diff -Nru shorewall6-5.2.2/changelog.txt shorewall6-5.2.3.2/changelog.txt --- shorewall6-5.2.2/changelog.txt 2019-01-17 20:37:22.000000000 +0000 +++ shorewall6-5.2.3.2/changelog.txt 2019-03-18 01:42:25.000000000 +0000 @@ -1,3 +1,45 @@ +Changes in 5.2.3.2 + +1) Update release documents. + +2) Document fix for masq file auto-update. + +Changes in 5.2.3.1 + +1) Update release documents. + +2) Correct issue with policy file zone exclusion. + +Changes in 5.2.3 Final + +1) Update release documents. + +2) Correct problem corrected (mention helper). + +Changes in 5.2.3 RC 1 + +1) Update release documents. + +2) Delete pre-2.6.20 modules from the helpers file + +3) Delete modules* during install + +Changes in 5.2.3 Beta 2 + +1) Update release documents. + +2) Remove LOAD_HELPERS_ONLY option. + +Changes in 5.2.3 Beta 1 + +1) Update release documents. + +2) Support zone exclusion in the policy file. + +3) Deprecate all/any[+]-. + +4) Document 'test' argument to compiler.pl + Changes in 5.2.2 Final 1) Update release documents. diff -Nru shorewall6-5.2.2/configfiles/policy.annotated shorewall6-5.2.3.2/configfiles/policy.annotated --- shorewall6-5.2.2/configfiles/policy.annotated 2019-01-17 20:37:30.000000000 +0000 +++ shorewall6-5.2.3.2/configfiles/policy.annotated 2019-03-18 01:42:32.000000000 +0000 
@@ -38,20 +38,23 @@ # different name in parentheses, the different name is used in the alternate # specification syntax). # -# SOURCE - zone[,...[+]]|$FW|all|all+ +# SOURCE - zone[,...[+]]|$FW|all[+][!ezone[,...]] # # Source zone. Must be the name of a zone defined in shorewall-zones(5), $FW, # "all" or "all+". # -# Support for "all+" was added in Shorewall 4.5.17. "all" does not override -# the implicit intra-zone ACCEPT policy while "all+" does. +# Support for all+ was added in Shorewall 4.5.17. all does not override the +# implicit intra-zone ACCEPT policy while all+ does. # # Beginning with Shorewall 5.0.12, multiple zones may be listed separated by # commas. As above, if '+' is specified after two or more zone names, then # the policy overrides the implicit intra-zone ACCEPT policy if the same zone # appears in both the SOURCE and DEST columns. # -# DEST - zone[,...[+]]|$FW|all|all+ +# Beginning with Shorewall 5.2.3, a comma-separated list of excluded zones +# preceded by "!" may follow all or all+. +# +# DEST - zone[,...[+]]|$FW|all[+][!ezone[,...]] # # Destination zone. Must be the name of a zone defined in shorewall-zones(5), # $FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE must be @@ -66,6 +69,9 @@ # the policy overrides the implicit intra-zone ACCEPT policy if the same zone # appears in both the SOURCE and DEST columns. # +# Beginning with Shorewall 5.2.3, a comma-separated list of excluded zones +# preceded by "!" may follow all or all+. +# # POLICY - {ACCEPT|DROP|REJECT|BLACKLIST|CONTINUE|QUEUE|NFQUEUE[(queuenumber1[: # queuenumber2])]|NONE}[:{[+]policy-action[:level][,...]|None}] # diff -Nru shorewall6-5.2.2/configfiles/providers.annotated shorewall6-5.2.3.2/configfiles/providers.annotated --- shorewall6-5.2.2/configfiles/providers.annotated 2019-01-17 20:37:31.000000000 +0000 +++ shorewall6-5.2.3.2/configfiles/providers.annotated 2019-03-18 01:42:33.000000000 +0000 
@@ -250,7 +250,7 @@ # # Important # -# RESTORE_DEFAULT_OPTION=Yes in shorewall[6].conf is not recommended when +# RESTORE_DEFAULT_ROUTE=Yes in shorewall[6].conf is not recommended when # the persistent option is used, as restoring default routes to the main # routing table can prevent link status monitors such as foolsm from # correctly detecting non-working providers. diff -Nru shorewall6-5.2.2/configfiles/rules.annotated shorewall6-5.2.3.2/configfiles/rules.annotated --- shorewall6-5.2.2/configfiles/rules.annotated 2019-01-17 20:37:33.000000000 +0000 +++ shorewall6-5.2.3.2/configfiles/rules.annotated 2019-03-18 01:42:35.000000000 +0000 @@ -567,14 +567,13 @@ # # zone may also be one of the following: # -# all[+][-] +# all[+] # # all, without the "-" means "All Zones, including the firewall -# zone". If the "-" is included, the firewall zone is omitted. -# Normally all omits intra-zone traffic, but intra-zone traffic can -# be included specifying "+". +# zone". Normally all omits intra-zone traffic, but intra-zone +# traffic can be included specifying "+". # -# any[+][-] +# any[+] # # any is equivalent to all when there are no nested zones. When there # are nested zones, any only refers to top-level zones (those with no @@ -703,6 +702,10 @@ # # All but the dmz zone. # +# all+!$FW +# +# All but the firewall zone and applies to intrazone traffic. +# # net:^CN # # China. @@ -747,14 +750,13 @@ # # zone may also be one of the following: # -# all[+][-] +# all[+] # # all, without the "-" means "All Zones, including the firewall -# zone". If the "-" is included, the firewall zone is omitted. -# Normally all omits intra-zone traffic, but intra-zone traffic can -# be included specifying "+". +# zone". Normally all omits intra-zone traffic, but intra-zone +# traffic can be included specifying "+". # -# any[+][-] +# any[+] # # any is equivalent to all when there are no nested zones. When there # are nested zones, any only refers to top-level zones (those with no 
@@ -864,7 +866,7 @@ # # If the DEST zone is a bport zone, then either: # -# a. the SOURCE must be all[+][-], or +# a. the SOURCE must be all[+], or # # b. the SOURCE zone must be another bport zone associated with the same # bridge, or diff -Nru shorewall6-5.2.2/configfiles/shorewall6.conf shorewall6-5.2.3.2/configfiles/shorewall6.conf --- shorewall6-5.2.2/configfiles/shorewall6.conf 2019-01-16 21:09:42.000000000 +0000 +++ shorewall6-5.2.3.2/configfiles/shorewall6.conf 2019-03-17 15:02:53.000000000 +0000 @@ -178,8 +178,6 @@ KEEP_RT_TABLES=Yes -LOAD_HELPERS_ONLY=Yes - MACLIST_TABLE=filter MACLIST_TTL= diff -Nru shorewall6-5.2.2/configfiles/shorewall6.conf.annotated shorewall6-5.2.3.2/configfiles/shorewall6.conf.annotated --- shorewall6-5.2.2/configfiles/shorewall6.conf.annotated 2019-01-17 20:37:34.000000000 +0000 +++ shorewall6-5.2.3.2/configfiles/shorewall6.conf.annotated 2019-03-18 01:42:36.000000000 +0000 @@ -1170,15 +1170,6 @@ # # The default is KEEP_RT_TABLES=No. # -LOAD_HELPERS_ONLY=Yes -# -# LOAD_HELPERS_ONLY={Yes|No} -# -# Added in Shorewall 4.4.7. When set to Yes, restricts the set of modules -# loaded by shorewall to those listed in /var/lib/shorewall[6]/helpers and -# those that are actually used. When not set, or set to the empty value, -# LOAD_HELPERS_ONLY=No is assumed. -# MACLIST_TABLE=filter # # MACLIST_TABLE=[filter|mangle] diff -Nru shorewall6-5.2.2/configure shorewall6-5.2.3.2/configure --- shorewall6-5.2.2/configure 2019-01-17 20:37:22.000000000 +0000 +++ shorewall6-5.2.3.2/configure 2019-03-18 01:42:25.000000000 +0000 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.2.2 +VERSION=5.2.3.2 case "$BASH_VERSION" in [4-9].*) diff -Nru shorewall6-5.2.2/configure.pl shorewall6-5.2.3.2/configure.pl --- shorewall6-5.2.2/configure.pl 2019-01-17 20:37:22.000000000 +0000 +++ shorewall6-5.2.3.2/configure.pl 2019-03-18 01:42:25.000000000 +0000 
@@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.2.2' + VERSION => '5.2.3.2' }; my %params; diff -Nru shorewall6-5.2.2/debian/changelog shorewall6-5.2.3.2/debian/changelog --- shorewall6-5.2.2/debian/changelog 2019-01-18 12:59:46.000000000 +0000 +++ shorewall6-5.2.3.2/debian/changelog 2019-03-24 01:41:29.000000000 +0000 @@ -1,3 +1,21 @@ +shorewall6 (5.2.3.2-1) unstable; urgency=medium + + * New Upstream Version + + -- Roberto C. Sanchez Sat, 23 Mar 2019 21:41:29 -0400 + +shorewall6 (5.2.3.1-1) unstable; urgency=medium + + * New Upstream Version + + -- Roberto C. Sanchez Thu, 28 Feb 2019 17:59:14 -0500 + +shorewall6 (5.2.3-1) unstable; urgency=medium + + * New Upstream Version + + -- Roberto C. Sanchez Fri, 22 Feb 2019 23:31:39 -0500 + shorewall6 (5.2.2-1) unstable; urgency=medium * New Upstream Version diff -Nru shorewall6-5.2.2/install.sh shorewall6-5.2.3.2/install.sh --- shorewall6-5.2.2/install.sh 2019-01-17 20:37:22.000000000 +0000 +++ shorewall6-5.2.3.2/install.sh 2019-03-18 01:42:25.000000000 +0000 @@ -22,7 +22,7 @@ # along with this program; if not, see . # -VERSION=5.2.2 +VERSION=5.2.3.2 usage() # $1 = exit status { @@ -467,17 +467,6 @@ fi # -# Install the Modules file -# -run_install $OWNERSHIP -m 0644 modules ${DESTDIR}${SHAREDIR}/${PRODUCT}/modules -echo "Modules file installed as ${DESTDIR}${SHAREDIR}/${PRODUCT}/modules" - -for f in modules.*; do - run_install $OWNERSHIP -m 0644 $f ${DESTDIR}${SHAREDIR}/${PRODUCT}/$f - echo "Modules file $f installed as ${DESTDIR}${SHAREDIR}/${PRODUCT}/$f" -done - -# # Install the Module Helpers file # run_install $OWNERSHIP -m 0644 helpers ${DESTDIR}${SHAREDIR}/${PRODUCT}/helpers 
@@ -1252,6 +1241,14 @@ rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/macro.SMTPTraps fi +# +# Remove unneeded modules files +# + +if [ -n "$first_install" ]; then + rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/modules* +fi + if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then if [ -n "$SERVICEDIR" ]; then if systemctl enable ${PRODUCT}.service; then diff -Nru shorewall6-5.2.2/manpages/shorewall6.8 shorewall6-5.2.3.2/manpages/shorewall6.8 --- shorewall6-5.2.2/manpages/shorewall6.8 2019-01-17 20:37:24.000000000 +0000 +++ shorewall6-5.2.3.2/manpages/shorewall6.8 2019-02-11 22:48:21.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: shorewall6 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 -.\" Date: 01/17/2019 +.\" Date: 02/11/2019 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL6" "8" "01/17/2019" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL6" "8" "02/11/2019" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru shorewall6-5.2.2/modules shorewall6-5.2.3.2/modules --- shorewall6-5.2.2/modules 2019-01-16 21:09:42.000000000 +0000 +++ shorewall6-5.2.3.2/modules 1970-01-01 00:00:00.000000000 +0000 
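Review bot: The new "Remove unneeded modules files" block runs only when `$first_install` is non-empty, yet stale `modules*` files from an earlier release would exist on an upgrade, not on a fresh install. If `first_install` means what its name suggests (it is assigned outside this hunk), the test looks inverted and should probably read `if [ -z "$first_install" ]; then`. The `rm -f` path is also unquoted and built from three variables, and this installer is typically run as root, so an empty `SHAREDIR`/`PRODUCT` or a `DESTDIR` containing whitespace would point the glob somewhere unintended; `rm -f "${DESTDIR}${SHAREDIR}/${PRODUCT}"/modules*` quotes the prefix and keeps the glob. The pattern `modules*` is also wider than what the removed install step wrote (`modules` and `modules.*`), so naming those two forms would avoid deleting an unrelated file in that directory.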
@@ -1,39 +0,0 @@
-#
-# Shorewall6 version 5 - Modules File
-#
-# /usr/share/shorewall6/modules
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-#
-# Essential Modules
-#
-INCLUDE modules.essential
-#
-# Other xtables modules
-#
-INCLUDE modules.xtables
-#
-# Helpers
-#
-INCLUDE helpers
-#
-# Ipset
-#
-INCLUDE modules.ipset
-#
-# Traffic Shaping
-#
-INCLUDE modules.tc
-#
-# Extensions
-#
-INCLUDE modules.extensions
diff -Nru shorewall6-5.2.2/modules.essential shorewall6-5.2.3.2/modules.essential
--- shorewall6-5.2.2/modules.essential 2019-01-16 21:09:42.000000000 +0000
+++ shorewall6-5.2.3.2/modules.essential 1970-01-01 00:00:00.000000000 +0000
@@ -1,28 +0,0 @@
-#
-# Shorewall6 -- /usr/share/shorewall6/modules.essential
-#
-# Essential Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-loadmodule nfnetlink
-loadmodule x_tables
-loadmodule ip6_tables
-loadmodule ip6table_filter
-loadmodule ip6table_mangle
-loadmodule ip6table_raw
-loadmodule xt_conntrack
-loadmodule nf_conntrack_ipv6
-loadmodule nf_nat
-loadmodule nf_nat_ipv6
-loadmodule xt_state
-loadmodule xt_tcpudp
-loadmodule ip6t_REJECT
diff -Nru shorewall6-5.2.2/modules.extensions shorewall6-5.2.3.2/modules.extensions
--- shorewall6-5.2.2/modules.extensions 2019-01-16 21:09:42.000000000 +0000
+++ shorewall6-5.2.3.2/modules.extensions 1970-01-01 00:00:00.000000000 +0000
@@ -1,16 +0,0 @@
-#
-# Shorewall6 -- /usr/share/shorewall6/modules.extension
-#
-# Extensions Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-loadmodule ip6_queue
diff -Nru shorewall6-5.2.2/modules.ipset shorewall6-5.2.3.2/modules.ipset
--- shorewall6-5.2.2/modules.ipset 2019-01-16 21:09:42.000000000 +0000
+++ shorewall6-5.2.3.2/modules.ipset 1970-01-01 00:00:00.000000000 +0000
@@ -1,27 +0,0 @@
-#
-# Shorewall6 -- /usr/share/shorewall6/modules.ipset
-#
-# IP Set Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall6 and modify the
-# copy.
-#
-###############################################################################
-loadmodule xt_set
-loadmodule ip_set
-loadmodule ip_set_iphash
-loadmodule ip_set_ipmap
-loadmodule ip_set_ipporthash
-loadmodule ip_set_iptree
-loadmodule ip_set_iptreemap
-loadmodule ip_set_macipmap
-loadmodule ip_set_nethash
-loadmodule ip_set_portmap
-loadmodule ipt_SET
-loadmodule ipt_set
diff -Nru shorewall6-5.2.2/modules.tc shorewall6-5.2.3.2/modules.tc
--- shorewall6-5.2.2/modules.tc 2019-01-16 21:09:42.000000000 +0000
+++ shorewall6-5.2.3.2/modules.tc 1970-01-01 00:00:00.000000000 +0000
@@ -1,27 +0,0 @@
-#
-# Shorewall6 -- /usr/share/shorewall6/modules.tc
-#
-# Traffic Shaping Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-loadmodule sch_sfq
-loadmodule sch_ingress
-loadmodule sch_htb
-loadmodule sch_hfsc
-loadmodule sch_prio
-loadmodule sch_tbf
-loadmodule sch_fq_codel
-loadmodule cls_u32
-loadmodule cls_fw
-loadmodule cls_flow
-loadmodule cls_basic
-loadmodule act_police
diff -Nru shorewall6-5.2.2/modules.xtables shorewall6-5.2.3.2/modules.xtables
--- shorewall6-5.2.2/modules.xtables 2019-01-16 21:09:42.000000000 +0000
+++ shorewall6-5.2.3.2/modules.xtables 1970-01-01 00:00:00.000000000 +0000
@@ -1,51 +0,0 @@ -# -# Shorewall6 -- /usr/share/shorewall6/modules.xtables -# -# Xtables Modules File -# -# This file loads the modules that may be needed by the firewall. -# -# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in -# dependency order. i.e., if M2 depends on M1 then you must load M1 -# before you load M2. -# -# If you need to modify this file, copy it to /etc/shorewall and modify the -# copy. -# -############################################################################### -loadmodule xt_AUDIT -loadmodule xt_CLASSIFY -loadmodule xt_connmark -loadmodule xt_CONNMARK -loadmodule xt_conntrack -loadmodule xt_dccp -loadmodule xt_dscp -loadmodule xt_DSCP -loadmodule xt_hashlimit -loadmodule xt_helper -loadmodule xt_iprange -loadmodule xt_length -loadmodule xt_limit -loadmodule xt_mac -loadmodule xt_mark -loadmodule xt_MARK -loadmodule xt_multiport -loadmodule xt_NFQUEUE -loadmodule xt_owner -loadmodule xt_physdev -loadmodule xt_pkttype -loadmodule xt_policy -loadmodule xt_sctp -loadmodule xt_tcpmss -loadmodule xt_TCPMSS -loadmodule xt_time -loadmodule xt_IPMARK -loadmodule xt_TPROXY -# -# From xtables-addons -# -loadmodule xt_condition -loadmodule xt_geoip -loadmodule xt_ipp2p -loadmodule xt_LOGMARK -loadmodule xt_RAWNAT diff -Nru shorewall6-5.2.2/releasenotes.txt shorewall6-5.2.3.2/releasenotes.txt --- shorewall6-5.2.2/releasenotes.txt 2019-01-17 20:37:22.000000000 +0000 +++ shorewall6-5.2.3.2/releasenotes.txt 2019-03-18 01:42:25.000000000 +0000 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 2 . 2 + S H O R E W A L L 5 . 2 . 3 . 2 ------------------------------- - J A N U A R Y 1 7 , 2 0 1 9 + M A R C H 1 7 , 2 0 1 9 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,12 +14,38 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) This release includes defect repair through Shorewall 5.2.1.4. +5.2.3.2 -2) When processing inline matches, the compiler previously inserted - the matches before the column-generated matches if there was a plus - sign ("+") anywhere in the matches. Now, it only does so if the - first non-blank character in the matches is a plus sign. +1) Shorewall 5.2 automatically converts and existing 'masq' file to an + equivalent 'snat' file. Regrettably, Shorewall 5.2.3 broke that + automatic update, such that the following error message was issued: + + Use of uninitialized value $Shorewall::Nat::raw::currentline in + pattern match (m//) at /usr/share/shorewall/Shorewall/Nat.pm + line 511, <$currentfile> line nnn. + + and the generted 'masq' file contains only initial comments. + + That has been corrected. + +5.2.3.1 + +1) An issue in the implementation of policy file zone exclusion, + released in 5.2.3 has been resolved. In the original release, + if more than one zone was excluded, then the following error was + raised: + + ERROR: 'all' is not allowed in a source zone list + etc/shorewall/policy (line ...) + +5.2.3 + +1) To prevent a helper kernel module from being loaded, it was + previously necessary to list both its current name and its + pre-kernel-2.6.20 name in the DONT_LOAD option in + /etc/shorewall[6].conf. For example, to prevent nf_conntrack_sip + from being loaded, it was necessary to also list ip_conntrack_sip + in DONT_LOAD. That is no longer necessary. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -44,34 +70,23 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) New macros have been contributed by Vincas Dargis: - - Bitcoin - Tor - ONCRPC - - Additionally, Tuomo Soini has contributed a WUDO (Windows Update - Delivery Optimization) macro. - -2) The Perl modules have undergone some cleanup/optimization. +1) Zone exclusion (e.g., "all!z2,z2,...") is now supported in the + policy file. -3) Given that recent kernels have dropped ULOG support, use of ULOG in - Shorewall is now deprecated and results in a warning message. The - warning can be eliminated by switching to NFLOG and ulogd2. - -4) Shorewall can now detect interface default gateways configured by - Network Manager. - -5) Inline matches are now supported in the 'conntrack' file. - -6) In the 'accounting' file, Inline matches in an INLINE(...) rule now - allow a leading '+' to cause the matches to be evaluated before - those generated by the column specifications. - -7) If view of the fact that some modems take an eternity to recover - from a power failure, the limit of the 'wait' interface option - setting has been increased from 120 seconds (2 minutes) to 300 - seconds (5 minutes). +2) With the availability of zone exclusion in the rules file, 'all[+]-' + and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW' + respectively. Beginning with this release, the former are + deprecated in favor of the latter and will result in a warning + message, if used. + +3) Internal documentaton of the undocumented 'test' parameter to + compiler.pl has been added (it is used by the regression test + library to suppress versions and date/times from the generated + script). + +4) The LOAD_HELPERS_ONLY option has been removed from + shorewall[6].conf. Hereafter, Shorewall[6] will behave as if + LOAD_HELPERS_ONLY=Yes had been specified. ---------------------------------------------------------------------------- I V. 
M I G R A T I O N I S S U E S @@ -419,7 +434,7 @@ instances will generate an error which must be corrected manually. It should also be noted that, in prior releases, Drop and Reject - silently dropped more traffic than thir replacements. As a + silently dropped more traffic than their replacements. As a consequence, you will see more traffic being logged with Shorewall 5.2 than you did on earlier releases. The translations performed by 'update' can be extended after the update to drop additional 
@@ -457,9 +472,64 @@ Beginning with Shorewall 5.2.1, the 'optional' option is disallowed on such interfaces and providers. +8) With the availability of zone exclusion in the rules file, 'all[+]-' + and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW' + respectively. Beginning with Shorewall 5.2.3, the former are + deprecated in favor of the latter and will result in a warning + message, if used. + +9) Beginning with Shorewall 5.2.3, the LOAD_HELPERS_ONLY option in + shorewall[6].conf has been removed, and the behavior is as if + LOAD_HELPERS_ONLY=Yes had been specified. 'shorewall[6] update' + will remove the option from shorewall[6].conf. + ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 2 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 2 . 2 +---------------------------------------------------------------------------- + +1) This release includes defect repair through Shorewall 5.2.1.4. + +2) When processing inline matches, the compiler previously inserted + the matches before the column-generated matches if there was a plus + sign ("+") anywhere in the matches. Now, it only does so if the + first non-blank character in the matches is a plus sign. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 2 . 1 +---------------------------------------------------------------------------- + +1) New macros have been contributed by Vincas Dargis: + + Bitcoin + Tor + ONCRPC + + Additionally, Tuomo Soini has contributed a WUDO (Windows Update + Delivery Optimization) macro. + +2) The Perl modules have undergone some cleanup/optimization. + +3) Given that recent kernels have dropped ULOG support, use of ULOG in + Shorewall is now deprecated and results in a warning message. The + warning can be eliminated by switching to NFLOG and ulogd2. 
+ +4) Shorewall can now detect interface default gateways configured by + Network Manager. + +5) Inline matches are now supported in the 'conntrack' file. + +6) In the 'accounting' file, Inline matches in an INLINE(...) rule now + allow a leading '+' to cause the matches to be evaluated before + those generated by the column specifications. + +7) If view of the fact that some modems take an eternity to recover + from a power failure, the limit of the 'wait' interface option + setting has been increased from 120 seconds (2 minutes) to 300 + seconds (5 minutes). + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 5 . 2 . 1 ---------------------------------------------------------------------------- diff -Nru shorewall6-5.2.2/Samples6/one-interface/policy.annotated shorewall6-5.2.3.2/Samples6/one-interface/policy.annotated --- shorewall6-5.2.2/Samples6/one-interface/policy.annotated 2019-01-17 20:37:40.000000000 +0000 +++ shorewall6-5.2.3.2/Samples6/one-interface/policy.annotated 2019-03-18 01:42:42.000000000 +0000 
@@ -43,20 +43,23 @@ # different name in parentheses, the different name is used in the alternate # specification syntax). # -# SOURCE - zone[,...[+]]|$FW|all|all+ +# SOURCE - zone[,...[+]]|$FW|all[+][!ezone[,...]] # # Source zone. Must be the name of a zone defined in shorewall-zones(5), $FW, # "all" or "all+". # -# Support for "all+" was added in Shorewall 4.5.17. "all" does not override -# the implicit intra-zone ACCEPT policy while "all+" does. +# Support for all+ was added in Shorewall 4.5.17. all does not override the +# implicit intra-zone ACCEPT policy while all+ does. # # Beginning with Shorewall 5.0.12, multiple zones may be listed separated by # commas. As above, if '+' is specified after two or more zone names, then # the policy overrides the implicit intra-zone ACCEPT policy if the same zone # appears in both the SOURCE and DEST columns. # -# DEST - zone[,...[+]]|$FW|all|all+ +# Beginning with Shorewall 5.2.3, a comma-separated list of excluded zones +# preceded by "!" may follow all or all+. +# +# DEST - zone[,...[+]]|$FW|all[+][!ezone[,...]] # # Destination zone. Must be the name of a zone defined in shorewall-zones(5), # $FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE must be @@ -71,6 +74,9 @@ # the policy overrides the implicit intra-zone ACCEPT policy if the same zone # appears in both the SOURCE and DEST columns. # +# Beginning with Shorewall 5.2.3, a comma-separated list of excluded zones +# preceded by "!" may follow all or all+. +# # POLICY - {ACCEPT|DROP|REJECT|BLACKLIST|CONTINUE|QUEUE|NFQUEUE[(queuenumber1[: # queuenumber2])]|NONE}[:{[+]policy-action[:level][,...]|None}] # diff -Nru shorewall6-5.2.2/Samples6/one-interface/rules.annotated shorewall6-5.2.3.2/Samples6/one-interface/rules.annotated --- shorewall6-5.2.2/Samples6/one-interface/rules.annotated 2019-01-17 20:37:41.000000000 +0000 +++ shorewall6-5.2.3.2/Samples6/one-interface/rules.annotated 2019-03-18 01:42:42.000000000 +0000 
@@ -571,14 +571,13 @@ # # zone may also be one of the following: # -# all[+][-] +# all[+] # # all, without the "-" means "All Zones, including the firewall -# zone". If the "-" is included, the firewall zone is omitted. -# Normally all omits intra-zone traffic, but intra-zone traffic can -# be included specifying "+". +# zone". Normally all omits intra-zone traffic, but intra-zone +# traffic can be included specifying "+". # -# any[+][-] +# any[+] # # any is equivalent to all when there are no nested zones. When there # are nested zones, any only refers to top-level zones (those with no @@ -707,6 +706,10 @@ # # All but the dmz zone. # +# all+!$FW +# +# All but the firewall zone and applies to intrazone traffic. +# # net:^CN # # China. @@ -751,14 +754,13 @@ # # zone may also be one of the following: # -# all[+][-] +# all[+] # # all, without the "-" means "All Zones, including the firewall -# zone". If the "-" is included, the firewall zone is omitted. -# Normally all omits intra-zone traffic, but intra-zone traffic can -# be included specifying "+". +# zone". Normally all omits intra-zone traffic, but intra-zone +# traffic can be included specifying "+". # -# any[+][-] +# any[+] # # any is equivalent to all when there are no nested zones. When there # are nested zones, any only refers to top-level zones (those with no @@ -868,7 +870,7 @@ # # If the DEST zone is a bport zone, then either: # -# a. the SOURCE must be all[+][-], or +# a. the SOURCE must be all[+], or # # b. the SOURCE zone must be another bport zone associated with the same # bridge, or diff -Nru shorewall6-5.2.2/Samples6/one-interface/shorewall6.conf shorewall6-5.2.3.2/Samples6/one-interface/shorewall6.conf --- shorewall6-5.2.2/Samples6/one-interface/shorewall6.conf 2019-01-16 21:09:42.000000000 +0000 +++ shorewall6-5.2.3.2/Samples6/one-interface/shorewall6.conf 2019-03-17 15:02:53.000000000 +0000 
@@ -179,8 +179,6 @@ KEEP_RT_TABLES=Yes -LOAD_HELPERS_ONLY=Yes - MACLIST_TABLE=filter MACLIST_TTL= diff -Nru shorewall6-5.2.2/Samples6/one-interface/shorewall6.conf.annotated shorewall6-5.2.3.2/Samples6/one-interface/shorewall6.conf.annotated --- shorewall6-5.2.2/Samples6/one-interface/shorewall6.conf.annotated 2019-01-17 20:37:42.000000000 +0000 +++ shorewall6-5.2.3.2/Samples6/one-interface/shorewall6.conf.annotated 2019-03-18 01:42:43.000000000 +0000 @@ -1171,15 +1171,6 @@ # # The default is KEEP_RT_TABLES=No. # -LOAD_HELPERS_ONLY=Yes -# -# LOAD_HELPERS_ONLY={Yes|No} -# -# Added in Shorewall 4.4.7. When set to Yes, restricts the set of modules -# loaded by shorewall to those listed in /var/lib/shorewall[6]/helpers and -# those that are actually used. When not set, or set to the empty value, -# LOAD_HELPERS_ONLY=No is assumed. -# MACLIST_TABLE=filter # # MACLIST_TABLE=[filter|mangle] diff -Nru shorewall6-5.2.2/Samples6/three-interfaces/policy.annotated shorewall6-5.2.3.2/Samples6/three-interfaces/policy.annotated --- shorewall6-5.2.2/Samples6/three-interfaces/policy.annotated 2019-01-17 20:37:44.000000000 +0000 +++ shorewall6-5.2.3.2/Samples6/three-interfaces/policy.annotated 2019-03-18 01:42:45.000000000 +0000 
@@ -42,20 +42,23 @@ # different name in parentheses, the different name is used in the alternate # specification syntax). # -# SOURCE - zone[,...[+]]|$FW|all|all+ +# SOURCE - zone[,...[+]]|$FW|all[+][!ezone[,...]] # # Source zone. Must be the name of a zone defined in shorewall-zones(5), $FW, # "all" or "all+". # -# Support for "all+" was added in Shorewall 4.5.17. "all" does not override -# the implicit intra-zone ACCEPT policy while "all+" does. +# Support for all+ was added in Shorewall 4.5.17. all does not override the +# implicit intra-zone ACCEPT policy while all+ does. # # Beginning with Shorewall 5.0.12, multiple zones may be listed separated by # commas. As above, if '+' is specified after two or more zone names, then # the policy overrides the implicit intra-zone ACCEPT policy if the same zone # appears in both the SOURCE and DEST columns. # -# DEST - zone[,...[+]]|$FW|all|all+ +# Beginning with Shorewall 5.2.3, a comma-separated list of excluded zones +# preceded by "!" may follow all or all+. +# +# DEST - zone[,...[+]]|$FW|all[+][!ezone[,...]] # # Destination zone. Must be the name of a zone defined in shorewall-zones(5), # $FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE must be @@ -70,6 +73,9 @@ # the policy overrides the implicit intra-zone ACCEPT policy if the same zone # appears in both the SOURCE and DEST columns. # +# Beginning with Shorewall 5.2.3, a comma-separated list of excluded zones +# preceded by "!" may follow all or all+. +# # POLICY - {ACCEPT|DROP|REJECT|BLACKLIST|CONTINUE|QUEUE|NFQUEUE[(queuenumber1[: # queuenumber2])]|NONE}[:{[+]policy-action[:level][,...]|None}] # diff -Nru shorewall6-5.2.2/Samples6/three-interfaces/rules.annotated shorewall6-5.2.3.2/Samples6/three-interfaces/rules.annotated --- shorewall6-5.2.2/Samples6/three-interfaces/rules.annotated 2019-01-17 20:37:44.000000000 +0000 +++ shorewall6-5.2.3.2/Samples6/three-interfaces/rules.annotated 2019-03-18 01:42:46.000000000 +0000 
@@ -571,14 +571,13 @@ # # zone may also be one of the following: # -# all[+][-] +# all[+] # # all, without the "-" means "All Zones, including the firewall -# zone". If the "-" is included, the firewall zone is omitted. -# Normally all omits intra-zone traffic, but intra-zone traffic can -# be included specifying "+". +# zone". Normally all omits intra-zone traffic, but intra-zone +# traffic can be included specifying "+". # -# any[+][-] +# any[+] # # any is equivalent to all when there are no nested zones. When there # are nested zones, any only refers to top-level zones (those with no @@ -707,6 +706,10 @@ # # All but the dmz zone. # +# all+!$FW +# +# All but the firewall zone and applies to intrazone traffic. +# # net:^CN # # China. @@ -751,14 +754,13 @@ # # zone may also be one of the following: # -# all[+][-] +# all[+] # # all, without the "-" means "All Zones, including the firewall -# zone". If the "-" is included, the firewall zone is omitted. -# Normally all omits intra-zone traffic, but intra-zone traffic can -# be included specifying "+". +# zone". Normally all omits intra-zone traffic, but intra-zone +# traffic can be included specifying "+". # -# any[+][-] +# any[+] # # any is equivalent to all when there are no nested zones. When there # are nested zones, any only refers to top-level zones (those with no @@ -868,7 +870,7 @@ # # If the DEST zone is a bport zone, then either: # -# a. the SOURCE must be all[+][-], or +# a. the SOURCE must be all[+], or # # b. the SOURCE zone must be another bport zone associated with the same # bridge, or diff -Nru shorewall6-5.2.2/Samples6/three-interfaces/shorewall6.conf shorewall6-5.2.3.2/Samples6/three-interfaces/shorewall6.conf --- shorewall6-5.2.2/Samples6/three-interfaces/shorewall6.conf 2019-01-16 21:09:42.000000000 +0000 +++ shorewall6-5.2.3.2/Samples6/three-interfaces/shorewall6.conf 2019-03-17 15:02:53.000000000 +0000 
@@ -178,8 +178,6 @@ KEEP_RT_TABLES=Yes -LOAD_HELPERS_ONLY=Yes - MACLIST_TABLE=filter MACLIST_TTL= diff -Nru shorewall6-5.2.2/Samples6/three-interfaces/shorewall6.conf.annotated shorewall6-5.2.3.2/Samples6/three-interfaces/shorewall6.conf.annotated --- shorewall6-5.2.2/Samples6/three-interfaces/shorewall6.conf.annotated 2019-01-17 20:37:45.000000000 +0000 +++ shorewall6-5.2.3.2/Samples6/three-interfaces/shorewall6.conf.annotated 2019-03-18 01:42:46.000000000 +0000 @@ -1170,15 +1170,6 @@ # # The default is KEEP_RT_TABLES=No. # -LOAD_HELPERS_ONLY=Yes -# -# LOAD_HELPERS_ONLY={Yes|No} -# -# Added in Shorewall 4.4.7. When set to Yes, restricts the set of modules -# loaded by shorewall to those listed in /var/lib/shorewall[6]/helpers and -# those that are actually used. When not set, or set to the empty value, -# LOAD_HELPERS_ONLY=No is assumed. -# MACLIST_TABLE=filter # # MACLIST_TABLE=[filter|mangle] diff -Nru shorewall6-5.2.2/Samples6/two-interfaces/policy.annotated shorewall6-5.2.3.2/Samples6/two-interfaces/policy.annotated --- shorewall6-5.2.2/Samples6/two-interfaces/policy.annotated 2019-01-17 20:37:47.000000000 +0000 +++ shorewall6-5.2.3.2/Samples6/two-interfaces/policy.annotated 2019-03-18 01:42:49.000000000 +0000 
@@ -42,20 +42,23 @@ # different name in parentheses, the different name is used in the alternate # specification syntax). # -# SOURCE - zone[,...[+]]|$FW|all|all+ +# SOURCE - zone[,...[+]]|$FW|all[+][!ezone[,...]] # # Source zone. Must be the name of a zone defined in shorewall-zones(5), $FW, # "all" or "all+". # -# Support for "all+" was added in Shorewall 4.5.17. "all" does not override -# the implicit intra-zone ACCEPT policy while "all+" does. +# Support for all+ was added in Shorewall 4.5.17. all does not override the +# implicit intra-zone ACCEPT policy while all+ does. # # Beginning with Shorewall 5.0.12, multiple zones may be listed separated by # commas. As above, if '+' is specified after two or more zone names, then # the policy overrides the implicit intra-zone ACCEPT policy if the same zone # appears in both the SOURCE and DEST columns. # -# DEST - zone[,...[+]]|$FW|all|all+ +# Beginning with Shorewall 5.2.3, a comma-separated list of excluded zones +# preceded by "!" may follow all or all+. +# +# DEST - zone[,...[+]]|$FW|all[+][!ezone[,...]] # # Destination zone. Must be the name of a zone defined in shorewall-zones(5), # $FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE must be @@ -70,6 +73,9 @@ # the policy overrides the implicit intra-zone ACCEPT policy if the same zone # appears in both the SOURCE and DEST columns. # +# Beginning with Shorewall 5.2.3, a comma-separated list of excluded zones +# preceded by "!" may follow all or all+. +# # POLICY - {ACCEPT|DROP|REJECT|BLACKLIST|CONTINUE|QUEUE|NFQUEUE[(queuenumber1[: # queuenumber2])]|NONE}[:{[+]policy-action[:level][,...]|None}] # diff -Nru shorewall6-5.2.2/Samples6/two-interfaces/rules.annotated shorewall6-5.2.3.2/Samples6/two-interfaces/rules.annotated --- shorewall6-5.2.2/Samples6/two-interfaces/rules.annotated 2019-01-17 20:37:48.000000000 +0000 +++ shorewall6-5.2.3.2/Samples6/two-interfaces/rules.annotated 2019-03-18 01:42:49.000000000 +0000 
@@ -571,14 +571,13 @@ # # zone may also be one of the following: # -# all[+][-] +# all[+] # # all, without the "-" means "All Zones, including the firewall -# zone". If the "-" is included, the firewall zone is omitted. -# Normally all omits intra-zone traffic, but intra-zone traffic can -# be included specifying "+". +# zone". Normally all omits intra-zone traffic, but intra-zone +# traffic can be included specifying "+". # -# any[+][-] +# any[+] # # any is equivalent to all when there are no nested zones. When there # are nested zones, any only refers to top-level zones (those with no @@ -707,6 +706,10 @@ # # All but the dmz zone. # +# all+!$FW +# +# All but the firewall zone and applies to intrazone traffic. +# # net:^CN # # China. @@ -751,14 +754,13 @@ # # zone may also be one of the following: # -# all[+][-] +# all[+] # # all, without the "-" means "All Zones, including the firewall -# zone". If the "-" is included, the firewall zone is omitted. -# Normally all omits intra-zone traffic, but intra-zone traffic can -# be included specifying "+". +# zone". Normally all omits intra-zone traffic, but intra-zone +# traffic can be included specifying "+". # -# any[+][-] +# any[+] # # any is equivalent to all when there are no nested zones. When there # are nested zones, any only refers to top-level zones (those with no @@ -868,7 +870,7 @@ # # If the DEST zone is a bport zone, then either: # -# a. the SOURCE must be all[+][-], or +# a. the SOURCE must be all[+], or # # b. the SOURCE zone must be another bport zone associated with the same # bridge, or diff -Nru shorewall6-5.2.2/Samples6/two-interfaces/shorewall6.conf shorewall6-5.2.3.2/Samples6/two-interfaces/shorewall6.conf --- shorewall6-5.2.2/Samples6/two-interfaces/shorewall6.conf 2019-01-16 21:09:42.000000000 +0000 +++ shorewall6-5.2.3.2/Samples6/two-interfaces/shorewall6.conf 2019-03-17 15:02:53.000000000 +0000 
@@ -178,8 +178,6 @@ KEEP_RT_TABLES=Yes -LOAD_HELPERS_ONLY=Yes - MACLIST_TABLE=filter MACLIST_TTL= diff -Nru shorewall6-5.2.2/Samples6/two-interfaces/shorewall6.conf.annotated shorewall6-5.2.3.2/Samples6/two-interfaces/shorewall6.conf.annotated --- shorewall6-5.2.2/Samples6/two-interfaces/shorewall6.conf.annotated 2019-01-17 20:37:49.000000000 +0000 +++ shorewall6-5.2.3.2/Samples6/two-interfaces/shorewall6.conf.annotated 2019-03-18 01:42:50.000000000 +0000 @@ -1170,15 +1170,6 @@ # # The default is KEEP_RT_TABLES=No. # -LOAD_HELPERS_ONLY=Yes -# -# LOAD_HELPERS_ONLY={Yes|No} -# -# Added in Shorewall 4.4.7. When set to Yes, restricts the set of modules -# loaded by shorewall to those listed in /var/lib/shorewall[6]/helpers and -# those that are actually used. When not set, or set to the empty value, -# LOAD_HELPERS_ONLY=No is assumed. -# MACLIST_TABLE=filter # # MACLIST_TABLE=[filter|mangle] diff -Nru shorewall6-5.2.2/Samples6/Universal/policy.annotated shorewall6-5.2.3.2/Samples6/Universal/policy.annotated --- shorewall6-5.2.2/Samples6/Universal/policy.annotated 2019-01-17 20:37:51.000000000 +0000 +++ shorewall6-5.2.3.2/Samples6/Universal/policy.annotated 2019-03-18 01:42:52.000000000 +0000 
@@ -38,20 +38,23 @@ # different name in parentheses, the different name is used in the alternate # specification syntax). # -# SOURCE - zone[,...[+]]|$FW|all|all+ +# SOURCE - zone[,...[+]]|$FW|all[+][!ezone[,...]] # # Source zone. Must be the name of a zone defined in shorewall-zones(5), $FW, # "all" or "all+". # -# Support for "all+" was added in Shorewall 4.5.17. "all" does not override -# the implicit intra-zone ACCEPT policy while "all+" does. +# Support for all+ was added in Shorewall 4.5.17. all does not override the +# implicit intra-zone ACCEPT policy while all+ does. # # Beginning with Shorewall 5.0.12, multiple zones may be listed separated by # commas. As above, if '+' is specified after two or more zone names, then # the policy overrides the implicit intra-zone ACCEPT policy if the same zone # appears in both the SOURCE and DEST columns. # -# DEST - zone[,...[+]]|$FW|all|all+ +# Beginning with Shorewall 5.2.3, a comma-separated list of excluded zones +# preceded by "!" may follow all or all+. +# +# DEST - zone[,...[+]]|$FW|all[+][!ezone[,...]] # # Destination zone. Must be the name of a zone defined in shorewall-zones(5), # $FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE must be @@ -66,6 +69,9 @@ # the policy overrides the implicit intra-zone ACCEPT policy if the same zone # appears in both the SOURCE and DEST columns. # +# Beginning with Shorewall 5.2.3, a comma-separated list of excluded zones +# preceded by "!" may follow all or all+. +# # POLICY - {ACCEPT|DROP|REJECT|BLACKLIST|CONTINUE|QUEUE|NFQUEUE[(queuenumber1[: # queuenumber2])]|NONE}[:{[+]policy-action[:level][,...]|None}] # diff -Nru shorewall6-5.2.2/Samples6/Universal/rules.annotated shorewall6-5.2.3.2/Samples6/Universal/rules.annotated --- shorewall6-5.2.2/Samples6/Universal/rules.annotated 2019-01-17 20:37:52.000000000 +0000 +++ shorewall6-5.2.3.2/Samples6/Universal/rules.annotated 2019-03-18 01:42:53.000000000 +0000 
@@ -567,14 +567,13 @@ # # zone may also be one of the following: # -# all[+][-] +# all[+] # # all, without the "-" means "All Zones, including the firewall -# zone". If the "-" is included, the firewall zone is omitted. -# Normally all omits intra-zone traffic, but intra-zone traffic can -# be included specifying "+". +# zone". Normally all omits intra-zone traffic, but intra-zone +# traffic can be included specifying "+". # -# any[+][-] +# any[+] # # any is equivalent to all when there are no nested zones. When there # are nested zones, any only refers to top-level zones (those with no @@ -703,6 +702,10 @@ # # All but the dmz zone. # +# all+!$FW +# +# All but the firewall zone and applies to intrazone traffic. +# # net:^CN # # China. @@ -747,14 +750,13 @@ # # zone may also be one of the following: # -# all[+][-] +# all[+] # # all, without the "-" means "All Zones, including the firewall -# zone". If the "-" is included, the firewall zone is omitted. -# Normally all omits intra-zone traffic, but intra-zone traffic can -# be included specifying "+". +# zone". Normally all omits intra-zone traffic, but intra-zone +# traffic can be included specifying "+". # -# any[+][-] +# any[+] # # any is equivalent to all when there are no nested zones. When there # are nested zones, any only refers to top-level zones (those with no @@ -864,7 +866,7 @@ # # If the DEST zone is a bport zone, then either: # -# a. the SOURCE must be all[+][-], or +# a. the SOURCE must be all[+], or # # b. the SOURCE zone must be another bport zone associated with the same # bridge, or diff -Nru shorewall6-5.2.2/Samples6/Universal/shorewall6.conf shorewall6-5.2.3.2/Samples6/Universal/shorewall6.conf --- shorewall6-5.2.2/Samples6/Universal/shorewall6.conf 2019-01-16 21:09:42.000000000 +0000 +++ shorewall6-5.2.3.2/Samples6/Universal/shorewall6.conf 2019-03-17 15:02:53.000000000 +0000 
@@ -178,8 +178,6 @@ KEEP_RT_TABLES=Yes -LOAD_HELPERS_ONLY=Yes - MACLIST_TABLE=filter MACLIST_TTL= diff -Nru shorewall6-5.2.2/Samples6/Universal/shorewall6.conf.annotated shorewall6-5.2.3.2/Samples6/Universal/shorewall6.conf.annotated --- shorewall6-5.2.2/Samples6/Universal/shorewall6.conf.annotated 2019-01-17 20:37:53.000000000 +0000 +++ shorewall6-5.2.3.2/Samples6/Universal/shorewall6.conf.annotated 2019-03-18 01:42:53.000000000 +0000 @@ -1170,15 +1170,6 @@ # # The default is KEEP_RT_TABLES=No. # -LOAD_HELPERS_ONLY=Yes -# -# LOAD_HELPERS_ONLY={Yes|No} -# -# Added in Shorewall 4.4.7. When set to Yes, restricts the set of modules -# loaded by shorewall to those listed in /var/lib/shorewall[6]/helpers and -# those that are actually used. When not set, or set to the empty value, -# LOAD_HELPERS_ONLY=No is assumed. -# MACLIST_TABLE=filter # # MACLIST_TABLE=[filter|mangle] diff -Nru shorewall6-5.2.2/shorewall6.spec shorewall6-5.2.3.2/shorewall6.spec --- shorewall6-5.2.2/shorewall6.spec 2019-01-17 20:37:22.000000000 +0000 +++ shorewall6-5.2.3.2/shorewall6.spec 2019-03-18 01:42:25.000000000 +0000 @@ -1,6 +1,6 @@ %define name shorewall6 -%define version 5.2.2 -%define release 0base +%define version 5.2.3 +%define release 2 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems. Name: %{name} @@ -102,7 +102,6 @@ %attr(- ,root,root) /usr/share/shorewall6/functions %attr(0644,root,root) /usr/share/shorewall6/lib.base %attr(0644,root,root) /usr/share/shorewall6/macro.* -%attr(0644,root,root) /usr/share/shorewall6/modules* %attr(0644,root,root) /usr/share/shorewall6/helpers %attr(0644,root,root) /usr/share/shorewall6/configpath 
@@ -114,6 +113,18 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6 %changelog +* Sun Mar 17 2019 Tom Eastep tom@shorewall.net +- Updated to 5.2.3-2 +* Tue Feb 26 2019 Tom Eastep tom@shorewall.net +- Updated to 5.2.3-1 +* Mon Feb 11 2019 Tom Eastep tom@shorewall.net +- Updated to 5.2.3-0base +* Wed Feb 06 2019 Tom Eastep tom@shorewall.net +- Updated to 5.2.3-0RC1 +* Sun Feb 03 2019 Tom Eastep tom@shorewall.net +- Updated to 5.2.3-0Beta2 +* Tue Jan 22 2019 Tom Eastep tom@shorewall.net +- Updated to 5.2.3-0Beta1 * Wed Jan 16 2019 Tom Eastep tom@shorewall.net - Updated to 5.2.2-0base * Tue Jan 08 2019 Tom Eastep tom@shorewall.net diff -Nru shorewall6-5.2.2/uninstall.sh shorewall6-5.2.3.2/uninstall.sh --- shorewall6-5.2.2/uninstall.sh 2019-01-17 20:37:22.000000000 +0000 +++ shorewall6-5.2.3.2/uninstall.sh 2019-03-18 01:42:25.000000000 +0000 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.2.2 +VERSION=5.2.3.2 usage() # $1 = exit status {