Given the size of the changes included in this version, I decided to
have one more Beta before RC1.

Problems Corrected:

1) Previously, under very rare circumstances, a chain would be
   optimized away while there were still jumps to the chain. This
   caused Shorewall start/restart to fail during iptables-restore.

2) Previously, the setting of BLACKLIST_DISPOSITION was not
   validated. Now, an error is raised unless the value is DROP or
   REJECT.

New Features:

1) (Updated) Action processing has been largely re-implemented in this
   release. The prior implementation contained a lot of duplicated
   code which made maintenance difficult. The old implementation
   pre-processed all action files early in the compilation process and
   then post-processed the ones that had been actually used after the
   rules file had been read. The new algorithm generates the chain for
   each unique action invocation at the time that the invocation is
   encountered in the rules file.

   Consideration was given to eliminating the
   /usr/share/shorewall/actions.std and /etc/shorewall/actions files,
   since it is possible to discover actions "on the fly" in the same
   way as macros are discovered. That change was ultimately rejected
   because it could cause migration issues for users with macros and
   actions with the same name (e.g., action.xxx and macro.xxx). If a
   new major release of Shorewall (e.g., 4.6) is created, that change
   will be reconsidered for inclusion at that time.

   There is now support for parameterized actions. The parameters are
   a comma-separated list enclosed in parentheses following the
   action name (e.g., ACT(REDIRECT,192.168.1.4)). Within the action
   body, the parameter values are available in $1, $2, etc.

   You can 'omit' a parameter in the list by using '-' (e.g.,
   REDIRECT,-.info) would omit the second parameter (within the action
   body, $2 would expand to nothing). If you want to specify '-' as a
   parameter value, use '--'.

   Parameter values are also available to extensions scripts. See
   http://www.shorewall.net/Actions.html#Extension for more
   information.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
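
The parameter syntax described in the announcement above, as an added illustration that is not part of the original message and is not Shorewall's own (Perl) code. The function names `parse_invocation` and `expand_body`, the action-name grammar, and the handling of placeholders past the end of the list are assumptions; the sample inputs are constructed.

```python
import re

# NAME or NAME(param-list). This grammar is an assumption drawn from the
# announcement text, not taken from the Shorewall compiler.
_INVOCATION = re.compile(r'^([A-Za-z][\w-]*)(?:\(([^()]*)\))?$')
_PLACEHOLDER = re.compile(r'\$([1-9]\d*)')


def parse_invocation(target):
    """Split 'ACT(a,b)' into ('ACT', ['a', 'b'])."""
    m = _INVOCATION.match(target.strip())
    if not m:
        raise ValueError(f"malformed action invocation: {target!r}")
    name, raw = m.group(1), m.group(2)
    if not raw:
        return name, []
    params = []
    for field in raw.split(','):
        field = field.strip()
        if field == '-':        # omitted parameter: expands to nothing
            params.append('')
        elif field == '--':     # escaped form: a literal '-'
            params.append('-')
        else:                   # kept whole, including ':' or '.' inside it
            params.append(field)
    return name, params


def expand_body(line, params):
    """Replace $1, $2, ... in one action-body line with parameter values."""
    def repl(m):
        idx = int(m.group(1))
        # Assumption: a position past the end of the list expands to nothing.
        return params[idx - 1] if idx <= len(params) else ''
    return _PLACEHOLDER.sub(repl, line)


if __name__ == "__main__":
    # Constructed sample invocations.
    for sample in ("ACT(REDIRECT,192.168.1.4)", "ACT(REDIRECT,-,info)",
                   "ACT(DROP,--)", "ACT(DROP,100:200)"):
        print(sample, "->", parse_invocation(sample))
```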

On 12/30/10 9:08 AM, Tom Eastep wrote:
> Given the size of the changes included in this version, I decided to
> have one more Beta before RC1.

This change has broken the ability to detect action recursion. Will be
fixed in RC1 (the patch doesn't apply on Beta 8).

-Tom

On 1/1/11 8:25 AM, Tom Eastep wrote:
> On 12/30/10 9:08 AM, Tom Eastep wrote:
>> Given the size of the changes included in this version, I decided to
>> have one more Beta before RC1.
>
> This change has broken the ability to detect action recursion. Will be
> fixed in RC1 (the patch doesn't apply on Beta 8).

Turned out to be easy to make the patch work on Beta 8.

-Tom

Tom

If I code the following rules file entry:

extensions(DROP,length,ne,100:200) lan tst tcp 80

In the extensions script @params contains:

DROP length ne 100

Is this expected?

I have attached a minimal config. to demonstrate this.

Steven.

On 1/3/11 11:49 AM, Steven Jan Springl wrote:
> If I code the following rules file entry:
>
> extensions(DROP,length,ne,100:200) lan tst tcp 80
>
> In the extensions script @params contains:
>
> DROP length ne 100
>
> Is this expected?

No.

> I have attached a minimal config. to demonstrate this.

Patch attached. I've uploaded RC1 which also requires this patch.

Thanks, Steven!

-Tom

On Monday 03 January 2011 20:14:01 Tom Eastep wrote:
> Patch attached. I've uploaded RC1 which also requires this patch.
>
> Thanks, Steven!
> -Tom

Tom

I can confirm the patch fixes the problem with RC1. Thanks.

Steven.

On 1/3/11 12:39 PM, Steven Jan Springl wrote:
> I can confirm the patch fixes the problem with RC1. Thanks.

Thanks for confirming, Steven

-Tom