The Shorewall team is pleased to announce the availability of Shorewall 4.4.13. ---------------------------------------------------------------------------- I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- 1) Under rare circumstances where COMMENT is used to attach comments to rules, OPTIMIZE 8 through 15 could result in invalid iptables-restore (ip6tables-restore) input. 2) Under rare circumstances involving exclusion, OPTIMIZE 8 through 15 could result in invalid iptables-restore (ip6tables-restore) input. 3) The change in 4.4.12 to detect and use the new ipset match syntax broke the ability to detect the old ipset match capability. Now, both versions of the capability can be correctly detected. 4) Previously, if REQUIRE_INTERFACE=Yes then start/restart would fail if the last optional interface tested was not available. 5) Exclusion in the blacklist file was correctly validated but was then ignored when generating iptables (ip6tables) rules. 6) Previously, non-trivial exclusion (more than one excluded address/net) in CONTINUE, NONAT and ACCEPT+ rules generated valid but incorrect iptables input. This has been corrected but requires that your iptables/kernel support marking rules in any Netfilter table (CONTINUE in the tcrules file does not require this support). This fix implements a new ''Mark in any table'' capability; those who utilize a capabilities file should re-generate the file using this release. 7) Interface handling has been extensively modified in this release to correct a number of problems with the earlier implementation. Among those problems: - Invalid shell variable names could be generated in the firewall script. The generated firewall script uses shell variables to track the availability of optional and required interfaces and to record detected gateways, detected addresses, etc. - The same shell variable name could be generated by two different interface names. - Entries in the interfaces file with a wildcard physical name (physical name ends with "+") and with the ''optional'' option were handled strangely. o If there were references to specific interfaces that matched the wildcard, those entries were handled as if they had been defined as optional in the interfaces file. o If there were no references matching the wildcard, then the ''optional'' option was effectively ignored. The new implementation: - Insures valid shell variable names. - Insures that shell variable names are unique. - Handles interface names appearing in the INTERFACE column of the providers file as a special case for ''optional''. If the name matches a wildcard entry in the interfaces file then the usability of the specific interface is tracked individually. - Handles the availabilty of other interfaces matching a wildcard as a group; if there is one useable interface in the group then the wildcard itself is considered usable. The following example illustrates this use case: /etc/shorewall/interfaces net ppp+ - optional /etc/shorewall/shorewall.conf REQUIRE_INTERFACE=Yes If there is any usable PPP interface then the firewall will be allowed to start. Previously, the firewall would never be allowed to start. 8) When a comma-separated list of ''src'' and/or ''dst'' was specified in an ipset invocation (e.g., "+fooset[src,src]), all but the first ''src'' or ''dst'' was previously ignored when generating the resulting iptables rule. 9) Beginning with Shorewall 4.4.9, the SAME target in tcrules has generated invalid iptables (ip6tables) input. That target now generates correct input. 10) Ipsets associated with ''dynamic'' zones were being created during ''restart'' but not during ''start''. 11) To work around an issue in Netfilter/iptables, Shorewall now uses state match rather than conntrack match for UNTRACKED state matching. 12) If the routestopped files contains NOTRACK rules, ''shorewall* clear'' did not clear the raw table. 13) An error message was incorrectly generated if a port range of the form :<port> (e.g., :22) appeared. 14) An error is now generated if ''*'' appears in an interface name. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G ---------------------------------------------------------------------------- 1) On systems running Upstart, shorewall-init cannot reliably start the firewall before interfaces are brought up. ---------------------------------------------------------------------------- I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- 1) Entries in the rules file (both Shorewall and Shorewall6) may now contain zone lists in the SOURCE and DEST column. A zone list is a comma-separated list of zone names where each name appears in the zones file. A zone list may be optionally followed by a plus sign ("+") to indicate that the rule should apply to intra-zone traffic as well as to inter-zone traffic. Zone lists behave like ''all'' and ''any'' with respect to Optimization 1. If the rule matches the applicable policy for a given (source zone, dest zone), then the rule will be suppessed for that pair of zones unless overridden by the ''!'' suffix on the target in the ACTION column (e.g., ACCEPT!, DROP!:info, etc.). Additionally, ''any'', ''all'' and zone lists may be qualified in the same way as a single zone. Examples: fw,dmz:90.90.191.120/29 all:+blacklist The ''all'' and ''any'' keywords now support exclusion in the form of a comma-separated list of excluded zones. Examples: all!fw (same as all-). any+!dmz,loc (All zones except ''dmz'' and ''loc'' and include intra-zone rules). 2) An IPSEC column has been added to the accounting file, allowing you to segregate IPSEC traffic from non-IPSEC traffic. See ''man shorewall-accounting'' (man shorewall6-accounting) for details. With this change, there are now three trees of accounting chains: - The one rooted in the ''accounting'' chain. - The one rooted in the ''accipsecin'' chain. This tree handles traffic that has been decrypted on the firewall. Rules in this tree cannot specify an interface name in the DEST column. - The one rooted in the ''accipsecout'' chain. This tree handles traffic that will be encrypted on the firewall. Rules in this tree cannot specify an interface name in the SOURCE column. In reality, when there are bridges defined in the configuration, there is a fourth tree rooted in the ''accountout'' chain. That chain handles traffic that originates on the firewall (both IPSEC and non-IPSEC). This change also implements a couple of new warnings: - WARNING: Adding rule to unreferenced accounting chain <name> The first reference to user-defined accounting chain <name> is not a JUMP or COUNT from an already-defined chain. - WARNING: Accounting chain <name> has o references The named chain contains accounting rules but no JUMP or COUNT specifies that chain as the target. 3) Shorewall now supports the SECMARK and CONNSECMARK targets for manipulating the SELinux context of packets. See the shorewall-secmarks and shorewall6-secmarks manpages for details. As part of this change, the tcrules file now accepts $FW in the DEST column for marking packets in the INPUT chain. 4) Blacklisting has undergone considerable change in Shorewall 4.4.13. a) Blacklisting is now based on zones rather than on interfaces and host groups. b) Near compatibility with earlier releases is maintained. c) The keywords ''src'' and ''dst'' are now preferred in the OPTIONS column in /etc/shoreawll/blacklist, replacing ''from'' and ''to'' respectively. The old keywords are still supported. d) The ''blacklist'' keyword may now appear in the OPTIONS, IN_OPTIONS and OUT_OPTIONS fields in /etc/shorewall/zones. i) In the IN_OPTIONS column, it indicates that packets received on the interface are checked against the ''src'' entries in /etc/shorewall/blacklist. ii) In the OUT_OPTIONS column, it indicates that packets being sent to the interface are checked against the ''dst'' entries. iii) Placing ''blacklist'' in the OPTIONS column is equivalent to placing in in both the IN_OPTIONS and OUT_OPTIONS columns. e) The ''blacklist'' option in the OPTIONS column of /etc/shorewall/interfaces or /etc/shorewall/hosts is now equivalent to placing it in the IN_OPTIONS column of the associates record in /etc/shorewall/zones. If no zone is given in the ZONE column of /etc/shorewall/interfaces, the ''blacklist'' option is ignored with a warning (it was previously ignored silently). f) The ''blacklist'' option in the /etc/shorewall/interfaces and /etc/shorewall/hosts files is now deprecated but will continue to be supported for several releases. A warning will be added at least one release before support is removed. 5) There is now an OUT-BANDWIDTH column in /etc/shorewall/tcinterfaces. The format of this column is: <rate>[:[<burst>][:[<latency>][:[<peak>][:[<minburst>]]]]] These terms are described in tc-tbf(8). Shorewall supplies default values as follows: <burst> = 10kb <latency> = 200ms The remaining options are defaulted by tc. 6) The IN-BANDWIDTH column in both /etc/shorewall/tcdevices and /etc/shorewall/tcinterfaces now accepts an optional burst parameter. <rate>[:<burst>] The default <burst> is 10kb. A larger <burst> can help make the <rate> more accurate; often for fast lines, the enforced rate is well below the specified <rate>. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ Start uncovering the many advantages of virtual appliances and start using them to simplify application deployment and accelerate your shift to cloud computing. http://p.sf.net/sfu/novell-sfdev2dev
shorewall.net still shows 4.4.13 RC1, is that right? ------------------------------------------------------------------------------ Start uncovering the many advantages of virtual appliances and start using them to simplify application deployment and accelerate your shift to cloud computing. http://p.sf.net/sfu/novell-sfdev2dev
On 9/21/10 9:53 AM, Mr Dash Four wrote:> shorewall.net still shows 4.4.13 RC1, is that right?Look in the ''Current Stable Release'' line -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ Start uncovering the many advantages of virtual appliances and start using them to simplify application deployment and accelerate your shift to cloud computing. http://p.sf.net/sfu/novell-sfdev2dev
> The Shorewall team is pleased to announce the availability of Shorewall > 4.4.13. >Hi Tom and all, I''ve just updated some systems to 4.4.13 and I see a new log message on RHEL4 (yes I know it''s ancient): MARK: can only be called from "mangle" table, not "filter" Does it hurt? Do you know a solution? (it does not happen with 4.4.12.2) Thanks for all your hard work! Simon ------------------------------------------------------------------------------ Start uncovering the many advantages of virtual appliances and start using them to simplify application deployment and accelerate your shift to cloud computing. http://p.sf.net/sfu/novell-sfdev2dev
On 9/21/10 11:47 PM, Simon Matter wrote:> I''ve just updated some systems to 4.4.13 and I see a new log message on > RHEL4 (yes I know it''s ancient): > > MARK: can only be called from "mangle" table, not "filter" > Does it hurt? Do you know a solution? (it does not happen with 4.4.12.2)Hi Simon, The message is harmless. Shorewall is just probing the system to determine which capabilities it supports. You should be able to eliminate the message by setting LOAD_HELPERS_ONLY=Yes. That way, Shorewall won''t probe for the ''Mark in any chain'' capability unless the configuration requires that capability. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ Start uncovering the many advantages of virtual appliances and start using them to simplify application deployment and accelerate your shift to cloud computing. http://p.sf.net/sfu/novell-sfdev2dev
> On 9/21/10 11:47 PM, Simon Matter wrote: > >> I''ve just updated some systems to 4.4.13 and I see a new log message on >> RHEL4 (yes I know it''s ancient): >> >> MARK: can only be called from "mangle" table, not "filter" >> Does it hurt? Do you know a solution? (it does not happen with 4.4.12.2) > > Hi Simon, > > The message is harmless. Shorewall is just probing the system to > determine which capabilities it supports.Thanks Tom, that''s what I hoped to hear. Simon ------------------------------------------------------------------------------ Start uncovering the many advantages of virtual appliances and start using them to simplify application deployment and accelerate your shift to cloud computing. http://p.sf.net/sfu/novell-sfdev2dev
Hi Shorewall team; Am Dienstag, 21. September 2010, 17:50:31 schrieb Tom Eastep:> The Shorewall team is pleased to announce the availability of Shorewall > 4.4.13.I''ve build a new 4.4.13 based package for the LEAF distribution and did some preliminary tests in my qemu test environment. I see a small annoyance with date in shorewall.log (pls note: I''ve seen this with earlier shorewall versions as well, so it''s nothing new to 4.4.13): "Sep 22 23:40:57 Shorewall configuration compiled to /var/lib/shorewall/.start Sep %_d 23:40:57 Processing /etc/shorewall/params..." No big deal, just in case if you have a quick hint/idea/fix. thx very much for all your work, it''s just outstanding! kp ------------------------------------------------------------------------------ Start uncovering the many advantages of virtual appliances and start using them to simplify application deployment and accelerate your shift to cloud computing. http://p.sf.net/sfu/novell-sfdev2dev
On 9/22/10 4:52 PM, KP Kirchdoerfer wrote:> Hi Shorewall team; > > Am Dienstag, 21. September 2010, 17:50:31 schrieb Tom Eastep: >> The Shorewall team is pleased to announce the availability of Shorewall >> 4.4.13. > > I''ve build a new 4.4.13 based package for the LEAF distribution and did some > preliminary tests in my qemu test environment. > > I see a small annoyance with date in shorewall.log (pls note: I''ve seen this > with earlier shorewall versions as well, so it''s nothing new to 4.4.13): > > "Sep 22 23:40:57 Shorewall configuration compiled to /var/lib/shorewall/.start > Sep %_d 23:40:57 Processing /etc/shorewall/params..." > > No big deal, just in case if you have a quick hint/idea/fix.KP, Try the attached patch... -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ Start uncovering the many advantages of virtual appliances and start using them to simplify application deployment and accelerate your shift to cloud computing. http://p.sf.net/sfu/novell-sfdev2dev
On 9/22/10 5:37 PM, Tom Eastep wrote:> On 9/22/10 4:52 PM, KP Kirchdoerfer wrote: >> Hi Shorewall team; >> >> Am Dienstag, 21. September 2010, 17:50:31 schrieb Tom Eastep: >>> The Shorewall team is pleased to announce the availability of Shorewall >>> 4.4.13. >> >> I''ve build a new 4.4.13 based package for the LEAF distribution and did some >> preliminary tests in my qemu test environment. >> >> I see a small annoyance with date in shorewall.log (pls note: I''ve seen this >> with earlier shorewall versions as well, so it''s nothing new to 4.4.13): >> >> "Sep 22 23:40:57 Shorewall configuration compiled to /var/lib/shorewall/.start >> Sep %_d 23:40:57 Processing /etc/shorewall/params..." >> >> No big deal, just in case if you have a quick hint/idea/fix. > > KP, > > Try the attached patch...Although I must say that I''m unable to reproduce this error, even when using the busybox-based ''date'' function. On your LEAF box, what does "echo $(date +''%b %_d %T'')" produce? Thanks, -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ Nokia and AT&T present the 2010 Calling All Innovators-North America contest Create new apps & games for the Nokia N8 for consumers in U.S. and Canada $10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store http://p.sf.net/sfu/nokia-dev2dev
Am Donnerstag, 23. September 2010, 16:22:14 schrieb Tom Eastep:> On 9/22/10 5:37 PM, Tom Eastep wrote: > > On 9/22/10 4:52 PM, KP Kirchdoerfer wrote: > >> Hi Shorewall team; > >> > >> Am Dienstag, 21. September 2010, 17:50:31 schrieb Tom Eastep: > >>> The Shorewall team is pleased to announce the availability of Shorewall > >>> 4.4.13. > >> > >> I''ve build a new 4.4.13 based package for the LEAF distribution and did > >> some preliminary tests in my qemu test environment. > >> > >> I see a small annoyance with date in shorewall.log (pls note: I''ve seen > >> this with earlier shorewall versions as well, so it''s nothing new to > >> 4.4.13): > >> > >> "Sep 22 23:40:57 Shorewall configuration compiled to > >> /var/lib/shorewall/.start Sep %_d 23:40:57 Processing > >> /etc/shorewall/params..." > >> > >> No big deal, just in case if you have a quick hint/idea/fix. > > > > KP, > > > > Try the attached patch... > > Although I must say that I''m unable to reproduce this error, even when > using the busybox-based ''date'' function. > > On your LEAF box, what does "echo $(date +''%b %_d %T'')" produce?Sep %_d 15:28:40 It''s busybox... kp ------------------------------------------------------------------------------ Nokia and AT&T present the 2010 Calling All Innovators-North America contest Create new apps & games for the Nokia N8 for consumers in U.S. and Canada $10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store http://p.sf.net/sfu/nokia-dev2dev
On 09/23/2010 08:29 AM, KP Kirchdoerfer wrote:> Am Donnerstag, 23. September 2010, 16:22:14 schrieb Tom Eastep: >> On 9/22/10 5:37 PM, Tom Eastep wrote: >>> On 9/22/10 4:52 PM, KP Kirchdoerfer wrote: >>>> Hi Shorewall team; >>>> >>>> Am Dienstag, 21. September 2010, 17:50:31 schrieb Tom Eastep: >>>>> The Shorewall team is pleased to announce the availability of Shorewall >>>>> 4.4.13. >>>> >>>> I''ve build a new 4.4.13 based package for the LEAF distribution and did >>>> some preliminary tests in my qemu test environment. >>>> >>>> I see a small annoyance with date in shorewall.log (pls note: I''ve seen >>>> this with earlier shorewall versions as well, so it''s nothing new to >>>> 4.4.13): >>>> >>>> "Sep 22 23:40:57 Shorewall configuration compiled to >>>> /var/lib/shorewall/.start Sep %_d 23:40:57 Processing >>>> /etc/shorewall/params..." >>>> >>>> No big deal, just in case if you have a quick hint/idea/fix. >>> >>> KP, >>> >>> Try the attached patch... >> >> Although I must say that I''m unable to reproduce this error, even when >> using the busybox-based ''date'' function. >> >> On your LEAF box, what does "echo $(date +''%b %_d %T'')" produce? > > Sep %_d 15:28:40 > > It''s busybox...Which busybox version? I tried this on a box running Lenny with busybox 1:1.14.2-2 and it works correctly: gateway:~# ln -s /bin/busybox date gateway:~# echo $(./date +''%b %_d %T'') Sep 23 08:57:55 gateway:~# -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ Nokia and AT&T present the 2010 Calling All Innovators-North America contest Create new apps & games for the Nokia N8 for consumers in U.S. and Canada $10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store http://p.sf.net/sfu/nokia-dev2dev
Date: Thu, 23 Sep 2010 08:59:36 -0700> Which busybox version? I tried this on a box running Lenny with busybox > 1:1.14.2-2 and it works correctly:> gateway:~# ln -s /bin/busybox date > gateway:~# echo $(./date +''%b %_d %T'') > Sep 23 08:57:55 > gateway:~# hi tom, i have the same issue on openwrt (0.9), which is pretty old: root@router:~$ busybox BusyBox v1.4.2 (2007-08-08 08:29:39 CDT) multi-call binary [...] root@router:~$ echo $SHELL /bin/ash root@router:~$ ls -l `which ash` lrwxrwxrwx 1 root root 7 Jan 1 2000 /bin/ash -> busybox root@router:~$ ls -l `which date` lrwxrwxrwx 1 root root 7 Jan 1 2000 /bin/date -> busybox root@router:~$ echo $(date +''%b %_d %T'') Sep %_d 18:20:19 root@router:~$ echo $(date +''%b %d %T'') Sep 23 18:20:23 best regards felix ------------------------------------------------------------------------------ Nokia and AT&T present the 2010 Calling All Innovators-North America contest Create new apps & games for the Nokia N8 for consumers in U.S. and Canada $10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store http://p.sf.net/sfu/nokia-dev2dev
Am Donnerstag, 23. September 2010, 17:59:36 schrieb Tom Eastep:> On 09/23/2010 08:29 AM, KP Kirchdoerfer wrote: > > Am Donnerstag, 23. September 2010, 16:22:14 schrieb Tom Eastep: > >> On 9/22/10 5:37 PM, Tom Eastep wrote: > >>> On 9/22/10 4:52 PM, KP Kirchdoerfer wrote: > >>>> Hi Shorewall team; > >>>> > >>>> Am Dienstag, 21. September 2010, 17:50:31 schrieb Tom Eastep: > >>>>> The Shorewall team is pleased to announce the availability of > >>>>> Shorewall 4.4.13. > >>>> > >>>> I''ve build a new 4.4.13 based package for the LEAF distribution and > >>>> did some preliminary tests in my qemu test environment. > >>>> > >>>> I see a small annoyance with date in shorewall.log (pls note: I''ve > >>>> seen this with earlier shorewall versions as well, so it''s nothing > >>>> new to 4.4.13): > >>>> > >>>> "Sep 22 23:40:57 Shorewall configuration compiled to > >>>> /var/lib/shorewall/.start Sep %_d 23:40:57 Processing > >>>> /etc/shorewall/params..." > >>>> > >>>> No big deal, just in case if you have a quick hint/idea/fix. > >>> > >>> KP, > >>> > >>> Try the attached patch... > >> > >> Although I must say that I''m unable to reproduce this error, even when > >> using the busybox-based ''date'' function. > >> > >> On your LEAF box, what does "echo $(date +''%b %_d %T'')" produce? > > > > Sep %_d 15:28:40 > > > > It''s busybox... > > Which busybox version? I tried this on a box running Lenny with busybox > 1:1.14.2-2 and it works correctly: > > gateway:~# ln -s /bin/busybox date > gateway:~# echo $(./date +''%b %_d %T'') > Sep 23 08:57:55 > gateway:~# > > -TomIt''s version 1.17.1 kp ------------------------------------------------------------------------------ Nokia and AT&T present the 2010 Calling All Innovators-North America contest Create new apps & games for the Nokia N8 for consumers in U.S. and Canada $10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store http://p.sf.net/sfu/nokia-dev2dev
On 09/23/2010 10:06 AM, KP Kirchdoerfer wrote:>> >> Which busybox version? I tried this on a box running Lenny with busybox >> 1:1.14.2-2 and it works correctly: >> >> gateway:~# ln -s /bin/busybox date >> gateway:~# echo $(./date +''%b %_d %T'') >> Sep 23 08:57:55 >> gateway:~# >> >> -Tom > > It''s version 1.17.1So it looks as though there has been a busybox regression. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ Nokia and AT&T present the 2010 Calling All Innovators-North America contest Create new apps & games for the Nokia N8 for consumers in U.S. and Canada $10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store http://p.sf.net/sfu/nokia-dev2dev