diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/Perl/Shorewall/Chains.pm shorewall-4.4.12.2/Perl/Shorewall/Chains.pm
--- shorewall-4.4.12.1/Perl/Shorewall/Chains.pm 2010-08-24 13:15:35.000000000 -0700
+++ shorewall-4.4.12.2/Perl/Shorewall/Chains.pm 2010-09-04 07:30:24.000000000 -0700
@@ -687,7 +687,7 @@
# deleting elements from the array over which we are iterating.
#
for ( my $rule = 0; $rule <= $#{$rules}; $rule++ ) {
- if ( $rules->[$rule] =~ / -[gj] ${to}( -m comment .*)?\s*$/ ) {
+ if ( $rules->[$rule] =~ / -[gj] ${to}(\s+-m comment .*)?\s*$/ ) {
trace( $fromref, 'D', $rule + 1, $rules->[$rule] ) if $debug;
splice( @$rules, $rule, 1 );
last unless --$refs > 0;
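Review bot: The `splice( @$rules, $rule, 1 )` following the changed regex removes element `$rule`, which shifts the next rule into that slot, and the loop's `$rule++` then steps past it without testing it — exactly the hazard the comment above the loop describes. If `$refs` can exceed one and two matching rules are adjacent, the second match is skipped and the loop runs to the end with `$refs` still positive. A minimal fix is `splice( @$rules, $rule--, 1 );` so the shifted element is examined on the next iteration, or iterate downward from `$#{$rules}` to 0. Separately, `${to}` is interpolated into the pattern unescaped; `\Q${to}\E` would keep any regex metacharacter in a chain name from altering the match. The enclosing function starts and ends outside the hunk.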
@@ -3392,7 +3392,7 @@
#
# We have non-trivial exclusion -- need to create an exclusion chain
#
- fatal_error "Exclusion is not possible in ACCEPT+/CONTINUE/NONAT rules" if $disposition eq 'RETURN';
+ fatal_error "Exclusion is not possible in ACCEPT+/CONTINUE/NONAT rules" if $disposition eq 'RETURN' || $disposition eq 'CONTINUE';
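Review bot: The condition now tests two disposition strings while the message lists three rule types, so the mapping from ACCEPT+/NONAT rules to the `RETURN` disposition is implicit and the two will drift apart the next time either is extended. If that mapping is indeed why only `RETURN` and `CONTINUE` are tested, a comment such as `# ACCEPT+ and NONAT compile to a RETURN disposition; CONTINUE is its own target` on the line above would make the check self-explaining. Alternatively a small lookup hash of dispositions that forbid exclusion would keep the test and the message in one place. The enclosing function lies outside the hunk.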
#
# Create the Exclusion Chain
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/Perl/Shorewall/Config.pm shorewall-4.4.12.2/Perl/Shorewall/Config.pm
--- shorewall-4.4.12.1/Perl/Shorewall/Config.pm 2010-08-24 13:15:35.000000000 -0700
+++ shorewall-4.4.12.2/Perl/Shorewall/Config.pm 2010-09-04 07:30:24.000000000 -0700
@@ -345,7 +345,7 @@
EXPORT => 0,
STATEMATCH => '-m state --state',
UNTRACKED => 0,
- VERSION => "4.4.12.1",
+ VERSION => "4.4.12.2",
CAPVERSION => 40411 ,
);
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/Perl/Shorewall/Rules.pm shorewall-4.4.12.2/Perl/Shorewall/Rules.pm
--- shorewall-4.4.12.1/Perl/Shorewall/Rules.pm 2010-08-24 13:15:35.000000000 -0700
+++ shorewall-4.4.12.2/Perl/Shorewall/Rules.pm 2010-09-04 07:30:24.000000000 -0700
@@ -303,7 +303,7 @@
my $target = source_exclusion( $hostref->[3], $chainref );
for my $chain ( first_chains $interface ) {
- add_jump $filter_table->{$chain} , $chainref, 0, "${source}${state}${policy}";
+ add_jump $filter_table->{$chain} , $target, 0, "${source}${state}${policy}";
}
set_interface_option $interface, 'use_input_chain', 1;
@@ -675,12 +675,12 @@
for $interface ( @$list ) {
my $chainref = $filter_table->{input_chain $interface};
- my $base = uc chain_base $interface;
+ my $base = uc chain_base get_physical $interface;
my $variable = get_interface_gateway $interface;
if ( interface_is_optional $interface ) {
add_commands( $chainref,
- qq(if [ -n "\$${base}_IS_USABLE" -a -n "$variable" ]; then) ,
+ qq(if [ -n "\$SW_${base}_IS_USABLE" -a -n "$variable" ]; then) ,
' echo "-A ' . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT" >&3) ,
qq(fi) );
} else {
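Review bot: The shell test written out on the changed line uses the `-a` conjunction inside a single `[ ... ]`, which POSIX marks obsolescent and which some `test` implementations parse ambiguously when an operand begins with `-`; since this text becomes part of the generated firewall script, prefer two tests: `qq(if [ -n "\$SW_${base}_IS_USABLE" ] && [ -n "$variable" ]; then) ,`. The switch to the `SW_` prefix assumes the code that defines the `<base>_IS_USABLE` variables emits the same prefix; that definition is outside this hunk and worth confirming. `$variable`, the value from `get_interface_gateway`, is also expanded by the shell inside the double-quoted `echo` on the next line, which is fine only if that helper returns a shell variable reference or an address — a short comment stating that assumption would help the next reader. The enclosing `for` loop body continues past the hunk.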
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/changelog.txt shorewall-4.4.12.2/changelog.txt
--- shorewall-4.4.12.1/changelog.txt 2010-08-24 13:15:35.000000000 -0700
+++ shorewall-4.4.12.2/changelog.txt 2010-09-04 07:30:24.000000000 -0700
@@ -1,9 +1,17 @@
+Changes in Shorewall 4.4.12.2
+
+1) Add tweak to 4.4.12.1 optimization fix.
+
+2) Fix exclusion in the blacklist file.
+
Changes in Shorewall 4.4.12.1
1) Fix optimization bugs.
2) Fix detection of old ipset match capability
+3) Fix REQUIRE_INTERFACE=Yes
+
Changes in Shorewall 4.4.12
1) Fix IPv6 shorecap program.
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/install.sh shorewall-4.4.12.2/install.sh
--- shorewall-4.4.12.1/install.sh 2010-08-24 13:15:35.000000000 -0700
+++ shorewall-4.4.12.2/install.sh 2010-09-04 07:30:24.000000000 -0700
@@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
-VERSION=4.4.12.1
+VERSION=4.4.12.2
usage() # $1 = exit status
{
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/known_problems.txt shorewall-4.4.12.2/known_problems.txt
--- shorewall-4.4.12.1/known_problems.txt 2010-08-24 13:15:35.000000000 -0700
+++ shorewall-4.4.12.2/known_problems.txt 2010-09-04 07:30:24.000000000 -0700
@@ -5,9 +5,33 @@
to rules, OPTIMIZE 8 through 15 can result in invalid
iptables-restore (ip6tables-restore) input.
- Workaround: Don't use optimizaiton levels greater than 7.
+ Corrected in Shorewall 4.4.12.1.
3) Under rare circumstances unvolving exclusion, OPTIMIZE 8 through 15
canresult in invalid iptables-restore (ip6tables-restore) input.
- Workaround: Don't use optimizaiton levels greater than 7.
+ Corrected in Shorewall 4.4.12.1.
+
+4) The change in 4.4.12 to detect and use the new ipset match syntax
+ broke the ability to detect the old ipset match capability.
+
+ Corrected in Shorewall 4.4.12.1.
+
+5) If REQUIRE_INTERFACE=Yes then start/restart will fail
+ if the last optional interface tested is not available.
+
+ Corrected in Shorewall 4.4.12.1.
+
+6) The fix for COMMENT and optimization in 4.4.12.1 is incomplete.
+
+ Corrected in Shorewall 4.4.12.2
+
+7) Exclusion in the blacklist file is correctly validated but is then
+ ignored when generating iptables (ip6tables) rules.
+
+ Corrected in Shorewall 4.4.12.2.
+
+8) Shorewall allows CONTINUE rules with exclusion. These rules
+ generate valid but incorrect iptables (ip6tables) input.
+
+ Corrected in Shorewall 4.4.12.2 -- these rules are now disallowed.
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/releasenotes.txt shorewall-4.4.12.2/releasenotes.txt
--- shorewall-4.4.12.1/releasenotes.txt 2010-08-24 13:15:35.000000000 -0700
+++ shorewall-4.4.12.2/releasenotes.txt 2010-09-04 07:30:24.000000000 -0700
@@ -1,5 +1,5 @@
----------------------------------------------------------------------------
- S H O R E W A L L 4 . 4 . 1 2 . 1
+ S H O R E W A L L 4 . 4 . 1 2 . 2
----------------------------------------------------------------------------
I. RELEASE 4.4 HIGHLIGHTS
@@ -224,21 +224,38 @@
I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
+4.4.12.2
+
+1) Earlier releases allowed CONTINUE rules with exclusion. These rules
+ generated valid but incorrect iptables (ip6tables) input. Such
+ rules are now disallowed.
+
+2) The fix for COMMENT and OPTIMIZE 8-15 in 4.4.12.1 missed one case
+ which has now been corrected.
+
+3) Previously, exclusion in the blacklist file was correctly validated
+ but was then ignored when generating iptables (ip6tables) rules.
+
+4) Previously, the interface option combination of 'optional' and
+ 'upnpclient' did not work correctly.
+
4.4.12.1
1) Under rare circumstances where COMMENT is used to attach comments
to rules, OPTIMIZE 8 through 15 could result in invalid
iptables-restore (ip6tables-restore) input.
-2) Under rare circumstances unvolving exclusion, OPTIMIZE 8 through 15
+2) Under rare circumstances involving exclusion, OPTIMIZE 8 through 15
could result in invalid iptables-restore (ip6tables-restore) input.
3) The change in 4.4.12 to detect and use the new ipset match syntax
broke the ability to detect the old ipset match capability. Now,
both versions of the capability can be correctly detected.
-4.4.12
+4) Previously, if REQUIRE_INTERFACE=Yes then start/restart would fail
+ if the last optional interface tested was not available.
+4.4.12
1) Previously, the Shorewall6-lite version of shorecap was using
iptables rather than ip6tables, with the result that many capabilities
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/shorewall.spec shorewall-4.4.12.2/shorewall.spec
--- shorewall-4.4.12.1/shorewall.spec 2010-08-24 13:15:35.000000000 -0700
+++ shorewall-4.4.12.2/shorewall.spec 2010-09-04 07:30:24.000000000 -0700
@@ -1,6 +1,6 @@
%define name shorewall
%define version 4.4.12
-%define release 1
+%define release 2
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name}
@@ -108,6 +108,8 @@
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
%changelog
+* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-2
* Mon Aug 23 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-1
* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/uninstall.sh shorewall-4.4.12.2/uninstall.sh
--- shorewall-4.4.12.1/uninstall.sh 2010-08-24 13:15:35.000000000 -0700
+++ shorewall-4.4.12.2/uninstall.sh 2010-09-04 07:30:24.000000000 -0700
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.12.1
+VERSION=4.4.12.2
usage() # $1 = exit status
{