Shorewall devel - Mar 2010 - Shorewall 4.4.8 Beta 2

Beta 2 is now ready for testing. I am particularly interested in having
the new Shorewall and Shorewall6 tested with earlier versions of
Shorewall Lite and Shorewall6 Lite.

http://www.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.8-Beta2/
ftp://ftp.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.8-Beta2/

The main changes in this release are:

a)  There are now only four all-caps variable names reserved in
    addition to option names from shorewall.conf and names beginning
    with SHOREWALL_ or SW_.

	COMMAND
	CONFDIR
	SHAREDIR
	VARDIR

    The contents of these variables is described at
    http://www1.shorewall.net/shorewall_extension_scripts.htm.

b)  There is a new shell function library, lib.common. That library is
    used both by generated scripts and by the command line tool. The
    library is copied into each generated script to avoid dependency
    issues with saved scripts and with the Lite products.

c)  The installers for Shorewall and Shorewall6 support an
''-s'' option
    which causes only the shorewall.conf (shorewall6.conf) to be
    installed in the configuration directory.

d)  A couple of defects are corrected:

	1.  Previously, when a supported command failed, the Debian
	    Shorewall init script would still return a success (zero)
            exit status. It now returns a failure status (1) when the
            command fails.

        2.  Previously, if a queue number was specified in an NFQUEUE
            policy (e.g., NFQUEUE(0)), invalid iptables-restore input
            would be generated.

        3.  Previously, with optimization 4, users of ipsec on older r
            releases such as RHEL5 and CentOS, could encounter an error
            similar to this
            one:

    	    Running /sbin/iptables-restore...
    	    iptables-restore v1.3.5: Unknown arg `out''
    	    Error occurred at line: 93
    	    Try `iptables-restore -h'' or ''iptables-restore
--help'' for
            more information.
            ERROR: iptables-restore Failed. Input is in
               /var/lib/shorewall/.iptables-restore-input
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

Tom Eastep wrote:
> Beta 2 is now ready for testing. I am particularly interested in having
> the new Shorewall and Shorewall6 tested with earlier versions of
> Shorewall Lite and Shorewall6 Lite.
I have just found a potentially serious bug in 4.4.8 Beta2. The
''-p''
option to ''shorewall restart'' and ''shorewall-lite
restart'' does not
work. Rather than purging the conntrack table, it bypasses updating of
the routing configuration.

I''ve attached a patch and have also placed a copy at:

http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.8-Beta2/Patches/Patch-4.4.8-Beta2-1.diff
ftp://ftp1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.8-Beta2/Patches/Patch-4.4.8-Beta2-1.diff

To apply the patch:

  patch /usr/share/shorewall/prog.footer < Patch-4.4.8-Beta2-1.diff

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev