I''m pleased to announce the availability of Shorewall 4.0.4. This release is focused on defect removal so there is only one new feature. That new feature works around a Multi-ISP problem in recent Fedora releases. Problems Corrected in Shorewall 4.0.4 1) If no interface had the ''blacklist'' option, then when using Shorewall-perl, the ''start'' and ''restart'' command failed: ERROR: No filter chain found with name blacklst New Shorewall-perl 4.0.3 packages were released that corrected this problem; it is included here for completeness. 2) If no interface had the ''blacklist'' option, then when using Shorewall-perl, the generated script would issue this harmless message during ''shorewall refresh'': chainlist_reload: Not found 3) If /bin/sh was a light-weight shell such as ash or dash, then ''shorewall refresh'' failed. 4) During start/restart, the script generated by Shorewall-perl was clearing the proxy_arp flag on all interfaces; that is not the documented behavior. 5) If the module-init-tools package was not installed and /etc/shorewall/modules did not exist or was non-empty, then Shorewall-perl would fail with the message: ERROR: Can''t run lsmod : /etc/shorewall/modules (line 0) 6) Shorewall-perl now makes a compile-time check to insure that iptables-restore exists and is executable. This check is made when the compiler is being run by root and the -e option is not given. Note that iptables-restore must reside in the same directory as the iptables executable specified by IPTABLES in shorewall.conf or located by the PATH in the event that IPTABLES is not specified. 7) When using Shorewall-perl, if an action was invoked with more than 10 different combinations of log-levels/tags, some of those invocations would have incorrect logging. 8) Previously, when ''shorewall restore'' was executed, the iptables-restore utility was always located using the PATH setting rather than the IPTABLES setting. With Shorewall-perl, the IPTABLES setting is now used to locate this utility during ''restore'' as it is during the processing of other commands. 9) Although the shorewall.conf manpage indicates that the value ''internal'' is allowed for TC_ENABLED, that value was previously rejected (''Internal'' was accepted). 10) The meaning of the ''loose'' provider option was accidentally reversed in Shorewall-perl. Rather than causing certain routing rules to be omitted when specified, it actually caused them to be added (these rules were omitted when the option was NOT specified). 11) If the ''bridge'' option was specified on an interface but there were no bport zones, then traffic originating on the firewall was not passed through the accounting chain. 12) In commands such as: shorewall compile <directory> shorewall restart <directory> shorewall check <directory> if the name of the <directory> contained a period ("."), then Shorewall-perl would incorrectly substitute the current working directory for the name. 13) Previously, if the following sequence of routing rules was specified, then the first rule would always be omitted. #SOURCE DEST PROVIDER PRIORITY $SRC_A $DESTIP1 ISP1 1000 $SRC_A $DESTIP2 SOMEISP 1000 $SRC_A - ISP2 1000 The reason for this omission was that Shorewall uses a delete-before-add approach and attempting to delete the third rule resulted in the deletion of the first one instead. This problem occurred with both compilers. 14) When using Shorewall-shell, provider numbers were not recognized in the PROVIDER column of /etc/shorewall/route_rules. 15) An off-by-one problem in Shorewall-perl caused the value 255 to be rejected in the MARK column of /etc/shorewall/tcclasses. 16) When HIGH_ROUTE_MARKS=Yes, marks with values > 255 must be a multiple of 256. That restriction was being enforced by Shorewall-shell but not by Shorewall-perl. Shorewall-perl now also enforces this restriction. 17) Using REDIRECT with a parameterized macro (e.g., DNS/REDIRECT) failed with an "Unknown interface" error when using Shorewall-perl. Other Changes in Shorewall 4.0.4 1) The detection of ''Repeat Match'' has been improved. ''Repeat Match'' is not a match at all but rather is a feature of recent versions of iptables that allows a particular match to be used multiple times within a single rule. Example: -A foo -m physdev --physdev-in eth0 -m physdev --physdev-out ... When using Shorewall-shell, the availability of ''Repeat Match'' can speed up compilation very slightly. 2) Apparently recent Fedora releases are broken. The following sequence of commands demonstrates the problem: ip rule add from 1.1.1.1 to 10.0.0.0/8 priority 1000 table 5 ip rule add from 1.1.1.1 to 0.0.0.0/0 priority 1000 table main ip rule del from 1.1.1.1 to 0.0.0.0/0 priority 1000 The third command should fail but doesn''t; instead, it incorrectly removes the rule added by the first command. To work around this issue, you can set DELETE_THEN_ADD=No in shorewall.conf which prevents Shorewall from deleting ip rules before attempting to add a similar rule. 3) When using Shorewall-perl, the following message is now issued if the ''detectnets'' option is specified in /etc/shorewall/interfaces: WARNING: Support for the ''detectnets'' option will be removed from Shorewall-perl in version 4.0.5; better to use ''routefilter'' and ''logmartians The ''detect'' options has always been rather silly. On input, it duplicates the function of ''routefilter''. On output, it is a no-op since traffic that doesn''t match a route out of an interface won''t be sent through that interface (duh!). Beginning with Shorewall 4.0.5, the warning message will read: WARNING: Support for the ''detectnets'' option has been removed -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2005. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/