Shorewall 4.4.16 is now available for download.

----------------------------------------------------------------------------
      P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1)  If the output of 'env' contained a multi-line value, then compilation
    failed with an Internal Error. The code has been changed so that the
    compiler now handles multi-line values correctly.

2)  In 4.4.15, output to Standard Out (FD 1) generated by
    /etc/shorewall/params (/etc/shorewall6/params) was redirected to
    /dev/null. It is now redirected to Standard Error (FD 2).

3)  If a params file did not appear in the CONFIG_PATH, compilation failed
    with the error:

       .: 31: Can't open /etc/shorewall6/params
       ERROR: Processing of /etc/shorewall6/params failed

4)  Compilation no longer fails when /bin/sh is an older (e.g., RHEL5.x)
    bash.

5)  Previously, proxy ARP with logical interface names did not work.
    Symptoms included numerous Perl runtime error messages.

6)  Previously, the root of a wildcard name erroneously matched that name.
    For example, 'eth' matched 'eth+'. Now there must be at least one
    additional character (e.g., 'eth4').

7)  Use of logical interface names in the notrack and ecn files resulted in
    Perl runtime warning messages.

8)  The use of wildcard-matching names in certain contexts would result in
    anomalous behavior. Among the symptoms were:

    - Perl run-time messages similar to this one:

         Use of uninitialized value in numeric comparison (<=>) at
         /usr/share/shorewall/Shorewall/Zones.pm line 1334.

    - Failure to treat the interface as optional or required.

9)  Where two ISPs share the same interface, if one of the ISPs was not
    reachable, an iptables-restore error such as this occurred:

       iptables-restore v1.4.10: Bad mac address "-j"

10) Previously, under very rare circumstances, a chain would be optimized
    away while there were still jumps to the chain.
    This caused Shorewall start/restart to fail during iptables-restore.

11) Previously, the setting of BLACKLIST_DISPOSITION was not validated.
    Now, an error is raised unless the value is DROP or REJECT.

----------------------------------------------------------------------------
           K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1)  On systems running Upstart, shorewall-init cannot reliably secure the
    firewall before interfaces are brought up.

----------------------------------------------------------------------------
          N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1)  Shorewall-init now handles ppp devices.

2)  To support proxy NDP in a manner similar to Proxy ARP, an
    /etc/shorewall6/proxyndp file has been added.

    It should be noted that IPv6 implements a "strong host model" whereas
    Linux IPv4 implements a "weak host model". In the strong model, IP
    addresses are associated with interfaces; in the weak model, they are
    associated with the host. This is relevant with respect to Proxy NDP in
    that a multi-homed Linux IPv6 host will only respond to neighbor
    discovery requests for IPv6 addresses configured on the interface
    receiving the request.

    So if eth0 has address 2001:470:b:227::44/128 and eth1 has address
    2001:470:b:227::1/64, then in order for eth1 to respond to neighbor
    discovery requests for 2001:470:b:227::44, the following entry in
    /etc/shorewall6/proxyndp is required:

       #ADDRESS             INTERFACE   EXTERNAL   HAVEROUTE   PERSISTENT
       2001:470:b:227::44   -           eth1       Yes

    As part of this change, the INTERFACE column in /etc/shorewall/proxyarp
    is now optional and is only required when HAVEROUTE=No (the default).

3)  Shorewall 4.4.16 introduces format-2 Actions. Based on the similar
    feature of macros, format-2 actions allow the same column layout for
    macros, actions and rules.
    In the action.xxx file, simply make the first non-commentary line:

       FORMAT 2

    This allows the lines which follow to have the same columns as those in
    the rules file.

    As part of this change, the earlier kludgy restrictions regarding Macros
    and Actions have been eliminated. For example, DNAT, DNAT-, REDIRECT,
    REDIRECT- and ACCEPT+ rules are now allowed in Actions and in macros
    invoked from Actions. Additionally, Macros used in Actions are now free
    to invoke other actions.

4)  Action processing has been largely re-implemented in this release. The
    prior implementation contained a lot of duplicated code which made
    maintenance difficult. The old implementation pre-processed all action
    files early in the compilation process and then post-processed the ones
    that had actually been used after the rules file had been read. The new
    algorithm generates the chain for each unique action invocation at the
    time that the invocation is encountered in the rules file.

    Consideration was given to eliminating the
    /usr/share/shorewall/actions.std and /etc/shorewall/actions files,
    since it is possible to discover actions "on the fly" in the same way
    as macros are discovered. That change was ultimately rejected because
    it could cause migration issues for users with macros and actions with
    the same name (e.g., action.xxx and macro.xxx). If a new major release
    of Shorewall (e.g., 4.6) is created, that change will be reconsidered
    for inclusion at that time.

    Action names are now verified to be composed of alphanumeric
    characters, '_' and '-'.

    There is now support for parameterized actions. The parameters are a
    comma-separated list enclosed in parentheses following the action name
    (e.g., ACT(REDIRECT,192.168.1.4)). Within the action body, the
    parameter values are available in $1, $2, etc. You can 'omit' a
    parameter in the list by using '-'; e.g., REDIRECT,-,info would omit
    the second parameter (within the action body, $2 would expand to
    nothing).
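    As an added illustration (not Shorewall's own code or parser), the
    following Python models the parameter rules just described: it splits an
    invocation such as ACT(REDIRECT,-,info) into its name and parameter
    list, treating a bare '-' as an omitted parameter and '--' as a literal
    '-', and then substitutes $1, $2, ... into a constructed FORMAT 2 action
    body. The sample body and the handling of a $N that has no matching
    parameter are assumptions, not taken from the release notes.

```python
import re

# Added example, not Shorewall code: models the parameterized-action syntax in
# the 4.4.16 notes (NAME(p1,p2,...); '-' omits a parameter, '--' is a literal '-').
INVOCATION_RE = re.compile(r"^([A-Za-z0-9_-]+)(?:\((.*)\))?$")
FORMAT_RE = re.compile(r"^FORMAT\s+(\d+)$")

# Constructed FORMAT 2 body for a hypothetical action.ACT (not shipped with
# Shorewall). '-' in a rules column means "any"; it is unrelated to omission.
ACTION_BODY = """\
# action.ACT - constructed sample
FORMAT 2
#ACTION  SOURCE  DEST  PROTO  DEST_PORT
$1       -       -     tcp    80
LOG:$3   -       -     tcp    80
"""


def parse_action_invocation(text):
    """Split 'NAME(p1,p2,...)' into (name, [params]); '' marks an omitted one."""
    m = INVOCATION_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed action invocation: {text!r}")
    name, raw = m.group(1), m.group(2)
    if not raw:
        return name, []
    params = [p.strip() for p in raw.split(",")]
    return name, ["" if p == "-" else "-" if p == "--" else p for p in params]


def _param(params, n):
    # Omitted or out-of-range $N expands to nothing (out-of-range is an assumption).
    return params[n - 1] if 0 < n <= len(params) else ""


def expand_action_body(body, params):
    """Return (format, rule_lines): comments dropped, $1, $2, ... substituted."""
    fmt, lines = 1, []  # a body with no FORMAT line is format 1
    for line in body.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fm = FORMAT_RE.match(stripped)
        if fm and not lines:  # FORMAT only counts as the first non-comment line
            fmt = int(fm.group(1))
            continue
        lines.append(re.sub(r"\$(\d+)", lambda m: _param(params, int(m.group(1))), line))
    return fmt, lines
```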
    If you want to specify '-' as a parameter value, use '--'.

    Parameter values are also available to extension scripts. See
    http://www.shorewall.net/Actions.html#Extension for more information.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________