Shorewall 4.4.15 is now available for download.

----------------------------------------------------------------------------
I. P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1) Previously, if

   a) syn flood protection was enabled in a policy that specified 'all'
      for the SOURCE or DEST, and
   b) there was only one pair of zones matching that policy, and
   c) PROPAGATE_POLICIES=Yes in shorewall.conf, and
   d) logging was specified on the policy

   then the chain implementing syn flood protection had "all" in its name
   while the logging rule did not.

   Example

   On a simple standalone configuration, /etc/shorewall/policy has:

   #SOURCE   DEST   POLICY   LOGGING
   net       all    DROP     info

   then the chain implementing syn flood protection would be named
   @net2all while the logging rule would indicate net2fw. Now, the chain
   will be named @net2fw.

2) If the current environment exported the VERBOSE variable with a
   non-zero value, then startup would fail.

3) If a route existed for an entire RFC1918 subnet (10.0.0.0/8,
   172.20.0.0/12 or 192.168.0.0/16), then setting NULL_ROUTE_RFC1918=Yes
   would cause the route to be replaced with an 'unreachable' one.

4) Shorewall6 failed to start correctly if all the following were true:

   - Shorewall was installed using the tarball. It may have subsequently
     been installed using a distribution-specific package or the rpm from
     shorewall.net without first uninstalling the tarball components.
   - Shorewall6 was installed using a distribution-specific package or the
     rpm from shorewall.net.
   - The file /etc/shorewall6/init was not created.

5) If an interface with physical='+' is given the 'optional' or 'required'
   option, then invalid shell variable names were generated by the
   compiler.

6) The contributed macro macro.JAP generated a fatal error when used.
   The root cause was a defect in parameter processing in nested macros
   (if 'PARAM' was passed to a nested macro invocation, it was not
   expanded to the current parameter value).

----------------------------------------------------------------------------
I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1) On systems running Upstart, shorewall-init cannot reliably secure the
   firewall before interfaces are brought up.

----------------------------------------------------------------------------
I I I.  N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1) Munin and Squid macros have been contributed by Tuomo Soini.

2) The Shorewall6 accounting, tcrules and rules files now include a
   HEADERS column which allows matching based on the IPv6 extension and
   protocol headers included in a packet. The contents of the column are:

      [any:|exactly:]<header list>

   where <header list> is a comma-separated list of headers from the
   following:

      Long Name    Short Name    Number
      --------------------------------------
      auth         ah            51
      esp          esp           50
      hop-by-hop   hop           0
      route        ipv6-route    41
      frag         ipv6-frag     44
      none         ipv6-nonxt    59
      protocol     proto         255

   If 'any:' is specified, the rule will match if any of the listed
   headers are present. If 'exactly:' is specified, the rule will match
   packets that exactly include all specified headers. If neither is
   given, 'any:' is assumed.

   This change adds a new capability (Header Match), so if you use a
   capabilities file, you will need to regenerate it using this release.

3) It is now possible to add explicit routes to individual provider
   routing tables using the /etc/shorewall/routes (/etc/shorewall6/routes)
   file. See the shorewall-routes (5) and/or the shorewall6-routes (5)
   manpage.

4) Previously, /usr/share/shorewall/compiler.pl expected the contents of
   the params file to be passed in the environment. Now, the compiler
   invokes a small shell program (/usr/share/shorewall/getparams) to
   process the file and to pass the (variable,value) pairs back to the
   compiler.

   Shell variable expansion uses the value from the params file if the
   parameter was set in that file. Otherwise the current environment is
   used. If the variable does not appear in either place, an error message
   is generated.

5) Shared IPv4/IPv6 traffic shaping configuration is now available. The
   device and class configuration can be included in either the Shorewall
   or the Shorewall6 configuration. To place it in the Shorewall
   configuration:

   a) Set TC_ENABLED=Internal in shorewall.conf
   b) Set TC_ENABLED=Shared in shorewall6.conf
   c) Create symbolic link /etc/shorewall6/tcdevices pointing to
      /etc/shorewall/tcdevices.
   d) Create symbolic link /etc/shorewall6/tcclasses pointing to
      /etc/shorewall/tcclasses.
   e) Entries for both IPv4 and IPv6 can be included in
      /etc/shorewall/tcfilters. This file has been extended to allow both
      IPv4 and IPv6 entries to be included in a single file.
   f) Packet marking rules are included in both configurations' tcrules
      file as needed. CLASSIFY rules in /etc/shorewall6/tcrules are
      validated against the Shorewall TC configuration.

   In this setup, the tcdevices and tcclasses will only be updated when
   Shorewall is restarted. The IPv6 marking rules are updated when
   Shorewall6 is restarted.

   The above configuration may be reversed to allow Shorewall6 to control
   the TC configuration.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
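An added example for the HEADERS column of section III item 2 (not Shorewall's own code): it validates a column value against the name table above and renders the corresponding ip6tables ipv6header match. The mapping of 'any:' to that module's --soft flag is an assumption about what the compiler emits, and the function names are invented here.

```python
"""Validate a Shorewall6 HEADERS value and map it to an ip6tables match."""
import re

# (long name, short name, number) exactly as listed in the release notes.
HEADER_TABLE = [
    ("auth",       "ah",         51),
    ("esp",        "esp",        50),
    ("hop-by-hop", "hop",         0),
    ("route",      "ipv6-route", 41),
    ("frag",       "ipv6-frag",  44),
    ("none",       "ipv6-nonxt", 59),
    ("protocol",   "proto",     255),
]

# Accept the long name, the short name or the number; canonicalise to the
# long name, which is the spelling ip6tables' ipv6header module accepts.
_CANONICAL = {}
for _long, _short, _num in HEADER_TABLE:
    _CANONICAL[_long] = _long
    _CANONICAL[_short] = _long
    _CANONICAL[str(_num)] = _long


def parse_headers(column):
    """Return (mode, [long names]); mode is 'any' or 'exactly'.

    'any' is assumed when no prefix is given. Raises ValueError on an
    empty list, an unknown header or a header listed twice, which are the
    checks a configuration linter should make before the rule is loaded.
    """
    mode, value = "any", column.strip()
    m = re.match(r"^(any|exactly):(.*)$", value)
    if m:
        mode, value = m.group(1), m.group(2)
    names = [n.strip().lower() for n in value.split(",")]
    if any(n == "" for n in names):
        raise ValueError("HEADERS: empty header list in %r" % column)
    result = []
    for n in names:
        if n not in _CANONICAL:
            raise ValueError("HEADERS: unknown header %r" % n)
        if _CANONICAL[n] in result:
            raise ValueError("HEADERS: header %r listed twice" % _CANONICAL[n])
        result.append(_CANONICAL[n])
    return mode, result


def ip6tables_match(column):
    """Render the assumed ip6tables fragment: --soft means 'any of'."""
    mode, names = parse_headers(column)
    opts = "-m ipv6header --header " + ",".join(names)
    return opts + (" --soft" if mode == "any" else "")
```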
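An added example for steps a) to d) of section III item 5 (not Shorewall's own code): a small lint that checks the two TC_ENABLED settings and the two symbolic links of a shared traffic-shaping layout, with the directory paths as parameters so it can be run against a copy rather than /etc. The sample layout builder is a constructed test fixture; all function names are invented here.

```python
"""Lint a shared IPv4/IPv6 traffic-shaping layout (steps a-d above)."""
import os
import re
import tempfile

_TC_RE = re.compile(r'^\s*TC_ENABLED\s*=\s*"?([^"#\s]*)"?')


def tc_enabled(conf_path):
    """Return the unquoted TC_ENABLED value; the last assignment wins."""
    value = ""
    with open(conf_path) as fh:
        for line in fh:
            m = _TC_RE.match(line)
            if m:
                value = m.group(1)
    return value


def check_shared_tc(internal_dir, shared_dir):
    """Return a list of problems; an empty list means steps a-d are met.

    internal_dir owns tcdevices/tcclasses (TC_ENABLED=Internal); shared_dir
    must have TC_ENABLED=Shared and symlinks to the owner's two files. The
    conf file is assumed to be named after the directory (shorewall.conf in
    /etc/shorewall, shorewall6.conf in /etc/shorewall6).
    """
    problems = []
    for d, want in ((internal_dir, "Internal"), (shared_dir, "Shared")):
        conf = os.path.join(d, os.path.basename(d) + ".conf")
        got = tc_enabled(conf) if os.path.isfile(conf) else ""
        if got != want:
            problems.append("%s: TC_ENABLED=%r, expected %r" % (conf, got, want))
    for name in ("tcdevices", "tcclasses"):
        link, target = os.path.join(shared_dir, name), os.path.join(internal_dir, name)
        if not os.path.islink(link):
            problems.append("%s is not a symbolic link" % link)
        elif os.path.realpath(link) != os.path.realpath(target):
            problems.append("%s does not point to %s" % (link, target))
        elif not os.path.isfile(target):
            problems.append("%s is missing" % target)
    return problems


def build_sample_layout(broken=False):
    """Constructed fixture: a throwaway /etc-like tree; broken=True makes
    the Shared side's tcclasses a plain file instead of a link."""
    base = tempfile.mkdtemp()
    v4, v6 = os.path.join(base, "shorewall"), os.path.join(base, "shorewall6")
    os.makedirs(v4)
    os.makedirs(v6)
    with open(os.path.join(v4, "shorewall.conf"), "w") as fh:
        fh.write("# constructed sample\nTC_ENABLED=Internal\n")
    with open(os.path.join(v6, "shorewall6.conf"), "w") as fh:
        fh.write('TC_ENABLED="Shared"\n')
    for name in ("tcdevices", "tcclasses"):
        open(os.path.join(v4, name), "w").close()
        if broken and name == "tcclasses":
            open(os.path.join(v6, name), "w").close()
        else:
            os.symlink(os.path.join(v4, name), os.path.join(v6, name))
    return v4, v6
```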