The Shorewall team is pleased to announce the availability of Shorewall 4.4.9
----------------------------------------------------------------------------
P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------
1) Logical interface names in the EXTERNAL column of
/etc/shorewall/proxyarp were previously not mapped to their
corresponding physical interface names. This could cause "start" or
"restart" to fail.
2) If find_first_interface_address() was unable to detect an address,
then Shorewall 4.4.8 would issue an obscure message
(startup_error: command not found) and continue.
Now, a meaningful error message is produced and the calling process
stops.
3) If LOG_VERBOSITY=0 in shorewall.conf, then when the compiled script
was executed, messages such as the following would be issued:

    /var/lib/shorewall6/.restart: line 65: [: -gt: unary operator expected
4) With optimize 4, if an unnecessary NONAT rule was included in
/etc/shorewall/rules (there was no DNAT or REDIRECT rule with the
same source zone), then "shorewall start" and/or "shorewall restart"
could fail with invalid iptables-restore input.
5) The tarball installers now check for the presence of the CLI
program (/sbin/shorewall, /sbin/shorewall6, etc.) to determine if a
fresh install or an upgrade should be performed. Previously, the
installers used the presence of the configuration directory
(/etc/shorewall, /etc/shorewall6, etc.), which led to incomplete
installations where there was an existing configuration directory.
6) The fallback.sh scripts have been removed from Shorewall-lite,
Shorewall6, and Shorewall6-lite. These scripts no longer work and
should have been removed in 4.4.0.
7) The -lite products previously were inconsistent in how they
referred to their startup log. Some references included "-lite"
where others did not. This was particularly bad in the case of the
Shorewall-lite logrotate file, which duplicated the name used by the
Shorewall package. This inconsistency could cause logrotate to
fail if both packages were installed.
8) Two additional problems with optimize 4 have been corrected. One
manifested as invalid iptables-restore input involving the "tcpre"
mangle chain. The other involved wildcard interface names (those
ending in "+") and would likely also result in invalid
iptables-restore input.
9) Previously, Shorewall would set up infrastructure to handle traffic
from the firewall to bport zones. Such infrastructure could never
be used. Now, Shorewall avoids setting up these unneeded chains
and/or rules.
10) If optimization level 2 was in effect, there were no OUTPUT rules,
and the only effective output policy was $FW->all ACCEPT, then the
OUTPUT chain was generated empty. Because the filter table's built-in
chains carry a DROP policy, no packets could be sent by the firewall.
11) If find_first_interface_address() was called in the params file, a
fatal error occurred on start/restart.
12) The following valid configuration produced invalid
iptables-restore input with optimization level 4.

/etc/shorewall/interfaces:

    #ZONE     INTERFACE    BROADCAST    OPTIONS
    vpn       tun+         -

/etc/shorewall/masq:

    #INTERFACE    SOURCE            ADDRESS    PROTO    PORT
    tun0          192.168.1.0/24

Use of tunN in the nat and netmap files also produced invalid
iptables-restore input.
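The symptom in item 10 is worth checking for after any start or restart, not only on 4.4.8: Shorewall gives the filter table's built-in chains a DROP policy, so a built-in chain that ends up with no rules silently discards everything that traverses it. The following is an added example written for this page, not Shorewall code. It parses text in iptables-save format (the same format as the iptables-restore input the compiler generates) and reports every chain whose policy is DROP and which holds no rules. Both rulesets embedded in it are constructed for the example, not taken from a real firewall.

```python
import re

# Constructed iptables-save style ruleset reproducing the item 10 symptom:
# filter:OUTPUT has a DROP policy and no rules, so the firewall itself
# cannot send anything. (Constructed sample, not real Shorewall output.)
BROKEN_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:fw2net - [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A fw2net -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# The same ruleset with the jump into fw2net that the optimizer dropped.
FIXED_RULESET = BROKEN_RULESET.replace(
    "-A fw2net -j ACCEPT\n", "-A fw2net -j ACCEPT\n-A OUTPUT -j fw2net\n")

TABLE_RE = re.compile(r"^\*(\w+)$")
CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[\d+:\d+\]$")
RULE_RE = re.compile(r"^-[AI] (\S+)")


def parse_ruleset(text):
    """Return {table: {chain: {"policy": str, "rules": [str, ...]}}}.

    Only the three line kinds that matter here are interpreted: '*table',
    ':chain policy [pkts:bytes]' and '-A/-I chain ...'. COMMIT lines and
    comments are skipped. A '-' policy marks a user-defined chain.
    """
    tables = {}
    table = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        m = TABLE_RE.match(line)
        if m:
            table = tables.setdefault(m.group(1), {})
            continue
        if table is None:
            raise ValueError("rule before any *table line: %r" % line)
        m = CHAIN_RE.match(line)
        if m:
            table[m.group(1)] = {"policy": m.group(2), "rules": []}
            continue
        m = RULE_RE.match(line)
        if m:
            chain = m.group(1)
            if chain not in table:
                raise ValueError("rule for undeclared chain %s" % chain)
            table[chain]["rules"].append(line)
    return tables


def empty_drop_chains(text):
    """List (table, chain) pairs with a DROP policy and no rules at all.

    Such a chain discards every packet that reaches it; for filter:OUTPUT
    that means the firewall host cannot send at all, which is exactly the
    item 10 symptom.
    """
    found = []
    for tname, chains in parse_ruleset(text).items():
        for cname, info in chains.items():
            if info["policy"] == "DROP" and not info["rules"]:
                found.append((tname, cname))
    return found


if __name__ == "__main__":
    print(empty_drop_chains(BROKEN_RULESET))  # [('filter', 'OUTPUT')]
    print(empty_drop_chains(FIXED_RULESET))   # []
```

On a live system the same check runs over the output of "iptables-save" (or the generated iptables-restore input under /var/lib/shorewall) instead of the constructed strings.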
----------------------------------------------------------------------------
N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------
1) The compiler now auto-detects bridges for the purpose of setting
the "routeback" option. Auto-detection is disabled when compiling
for export (-e option); note that -e is implicit in the "load" and
"reload" commands.
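The release notes do not say how the compiler recognises a bridge. The following added example (written for this page, not Shorewall's own code) shows the decision described above using the marker Linux itself provides: the kernel creates /sys/class/net/<if>/bridge for every bridge device (and /sys/class/net/<if>/brif listing its ports). Using sysfs is an assumption about the method, not a description of Shorewall's implementation. The sysfs_root parameter, the fake sysfs tree it builds, and the interfaces rows are all constructed for the example so it runs offline.

```python
import os
import tempfile


def is_bridge(ifname, sysfs_root="/sys/class/net"):
    """True when the kernel exposes `ifname` as a bridge device.

    Linux creates <sysfs_root>/<if>/bridge only for bridge interfaces.
    `sysfs_root` is a hypothetical parameter so the check can be pointed
    at a constructed tree instead of the live system.
    """
    return os.path.isdir(os.path.join(sysfs_root, ifname, "bridge"))


def interfaces_with_routeback(entries, sysfs_root="/sys/class/net", export=False):
    """Return the set of interfaces that should receive 'routeback'.

    `entries` are (zone, interface, options) rows as found in
    /etc/shorewall/interfaces. An explicit 'routeback' always counts.
    Auto-detection adds any interface that is a bridge on this host,
    unless compiling for export (-e): the compiling host's sysfs says
    nothing about the firewall the script will run on. Wildcard names
    ending in '+' cannot be looked up in sysfs and are skipped.
    """
    result = set()
    for _zone, iface, options in entries:
        opts = set(options.split(",")) if options and options != "-" else set()
        if "routeback" in opts:
            result.add(iface)
        elif not export and not iface.endswith("+") and is_bridge(iface, sysfs_root):
            result.add(iface)
    return result


def build_fake_sysfs():
    """Construct a throwaway sysfs-like tree: br0 is a bridge with one
    port (eth1), eth0 is a plain interface. Constructed test data only."""
    root = tempfile.mkdtemp(prefix="fake-sysfs-")
    os.makedirs(os.path.join(root, "br0", "bridge"))
    os.makedirs(os.path.join(root, "br0", "brif", "eth1"))
    os.makedirs(os.path.join(root, "eth0"))
    return root


if __name__ == "__main__":
    root = build_fake_sysfs()
    rows = [("net", "eth0", "-"), ("loc", "br0", "-"), ("vpn", "tun+", "-")]
    print(interfaces_with_routeback(rows, root))               # {'br0'}
    print(interfaces_with_routeback(rows, root, export=True))  # set()
```

The export case is the one to remember: a script compiled with -e (or via "load"/"reload") gets no detected routeback, so a bridge on the remote firewall must carry the option explicitly in its interfaces entry.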
2) When "trace" is specified on a command that involves the compiler
(e.g., shorewall trace check), the compiler now writes a trace to
standard output.
Trace entries are of three types:

    Input ---     begin with IN===>. Input read from configuration
                  files. Comments have been stripped, continuation
                  lines combined and shell variables expanded.

    Output ---    begin with GS----->. Text written to the generated
                  script.

    Netfilter --  begin with NF-(x)->. Updates to the compiler's chain
                  table, where "x" is one of the following:

                  N - Create a chain.
                  A - Append a rule to a chain.
                  R - Replace a rule in a chain.
                  I - Insert a rule into a chain.
                  T - Shell source text appended/inserted into a
                      chain -- converted into rules at run-time.
                  D - Delete a rule from a chain; note that this
                      causes the following rules to be renumbered.
                  X - Delete a chain.
                  P - Change a built-in chain's policy. Chains in the
                      filter table are created with a DROP policy.
                      All other built-in chains have policy ACCEPT.
                  ! - Followed by one or more of the following to
                      indicate that the operation is not allowed on
                      the chain:
                      O - Optimize
                      D - Delete
                      M - Move rules

Netfilter trace records indicate the table and chain being
changed. If the change involves a particular rule, then the rule
number is also included.
Example (append the first rule to the filter FORWARD chain):

    NF-(A)-> filter:FORWARD:1 ...

If the trace record involves the chain itself, then no rule number
is present.

Example (delete the mangle tcpost chain):

    NF-(X)-> mangle:tcpost
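The record formats above are regular enough to parse, which is useful when a trace runs to thousands of lines and the question is "what did the compiler finally leave in chain X?". The following added example (written for this page, not part of Shorewall) splits the three record kinds and replays the Netfilter records into a model of the chain table, including the renumbering that a D record implies. The trace excerpt is constructed for the example. Two points are assumptions rather than facts from the notes: that built-in chains which never receive an N record are created on first use, and that the "!" form carries its letters after the "!" inside the parentheses.

```python
import re

# Constructed trace excerpt in the three record forms the release notes
# describe (constructed for this example, not real compiler output).
SAMPLE_TRACE = """\
IN===> loc net ACCEPT
GS-----> echo "Setting up Rules..."
NF-(N)-> filter:loc2net
NF-(A)-> filter:loc2net:1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
NF-(A)-> filter:loc2net:2 -j ACCEPT
NF-(I)-> filter:loc2net:1 -p tcp --dport 22 -j DROP
NF-(D)-> filter:loc2net:2
NF-(A)-> filter:FORWARD:1 -i eth1 -o eth0 -j loc2net
NF-(P)-> filter:FORWARD DROP
NF-(X)-> mangle:tcpost
"""

NF_RE = re.compile(
    r"^NF-\((?P<op>[^)]+)\)-> (?P<table>\w+):(?P<chain>[^:\s]+)"
    r"(?::(?P<rule>\d+))?(?: (?P<rest>.*))?$")


def parse_trace_line(line):
    """Classify one trace line; None for anything that is not a record."""
    if line.startswith("IN===>"):
        return {"kind": "input", "text": line[len("IN===>"):].strip()}
    if line.startswith("GS----->"):
        return {"kind": "output", "text": line[len("GS----->"):].strip()}
    m = NF_RE.match(line)
    if not m:
        return None
    return {"kind": "netfilter", "op": m.group("op"), "table": m.group("table"),
            "chain": m.group("chain"),
            "rule": int(m.group("rule")) if m.group("rule") else None,
            "rest": m.group("rest") or ""}


def replay(trace):
    """Rebuild the chain table from the NF records in `trace`.

    Returns {"chains": {"table:chain": [rule, ...]}, "policies": {...},
    "restricted": {"table:chain": set(letters)}}. Rule numbers are
    1-based. A D record removes one entry, which is what renumbers every
    rule after it. Built-in chains never N'ed are created on first use
    (assumption: the notes do not say whether N is emitted for them).
    """
    chains, policies, restricted = {}, {}, {}
    for line in trace.splitlines():
        rec = parse_trace_line(line)
        if rec is None or rec["kind"] != "netfilter":
            continue
        key = "%s:%s" % (rec["table"], rec["chain"])
        op, n, rest = rec["op"], rec["rule"], rec["rest"]
        if op.startswith("!"):
            # Assumed form: the O/D/M letters follow '!' inside the parens.
            restricted.setdefault(key, set()).update(op[1:])
        elif op == "N":
            chains[key] = []
        elif op == "X":
            chains.pop(key, None)
        elif op == "P":
            policies[key] = rest
        else:
            rules = chains.setdefault(key, [])
            if op == "A" and n != len(rules) + 1:
                raise ValueError("append out of sync at %s:%s" % (key, n))
            if op in ("A", "I", "T"):
                rules.insert(n - 1, rest)   # append == insert at len+1
            elif op == "R":
                rules[n - 1] = rest
            elif op == "D":
                del rules[n - 1]            # later rules shift down by one
            else:
                raise ValueError("unknown trace op %r" % op)
    return {"chains": chains, "policies": policies, "restricted": restricted}


if __name__ == "__main__":
    model = replay(SAMPLE_TRACE)
    for key, rules in sorted(model["chains"].items()):
        print(key, rules)
```

The out-of-sync check on A records is deliberate: if an append ever names a rule number other than the current length plus one, either the trace was edited or the renumbering after a D record was misunderstood, and the model should stop rather than silently diverge from what the compiler actually built.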
3) Thanks to Vincent Smeets, there is now an IPv6 mDNS macro.
4) Optimize 8 has been added. This optimization level eliminates
duplicate chains. So to set all possible optimizations, specify
OPTIMIZE=15.
5) The command-line tools now support "show log <regex>", where <regex>
is a regular expression to search for in the LOGFILE. The command
searches the current LOGFILE for Netfilter messages matching the
supplied regex.
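The point that distinguishes "show log <regex>" from a plain grep of the LOGFILE is that only Netfilter messages are searched, so a regex for a source address does not also return sshd or other daemon lines mentioning that address. The following added example (written for this page, not Shorewall's implementation) reproduces that behaviour over in-memory text and splits each hit into its fields. The syslog lines are constructed; the "Shorewall:<chain>:<disposition>:" prefix is the shape of Shorewall's default LOGFORMAT, and the key=value fields after it are the kernel's.

```python
import re

# Constructed syslog excerpt (not real firewall output). Line 2 is a
# non-Netfilter message that mentions the same address as lines 1 and 3.
SAMPLE_LOG = """\
Jun 16 10:01:02 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TTL=243 PROTO=TCP SPT=44123 DPT=22 SYN URGP=0
Jun 16 10:01:03 fw sshd[1234]: Failed password for root from 203.0.113.7 port 44123 ssh2
Jun 16 10:01:05 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TTL=243 PROTO=TCP SPT=44124 DPT=3389 SYN URGP=0
Jun 16 10:01:09 fw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.9 LEN=52 TTL=63 PROTO=TCP SPT=51000 DPT=25 SYN URGP=0
Jun 16 10:02:00 fw kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.2 LEN=60 TTL=52 PROTO=TCP SPT=40000 DPT=443 SYN URGP=0
"""

# A Netfilter log message is a kernel line carrying the IN=/OUT= pair.
NETFILTER_RE = re.compile(r"kernel: (?P<msg>.*\bIN=\S* OUT=\S* .*)$")
PREFIX_RE = re.compile(r"^Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):")
KV_RE = re.compile(r"(\w+)=(\S*)")


def is_netfilter_message(line):
    """True only for kernel lines that carry Netfilter's IN=/OUT= fields."""
    return NETFILTER_RE.search(line) is not None


def netfilter_fields(line):
    """Split a Netfilter log line into a dict of chain, disposition, the
    key=value fields (IN, OUT, SRC, DST, PROTO, DPT, ...) and bare flags."""
    m = NETFILTER_RE.search(line)
    if not m:
        return None
    msg = m.group("msg")
    rec = {"chain": None, "disposition": None}
    p = PREFIX_RE.match(msg)
    if p:
        rec.update(p.groupdict())
        msg = msg[p.end():]
    rec.update(KV_RE.findall(msg))
    rec["flags"] = [t for t in msg.split() if "=" not in t]
    return rec


def show_log(log_text, regex):
    """In-memory equivalent of 'shorewall show log <regex>': return the
    Netfilter messages, and only those, whose line matches `regex`."""
    pat = re.compile(regex)
    return [netfilter_fields(l) for l in log_text.splitlines()
            if is_netfilter_message(l) and pat.search(l)]


if __name__ == "__main__":
    for rec in show_log(SAMPLE_LOG, r"203\.0\.113\.7"):
        print(rec["chain"], rec["disposition"], rec["SRC"], "->",
              rec["DST"], "dpt", rec["DPT"], rec["flags"])
```

With the address regex the sshd line is excluded even though it matches, which is the behaviour the feature promises; the structured fields make it straightforward to go on and count dispositions per chain or per destination port.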
6) There are some instances where a bridge with no IP address is
configured. Prior to Shorewall 4.4.9, this required the following:

/etc/shorewall/interfaces:

    #ZONE     INTERFACE    BROADCAST    OPTIONS
    dummy     br0          -            routeback

/etc/shorewall/policy:

    #SOURCE   DEST      POLICY
    dummy     all       DROP
    all       dummy     DROP

Beginning in this release, a single entry will suffice:

/etc/shorewall/interfaces:

    #ZONE     INTERFACE    BROADCAST    OPTIONS
    -         br0          -            bridge
7) The generated ruleset now uses conntrack match for state matching,
if it is available.
8) In /etc/shorewall/routestopped, the "routeback" option is assumed
if the interface has "routeback" specified (either explicitly or
detected).
9) Apple Macs running OS X may now be used as a Shorewall
administrative system. Simply install using the tarball installer.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________