diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/changelog.txt shorewall-4.4.7.1/changelog.txt
--- shorewall-4.4.7/changelog.txt 2010-02-11 07:29:41.000000000 -0800
+++ shorewall-4.4.7.1/changelog.txt 2010-02-13 07:28:22.000000000 -0800
@@ -1,3 +1,7 @@
+Changes in Shorewall 4.4.7-1
+
+1) Don't apply rate limiting twice in NAT rules.
+
 Changes in Shorewall 4.4.7
 
 1) Backport optimization changes from 4.5.
diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/install.sh shorewall-4.4.7.1/install.sh
--- shorewall-4.4.7/install.sh 2010-02-11 07:29:41.000000000 -0800
+++ shorewall-4.4.7.1/install.sh 2010-02-13 07:28:22.000000000 -0800
@@ -22,7 +22,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.7
+VERSION=4.4.7.1
 
 usage() # $1 = exit status
 {
diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/known_problems.txt shorewall-4.4.7.1/known_problems.txt
--- shorewall-4.4.7/known_problems.txt 2010-02-11 07:29:41.000000000 -0800
+++ shorewall-4.4.7.1/known_problems.txt 2010-02-13 07:28:22.000000000 -0800
@@ -1 +1,5 @@
-There are no known problems in Shorewall 4.4.7.
+1) All versions of Shorewall-perl mishandle per-IP rate limiting in
+   REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
+   the values given in the rule.
+
+   Corrected in 4.4.7.1
diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/Perl/Shorewall/Config.pm shorewall-4.4.7.1/Perl/Shorewall/Config.pm
--- shorewall-4.4.7/Perl/Shorewall/Config.pm 2010-02-11 07:29:41.000000000 -0800
+++ shorewall-4.4.7.1/Perl/Shorewall/Config.pm 2010-02-13 07:28:22.000000000 -0800
@@ -337,7 +337,7 @@
                     TC_SCRIPT => '',
                     EXPORT => 0,
                     UNTRACKED => 0,
-                    VERSION => "4.4.7",
+                    VERSION => "4.4.7.1",
                     CAPVERSION => 40407 ,
                   );
 
diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/Perl/Shorewall/Rules.pm shorewall-4.4.7.1/Perl/Shorewall/Rules.pm
--- shorewall-4.4.7/Perl/Shorewall/Rules.pm 2010-02-11 07:29:41.000000000 -0800
+++ shorewall-4.4.7.1/Perl/Shorewall/Rules.pm 2010-02-13 07:28:22.000000000 -0800
@@ -1182,13 +1182,25 @@
     #
     # Generate Fixed part of the rule
     #
-    $rule = join( '',
-                  do_proto($proto, $ports, $sports),
-                  do_ratelimit( $ratelimit, $basictarget ) ,
-                  do_user( $user ) ,
-                  do_test( $mark , $globals{TC_MASK} ) ,
-                  do_connlimit( $connlimit ),
-                  do_time( $time ) );
+    if ( ( $actiontype & ( NATRULE | NATONLY ) ) == NATRULE ) {
+        #
+        # Don't apply rate limiting twice
+        #
+        $rule = join( '',
+                      do_proto($proto, $ports, $sports),
+                      do_user( $user ) ,
+                      do_test( $mark , $globals{TC_MASK} ) ,
+                      do_connlimit( $connlimit ),
+                      do_time( $time ) );
+    } else {
+        $rule = join( '',
+                      do_proto($proto, $ports, $sports),
+                      do_ratelimit( $ratelimit, $basictarget ) ,
+                      do_user( $user ) ,
+                      do_test( $mark , $globals{TC_MASK} ) ,
+                      do_connlimit( $connlimit ),
+                      do_time( $time ) );
+    }
 
     unless ( $section eq 'NEW' ) {
         fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/releasenotes.txt shorewall-4.4.7.1/releasenotes.txt
--- shorewall-4.4.7/releasenotes.txt 2010-02-11 07:29:41.000000000 -0800
+++ shorewall-4.4.7.1/releasenotes.txt 2010-02-13 07:28:22.000000000 -0800
@@ -1,4 +1,4 @@
-Shorewall 4.4.7
+Shorewall 4.4.7 Patch Release 1.
 ----------------------------------------------------------------------------
                   R E L E A S E  4 . 4  H I G H L I G H T S
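Review bot: The two `join` calls in the new `if`/`else` of the Rules.pm hunk differ only in the `do_ratelimit` element, so six argument expressions are now duplicated and a later change to one branch (another `do_*` matcher, a reordering) can silently miss the other; building the fixed part once, with the rate-limit element chosen conditionally, keeps the fix in a single place. The comment `# Don't apply rate limiting twice` also does not say where the other application is — presumably the nat-table rule generated elsewhere in this sub, which is outside the hunk — nor why NATONLY rules are deliberately excluded by `== NATRULE`; I would extend it to `# DNAT/REDIRECT rules that also get a filter rule carry the limit on the nat rule only; NATONLY rules keep it here. Applying it on both halved the effective rate and burst (see known_problems.txt).`, after confirming the first clause against the nat-rule code. The enclosing sub starts and ends outside the hunk.
```perl
    #
    # Generate Fixed part of the rule
    #
    # NAT rules that also get a filter rule carry the rate limit on the nat
    # rule only (NATONLY rules keep it here); applying it on both halved the
    # effective rate and burst.
    #
    my $limit_here = ( $actiontype & ( NATRULE | NATONLY ) ) != NATRULE;

    $rule = join( '',
                  do_proto($proto, $ports, $sports),
                  ( $limit_here ? do_ratelimit( $ratelimit, $basictarget ) : () ),
                  do_user( $user ) ,
                  do_test( $mark , $globals{TC_MASK} ) ,
                  do_connlimit( $connlimit ),
                  do_time( $time ) );
    # … unchanged: section check that follows …
```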
@@ -184,7 +184,15 @@
    one from the release (not recommended).
 
 ----------------------------------------------------------------------------
-             P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7
+             P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7 . 1
+----------------------------------------------------------------------------
+
+1)  All versions of Shorewall-perl mishandle per-IP rate limiting in
+    REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
+    the values given in the rule.
+
+----------------------------------------------------------------------------
+             P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7
 ----------------------------------------------------------------------------
 
 1)  The tcinterfaces and tcpri files are now installed by the
@@ -211,12 +219,19 @@
 5)  Previously, specifying a TYPE in /etc/shorewall/tcinterfaces
     would cause start/restart to fail on systems lacking 'flow' classifier
-    support. While we currently know of no safe way to test for that
-    support, in Shorewall 4.4.7 we use other hints to surmise that the
-    installed toolset is likely to be too old to support 'flow' and
-    simply ignore the TYPE setting. In particular, RHEL5 and
-    derivatives no lonter experience a startup failure when TYPE is
-    specified.
+    support. In Shorewall 4.4.7, we detect the ability of the 'tc'
+    utility to support that classifier.
+
+    There are two caveats:
+
+    - 'tc' may support 'flow' but the kernel does not. In that case,
+      start/restart will still fail.
+
+    - If you use a capabilities file, you will need to regenerate the
+      file using shorewall-lite 4.4.7 in order for 'flow' to be
+      accurately detected. If you do not regenerate the file, the
+      compiler will use other hints to try to determine if 'flow' is
+      available.
 
 ----------------------------------------------------------------------------
             K N O W N   P R O B L E M S   R E M A I N I N G
diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/shorewall.spec shorewall-4.4.7.1/shorewall.spec
--- shorewall-4.4.7/shorewall.spec 2010-02-11 07:29:41.000000000 -0800
+++ shorewall-4.4.7.1/shorewall.spec 2010-02-13 07:28:22.000000000 -0800
@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 4.4.7
-%define release 0base
+%define release 1
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -107,6 +107,10 @@
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
 
 %changelog
+* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-1
+* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0base
 * Fri Feb 05 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0base
 * Tue Feb 02 2010 Tom Eastep tom@shorewall.net
diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/uninstall.sh shorewall-4.4.7.1/uninstall.sh
--- shorewall-4.4.7/uninstall.sh 2010-02-11 07:29:41.000000000 -0800
+++ shorewall-4.4.7.1/uninstall.sh 2010-02-13 07:28:22.000000000 -0800
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.7
+VERSION=4.4.7.1
 
 usage() # $1 = exit status
 {