Shorewall 4.0.3 is available for download.
Problems Corrected in 4.0.3
1) Using the LOG target in the rules file could result in two LOG
rules being generated by Shorewall-shell. Additionally, using an IP
address range in a rule that performed logging could result in an
invalid iptables command.
2) Shorewall now loads the act_police kernel module needed by traffic
shaping.
3) Previously, "shorewall show -f capabilities" and
"shorecap" omitted
the "TCPMSS Match" capability. This made it appear to a compiler
using a capabilities file that the TCPMSS Match capability was not
available.
4) Previously, Shorewall would truncate long log prefixes to 29
characters. This resulted in there being no space between the log
prefix and the IN= part of the message.
Example: fw2net:LOG:HTTPSoutIN= OUT=eth0
Beginning with this release, Shorewall will truncate the prefix to
28 bytes and add a trailing space.
Example: fw2net:LOG:HTTPSou IN= OUT=eth0
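The prefix change above matters to anyone parsing Shorewall kernel logs: lines from earlier releases carry the prefix fused to the IN= field. The following added example (not Shorewall's own code) parses both forms into the same fields and models both truncation behaviours; the sample lines are constructed, and the leading "Shorewall" label it strips assumes the default LOGFORMAT "Shorewall:%s:%s:".

```python
# Added example (not Shorewall's code): parse Netfilter log lines written by
# Shorewall so that both the pre-4.0.3 fused prefix ("...HTTPSoutIN=") and
# the 4.0.3 form with a trailing space ("...HTTPSou IN=") yield the same
# fields. Sample lines below are constructed, not captured from a system.
import re

# Netfilter emits IN= as the first KEY=VALUE field, so everything before the
# first "IN=" is the Shorewall log prefix, whether or not a space separates them.
_FIELD_RE = re.compile(r'\b([A-Z]+)=(\S*)')

def truncate_prefix(prefix: str, release: str = '4.0.3') -> str:
    """Model the two truncation behaviours described in the release notes."""
    if release == '4.0.3':
        return prefix[:28] + ' '   # 28 bytes plus a trailing space
    return prefix[:29]             # pre-4.0.3: 29 bytes and no separator

def parse_shorewall_log(line: str) -> dict:
    """Split a log line into its Shorewall prefix parts and Netfilter fields."""
    start = line.find('IN=')
    if start < 0:
        raise ValueError('not a Netfilter log line (no IN= field)')
    prefix = line[:start]
    k = prefix.rfind('kernel: ')          # drop any syslog preamble
    if k >= 0:
        prefix = prefix[k + len('kernel: '):]
    prefix = prefix.rstrip()              # fused form has no trailing space
    fields = dict(_FIELD_RE.findall(line[start:]))
    parts = prefix.split(':')
    # Assumption: the default LOGFORMAT "Shorewall:%s:%s:" puts a leading
    # "Shorewall" label before the zones; strip it when present.
    if parts and parts[0] == 'Shorewall':
        parts = parts[1:]
    return {
        'prefix': prefix,
        'zones': parts[0] if len(parts) > 0 else '',
        'disposition': parts[1] if len(parts) > 1 else '',
        'tag': ':'.join(parts[2:]),
        'fields': fields,
    }

# Constructed sample lines: the same packet logged before and after 4.0.3.
OLD_LINE = ('kernel: fw2net:LOG:HTTPSoutIN= OUT=eth0 SRC=192.0.2.10 '
            'DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=443')
NEW_LINE = ('kernel: fw2net:LOG:HTTPSou IN= OUT=eth0 SRC=192.0.2.10 '
            'DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=443')

if __name__ == '__main__':
    for sample in (OLD_LINE, NEW_LINE):
        print(parse_shorewall_log(sample))
```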
5) Previously, if:
- FASTACCEPT=No
- The policy from Z1 to Z2 was CONTINUE
- Neither Z1 nor Z2 had parent zones
- There were no Z1->Z2 rules
then connections from Z2->Z1 would fail even if there were
rules/policies allowing them. This has been
corrected.
6) The 'shorewall add' and 'shorewall delete' commands would fail when:
- The running configuration was compiled with Shorewall-perl.
- The name of the interface specified in the command contained an
embedded special character such as '.' or '-'.
This problem was the result of the change in Shorewall 4.0.2 that
removed the legacy mapping of interface names when embedding such
names in a Netfilter chain name. To correct the problem, the
pre-4.0.2 name mapping is restored when DYNAMIC_ZONES=Yes.
7) A bug in Shorewall-shell prevented proper handling of PREROUTING
marks when HIGH_ROUTE_MARKS=No and the track option was specified
in /etc/shorewall/providers.
8) With Shorewall-perl, if EXPORTPARAMS=Yes then INCLUDE directives in
the params file would fail at script execution time with "INCLUDE:
not found". This has been corrected.
9) Shorewall-perl was mis-sorting the zone list when zones were nested
more than one deep.
10) Stale references to http://www.shorewall.net/Documentation.htm have
been removed from the config files (including samples). That URL
has been replaced by the online manpages.
Other Changes in 4.0.3
1) A script generated by Shorewall-perl now tries to modify/restore
/etc/iproute2/rt_tables only if the file is writable. This prevents
run-time errors when /etc is mounted read-only.
A new KEEP_RT_TABLES option has been added to shorewall.conf. When
set to Yes, this option prevents Shorewall from altering the
/etc/iproute2/rt_tables database. The KEEP_RT_TABLES option is only
recognized by Shorewall-perl and is ignored by Shorewall-shell.
2) Shorewall-perl now requires the FindBin Perl module.
3) When an optional provider is not available, a script generated by
Shorewall-perl will no longer add the corresponding
routing rules.
4) A new 'isusable' extension script has been added. This script
allows you to extend the availability test that Shorewall performs
on optional providers.
Here's an example that uses ping to ensure that the default
gateways through eth0 and eth1 are reachable:
    case $1 in
    eth0)
        ping -c 4 -I eth0 206.124.146.254 > /dev/null 2>&1
        return          # returns ping's exit status
        ;;
    eth1)
        ping -c 4 -I eth1 192.168.12.254 > /dev/null 2>&1
        return          # returns ping's exit status
        ;;
    *)
        # Assume we don't need to do any additional testing
        # for this interface beyond Shorewall's
        return 0
        ;;
    esac
Additional information is available at
http://www.shorewall.net/shorewall_extension_scripts.htm.
5) Processing of the message log in the 'show log', 'logwatch' and
'dump' commands has been sped up thanks to a suggestion by
Andrew Suffield.
6) Beginning with Shorewall 4.0, the shorewall 'stop' and 'clear'
commands were processed by the generated script from the
last successful 'start', 'restart' or 'refresh' command. This had
the side effect that updates to the /etc/shorewall/routestopped
file did not take effect until one of those three commands was
successfully processed.
Beginning with Shorewall 4.0.3, the old 3.x behavior is restored as
the default and the 4.0 behavior is enabled using the '-f' command
option.
Example: shorewall stop -f
7) An 'mss' option has been added to the interfaces file. This option
is only recognized by Shorewall-perl and causes Shorewall to set
the MSS field in forwarded TCP SYN packets going in or out the
interface to the value that you specify.
Example:
    #ZONE   INTERFACE   BROADCAST   OPTIONS
    vpn     ppp0        -           mss=1400
The mss option only affects incoming traffic that has not been
decrypted by IPSEC and outgoing traffic that will not subsequently
be encrypted by IPSEC. The MSS for IPSEC traffic is managed by the
'mss' option in /etc/shorewall/zones.
8) Shorewall now detects the presence of the 'hashlimit match'
capability. There is no builtin support yet for hashlimit but
detection allows extension scripts for user-supplied actions to
determine if the capability exists.
With Shorewall-shell, $HASHLIMIT_MATCH will be non-empty if the
capability exists.
With Shorewall-perl, $capabilities{HASHLIMIT_MATCH} will be true in
a boolean context if the capability exists. Shorewall-perl users
may also code the following in their extension script:
    use Shorewall::Config;
    require_capability( 'HASHLIMIT_MATCH',       # Capability
                        'My hashlimit action',   # Feature requiring capability
                        's' );                   # Feature is singular
                                                 # (if plural, pass the empty string)
That call would produce the following fatal error if the
capability isn't available:
ERROR: My hashlimit action requires the Hashlimit match capability
in your kernel and iptables
9) NFQUEUE support has been added to Shorewall-perl.
NFQUEUE may appear in actions, macros, rules and as a policy.
When NFQUEUE is used by itself, queue number zero is assumed. To
specify a queue number, follow NFQUEUE by a slash ("/") and the
queue number.
Examples (/etc/shorewall/rules):
    NFQUEUE          loc   net   tcp   #Queue number 0
    NFQUEUE/22       loc   net   udp   #Queue number 22
    NFQUEUE/22:info  loc   net   gre   #With logging
An NFQUEUE_DEFAULT option has been added to shorewall.conf for
specifying the default action to use with NFQUEUE policies.
Use of NFQUEUE requires the NFQUEUE Target capability in your
kernel/iptables. If you intend to use NFQUEUE with Shorewall-lite,
then you must install Shorewall-lite 4.0.3 in order to build a
capabilities file that includes NFQUEUE Target. If your
capabilities file was generated by a Shorewall/Shorewall-lite
version earlier than 4.0.3, you will receive a warning during
compilation.
10) The 'refresh' command can now refresh chains other than 'blacklst'.
The syntax of the command is now:
    shorewall refresh [ <chain> ... ]
If no <chain> is given then 'blacklst' is assumed. Otherwise, the
Shorewall-perl compiler compiles a script whose 'refresh' command
refreshes the listed <chain>(s).
The listed chains are assumed to be in the filter table. You can
refresh chains in other tables by prefixing the chain name with the
table name followed by ":" (e.g., nat:net_dnat). Chain names which
follow are assumed to be in that table until the end of the list or
until an entry in the list names another table.
This feature requires Shorewall-perl 4.0.3 as well as
Shorewall-common 4.0.3.
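To make the table-prefix rule above concrete, here is an added example (not Shorewall's own code) that resolves a refresh chain list into (table, chain) pairs exactly as described: no arguments means blacklst in filter, and a "table:" prefix applies to that chain and all following chains until another prefix. The chain names in the sample call are illustrative, and the set of table names is assumed to be the standard iptables tables.

```python
# Added example (not Shorewall's code): resolve the chain list accepted by
# "shorewall refresh [ <chain> ... ]" into (table, chain) pairs following
# the rules in the release notes: no arguments means filter:blacklst; a
# "table:" prefix selects that table for the chain and for every following
# chain until another prefix appears.
from typing import Dict, List, Tuple

# Assumption: the standard iptables tables are the only valid prefixes.
IPTABLES_TABLES = {'filter', 'nat', 'mangle', 'raw'}

def resolve_refresh_chains(args: List[str]) -> List[Tuple[str, str]]:
    """Return the (table, chain) pairs a refresh of `args` would touch."""
    if not args:
        return [('filter', 'blacklst')]
    table = 'filter'                      # chains default to the filter table
    resolved = []
    for arg in args:
        if ':' in arg:
            # "nat:net_dnat" switches the table for this and later chains
            table, chain = arg.split(':', 1)
            if table not in IPTABLES_TABLES:
                raise ValueError(f'unknown table {table!r} in {arg!r}')
        else:
            chain = arg
        if not chain:
            raise ValueError(f'missing chain name in {arg!r}')
        resolved.append((table, chain))
    return resolved

def group_by_table(pairs: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group resolved chains by table, keeping order, so each table is
    handled once (e.g. one iptables-restore fragment per table)."""
    grouped: Dict[str, List[str]] = {}
    for table, chain in pairs:
        grouped.setdefault(table, []).append(chain)
    return grouped

if __name__ == '__main__':
    # Constructed argument list; chain names are illustrative.
    print(group_by_table(resolve_refresh_chains(
        ['blacklst', 'nat:net_dnat', 'loc_dnat', 'mangle:tcpre'])))
```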
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key