For your weekend testing enjoyment, 4.5.3 is available for download.

The release notes in the release packages do not mention the TPROXY support included in 4.5.3 (see New Feature #2 below). That feature is very lightly tested; I've verified that the correct rules are being generated and that iptables/kernel with TPROXY support load a TPROXY configuration okay, but I don't have a Squid3 test environment to try it out. I encourage those of you who do have such an environment to test this feature and let me know the result. Squid information may be found at http://wiki.squid-cache.org/Features/Tproxy4.

----------------------------------------------------------------------------
     P R O B L E M S   C O R R E C T E D   I N   4 . 5 . 3
----------------------------------------------------------------------------

1)  Previously, Shorewall generated invalid iptables-restore input if
    logging was specified on a NONAT rule.

2)  The fw2fw (fw-fw) chain could be incorrectly deleted with
    optimize 4.

3)  Entries in /etc/shorewall/tcpri generated an iptables-restore
    error on CentOS 5.3.

----------------------------------------------------------------------------
     K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

None.

----------------------------------------------------------------------------
     N E W   F E A T U R E S   I N   4 . 5 . 3
----------------------------------------------------------------------------

1)  Non-empty rules chains (those of the form zoneA2zoneB or
    zoneA-zoneB) are no longer optimized out of existence by
    optimize 4.

2)  TPROXY support has been added. See
    http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY.

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA      \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom

The tcrules manual page suggests that the order of the TPROXY parameters is:
mark address port

However, Shorewall requires the order:
mark port address

Steven.

Steven Jan Springl wrote:
> Tom
>
> The tcrules manual page suggests that the order of the TPROXY parameters is:
> mark address port
>
> However, Shorewall requires the order:
> mark port address

Thanks, Steven!

-Tom

Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> The tcrules manual page suggests that the order of the TPROXY parameters is:
>> mark address port
>>
>> However, Shorewall requires the order:
>> mark port address
>
> Thanks, Steven!

The column syntax description showed the correct order but the list in the TPROXY description listed the parameters in a different order. 7413d2a045bdb6ae1ef681ff1b13fb877d58c044 adjusts the list order to match the syntax.

Thanks again,
-Tom