With the discovery yesterday of a serious problem with Shorewall-perl's processing of /etc/shorewall/accounting, I've decided to go ahead and release 4.0.2.

Problems corrected in 4.0.2

1) The Shorewall-perl compiler was still generating invalid iptables-restore input from entries in /etc/shorewall/ecn.

2) When using Shorewall-perl, unless an interface was specified as 'optional' in the interfaces file, the 'restore' command would fail if the routes through the interface or the addresses on the interface could not be detected. Route detection occurs when the interface is named in the SOURCE column of the masq file. Address detection occurs when DETECT_DNAT_IPADDRS=Yes and the interface is the SOURCE for a DNAT or REDIRECT rule, or when 'maclist' is specified for the interface. Since the 'restore' command doesn't use the detected information, detection is now skipped if the command is 'restore'.

3) It was not previously possible to define traffic shaping on a bridge port; the generated script complained that the interface was not up and configured.

4) When Shorewall-shell was not installed, certain options in /etc/shorewall/interfaces and /etc/shorewall/hosts would cause the 'add' and 'delete' commands to fail with a missing library error.

   OPTION      FILE
   maclist     interfaces, hosts
   proxyarp    interfaces

5) The /var/lib/shorewall/zones file was being overwritten during processing of the 'refresh' command by a script generated with Shorewall-perl. The result was that hosts previously added to dynamic zones could not be deleted after the 'refresh'.

6) If the file named as the output file in a Shorewall-perl 'compile' command was a symbolic link, the generated error message erroneously stated that the file's parent directory was a symbolic link. As part of this change, cosmetic changes were made to a number of other error messages.
7) Some intra-zone rules were missing when a zone involved multiple interfaces or when a zone included both IPSEC and non-IPSEC networks.

8) Shorewall was not previously loading the xt_multiport kernel module.

9) The Russian and French translations no longer have English headings on notes, cautions, etc.

10) Previously, using a port list in the DEST PORT(S) column of the rules file or in an action file could cause an invalid iptables command to be generated by Shorewall-shell.

11) If there were no bridges in a configuration, Shorewall-perl would ignore the CHAIN column in /etc/shorewall/accounting.

Other changes in 4.0.2

1) Shorewall-perl now detects when a port range is included in a list of ports and iptables/kernel support for Extended Multi-port Match is not available. This avoids an iptables-restore failure at run-time.

2) Most chains created by Shorewall-shell have names that can be embedded within shell variable names. This is a workaround for limitations in the shell programming language, which has no equivalent to Perl hashes. Often chain names must have the name of a network interface encoded in them. Given that interface names can contain characters that are invalid in a shell variable name, Shorewall-shell performs a name mapping which was carried forward to Shorewall-perl:

   - Trailing '+' is dropped.
   - The characters '.', '-', '%' and '@' are translated to '_'.

   This mapping has been eliminated in the 4.0.2 release of Shorewall-perl. So where before you would see chain "eth0_0_in", you may now see the same chain named "eth0.0_in". Similarly, a chain previously named "ppp_fwd" may now be called "ppp+_fwd".

3) Shorewall-perl now uses the contents of the BROADCAST column in /etc/shorewall/interfaces when the Address Type match capability is not available.
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
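As an added illustration of the interface-name mapping described under "Other changes" item 2 above (this is example code written for this page, not Tom's message and not Shorewall's own code), the POSIX sh below reproduces the legacy mapping that Shorewall-shell uses and that Shorewall-perl dropped in 4.0.2, and shows why it exists: a chain name such as "eth0.0_in" cannot be used as a shell variable name. The function names (map_interface_name, legacy_chain_name, chain_name, is_valid_var_name) and the sample interface names are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not Shorewall code. Reproduces the chain-name mapping
# described in the 4.0.2 announcement so its effect can be seen directly.
#
# Shell variable names may only contain [A-Za-z0-9_] and may not start
# with a digit. Interface names can contain '.', '-', '%', '@' and '+',
# so Shorewall-shell rewrites the interface name before embedding it in
# a chain name that it will later use inside a variable name.

# Legacy mapping (Shorewall-shell, and Shorewall-perl before 4.0.2):
#   - drop a trailing '+'
#   - translate '.', '-', '%' and '@' to '_'
map_interface_name() {
    printf '%s' "$1" | sed -e 's/+$//' -e 's/[.%@-]/_/g'
}

# Chain name as Shorewall-shell builds it: mapped interface + "_" + suffix
# (suffix is "in", "fwd", etc.). Function name is an assumption.
legacy_chain_name() {
    printf '%s_%s' "$(map_interface_name "$1")" "$2"
}

# Chain name as Shorewall-perl 4.0.2 builds it: the interface name is used
# unmodified, so "eth0.0" -> "eth0.0_in" and "ppp+" -> "ppp+_fwd".
chain_name() {
    printf '%s_%s' "$1" "$2"
}

# True (exit 0) if $1 is a syntactically valid sh variable name.
is_valid_var_name() {
    case "$1" in
        '' | [0-9]* | *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Side-by-side view for a few constructed interface names.
for ifc in eth0.0 ppp+ br-lan eth0%1; do
    legacy=$(legacy_chain_name "$ifc" in)
    new=$(chain_name "$ifc" in)
    if is_valid_var_name "$new"; then ok=yes; else ok=no; fi
    printf '%-8s legacy chain %-12s 4.0.2 chain %-12s usable as sh variable: %s\n' \
        "$ifc" "$legacy" "$new" "$ok"
done
```

The last column is the point of the original workaround: every legacy chain name passes is_valid_var_name, whereas the 4.0.2 Shorewall-perl names for "eth0.0" or "ppp+" do not, which is harmless for Shorewall-perl because it keeps chain state in Perl hashes rather than shell variables.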