The Shorewall team is pleased to announce the availability of Shorewall
4.4.2. The release is available for download at most mirrors, and all
mirrors should be populated by tomorrow.

4.4.2 Debian packages for Lenny are available in Roberto's Repository.

----------------------------------------------------------------------------
  P R O B L E M S  C O R R E C T E D  I N  4 . 4 . 2
----------------------------------------------------------------------------

1) Detection of Persistent SNAT was broken in the rules compiler.

2) Initialization of the compiler's chain table was occurring before
   shorewall.conf had been read and before the capabilities had been
   determined. This could lead to incorrect rules and Perl runtime
   errors.

3) The 'shorewall check' command previously did not detect errors in
   /etc/shorewall/routestopped.

4) In earlier versions, if a file with the same name as a built-in
   action were present in the CONFIG_PATH, then the compiler would
   process that file like it was an extension script.

   The compiler now ignores the presence of such files.

----------------------------------------------------------------------------
  N E W  F E A T U R E S  I N  4 . 4 . 2
----------------------------------------------------------------------------

1) Prior to this release, line continuation has taken precedence over
   #-style comments. This prevented us from doing the following:

       ACCEPT net:206.124.146.176,\ #Gateway
                  206.124.146.177,\ #Mail
                  206.124.146.178\ #Server
       ...

   Now, unless a line ends with '\', any trailing comment is stripped
   off (including any white-space preceding the '#'). Then if the line
   ends with '\', it is treated as a continuation line as normal.

2) Three new columns have been added to FORMAT-2 macro bodies.

       MARK
       CONNLIMIT
       TIME

   These three columns correspond to the similar columns in
   /etc/shorewall/rules and must be empty in macros invoked from an
   action.

3) Accounting chains may now have extension scripts. Simply place your
   Perl script in the file /etc/shorewall/<chain> and when the
   accounting chain named <chain> is created, your script will be
   invoked. As usual, the variable $chainref will contain a reference
   to the chain's table entry.

5) Several configuration issues which previously produced an error or
   warning are now handled differently.

   a) MAPOLDACTIONS=Yes and MAPOLDACTIONS= in shorewall.conf are now
      handled as they were by the old shell-based compiler. That is,
      they cause pre-3.0 built-in actions to be mapped automatically
      to the corresponding macro invocation.

   b) SAVE_IPSETS=Yes no longer produces a fatal error -- it is now a
      warning.

   c) DYNAMIC_ZONES=Yes no longer produces a fatal error -- it is now
      a warning.

   d) RFC1918_STRICT=Yes no longer produces a fatal error -- it is now
      a warning.

6) Previously, it was not possible to specify an IP address range in
   the ADDRESS column of /etc/shorewall/masq. Thanks go to Jessee
   Shrieve for the patch.

7) The 'wait4ifup' script included for Debian compatibility now runs
   correctly with no PATH.

8) The new per-IP LIMIT feature now works with ancient iptables
   releases (e.g., 1.3.5 as found on RHEL 5). This change required
   testing for an additional capability which means that those who
   use a capabilities file should regenerate that file after
   installing 4.4.2.

9) One unintended difference between Shorewall-shell and
   Shorewall-perl was that Shorewall-perl did not support the MARK
   column in action bodies. This has been corrected.

-The Shorewall Team

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
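
The comment and continuation rule from new feature 1, applied to a small rules fragment, as an added example in Python (not Shorewall's own Perl code and not part of the announcement). It also lists physical lines that contain '#' and still end with '\', since under the stated rule their comment is kept and the following line is joined to them. The sample rules, the function names and the choice to join continuation lines verbatim are assumptions made for the illustration.

```python
import re

# Constructed sample: zone names, addresses and ports are illustrative only.
SAMPLE = r"""ACCEPT net:206.124.146.176,\ #Gateway
206.124.146.177,\ #Mail
206.124.146.178\ #Server
 $FW tcp 22
#ACCEPT net:192.0.2.10 $FW tcp 22 \
DROP net:192.0.2.0/24 $FW
"""

TRAILING_COMMENT = re.compile(r"\s*#.*$")


def join_lines(text):
    """Return logical lines after applying the 4.4.2 rule to each physical line."""
    logical, current = [], ""
    for line in text.splitlines():
        # Step 1: strip the trailing comment unless the line ends with a backslash.
        if not line.endswith("\\"):
            line = TRAILING_COMMENT.sub("", line)
        # Step 2: a line that now ends with a backslash continues on the next one.
        if line.endswith("\\"):
            current += line[:-1]  # assumption: drop the backslash, join verbatim
            continue
        current += line
        if current.strip():
            logical.append(current)
        current = ""
    if current.strip():  # input ended on a continuation line
        logical.append(current)
    return logical


def comment_continuations(text):
    """1-based numbers of physical lines that contain '#' and end with a backslash.

    Their comment is not stripped, and the following line is joined to them.
    """
    return [n for n, line in enumerate(text.splitlines(), 1)
            if "#" in line and line.endswith("\\")]


if __name__ == "__main__":
    for entry in join_lines(SAMPLE):
        print(repr(entry))
    print("lines to review:", comment_continuations(SAMPLE))
```

In the sample, physical line 5 is a commented-out rule that ends with '\', so the DROP rule on line 6 becomes part of the same logical line; running a check like this over a rules file before 'shorewall check' makes such lines easy to spot.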