diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/Perl/Shorewall/Chains.pm shorewall-4.4.12.2/Perl/Shorewall/Chains.pm --- shorewall-4.4.12.1/Perl/Shorewall/Chains.pm 2010-08-24 13:15:35.000000000 -0700 +++ shorewall-4.4.12.2/Perl/Shorewall/Chains.pm 2010-09-04 07:30:24.000000000 -0700 @@ -687,7 +687,7 @@ # deleting elements from the array over which we are iterating. # for ( my $rule = 0; $rule <= $#{$rules}; $rule++ ) { - if ( $rules->[$rule] =~ / -[gj] ${to}( -m comment .*)?\s*$/ ) { + if ( $rules->[$rule] =~ / -[gj] ${to}(\s+-m comment .*)?\s*$/ ) { trace( $fromref, 'D', $rule + 1, $rules->[$rule] ) if $debug; splice( @$rules, $rule, 1 ); last unless --$refs > 0; @@ -3392,7 +3392,7 @@ # # We have non-trivial exclusion -- need to create an exclusion chain # - fatal_error "Exclusion is not possible in ACCEPT+/CONTINUE/NONAT rules" if $disposition eq 'RETURN'; + fatal_error "Exclusion is not possible in ACCEPT+/CONTINUE/NONAT rules" if $disposition eq 'RETURN' || $disposition eq 'CONTINUE'; # # Create the Exclusion Chain diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/Perl/Shorewall/Config.pm shorewall-4.4.12.2/Perl/Shorewall/Config.pm --- shorewall-4.4.12.1/Perl/Shorewall/Config.pm 2010-08-24 13:15:35.000000000 -0700 +++ shorewall-4.4.12.2/Perl/Shorewall/Config.pm 2010-09-04 07:30:24.000000000 -0700 @@ -345,7 +345,7 @@ EXPORT => 0, STATEMATCH => '-m state --state', UNTRACKED => 0, - VERSION => "4.4.12.1", + VERSION => "4.4.12.2", CAPVERSION => 40411 , ); diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/Perl/Shorewall/Rules.pm shorewall-4.4.12.2/Perl/Shorewall/Rules.pm --- shorewall-4.4.12.1/Perl/Shorewall/Rules.pm 2010-08-24 13:15:35.000000000 -0700 +++ shorewall-4.4.12.2/Perl/Shorewall/Rules.pm 2010-09-04 07:30:24.000000000 -0700 
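Review bot: `${to}` is interpolated into the pattern unescaped in the patched `if ( $rules->[$rule] =~ / -[gj] ${to}(\s+-m comment .*)?\s*$/ )`, so if a chain name can ever contain a regex metacharacter (`+`, `.`, `(`) the match either fires on the wrong rule or dies with a malformed pattern; `\Q${to}\E` costs nothing and removes the question. Because the loop body splices out every rule that matches, a false positive silently deletes a live jump from the generated ruleset instead of failing loudly. A one-line comment on why the tweak was needed would also help the next reader, e.g. `# tolerate more than one space between the target and -m comment`. The enclosing `for` loop and its sub extend beyond this hunk.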
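Review bot: The widened test `if $disposition eq 'RETURN' || $disposition eq 'CONTINUE'` carries no explanation of why these two dispositions cannot take an exclusion chain, and the message also names ACCEPT+ and NONAT, which are not checked by name here (presumably they are mapped to RETURN before this point; worth confirming). The known_problems entry says such rules produced valid but incorrect iptables input, which a reader of this line cannot recover, so I would add above the fatal_error something like `# a RETURN/CONTINUE issued inside a separate exclusion chain only returns to the chain that jumped there, so exclusion cannot be expressed for these dispositions -- verify against how exclusion chains are built below`. Keeping the disallowed dispositions in one hash (e.g. `%no_exclusion`) would make the next addition harder to miss. The enclosing sub starts and ends outside the hunk.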
@@ -303,7 +303,7 @@ my $target = source_exclusion( $hostref->[3], $chainref ); for my $chain ( first_chains $interface ) { - add_jump $filter_table->{$chain} , $chainref, 0, "${source}${state}${policy}"; + add_jump $filter_table->{$chain} , $target, 0, "${source}${state}${policy}"; } set_interface_option $interface, 'use_input_chain', 1; @@ -675,12 +675,12 @@ for $interface ( @$list ) { my $chainref = $filter_table->{input_chain $interface}; - my $base = uc chain_base $interface; + my $base = uc chain_base get_physical $interface; my $variable = get_interface_gateway $interface; if ( interface_is_optional $interface ) { add_commands( $chainref, - qq(if [ -n "\$${base}_IS_USABLE" -a -n "$variable" ]; then) , + qq(if [ -n "\$SW_${base}_IS_USABLE" -a -n "$variable" ]; then) , ' echo "-A ' . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT" >&3) , qq(fi) ); } else { diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/changelog.txt shorewall-4.4.12.2/changelog.txt --- shorewall-4.4.12.1/changelog.txt 2010-08-24 13:15:35.000000000 -0700 +++ shorewall-4.4.12.2/changelog.txt 2010-09-04 07:30:24.000000000 -0700 @@ -1,9 +1,17 @@ +Changes in Shorewall 4.4.12.2 + +1) Add tweak to 4.4.12.1 optimization fix. + +2) Fix exclusion in the blacklist file. + Changes in Shorewall 4.4.12.1 1) Fix optimization bugs. 2) Fix detection of old ipset match capability +3) Fix REQUIRE_INTERFACE=Yes + Changes in Shorewall 4.4.12 1) Fix IPv6 shorecap program. diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/install.sh shorewall-4.4.12.2/install.sh --- shorewall-4.4.12.1/install.sh 2010-08-24 13:15:35.000000000 -0700 +++ shorewall-4.4.12.2/install.sh 2010-09-04 07:30:24.000000000 -0700 
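Review bot: The corrected jump now relies on `source_exclusion( $hostref->[3], $chainref )` handing back `$chainref` itself when the entry has no exclusion; if it ever returns a wrapper chain instead, every blacklist entry without exclusion changes behaviour with no error, so a comment on the `my $target = ...` line such as `# $target is $chainref unless this entry carries an exclusion list` plus a regression check of one entry with and one without an exclusion would pin it. Operationally, the release notes state that exclusions were validated but ignored before this fix, i.e. the old code over-blocked; after this change the excluded hosts are admitted, which administrators who never noticed the old behaviour should be told in the upgrade notes. The enclosing sub starts and ends outside the hunk.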
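Review bot: The renamed shell variable `\$SW_${base}_IS_USABLE` is only read in this hunk, so it has to agree with the name written by the optional-interface detection code elsewhere; if that setter still emits the unprefixed form, the `[ -n ... ]` test is always false and the upnpclient rule is silently never generated rather than failing at compile time, so a test that compiles an `optional,upnpclient` interface and greps the output for the `-s ... -p udp -j ACCEPT` line is worth adding. Deriving `$base` from `get_physical $interface` deserves a comment such as `# shell variable names are keyed on the physical interface, matching the optional-interface probe` so the next reader does not revert it. Note also that the emitted rule (unchanged context) accepts all UDP from the gateway address with no port restriction, which is worth a separate look. The enclosing loop and sub extend beyond the hunk.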
@@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.12.1 +VERSION=4.4.12.2 usage() # $1 = exit status { diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/known_problems.txt shorewall-4.4.12.2/known_problems.txt --- shorewall-4.4.12.1/known_problems.txt 2010-08-24 13:15:35.000000000 -0700 +++ shorewall-4.4.12.2/known_problems.txt 2010-09-04 07:30:24.000000000 -0700 @@ -5,9 +5,33 @@ to rules, OPTIMIZE 8 through 15 can result in invalid iptables-restore (ip6tables-restore) input. - Workaround: Don't use optimizaiton levels greater than 7. + Corrected in Shorewall 4.4.12.1. 3) Under rare circumstances unvolving exclusion, OPTIMIZE 8 through 15 canresult in invalid iptables-restore (ip6tables-restore) input. - Workaround: Don't use optimizaiton levels greater than 7. + Corrected in Shorewall 4.4.12.1. + +4) The change in 4.4.12 to detect and use the new ipset match syntax + broke the ability to detect the old ipset match capability. + + Corrected in Shorewall 4.4.12.1. + +5) If REQUIRE_INTERFACE=Yes then start/restart will fail + if the last optional interface tested is not available. + + Corrected in Shorewall 4.4.12.1. + +6) The fix for COMMENT and optimization in 4.4.12.1 is incomplete. + + Corrected in Shorewall 4.4.12.2 + +7) Exclusion in the blacklist file is correctly validated but is then + ignored when generating iptables (ip6tables) rules. + + Corrected in Shorewall 4.4.12.2. + +8) Shorewall allows CONTINUE rules with exclusion. These rules + generate valid but incorrect iptables (ip6tables) input. + + Corrected in Shorewall 4.4.12.2 -- these rules are now disallowed. diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/releasenotes.txt shorewall-4.4.12.2/releasenotes.txt --- shorewall-4.4.12.1/releasenotes.txt 2010-08-24 13:15:35.000000000 -0700 +++ shorewall-4.4.12.2/releasenotes.txt 2010-09-04 07:30:24.000000000 -0700 
@@ -1,5 +1,5 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 4 . 1 2 . 1 + S H O R E W A L L 4 . 4 . 1 2 . 2 ---------------------------------------------------------------------------- I. RELEASE 4.4 HIGHLIGHTS 
@@ -224,21 +224,38 @@ I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- +4.4.12.2 + +1) Earlier releases allowed CONTINUE rules with exclusion. These rules + generated valid but incorrect iptables (ip6tables) input. Such + rules are now disallowed. + +2) The fix for COMMENT and OPTIMIZE 8-15 in 4.4.12.1 missed one case + which has now been corrected. + +3) Previously, exclusion in the blacklist file was correctly validated + but was then ignored when generating iptables (ip6tables) rules. + +4) Previously, the interface option combination of 'optional' and + 'upnpclient' did not work correctly. + 4.4.12.1 1) Under rare circumstances where COMMENT is used to attach comments to rules, OPTIMIZE 8 through 15 could result in invalid iptables-restore (ip6tables-restore) input. -2) Under rare circumstances unvolving exclusion, OPTIMIZE 8 through 15 +2) Under rare circumstances involving exclusion, OPTIMIZE 8 through 15 could result in invalid iptables-restore (ip6tables-restore) input. 3) The change in 4.4.12 to detect and use the new ipset match syntax broke the ability to detect the old ipset match capability. Now, both versions of the capability can be correctly detected. -4.4.12 +4) Previously, if REQUIRE_INTERFACE=Yes then start/restart would fail + if the last optional interface tested was not available. +4.4.12 1) Previously, the Shorewall6-lite version of shorecap was using iptables rather than ip6tables, with the result that many capabilities diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/shorewall.spec shorewall-4.4.12.2/shorewall.spec --- shorewall-4.4.12.1/shorewall.spec 2010-08-24 13:15:35.000000000 -0700 +++ shorewall-4.4.12.2/shorewall.spec 2010-09-04 07:30:24.000000000 -0700 
@@ -1,6 +1,6 @@ %define name shorewall %define version 4.4.12 -%define release 1 +%define release 2 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} @@ -108,6 +108,8 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples %changelog +* Sat Sep 04 2010 Tom Eastep tom@shorewall.net +- Updated to 4.4.12-2 * Mon Aug 23 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.12-1 * Sun Aug 15 2010 Tom Eastep tom@shorewall.net diff -Naur -X /Users/teastep/bin/exclude.txt shorewall-4.4.12.1/uninstall.sh shorewall-4.4.12.2/uninstall.sh --- shorewall-4.4.12.1/uninstall.sh 2010-08-24 13:15:35.000000000 -0700 +++ shorewall-4.4.12.2/uninstall.sh 2010-09-04 07:30:24.000000000 -0700 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.12.1 +VERSION=4.4.12.2 usage() # $1 = exit status {