Beta 4 is now available for testing.

Problems Corrected since Beta 3:

1)  When logical interface names were used, an entry in tcrules that
    includes a classid could result in the compiler failing with this
    Perl diagnostic:

        Can't use an undefined value as an ARRAY reference at
        /usr/share/shorewall/Shorewall/Tc.pm line nnn, <$currentfile> line 20.

New Features since Beta 3:

1)  It is now possible to use Perl-compatible expressions in ?IF
    directives. As before, variables must be environmental variables,
    options from shorewall.conf, shell variables set in the params file
    or capabilities. As previously, capabilities may be entered with
    leading '__' rather than '$'.

    Example:

        ?IF $BLACKLIST_LOGLEVEL && ! __LOG_OPTIONS

2)  The ?ELSIF directive has been added allowing more convenient
    expression of complex include scenarios.

    Example (column headings abbreviated to fit release notes format):

        #NAME     NUM  MARK     DUP  INTERFACE  GWAY    OPTIONS
        ?IF $FALLBACK
        ComcastB  1    0x10000  -    COMB_IF    detect  fallback
        ComcastC  2    0x20000  -    COMC_IF    detect  fallback
        ?ELSIF $STATISTICAL
        ComcastB  1    0x10000  -    COMB_IF    detect  load=0.66666667
        ComcastC  2    0x20000  -    COMC_IF    detect  load=0.33333333
        ?ELSE
        ComcastB  1    0x10000  -    COMB_IF    detect  balance=2
        ComcastC  2    0x20000  -    COMC_IF    detect  loose,balance
        ?ENDIF

3)  An ORIGINAL DEST column has been added to the masq file, allowing
    SNAT rules to match only DNAT traffic to a particular original
    source address.

Thank you for testing,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
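
A simplified model of the ?IF/?ELSIF/?ELSE/?ENDIF selection described in the release note above, added here as an illustration; it is not Shorewall's own code, which is written in Perl. It assumes conditions contain only variables, capabilities, !, && and || and that undefined names count as false; evaluate, preprocess and SAMPLE are hypothetical names.

```python
import re

TOKEN = re.compile(r"\s*(\$\w+|__\w+|&&|\|\||!|\(|\))")

def evaluate(expr, variables, caps):
    # Model subset: $VAR, __CAP, !, &&, ||, ( ) only, so eval sees just booleans.
    expr, words, pos = expr.strip(), [], 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported expression: {expr!r}")
        tok, pos = m.group(1), m.end()
        if tok[0] in "$_":  # Perl truth: undefined, "" and "0" are false
            value = variables.get(tok[1:]) if tok[0] == "$" else caps.get(tok[2:])
            tok = str(value not in (None, "", "0"))
        words.append({"&&": "and", "||": "or", "!": "not"}.get(tok, tok))
    return bool(eval(" ".join(words), {"__builtins__": {}}))

def preprocess(lines, variables, caps=None):  # returns the surviving lines
    caps, kept, stack = caps or {}, [], []
    for line in lines:  # one stack frame per open ?IF: [parent_on, taken, on]
        word, _, rest = line.strip().partition(" ")
        if word in ("?ELSIF", "?ELSE", "?ENDIF") and not stack:
            raise ValueError(f"{word} without ?IF")
        if word == "?IF":
            parent = all(f[2] for f in stack)
            hit = parent and evaluate(rest, variables, caps)
            stack.append([parent, hit, hit])
        elif word in ("?ELSIF", "?ELSE"):
            f = stack[-1]  # a branch is used only if no earlier one was
            hit = f[0] and not f[1] and (
                word == "?ELSE" or evaluate(rest, variables, caps))
            f[1], f[2] = f[1] or hit, hit
        elif word == "?ENDIF":
            stack.pop()
        elif all(f[2] for f in stack):
            kept.append(line)
    if stack:
        raise ValueError("missing ?ENDIF")
    return kept

# Constructed input, abbreviated from the provider entries in the release note.
SAMPLE = """?IF $FALLBACK
ComcastB 1 0x10000 - COMB_IF detect fallback
?ELSIF $STATISTICAL
ComcastB 1 0x10000 - COMB_IF detect load=0.66666667
?ELSE
ComcastB 1 0x10000 - COMB_IF detect balance=2
?ENDIF""".splitlines()
```

When both FALLBACK and STATISTICAL are set, only the first matching branch is emitted, which is the property to check when a conditional file decides which firewall entries are compiled in.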

Tom

Rule:

    ACCEPT fw dmz tcp 22 - - - -20

produces the following error message:

    iptables-restore v1.4.14: owner: Bad value for "--uid-owner" option: "-20"

Steven.

On 6/30/12 1:33 PM, Steven Jan Springl wrote:
> Rule:
>
> ACCEPT fw dmz tcp 22 - - - -20
>
> produces the following error message:
>
> iptables-restore v1.4.14: owner: Bad value for "--uid-owner" option: "-20"

This patch seems to eliminate the problem.

Thanks Steven,
-Tom

On Saturday 30 Jun 2012 22:45:12 Tom Eastep wrote:
> On 6/30/12 1:33 PM, Steven Jan Springl wrote:
> > Rule:
> >
> > ACCEPT fw dmz tcp 22 - - - -20
> >
> > produces the following error message:
> >
> > iptables-restore v1.4.14: owner: Bad value for "--uid-owner" option:
> > "-20"
>
> This patch seems to eliminate the problem.
>
> Thanks Steven,
> -Tom

Tom

Confirmed, the patch fixes the issue.

Thanks.

Steven.