http://www.shorewall.net/pub/shorewall/development/4.1/shorewall-4.1.5/
ftp://www.shorewall.net/pub/shorewall/development/4.1/shorewall-4.1.5/
Problems corrected in 4.1.5.
1) An optimization added to Shorewall-shell in 4.0.0 has been backed
out to work around a limitation of Busybox 'sed'.
2) Previously, Shorewall would accept both an interface and an IP
address in tcrules POSTROUTING entries (such as CLASSIFY).
Example:
1:11 eth1:192.168.4.9 - tcp 22
It also allows both a destination interface and address.
Example:
1:P - eth1:192.168.4.9 tcp 22
Because Netfilter does not allow an input interface to be specified
in POSTROUTING or an output interface to be specified in
PREROUTING, Shorewall must use the routing table to generate a list
of networks accessed through any interface specified in these
cases. Given that a specific address (or set of addresses) has
already been specified, it makes no sense to qualify it (them) by
another list of addresses.
3) Shorewall-perl incorrectly generated a fatal error when ':C', ':T'
or ':CT' was used in a tcrules entry that gave $FW as the SOURCE.
New Features in 4.1.5.
1) The need for interface-specific chains (such as eth0_in, eth4_fwd,
etc.) in the filter table has been drastically reduced. This has
the effect of reducing the average number of rules that each packet
must traverse.
2) The default value for LOG_MARTIANS is now 'Yes' ('On' in
Shorewall-perl). Previously, the default value was 'No' ('Off' in
Shorewall-perl). The shorewall.conf file has also been updated to
specify a value of 'Yes' (which is interpreted as 'On' by
Shorewall-perl).
3) The /usr/share/shorewall/modules file has been updated to reflect
module renaming in kernel 2.6.25.
4) Some users are experiencing 'File Exists' errors when Shorewall
executes 'ip route replace' commands. I consider this a bug in
either kernel 2.6.24 or in iproute2 but until the issue is
resolved, I've added a hack to work around the problem.
If you are experiencing these problems then add the following line
to your shorewall.conf file:
BROKEN_ROUTING=Yes
Note: This hack is only available in Shorewall-perl.
5) Shorewall-perl now generates an error when a MAC address appears in
a traffic shaping rule in the OUTPUT or POSTROUTING chains.
6) Macros are now self-commenting under control of a new AUTO_COMMENT
option in shorewall.conf. When this option is set, if there is not
a current comment when a macro is invoked, the behavior under
Shorewall-perl is as if the first line of the macro file was
"COMMENT <macro name>".
So, if you have this rule:
SSH/ACCEPT loc fw
then the generated netfilter rule will include "/* SSH */" when
viewed with 'iptables -L', 'shorewall show loc2fw' or 'shorewall
dump'.
The AUTO_COMMENT option has a default value of 'Yes' and is only
available under Shorewall-perl. The option is ignored by
Shorewall-shell.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
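A worked illustration of item 2 under "Problems corrected" above (an interface and an address may no longer both be given in a POSTROUTING tcrules entry). This is example code added to this page; it is not part of the announcement and not Shorewall's own Perl or shell implementation. The routing table text is constructed, and the function names, the interface-name pattern and the IPv4-only handling are assumptions made for the example. It shows how an interface name in a POSTROUTING entry can be expanded to the networks the routing table reaches through that interface, and why a combined interface:address form is rejected once an explicit address is already present.

```python
import ipaddress
import re

# Constructed sample of `ip route show` output (not captured from any real host).
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
192.168.4.0/24 dev eth1 proto kernel scope link src 192.168.4.1
10.8.0.0/16 via 192.168.4.254 dev eth1
172.16.0.0/12 dev eth2 proto kernel scope link src 172.16.0.1
"""

# Assumed pattern for "looks like an interface name" (eth1, wlan0, ppp0.1, ...).
IFACE_RE = re.compile(r"[A-Za-z][\w.-]*")


def networks_via_interface(route_output, iface):
    """Return the non-default networks that the routing table sends out of `iface`.

    This is the expansion the release note describes: since Netfilter has no
    output-interface match in PREROUTING and no input-interface match in
    POSTROUTING, an interface name in those chains has to become a list of
    networks derived from the routing table.  The default route is skipped
    because it would match everything.
    """
    nets = []
    for line in route_output.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        if fields[fields.index("dev") + 1] != iface:
            continue
        if fields[0] == "default":
            continue
        nets.append(ipaddress.ip_network(fields[0]))
    return nets


def resolve_postrouting_dest(dest, route_output):
    """Validate and expand the DEST column of a POSTROUTING tcrules entry.

    Accepted forms (the 4.1.5 behaviour described above):
      "-"             -> no destination restriction (empty list)
      "eth1"          -> the networks routed via eth1, from the routing table
      "192.168.4.9"   -> the address (or network) exactly as given
    Rejected: "eth1:192.168.4.9", because the explicit address already
    restricts the rule and qualifying it by a second address list from the
    routing table adds nothing.  IPv4 only (an assumption for this example).
    """
    if dest == "-":
        return []
    if ":" in dest:
        iface_part = dest.split(":", 1)[0]
        if IFACE_RE.fullmatch(iface_part):
            raise ValueError(
                f"interface and address may not both be given in POSTROUTING: {dest!r}"
            )
    if IFACE_RE.fullmatch(dest):
        nets = networks_via_interface(route_output, dest)
        if not nets:
            raise ValueError(f"no networks are routed via interface {dest!r}")
        return nets
    # Anything else is taken as an address or network literal.
    return [ipaddress.ip_network(dest, strict=False)]


if __name__ == "__main__":
    for dest in ("-", "eth1", "192.168.4.9", "eth1:192.168.4.9"):
        try:
            print(dest, "->", [str(n) for n in resolve_postrouting_dest(dest, SAMPLE_ROUTES)])
        except ValueError as exc:
            print(dest, "-> ERROR:", exc)
```

Feeding the output of a real `ip route show` into `resolve_postrouting_dest` instead of the constructed sample shows which networks a given interface name would actually expand to on a host, which is useful when checking that a traffic-shaping rule matches no more than intended.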
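A worked illustration of the AUTO_COMMENT feature described under "New Features" above. This is example code added to this page, not the announcement's own text and not Shorewall-perl's implementation. The macro table and the rule lines are constructed, the chain naming (source2dest, matching the "loc2fw" mentioned above) and the function name are assumptions, and the output is a simplified iptables command line rather than what Shorewall actually emits. It shows the precedence the note describes: an explicit COMMENT line wins, the macro name is used only when no comment is current and AUTO_COMMENT is on, and with AUTO_COMMENT off a macro invocation gets no comment at all.

```python
# Constructed stand-in for the macro files (the real ones live under
# /usr/share/shorewall/macro.*): macro name -> (protocol, destination port).
MACROS = {
    "SSH": ("tcp", "22"),
    "HTTP": ("tcp", "80"),
}


def render_rules(rule_lines, auto_comment=True):
    """Render rules-file lines into simplified iptables rule strings.

    Recognised line shapes (an assumption for this example):
      "COMMENT <text>"            sets the current comment; "COMMENT" alone clears it
      "ACTION SOURCE DEST"         a plain rule, e.g. "ACCEPT loc fw"
      "MACRO/ACTION SOURCE DEST"   a macro invocation, e.g. "SSH/ACCEPT loc fw"
    The comment becomes an iptables "-m comment --comment" match, which
    `iptables -L` displays as /* text */.
    """
    current_comment = None
    rendered = []
    for raw in rule_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] == "COMMENT":
            current_comment = " ".join(fields[1:]) or None
            continue
        action, source, dest = fields[:3]
        comment = current_comment
        match = ""
        if "/" in action:
            macro, action = action.split("/", 1)
            proto, port = MACROS[macro]
            match = f" -p {proto} --dport {port}"
            # AUTO_COMMENT: only when no comment is current at invocation time.
            if comment is None and auto_comment:
                comment = macro
        rule = f"-A {source}2{dest}{match}"
        if comment is not None:
            rule += f' -m comment --comment "{comment}"'
        rule += f" -j {action}"
        rendered.append(rule)
    return rendered


if __name__ == "__main__":
    sample = [
        "SSH/ACCEPT loc fw",
        "COMMENT admin web",
        "HTTP/ACCEPT loc fw",
        "COMMENT",
        "ACCEPT loc fw",
    ]
    for rule in render_rules(sample):
        print(rule)
```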
Tom

A "shorewall start" command produces the following error when I use the attached "nonesense" configuration:

ERROR: Internal error in create_netfilter_load()

The configuration works with Shorewall 4.1.4 kernel 2.6.25-rc2 and both iptables 1.4.0 and xtables 1.5.1

Note: you may want to update your test library with this configuration.

Steven.
Tom

A "shorewall start" command produces the following error when I use the attached "nonesense" configuration:

ERROR: Internal error in create_netfilter_load()

The configuration works with Shorewall 4.1.4 kernel 2.6.25-rc2 and both iptables 1.4.0 and xtables 1.5.1

Note: you may want to update your test library with this configuration.

There is another version of this email that is greater than 40k, awaiting moderator approval, it should be ignored.

Steven.
Hi Steven,

Steven Jan Springl wrote:
> A "shorewall start" command produces the following error when I use the
> attached "nonesense" configuration:
>
> ERROR: Internal error in create_netfilter_load()
>
> The configuration works with Shorewall 4.1.4 kernel 2.6.25-rc2 and both
> iptables 1.4.0 and xtables 1.5.1

I don't understand how it progressed that far -- I had to write a rather large patch just to make the config compile without 'unknown host' errors on address ranges in the routestopped and ecn file. At any rate, the attached patch corrects all errors for me.

> Note: you may want to update your test library with this configuration.

Good idea.

-Tom
> At any rate, the attached patch corrects all errors for me.

Tom

The patch fixes the errors for me too.

Steven.
Steven Jan Springl wrote:
> The patch fixes the errors for me too.

Thanks, Steven

-Tom