Shorewall 4.4.14 is now available for download.

----------------------------------------------------------------------------
I.   P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1) Previously, messages to the STARTUP_LOG had inconsistent date formats.

2) The blacklisting change in 4.4.13 was broken in some simple
   configurations, with the effect that blacklisting was not enabled.

3) Previously, Shorewall6 produced an untidy sequence of error messages when
   an attempt was made to start it on a system running a kernel older than
   2.6.24:

      [root@localhost shorewall6]# shorewall6 start
      Compiling...
      Processing /etc/shorewall6/shorewall6.conf...
      Loading Modules...
      Compiling /etc/shorewall6/zones...
      ...
      Shorewall configuration compiled to /var/lib/shorewall6/.start
      ERROR: Shorewall6 requires Linux kernel 2.6.24 or later
      /usr/share/shorewall6/lib.common: line 73: [: -lt: unary operator expected
      ERROR: Shorewall6 requires Linux kernel 2.6.24 or later
      [root@localhost shorewall6]#

   This has been corrected so that a single ERROR message is generated.

4) Previously, an ipset name appearing in the /etc/shorewall/hosts file
   could be qualified with a list of 'src' and/or 'dst' enclosed in quotes.
   This was virtually guaranteed not to work, since the set must match when
   used to verify both a packet source and a packet destination. Now, the
   following error is raised:

      ERROR: ipset name qualification is disallowed in this file

   As part of this change, the ipset name is now verified to begin with a
   letter and to be composed of letters, digits, underscores ("_") and
   hyphens ("-").

5) The Shorewall-lite and Shorewall6-lite Debian init scripts contained a
   syntax error.

6) If the -v or -q options were used in /sbin/shorewall-lite or
   /sbin/shorewall6-lite commands that involve the compiled firewall script,
   and the resulting effective VERBOSITY was > 2 or < -1, then the command
   would fail.

7) The log reading commands (show log, logwatch, and dump) returned no log
   records when run on one of the -lite products.

8) To avoid future confusion, the following obsolete options have been
   deleted from the sample shorewall.conf files:

      BRIDGING
      DELAYBLACKLISTLOAD
      PKTTYPE

   They will still be recognized by the rules compiler.

9) All sample .conf files have been changed to specify

      FORWARD_CLEAR_MARK

   rather than

      FORWARD_CLEAR_MARK=Yes

   That way, systems without MARK support will still be able to install the
   sample configurations, and FORWARD_CLEAR_MARK will default to Yes on
   systems with MARK support.

10) The install scripts in the tarballs now correctly create init symlinks
    on recent Ubuntu releases.

11) Previously, this entry in the OPTIONS column of
    /etc/shorewall/interfaces incorrectly generated a syntax error:

       nets=(1.2.3.0/24)

    The error was:

       ERROR: Invalid VLSM (24))

12) Previously, if 10 or more interfaces were configured in Complex Traffic
    Shaping (/etc/shorewall/tcdevices), the following compilation diagnostic
    was generated:

       Argument "a" isn't numeric in sprintf at
       /usr/share/shorewall/Shorewall/Config.pm line 893.

    and an invalid TC configuration was generated.

13) If the current environment exported the VERBOSITY variable with a
    non-zero value, startup would fail.

----------------------------------------------------------------------------
I I.   K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1) On systems running Upstart, shorewall-init cannot reliably secure the
   firewall before interfaces are brought up.

----------------------------------------------------------------------------
I I I.   N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1) Multiple source or destination ipset matches can be generated by
   enclosing the ipset list in +[...].

   Example (/etc/shorewall/rules):

      ACCEPT   $FW   net:+[dest-ip-map,dest-port-map]

2) Shorewall now uses the 'conntrack' utility for 'show connections' if
   that utility is installed. Going forward, the Netfilter team will be
   enhancing this interface rather than the /proc interface.

3) The CPU time required for optimization has been reduced by 2/3.

4) An 'scfilter' extension script has been added. This extension script
   differs from other such scripts in that it is invoked by the command
   line tools (/sbin/shorewall, /sbin/shorewall6, /sbin/shorewall-lite and
   /sbin/shorewall6-lite). The script acts as a filter for the output of
   the 'show connections' command. Each connection is piped through the
   filter, which can modify and/or drop information as desired.

   Example:

      #!/bin/sh
      sed 's/secmark=0 //'

   That script will remove 'secmark=0 ' from each line.

   The default script is:

      #!/bin/sh
      cat -

   which passes the output through unmodified.

   If you are using Shorewall-lite and/or Shorewall6-lite, the scfilter
   file is kept on the administrative system. The compiler encapsulates the
   script into a shell function that is copied into the generated auxiliary
   configuration file (firewall.conf). That function is then invoked by the
   'show connections' command.

-The Shorewall Team

--
Tom Eastep            \   When I die, I want to go like my Grandfather who
Shoreline,             \  died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
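A fuller scfilter along the lines of section III.4 above, added here as an example rather than Shorewall's own default script: it assumes 'show connections' delivers one conntrack-style line per connection on standard input, strips the 'secmark=0 ' field together with the kernel-internal 'use=' reference counter, and masks the last octet of a constructed customer range (203.0.113.0/24, TEST-NET-3) so that a connection listing can be pasted into a ticket without exposing individual hosts. The installed path /etc/shorewall/scfilter is an assumption.

```shell
#!/bin/sh
# Added example scfilter (not Shorewall's default script). Each connection
# line from 'show connections' is piped through scfilter(), which:
#   1. drops the uninformative "secmark=0 " field,
#   2. drops the trailing "use=N" counter (only meaningful inside the kernel),
#   3. replaces the last octet of the constructed 203.0.113.0/24 range with
#      "x" so individual customer hosts are not exposed in shared output.
scfilter() {
    sed -e 's/secmark=0 //' \
        -e 's/ use=[0-9]*$//' \
        -e 's/\(203\.0\.113\)\.[0-9]\{1,3\}/\1.x/g'
}

# Constructed sample lines in /proc/net/ip_conntrack format, used only to
# demonstrate the filter; the real 'show connections' output is not embedded.
SAMPLE='tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=203.0.113.5 sport=43210 dport=443 src=203.0.113.5 dst=192.168.1.2 sport=443 dport=43210 [ASSURED] mark=0 secmark=0 use=1
udp      17 29 src=192.168.1.2 dst=192.168.1.1 sport=53321 dport=53 src=192.168.1.1 dst=192.168.1.2 sport=53 dport=53321 mark=0 secmark=0 use=1'

# Demo run on the sample. When installing this as the scfilter extension
# script (assumed path /etc/shorewall/scfilter), replace the line below with
# a bare "scfilter" so the function reads the real output from stdin.
printf '%s\n' "$SAMPLE" | scfilter
```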