Shorewall 4.4.19.4 is now available.
Problems corrected in this update:
1) Previously, the compiler would allow a degenerate entry (only the
BAND specified) in /etc/shorewall/tcpri. Such an entry now raises a
compilation error.
2) Previously, it was possible to specify tcfilters and tcrules that
classified traffic with the class-id of a non-leaf HFSC class. Such
classes are not capable of handling packets.
Shorewall now generates a compile-time warning in this case and
ignores the entry.
If a non-leaf class is specified as the default class, then
Shorewall now generates a compile-time error since that
configuration allows no network traffic to flow.
3) Traditionally, Shorewall has not checked for the existence of
ipsets mentioned in the configuration, potentially resulting in a
run-time start/restart failure. Now, the compiler will issue a
WARNING if:
a) The compiler is being run by root.
b) The compilation isn't producing a script to run on a remote
system under a -lite product.
c) An ipset appearing in the configuration does not exist on the
local system.
4) As previously implemented, the 'refresh' command could fail or
could result in a ruleset other than what was intended. If there
had been changes in the ruleset since it was originally
started/restarted/restored that added or deleted sequenced chains
(chains such as ~lognnn and ~exclnnn), the resulting ruleset could
jump to the wrong such chains or could fail to 'refresh'
successfully.
This issue has been corrected as follows. When a 'refresh' is done
and individual chains are involved, then each table that contains
both sequenced chains and one of the chains being refreshed is
refreshed in its entirety.
For example, if 'shorewall refresh foo' is issued and the filter
table (which is the default) contains any sequenced chains, then
the entire table is reloaded. Note that this reload operation is
atomic so no packets are passed through an inconsistent
configuration.
5) When 'shorewall6 refresh' was run previously, a harmless
'ip6tables: Chain exists' message was generated.
Thank you for using Shorewall,
-Tom
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
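
The ipset existence check described in item 3, sketched as an added example; it is not Shorewall's own code, which is written in Perl. The function names, the warning text, the set-name pattern and the sample rules are assumptions made for illustration; on a live system the set of existing names could be taken from `ipset list -n`.

```python
import re

# An ipset reference is '+' followed by the set name, optionally with
# [src,dst] flags, e.g. net:+blacklist[src] or !+trusted.
# Assumption: names start with a letter and use letters, digits, '_' and '-'.
IPSET_REF = re.compile(r'(?:^|[:,!\s])\+([A-Za-z][\w-]*)')

def referenced_ipsets(config_text):
    """Return {set_name: [line numbers]} for every ipset the text references."""
    refs = {}
    for lineno, line in enumerate(config_text.splitlines(), 1):
        line = line.split('#', 1)[0]            # ignore comments
        for name in IPSET_REF.findall(line):
            refs.setdefault(name, []).append(lineno)
    return refs

def ipset_warnings(config_text, existing, euid, for_remote):
    """Warn only when all three conditions from item 3 hold:
    a) run by root, b) not compiling for a remote -lite system,
    c) a referenced ipset is absent from the local system."""
    if euid != 0 or for_remote:
        return []                               # local ipsets prove nothing here
    warnings = []
    for name, lines in sorted(referenced_ipsets(config_text).items()):
        if name not in existing:
            where = ", ".join(str(n) for n in lines)
            warnings.append(f"WARNING: ipset {name} (line {where}) does not exist")
    return warnings

# Constructed sample of /etc/shorewall/rules entries (not from the announcement).
SAMPLE_RULES = """\
#ACTION  SOURCE                 DEST   PROTO  DPORT
DROP     net:+blacklist[src]    all
ACCEPT   net:+admins            $FW    tcp    22
ACCEPT+  net                    $FW    tcp    80   # +notaset in a comment
DROP     net:!+trusted          loc
"""

if __name__ == "__main__":
    # Constructed state: only 'blacklist' exists on the local system.
    for w in ipset_warnings(SAMPLE_RULES, {"blacklist"}, euid=0, for_remote=False):
        print(w)
```

The check is skipped for non-root runs and for remote exports because in those cases the local ipset list says nothing about the system the script will run on.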