Changes in 4.0.15
1) Fix iptables conntrack syntax when using newer versions of
iptables.
2) Apply Lennart Sorensen's patch to finish LENGTH matching.
3) Prevent invalid rules when KLUDGEFREE is not set.
4) Document DISABLE_IPV6 in shorewall.conf man page.
5) Fix nonat rules with destination IP address.
6) Change ipp2p detection to support latest version.
Changes in 4.0.14
1) Fix handling of 'all-' in shorewall-shell.
2) Fix bashism in handling of options in Debian init script.
Changes in 4.0.13
1) Fix ip forwarding handling with 'restore'
2) Fix handling of COPY.
3) Add macro.RNDC.
Changes in 4.0.12
1) Only issue a warning on RFC 1918 violation.
2) Fix divide by zero.
3) Allow !+setname
4) Fix /var/lib/xxx/chains content.
Changes in 4.0.11
1) Defer enabling of forwarding until rules are in place.
2) Fix silly duplicate-rule error.
3) Fix IPSEC host entry with DYNAMIC_ZONES=Yes
4) Fix VARDIR in /usr/share/shorewall/firewall.
5) Allow 'bps' in rates. Use integer arithmatic to convert it to kbits.
6) Fix ADMINISABSENTMINDED=No in Shorewall-perl
7) Use the OPTIONS variable from /etc/default/shorewall[-lite] on Debian.
8) Allow upper-case A-F in hex representation of MARK in tcclasses.
Changes in 4.0.10
1) Fix KLUDGEFREE test.
2) Changed Samples to set LOG_MARTIANS=keep.
3) Allow IP ranges in routestopped and ecn.
4) Fixed ACCEPT_DEFAULT and QUEUE_DEFAULT in Shorewall-shell.
5) Fix empty action.
6) Generate error on non-existent variables.
7) Fix hole in rules file parsing.
8) Add L2TP tunnel support.
9) Fix ":" parsing errors.
Changes in 4.0.9
1) Fix handling of exclusion in zone definition.
2) Fix macro handling of 'SOURCE:' and 'DEST:'.
3) Catch unprintable junk in configuration files.
4) Fix !user
5) Restore 3.4 code to work around busybox limination.
6) Update modules file for 2.6.25.
7) Add restriction handling in tcrules file.
8) Fix designator table in Tc.pm.
9) Fix <interface>:<address> in tcrules DEST column.
10) Fix rule preference value when HIGH_ROUTE_MARKS=Yes
11) Add BROKEN_ROUTING option.
12) Make KLUDGEFREE error message clearer.
Changes in 4.0.8
1) Fix do_test() handling of the value zero and make the default mask
compatible with Shorewall-shell.
2) Fix mangled date in firewall.conf.
3) Restore ability to specify DEST IP range in DNAT rules.
4) Add 'sourceonly' hosts option.
Changes in 4.0.7
1) Fix undefined value when config file missing.
2) Handle exit status 4 from iptables.
3) Allow upper case log levels
4) Fix formatting of macro headings (again).
5) Update sample shorewall.conf files with new options.
6) Correct Jabber macro names.
7) Fix problem with ADD_IP_ALIASES.
8) Fall back to /bin/sh if SHOREWALL_SHELL isn't viable.
9) Add better diagnostic when not running as root.
8) Detect lack of interfaces and IPv4 zones.
Changes in 4.0.6
1) Fix hyphenated service names in DNAT/REDIRECT rules.
2) Fix long dest ports list bug.
3) Fix many day-one bugs in REDIRECT port handling.
4) Add support for '--physdev-is-bridged'.
5) Add support for embedded shell and Perl scripts.
6) Add support for manual chains.
7) Don't require GATEWAY in tunnels file.
8) Fix HIGH_ROUTE_MARKS fsck-up.
9) Fix Makefiles for VARDIR
10) Add -t option to hits command.
11) Add DONT_LOAD option
12) Add support for --random.
13) Fix USER/GROUP in tcrules.
14) Disallow refresh of built-in chains.
Changes in 4.0.5
1) Delete 'detectnets' from Shorewall-perl
2) Use get_config() for processing secondary shorewall.conf
3) Add 'broadcast' and 'destonly' options to hosts file.
4) Allow "$FW::<port>" in the DEST column of a redirect rule"
5) Add MULTICAST option in shorewall.conf.
6) Allow port range for server port in NAT rules.
7) Validate server IP address and port(-range) in NAT rules.
8) Allow server port(s) to be specified as service names.
9) Split large DEST PORT(S) lists.
10) Fix TCP/UDP in rules file.
10) Add new semantics to 'debug' with Shorewall-perl
11) Satisfy the distros.
12) Change module versions to V-strings.
13) Fix ipsets.
Changes in 4.0.4
1) Fix 'refresh' with light-weight shells.
2) Various fixes for proxyarp.
3) Fix 'refresh' run-time error.
4) Cleaner behavior if module-init-tools not installed.
5) Fix [re-]initialization problems in Shorewall::Tc.
6) Make compile-time check for iptables-restore.
7) Fix dup chain name test for actions.
8) Improve KLUDGEFREE detection.
9) Remove unused functions from Chains module.
10) Allow 'TC_ENABLED=internal' as specified (Only 'Internal' is
currently allowed).
11) Correct 'loose' handling.
12) Correct handling of 'bridge' and accounting.
13) Fix SHOREWALL_DIR fiasco.
14) Avoid deleting wrong routing rule.
15) Allow provider number in route_rules with Shorewall-shell.
16) Add DELETE_THEN_ADD option.
17) Add warning about 'detectnets' going away.
18) Fix off-by-one bug in Tc.pm
19) Correct problems found in pre-testing.
20) Fix REDIRECT with Macros.
Changes in 4.0.3
1) Streamline the checking for builtin chains in the accounting file.
2) Don't try to write/restore /etc/iproute2/rt_tables if it isn't
writable.
3) Allow Shorewall-perl compiler and libraries to be installed
anywhere.
4) Add KEEP_RT_TABLES option.
5) Other provider changes.
6) Fix LOG target in Shorewall-shell.
7) Faster log processing.
8) Tweak handling of CLASSID in process_tc_rule().
9) Restore 3.4 'stop/clear/reset' behavior and make new behavior
optional.
10) Add act_police to modules file.
11) Add 'mss' interface option.
12) Add TCPMSS_MATCH to show capabilities -f.
13) Insure a space between log prefix and IN=.
14) Provide ESTABLISHED,RELATED rules for inappropriate CONTINUE policy
15) Add hashlimit match detection.
16) Fix 'add' and 'delete' when interface name contains special char.
17) Fix PREROUTING track fiasco.
18) Add NFQUEUE support.
19) Allow refresh of chains other than 'blacklst'.
20) Allow INCLUDE in run-time extension scripts.
21) Fix zone sort.
Changes in 4.0.2
1) Another ECN fix in Shorewall-perl.
2) Make 'state match' detection in Shorewall-perl quiet.
3) Detect port range in list without XMULTIPORT.
4) Move lockfile handling from 'firewall' to 'shorewall' and lib.cli.
5) Don't detect routed networks and interfaces addresses during
'restore'.
6) Upcase some global variables in the generated script.
7) Remove some 'chain_base' mapping.
8) Eliminate a couple of global variables in the Chains module.
9) Cosmetic change to generated script.
10) Allow tc configuration on bridge ports.
11) Fix add/delete problem when Shorewall-shell is not installed.
12) Don't overwrite ${VARDIR}/chains and ${VARDIR}/zones during
'refresh'.
13) Correct some error messages.
14) Correct calculations involving number of keys in a hash.
15) Load xt_multiport.
16) Apply Günter Niedermeier's patch for multiport.
17) Honor the BROADCAST column when address type match is not
available.
18) Fix accounting.
Changes in 4.0.1
1) Add EXPAND_POLICIES.
2) Fix uninstallers.
3) Correct handling of 'ipsec' option in the hosts file.
4) Corrent handling of 'PATH' in Shorewall-perl.
5) Correct handling of ECN with MANGLE_FORWARD.
6) Relax ADDRTYPE restriction.
7) Be sure that chkconfig runs after upgrade from < 4.0.0
8) Better out-of-order policy detection.
9) Fix dropBcast/allowBcast logging and other logging
fixes/improvements.
10) Cleaner way to handle quotes in rules.
11) Allow '/min' in RATE/BURST column.
12) Check for state match
13) Fix stale lock problems.
Changes in 4.0.0 Final
1) Fix lite install.sh manpage problem.
2) Fix shorewall-shell .spec to modify SHOREWALL_COMPILER.
3) Shuffle code in Providers.pm.
4) Consolicate Common.pm + Config.pm and Interfaces.pm + Hosts.pm +
Zones.pm.
5) Validate log level in policy file.
Changes in 4.0.0 RC 2
1) Fix zone type check in Tunnels File.
2) Remove -f as default start OPTIONS.
3) Remove 3.4 compatibility hacks.
4) Fix install.sh manpage problem.
5) Fix LITEDIR mess.
6) Fix IPSEC.
7) Add Tunneling Macros from Tuomo Soini.
Changes in 4.0.0 RC 1
1) shorewall-perl RPM no longer installable under shorewall 3.4.
2) Fix limited broadcast and detectnets/routeback interfaces.
3) Use optimized 'split' for faster compilation.
4) Validate host part in hosts file entry.
5) Fix IPSECFILE=ipsec.
6) Make ':noah' the default.
7) Work around SELinux nonsense.
8) Restore the 'refresh' command.
9) Allow ipsec zone in GATEWAY ZONE column of the tunnels file.
10) Raise error on chmod failure.
11) Handle shell variables with zero value correctly.
Changes in 4.0.0 Beta 6
1) First step to adding compiler debugging facility.
2) Assume that iptables-restore is in the same directory as $IPTABLES
3) Fix buildports.pm to handle bogus entries in /etc/protocols and
/etc/services.
4) Allow COMMENT in the accounting file.
Changes in 4.0.0 Beta 6
1) Validate the DISPOSITION in /etc/shorewall/maclist entries.
2) Add versioning to capabilities files.
3) Improve compiler selection.
4) DYNAMIC_ZONES=Yes and bridges.
5) Implement port validation.
Changes in 4.0.0 Beta 5
1) Fix undefined function call when both an input interface and an
output interface are present.
2) Externalize compiler and Compile.pm.
Changes in 4.0.0 Beta 4
1) Fix the 'Modules' output of 'dump'
2) Fix FW=xxx with IPSECFILE=ipsec.
3) Fix wildcard-rule/NONE-policy interaction.
4) Clean up generation of user-exit jacket functions.
5) Add new bridge code.
6) Fix bad bug in exclusion.
Changes in 4.0.0 Beta 2
1) Fix screwup in get_routed_networks().
2) Some minor tweaks.
3) Fix synflood chain jumps.
4) Simplify synflood handling and improve error diagnostics.
Changes in 4.0.0 Beta 1
1) Fix add/delete <interface>.
2) Fix do_proto() and 'use IPConfig' in Providers.pm.
3) Implement dynamic host group detection.
Changes in 3.9.7
1) Clean up release notes.
2) Fix several bugs having to do with exclusion in the hosts file.
3) Use '-m addrtype' in detectnet interface output rules.
4) Fix find_hosts_by_option().
5) Fix more hosts file bugs.
6) Fix 'detect' in GATEWAY column of providers file.
8) Other bug fixes (see release notes).
7) Fix action in 'logreject'.
8) Allow macros to invoke macros outside of action bodies.
Changes in 3.9.6
1) Fix parsing problems in protocol handling.
2) Fix bugs in handling of the MARK column.
3) Fix bug in routing table copying
4) Fix bug in ipset handling.
5) Fix bug in handling of CONTINUE in the tcrules file.
6) Add RCP_COMMAND and RSH_COMMAND options in shorewall.conf
7) Apply Luigi's MARK patch.
Changes in 3.9.5
1) Fix dynamic zone problem.
2) Fix LOGALLNEW.
3) Implement log level, protocol and port validation.
4) Fix MACLIST log rule generation problem.
Changes in 3.9.4
1) Fix port 0 problem (again!).
2) Fix log_martians.
3) Make LOG_MARTIANS and ROUTE_FILTER tri-valued.
4) Fix arp_ignore.
5) Re-work ROUTE_FILTER and LOG_MARTIANS.
6) Fix handling of interface options.
7) Fix handling of zone ipsec options.
8) Fix 'routeback' on multi-zone interface.
9) Fix 'check -d'.
10) Fix intra-zone policies.
11) Fix typo in maclist validation.
12) Allow 'optional' to work with 'maclist'.
Changes in 3.9.3
1) Apply Steven Springl's patch for port checking.
2) Implement 'optional' interface option.
3) Fix a couple of bugs in 'owner' handling.
4) Fix several bugs in address/network detection.
5) Make a number of interface options binary.
6) Add wildcard edits in interface processing.
7) Fix dropInvalid.
8) Fix 'none'.
9) Fix SAME with SOURCE $FW
10) Fix tcp:syn.
11) Fix all->z rules with 'NONE' policy.
12) Check for reserved zone names.
13) Add check for firewall zone existance.
14) Add checks for zone existance in 'all' processing.
Changes in 3.9.2
1) Implement '-C {shell|perl}'.
2) Implement LOCKFILE
3) Fix typo in prog.footer.
4) Fix Shorewall-perl hosts and tcclasses errors.
5) Add IPPserver macro.
6) Fix problem with 'stop' and 'clear' when shorewall-shell not
installed.
7) Moved lib.dynamiczones to Shorewall.
8) Fix silly bug in lib.base.
9) Apply Steven Springl's patch for ICMP.
