The Shorewall Team is pleased to announce the availability of Shorewall 4.4.8.
----------------------------------------------------------------------------
P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 8
----------------------------------------------------------------------------
1) A CONTINUE rule specifying a log level would cause the compiler to
generate an incorrect rule sequence. The packet would be logged
but the CONTINUE action would not occur.
2) If multiple entries were present in /etc/shorewall/tcdevices and
globally unique class numbers were not explicitly specified in
/etc/shorewall/tcclasses, then 'shorewall start' would fail with a
diagnostic such as:

Setting up Traffic Control...
RTNETLINK answers: File exists
ERROR: Command "tc qdisc add dev eth1 parent 2:2 handle 2: sfq quantum 1500 limit 127 perturb 10" Failed
Processing /etc/shorewall/stop ...
3) Previously, when a low per-IP rate limit (such as 1/hour) was
specified, the effective enforced rate was much higher
(approximately 6/min). The Shorewall compiler now configures the
hashlimit table idle timeout based on the rate units (min, hour,
...) so that the rate is more accurately enforced.
As part of this change, a unique hash table name is assigned to
each per-IP rate limiting rule that does not specify a table name
in the rule. The assigned names are of the form 'shorewallN' where
N is an integer. Previously, all such rules shared a single
'shorewall' table, which led to unexpected results.
4) All versions of Shorewall-perl mishandle per-IP rate limiting in
REDIRECT, DNAT and ACCEPT+ rules. The effective rate and burst are
1/2 of the values given in the rule.
5) Detection of the 'Old hashlimit match' capability was broken in
/sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of
shorecap.
6) On older distributions such as RHEL5 and derivatives, Shorewall
would fail to start if a TYPE was specified in
/etc/shorewall/tcinterfaces and LOAD_HELPERS_ONLY had been
specified in /etc/shorewall/shorewall.conf.
7) The Debian init scripts are modified to include $remote_fs in the
Required-Start and Required-Stop specifications.
8) Previously, when a supported command failed, the Debian Shorewall
init script would still return a success (zero) exit status. It now
returns a failure status (1) when the command fails.
9) Previously, if a queue number was specified in an NFQUEUE policy
(e.g., NFQUEUE(0)), invalid iptables-restore input would be
generated.
10) Previously, with optimization 4, users of ipsec on older releases
such as RHEL5 and CentOS could encounter an error similar to this
one:

Running /sbin/iptables-restore...
iptables-restore v1.3.5: Unknown arg `out'
Error occurred at line: 93
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
11) Previously, with optimization 4, the 'blacklst' chain could be
optimized away. If the blacklist file was then changed and a
'shorewall refresh' executed, those new changes would not be included
in the active ruleset.
----------------------------------------------------------------------------
N E W   F E A T U R E S   I N   4 . 4 . 8
----------------------------------------------------------------------------
1) To avoid variable name collisions, a number of shell variable names
that Shorewall uses and that are in all capital letters have been
changed. The following variables are now safe to use in your
/etc/shorewall/params file and in your extension scripts:
DEBUG
ECHO_E
ECHO_N
EXPORT
FAST
HOSTNAME
IPT_OPTIONS
NOROUTES
PREVIEW
PRODUCT
PROFILE
PURGE
RECOVERING
RESTOREPATH
RING_BELL
STOPPING
TEST
TIMESTAMP
USE_VERBOSITY
VERBOSE
VERBOSE_OFFSET
VERSION
See Migration Issue 14 in the release notes for additional information.
2) The Shorewall and Shorewall6 installers now accept a '-s' (sparse)
option. That option causes only shorewall.conf to be installed in
/etc/shorewall/.
3) An OpenPGP HTTP Keyserver Protocol (HKP) macro (macro.HKP) has been
contributed.
4) In an attempt to help those who don't read the documentation, the
compiler now flags apparent use of '-' as a port range separator
with an error message.

Example:

/etc/shorewall/rules
#ACTION   SOURCE   DEST   PROTO   DEST
#                                 PORT(S)
ACCEPT    net      fw     tcp     21-22

Resulting error message:

ERROR: The separator for a port range is ':', not '-' (21-22) : /etc/shorewall/rules (line 3)
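The check described in item 4, written out as an added example rather than the compiler's own code: a DEST PORT(S) or SOURCE PORT(S) column holds a comma-separated list of ports and low:high ranges, and a digit-dash-digit item is the mistake to reject. For brevity this version handles numeric ports only (Shorewall also accepts service names from /etc/services); the function name and the diagnostic wording for the other failure modes are assumptions.

```shell
#!/bin/sh
# Added illustration (not Shorewall's own code): validate one port-list
# column value the way the compiler check in the release notes does, and
# report '-' used as a range separator.

# True when $1 is a decimal port number in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_port_list LIST WHERE
#   LIST  - the column value, e.g. "21:22,80" (a lone "-" means any port)
#   WHERE - location for the diagnostic, e.g. "/etc/shorewall/rules (line 3)"
# Returns 0 when every item is a valid port or low:high range, 1 otherwise.
check_port_list() {
    list=$1 where=$2
    [ "$list" = "-" ] && return 0

    # Split the list on commas into the function's positional parameters.
    old_ifs=$IFS; IFS=,
    set -- $list
    IFS=$old_ifs

    for item in "$@"; do
        case "$item" in
            *[0-9]-[0-9]*)
                # The documented mistake: "21-22" instead of "21:22".
                echo "ERROR: The separator for a port range is ':', not '-' ($item) : $where" >&2
                return 1 ;;
            *:*)
                low=${item%%:*} high=${item#*:}
                if ! is_port "$low" || ! is_port "$high"; then
                    echo "ERROR: Invalid port range ($item) : $where" >&2
                    return 1
                fi
                if [ "$low" -gt "$high" ]; then
                    echo "ERROR: Port range is reversed ($item) : $where" >&2
                    return 1
                fi ;;
            *)
                is_port "$item" || { echo "ERROR: Invalid port ($item) : $where" >&2; return 1; } ;;
        esac
    done
    return 0
}

# Example: the rule from the release notes, then a corrected version.
check_port_list 21-22  "/etc/shorewall/rules (line 3)"
check_port_list 21:22,80 "/etc/shorewall/rules (line 3)" && echo "21:22,80 OK"
```

Run as written, the first call prints the same ERROR line the release notes show and the second reports the corrected list as valid.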
5) Support has been added for UDPLITE (proto 136) in that DEST PORT(S)
and SOURCE PORT(S) may now be specified for that protocol.
6) If a runtime error occurs during a 'start' or 'restart' operation
but a saved configuration is successfully restored, a subsequent
'status' command now gives the detailed status as 'Restored from
<filename>' rather than 'Started'; <filename> is the saved script
used to restore the configuration.
-The Shorewall Team
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________