18:10:53.000000000 +0000 +++ shorewall6-5.2.2/manpages/shorewall6.8 2019-01-17 20:37:24.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: shorewall6 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 -.\" Date: 12/16/2018 +.\" Date: 01/17/2019 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL6" "8" "12/16/2018" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL6" "8" "01/17/2019" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru shorewall6-5.2.1.4/releasenotes.txt shorewall6-5.2.2/releasenotes.txt --- shorewall6-5.2.1.4/releasenotes.txt 2018-12-16 18:10:51.000000000 +0000 +++ shorewall6-5.2.2/releasenotes.txt 2019-01-17 20:37:22.000000000 +0000 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 2 . 1 . 4 + S H O R E W A L L 5 . 2 . 2 ------------------------------- - D E C E M B E R 1 6 , 2 0 1 8 + J A N U A R Y 1 7 , 2 0 1 9 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE @@ -14,141 +14,12 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -5.2.1.4 - -1) A change in 5.2.0.5 that corrected an ip[6]tables error in the - UNTRACKED section of the rules file, changed the name of the chain - used to hold UNTRACKED rules. Previously, the chain was named - &z1-z2, where 'z1' is the source zone and 'z2' is the - destination; after the change, the chain was named =z1-z2. - Unfortunately, some log messages generated out of these chains - still referred to &z1-z2; that has been corrected. - -2) Some dead/silly code has been removed from two functions in - the Chains.pm Perl module. The two functions have been combined - into a single function. - -3) When the RATE column contains both a source and a destination rate, - it was previously impossible to specifiy a netmask (VLSM) on either - rate. Attempting to specify a mask would result in: - - ERROR: Invalid rate (...) - - That has been corrected. Note that when specifying a - netmask, the leading 's' or 'd' may not be omitted. - -4) Several typos in the man pages have been corrected (Roberto - Sánchez). - -5.2.1.3 - -1) When a configuration had optional interfaces but no providers, the - 'status -i' command previously would fail to show interface status - for interfaces that had not been disabled or enabled since the - last start, restart or reload. That has been corrected. - -5.2.1.2 - -1) The fix for DOCKER=Yes in 5.2.1.1 inadvertantly results in an - assertion failure when processing a 'check -r' command when - DOCKER=Yes. That has been corrected. As part of that change, - empty 'cat' commands in the generated script were eliminated. - -2) When the HELPER target is used with an empty HELPER column, the - error message produced previously incorrectly read: - - ERROR: HELPER require requires that ... - - That has been corrected so that the message now reads: - - ERROR: HELPER requires that ... - -3) On Centos 7, the following journal message appeared when Shorewall - attempted to load kernel modules: - - nf_log: can't load ipt_ULOG, conflicting nfnetlink_log already - loaded - - To eliminate that message, Shorewall no longer attempts to load - ipt_ULOG. Note that most current distributions no longer support - ULOG. Current users of ULOG should convert to using NFLOG at the - earliest opportunity. - -5.2.1.1 - -1) The Perl module versions were not updated for the 5.2.1 - release. That has been corrected. - -2) The lib.common file previously confused Emacs such that editing the - file in shell mode was awkward. Because lib.common is included in - compiled scripts, this defect also made editing a compiled script - awkward. The issue has been resolved, so that the file now renders - properly in Emacs's shell mode. - -3) Previously, if ip6tables-restore failed during Shorewall6 start, - restart or reload, the resulting error message indicated that - iptables-load had failed. That has been corrected. - -4) Setting Docker=Yes did not work correctly with Docker version - 18.03.1-ce. In that version, the DOCKER-ISOLATION chain was - replaced by a pair of chains: DOCKER-ISOLATION-STAGE-1 and - DOCKER-ISOLATION-STAGE-2. That has been corrected. As part of this - change, Shorewall now correctly handles the DOCKER-USER chain as - well as the two new isolation chains. - -5) Previously, if there were multiple 'balance' providers and more - than one of them were experiencing carrier loss, then the 'enable' and - 'disable' operations could fail. That has been corrected. - -5.2.1 - -1) This release contains defect repair up through Shorewall 5.2.0.5. - -2) Previously, if: - - a) IP[6]TABLES was not set in shorewall[6].conf; and - b) The ip[6]tables binary was not found on the PATH. - - then a shell 'not found' error on 'fatal-error' was generated. That - has been corrected (Matt Darfeuille) +1) This release includes defect repair through Shorewall 5.2.1.4. -3) A number of files in the Shorewall-common package have had their - heading version updated to version 5.2 (Matt Darfeuille). - -4) Previously, if statistical load balancing ('load=' in - provider OPTIONS) was configured on providers that shared an - interface, then the compiler would die with an assertion - failure. That has been corrected so that this combination now works - as expected. - -5) Where two or more providers share a network interface, the - 'optional' interface/provider option has never worked correctly. - Beginning with this release, the 'optional' option is disallowed - on such interfaces and providers. - -6) Previously, when rate limiting was applied to a DNAT or - REDIRECT rule, rate limiting was applied to the accompanying - ACCEPT rule. Since logging is applied in the DNAT/REDIRECT rule, if - the connection failed the rate limit then the connection attempt - could be logged twice - once in the nat table and once when the - applicable policy was applied. Beginning with this release, rate - limiting is applied to the DNAT/REDIRECT rule so that no nat-table - logging occurs if the connection attempt exceeds the rate limit. - -7) Some regular expressions used in Shorewall's Perl code will be - disallowed by Perl version 5.23. These have been changed to be - acceptable to that version of Perl. - -8) Previously, if SNAT(detect) was used on an optional interface and - the resulting ip[6]tables rule was unreachable, then invalid shell - code similar to the following was generated: - - if [ "$SW_PPP1_ADDRESS" != 0.0.0.0 ]; then - fi - - That has been corrected such that the above code is not generated - and a warning message is issued, indicating that the entry generated - no ip[6]tables rule. +2) When processing inline matches, the compiler previously inserted + the matches before the column-generated matches if there was a plus + sign ("+") anywhere in the matches. Now, it only does so if the + first non-blank character in the matches is a plus sign. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G @@ -173,77 +44,34 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -5.2.1.2 +1) New macros have been contributed by Vincas Dargis: -1) A new variable SW_CONFDIR has been added. $SW_CONFDIR evaluates to - $CONFDIR/shorewall[6] if no directory name is passed to a compile, - check, start, restart or reload command. If a directory name is - passed to one of these commands, then $SW_CONFDIR expands to that - directory name. + Bitcoin + Tor + ONCRPC -5.2.1 + Additionally, Tuomo Soini has contributed a WUDO (Windows Update + Delivery Optimization) macro. -1) New macros for IPFS (https://ipfs.io/) have been contributed by - Răzvan Sandu. +2) The Perl modules have undergone some cleanup/optimization. -2) Several new man pages have been added: +3) Given that recent kernels have dropped ULOG support, use of ULOG in + Shorewall is now deprecated and results in a warning message. The + warning can be eliminated by switching to NFLOG and ulogd2. - - shorewall-addresses(5) describes specification of addresses in - shorewall configuration files. - - - shorewall-files(5) describes the shorewall configuration files - together with features common to multiple files. - - - shorewall-logging(5) describes shorewall's logging facilities. - - - shorewall-names(5) describes restrictions on names used in - Shorewall configuration files. - - Additional man pages will be included in future 5.2.1 pre-releases. - -3) In the SOURCE and DEST columns, it is now possible to exclude an - interface by preceding the interface name with '!'. This is useful - for excluding the loopback interface (lo). +4) Shorewall can now detect interface default gateways configured by + Network Manager. - Example from the mangle file: +5) Inline matches are now supported in the 'conntrack' file. - #ACTION SOURCE DEST - DROP:T 127.0.0.0/8 !lo +6) In the 'accounting' file, Inline matches in an INLINE(...) rule now + allow a leading '+' to cause the matches to be evaluated before + those generated by the column specifications. -4) The MARK, CONNMARK, SAVE and RESTORE commands may now be placed in - the nat table through used of new chain designators in the mangle - file: - - NP - nat table PREROUTING chain - NI - nat table INPUT chain - NO - nat table OUTPUT chain - NT - nat table POSTROUTING chain - -5) When TC_EXPERT=Yes, it is now possible to specify any mark/mask - values that are displayed by the 'show marks' command, including - the Exclusion and TPROXY values. - -6) The configure and install scripts now support ALT Linux (Alexey - Shabalin). - -7) The verbosity of the 'remote-*' CLI commands has been increased - (Matt Darfeuille). - -8) You may now specify a VLSM in the RATE columns of the policy and - rules files, when per-IP limiting is used. This results in one hash - table entry per subnet rather than one entry per hosts, and applies - the limit to the subnet. See shorewall-policy(5) and - shorewall-rules(5) for details. This provides a means for reducing - the size of the hash tables. - -9) You man now specify the number of hash table buckets and the - maximum number of hash table entries in the RATE columns of the - policy and rules files, when per-IP limiting is used. This allows - you to increase the size of the tables to more fully handle DDOS - attacks. See shorewall-policy(5) and shorewall-rules(5) for - details. - -10) Eric Teeter has contributed a macro for Cockpit. +7) If view of the fact that some modems take an eternity to recover + from a power failure, the limit of the 'wait' interface option + setting has been increased from 120 seconds (2 minutes) to 300 + seconds (5 minutes). ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S @@ -632,116 +460,224 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 2 R E L E A S E S ---------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 5 . 2 . 0 + P R O B L E M S C O R R E C T E D I N 5 . 2 . 1 ---------------------------------------------------------------------------- -5.2.0.5 +5.2.1.4 -1) Including rules in the UNTRACKED section of the rules file may - result in errors such as the following: +1) A change in 5.2.0.5 that corrected an ip[6]tables error in the + UNTRACKED section of the rules file, changed the name of the chain + used to hold UNTRACKED rules. Previously, the chain was named + &z1-z2, where 'z1' is the source zone and 'z2' is the + destination; after the change, the chain was named =z1-z2. + Unfortunately, some log messages generated out of these chains + still referred to &z1-z2; that has been corrected. - ERROR: Command "/sbin/iptables --wait -t filter -A &loc-fw -m - addrtype --dst-type BROADCAST -j ACCEPT" Failed - iptables v1.8.0 (legacy): option "-A" requires an argument - Try `iptables -h' or 'iptables --help' for more information. » +2) Some dead/silly code has been removed from two functions in + the Chains.pm Perl module. The two functions have been combined + into a single function. - That has been corrected. +3) When the RATE column contains both a source and a destination rate, + it was previously impossible to specifiy a netmask (VLSM) on either + rate. Attempting to specify a mask would result in: -2) Where Shorewall-lite was deployed on OpenWRT (LEDE), stale 'lock' - processes could be left running after 'shorewall-lite' exits. That - has been corrected. + ERROR: Invalid rate (...) -3) Previously, when the 'ipcalc' command was invoked with no - arguments, a misleading "too many arguments" message was issued. - Now, an appropriate 'missing argument' message is produced - (Matt Darfeuille). + That has been corrected. Note that when specifying a + netmask, the leading 's' or 'd' may not be omitted. -5.2.0.4 +4) Several typos in the man pages have been corrected (Roberto + Sánchez). -1) The 'lost carrier' change in 5.0.2.3 did not play well with link - monitors like FooLSM. When carrier was restored, the link monitor - could be unable to detect that the interface was working - again. This has been corrected so that the monitor can detect the - availability of the link. +5.2.1.3 -2) If +1) When a configuration had optional interfaces but no providers, the + 'status -i' command previously would fail to show interface status + for interfaces that had not been disabled or enabled since the + last start, restart or reload. That has been corrected. - - DYNAMIC_BLACKLIST=ipset...,src-dst... with logging specified - - dbl=src_dst appears in the OPTIONS column of an interface +5.2.1.2 - then compilation previously produced a series of Perl runtime - diagnostics +1) The fix for DOCKER=Yes in 5.2.1.1 inadvertantly results in an + assertion failure when processing a 'check -r' command when + DOCKER=Yes. That has been corrected. As part of that change, + empty 'cat' commands in the generated script were eliminated. +2) When the HELPER target is used with an empty HELPER column, the + error message produced previously incorrectly read: - Use of uninitialized value $to in split at - /usr/share/shorewall/Shorewall/Chains.pm line 2769. - Use of uninitialized value $target in hash element at - /usr/share/Shorewall/Chains.pm line 2770. - Use of uninitialized value $target in hash element at - /usr/share/shorewall/Shorewall/Chains.pm line 2771. - Use of uninitialized value $to in concatenation (.) or string at - /usr/share/shorewall/Shorewall/Chains.pm line 2771. + ERROR: HELPER require requires that ... - and possibly the message + That has been corrected so that the message now reads: - ERROR: Unknown rule target () ... + ERROR: HELPER requires that ... - That problem has been corrected. +3) On Centos 7, the following journal message appeared when Shorewall + attempted to load kernel modules: + nf_log: can't load ipt_ULOG, conflicting nfnetlink_log already + loaded -5.2.0.3 + To eliminate that message, Shorewall no longer attempts to load + ipt_ULOG. Note that most current distributions no longer support + ULOG. Current users of ULOG should convert to using NFLOG at the + earliest opportunity. -1) The 'update' command previously did not replace 'Drop' or 'Reject' - in the setting of BLACKLIST_DEFAULT. That has been corrected. +5.2.1.1 -2) The 'update' command (and automatic conversion of the masq file) - previously failed to handle variables of the form ${...} - correctly, resulting in "Invalid column/value pair" errors. That - has been corrected. Note, however, that the converted file will - have the braces ("{" and "}") removed. +1) The Perl module versions were not updated for the 5.2.1 + release. That has been corrected. -3) If AUTOMAKE was not specified in shorewall[6].conf, the following - Perl diagnostic was issued: +2) The lib.common file previously confused Emacs such that editing the + file in shell mode was awkward. Because lib.common is included in + compiled scripts, this defect also made editing a compiled script + awkward. The issue has been resolved, so that the file now renders + properly in Emacs's shell mode. - Use of uninitialized value $val in pattern match (m//) at - /usr/share/shorewall/Shorewall/Config.pm line 6602 - - That has been corrected. +3) Previously, if ip6tables-restore failed during Shorewall6 start, + restart or reload, the resulting error message indicated that + iptables-load had failed. That has been corrected. -4) Previously, if an ethernet provider interface lost carrier, an - attempt to disable the interface could result in an error similar - to this: +4) Setting Docker=Yes did not work correctly with Docker version + 18.03.1-ce. In that version, the DOCKER-ISOLATION chain was + replaced by a pair of chains: DOCKER-ISOLATION-STAGE-1 and + DOCKER-ISOLATION-STAGE-2. That has been corrected. As part of this + change, Shorewall now correctly handles the DOCKER-USER chain as + well as the two new isolation chains. - Error: "nexthop" or end of line is expected instead of "linkdown" - ERROR: Command "ip -4 route replace table 250 default - nexthop via 192.168.0.1 dev eth2 weight 1 linkdown" Failed +5) Previously, if there were multiple 'balance' providers and more + than one of them were experiencing carrier loss, then the 'enable' and + 'disable' operations could fail. That has been corrected. - That has been corrected. +5.2.1 -5.2.0.2 +1) This release contains defect repair up through Shorewall 5.2.0.5. -1) The 'show saves' command previously failed when there were no saved - configurations. That has been corrected. - -2) The 'safe-' commands previously failed with the error: +2) Previously, if: - /usr/sbin/shorewall: 1194: /usr/sbin/shorewall: - read_yesno_with_timeout: not found + a) IP[6]TABLES was not set in shorewall[6].conf; and + b) The ip[6]tables binary was not found on the PATH. - That has been corrected. + then a shell 'not found' error on 'fatal-error' was generated. That + has been corrected (Matt Darfeuille) -3) When the -c option was specified with the 'compile' command, and - 'AUTOMAKE=No' or 'AUTOMAKE=', the command previously failed with - errors such as: +3) A number of files in the Shorewall-common package have had their + heading version updated to version 5.2 (Matt Darfeuille). - usr/sbin/shorewall: 415: [: =: unexpected operator - /usr/bin/find: Expected a positive decimal integer argument to - -maxdepth, but got "-type" - /usr/sbin/shorewall: 415: [: =: unexpected operator - /usr/bin/find: Expected a positive decimal integer argument to - -maxdepth, but got "-type" +4) Previously, if statistical load balancing ('load=' in + provider OPTIONS) was configured on providers that shared an + interface, then the compiler would die with an assertion + failure. That has been corrected so that this combination now works + as expected. - This failure has been eliminated. +5) Where two or more providers share a network interface, the + 'optional' interface/provider option has never worked correctly. + Beginning with this release, the 'optional' option is disallowed + on such interfaces and providers. + +6) Previously, when rate limiting was applied to a DNAT or + REDIRECT rule, rate limiting was applied to the accompanying + ACCEPT rule. Since logging is applied in the DNAT/REDIRECT rule, if + the connection failed the rate limit then the connection attempt + could be logged twice - once in the nat table and once when the + applicable policy was applied. Beginning with this release, rate + limiting is applied to the DNAT/REDIRECT rule so that no nat-table + logging occurs if the connection attempt exceeds the rate limit. + +7) Some regular expressions used in Shorewall's Perl code will be + disallowed by Perl version 5.23. These have been changed to be + acceptable to that version of Perl. + +8) Previously, if SNAT(detect) was used on an optional interface and + the resulting ip[6]tables rule was unreachable, then invalid shell + code similar to the following was generated: + + if [ "$SW_PPP1_ADDRESS" != 0.0.0.0 ]; then + fi + + That has been corrected such that the above code is not generated + and a warning message is issued, indicating that the entry generated + no ip[6]tables rule. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 2 . 1 +---------------------------------------------------------------------------- + +5.2.1.2 + +1) A new variable SW_CONFDIR has been added. $SW_CONFDIR evaluates to + $CONFDIR/shorewall[6] if no directory name is passed to a compile, + check, start, restart or reload command. If a directory name is + passed to one of these commands, then $SW_CONFDIR expands to that + directory name. + +5.2.1 + +1) New macros for IPFS (https://ipfs.io/) have been contributed by + Răzvan Sandu. + +2) Several new man pages have been added: + + - shorewall-addresses(5) describes specification of addresses in + shorewall configuration files. + + - shorewall-files(5) describes the shorewall configuration files + together with features common to multiple files. + + - shorewall-logging(5) describes shorewall's logging facilities. + + - shorewall-names(5) describes restrictions on names used in + Shorewall configuration files. + + Additional man pages will be included in future 5.2.1 pre-releases. + +3) In the SOURCE and DEST columns, it is now possible to exclude an + interface by preceding the interface name with '!'. This is useful + for excluding the loopback interface (lo). + + Example from the mangle file: + + #ACTION SOURCE DEST + DROP:T 127.0.0.0/8 !lo + +4) The MARK, CONNMARK, SAVE and RESTORE commands may now be placed in + the nat table through used of new chain designators in the mangle + file: + + NP - nat table PREROUTING chain + NI - nat table INPUT chain + NO - nat table OUTPUT chain + NT - nat table POSTROUTING chain + +5) When TC_EXPERT=Yes, it is now possible to specify any mark/mask + values that are displayed by the 'show marks' command, including + the Exclusion and TPROXY values. + +6) The configure and install scripts now support ALT Linux (Alexey + Shabalin). + +7) The verbosity of the 'remote-*' CLI commands has been increased + (Matt Darfeuille). + +8) You may now specify a VLSM in the RATE columns of the policy and + rules files, when per-IP limiting is used. This results in one hash + table entry per subnet rather than one entry per hosts, and applies + the limit to the subnet. See shorewall-policy(5) and + shorewall-rules(5) for details. This provides a means for reducing + the size of the hash tables. + +9) You man now specify the number of hash table buckets and the + maximum number of hash table entries in the RATE columns of the + policy and rules files, when per-IP limiting is used. This allows + you to increase the size of the tables to more fully handle DDOS + attacks. See shorewall-policy(5) and shorewall-rules(5) for + details. + +10) Eric Teeter has contributed a macro for Cockpit. + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 2 . 0 +---------------------------------------------------------------------------- 5.2.0.1 diff -Nru shorewall6-5.2.1.4/shorewall6.spec shorewall6-5.2.2/shorewall6.spec --- shorewall6-5.2.1.4/shorewall6.spec 2018-12-16 18:10:51.000000000 +0000 +++ shorewall6-5.2.2/shorewall6.spec 2019-01-17 20:37:22.000000000 +0000 @@ -1,6 +1,6 @@ %define name shorewall6 -%define version 5.2.1 -%define release 4 +%define version 5.2.2 +%define release 0base Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems. Name: %{name} @@ -114,14 +114,14 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6 %changelog -* Fri Dec 14 2018 Tom Eastep tom@shorewall.net -- Updated to 5.2.1-4 -* Tue Dec 11 2018 Tom Eastep tom@shorewall.net -- Updated to 5.2.1-3 -* Fri Nov 02 2018 Tom Eastep tom@shorewall.net -- Updated to 5.2.1-2 -* Tue Oct 09 2018 Tom Eastep tom@shorewall.net -- Updated to 5.2.1-1 +* Wed Jan 16 2019 Tom Eastep tom@shorewall.net +- Updated to 5.2.2-0base +* Tue Jan 08 2019 Tom Eastep tom@shorewall.net +- Updated to 5.2.2-0RC1 +* Fri Jan 04 2019 Tom Eastep tom@shorewall.net +- Updated to 5.2.2-0Beta2 +* Tue Oct 02 2018 Tom Eastep tom@shorewall.net +- Updated to 5.2.2-0Beta1 * Fri Sep 28 2018 Tom Eastep tom@shorewall.net - Updated to 5.2.1-0base * Thu Aug 23 2018 Tom Eastep tom@shorewall.net diff -Nru shorewall6-5.2.1.4/uninstall.sh shorewall6-5.2.2/uninstall.sh --- shorewall6-5.2.1.4/uninstall.sh 2018-12-16 18:10:51.000000000 +0000 +++ shorewall6-5.2.2/uninstall.sh 2019-01-17 20:37:22.000000000 +0000 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.2.1.4 +VERSION=5.2.2 usage() # $1 = exit status {