Shorewall 4.4.17 is now available for download. ---------------------------------------------------------------------------- I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- 1) Previously, Shorewall did not check the length of the names of accounting chains and manual chains. This could result in errors when loading the resulting ruleset. Now, the compiler issues an error for chain names longer than 29 characters. Additionally, the compiler now ensures that these chain names are composed only of letters, digits, underscores (''_'') and dashes ("-"). This eliminates Perl runtime errors or other failures when a chain name is embedded within a regular expression. 2) Several issues with complex traffic shaping have been resolved: a) Specifying IPv6 network addresses in the SOURCE or DEST columns of /etc/shorewall6/tcfilters now works correctly. Previously, Perl runtime warnings occurred and an invalid tc command was generated. b) Previously, if flow= was specified on a parent class, a perl runtime warning occurred and an invalid tc command was generated. This combination is now flagged as an error at compile time. c) There is now an ipv6 tcfilters skeleton included with Shorewall6. 3) Several issues with accounting are corrected. a) If an accounting rule of the form: chain1 chain2 was configured and neither chain was referenced again in the configuration, then an internal error was generated when optimize level 4 was selected and OPTIMIZE_ACCOUNTING=Yes. b) If there was only a single accounting rule and that rule specified an interface in the SOURCE or DEST columns, then the generated ruleset would fail to load when OPTIMIZE_ACCOUNTING=Yes. c) If a per-IP accounting table name appeared in more than one rule and the specified network was not the same in all occurrences, then the generated ruleset would fail to load. This is now flagged as an error at compile time. 4) Two defects in compiler module loading have been corrected: a) Previously, the kernel/net/ipv6/netfilter/ directory was not searched. b) A Perl diagnostic was issued when running on a monolithic kernel when the modutils package was installed. 5) A line containing only ''INCLUDE'' appearing in an extension script now generates a compile-time diagnostic rather than a run-time diagnostic. 6) Previously, the uninstall.sh scripts used insserv (if installed) on Debian-based systems. These scripts now use the preferred tool (updaterc.d). 7) Beginning with 4.4.16, compilation would fail if an empty shell variable was referenced in a config file on a system where /bin/sh is the Bourne Again Shell (bash). 8) In earlier versions. if OPTIMIZE=8 then the ruleset displayed by ''check -r'' was the same as when OPTIMIZE=0 (unoptimized). Similarly, if OPTIMIZE=9 then the ruleset displayed was the same as when OPTIMIZE=1. 9) Startup could previously fail on a system where kernel module autoloading was not available and where TC_ENABLED=Simple was specified in shorewall.conf or shorewall6.conf. 10) Previously, a ''done.'' message could be printed at the end of command processing even when the command had failed. Now, such a message only appears if the command completed successfully. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G ---------------------------------------------------------------------------- 1) On systems running Upstart, shorewall-init cannot reliably secure the firewall before interfaces are brought up. ---------------------------------------------------------------------------- I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- 1) This release adds support for per-IP accounting using the ACCOUNT target. That target is only available when xtables-addons is installed. This support has been successfully tested with xtables-addons 1.32 on: - Fedora 14 - Debian Squeeze - OpenSuSE 11.3 It has also been tested with xtables-addons 1.21 on: - Debian Lenny Information about xtables-addons installation may be found at http://www.shorewall.net/Dynamic.html#xtables-addons This feature required addition of the "ACCOUNT Target" capability so if you use a capabilities file, you will want to refresh it after installing this release. Per-IP accounting is configured in /etc/shorewall/accounting (it is not currently supported in IPv6). In the ACTION column, enter: ACCOUNT(<table>,<network>) where: <table> is the name of an accounting table (you choose the name). Rules specifying the same table will have their per-IP counters accumulated in that table. <network> is an IPv4 in CIDR format. May be as large as a /8. Example: Suppose your WAN interface is eth0 and your LAN interface is eth1 with network 172.20.1.0/24. To account for all traffic between the WAN and LAN interfaces: #ACTION TABLE SOURCE DEST ... ACCOUNT(net-loc,172.20.1.0/24) - eth0 eth1 ACCOUNT(net-loc,172.20.1.0/24) - eth0 eth1 This will create a net-loc table for counting packets and bytes for traffic between the two interfaces. The table is dumped using the iptaccount utility: iptaccount [-f] -l net-loc Example (output folded): gateway:~# iptaccount -l loc-net libxt_ACCOUNT_cl userspace accounting tool v1.3 Showing table: loc-net Run #0 - 3 items found IP: 172.20.1.105 SRC packets: 115 bytes: 131107 DST packets: 68 bytes: 20045 IP: 172.20.1.131 SRC packets: 47 bytes: 12729 DST packets: 38 bytes: 25304 IP: 172.20.1.145 SRC packets: 20747 bytes: 2779676 DST packets: 27050 bytes: 32286071 Finished. gateway:~# For each local IP address with non-zero counters, the packet and byte count for both incoming traffic (IP is DST) and outgoing traffic (IP is SRC) are listed. The -f option causes the table to be flushed (reset all counters to zero). For a command synopsis, type: iptaccount --help One nice feature of per-IP accounting is that the counters survive ''shorewall restart''. This has a downside, however. If you change the <network> associated with an accounting table, then you must "shorewall stop; shorewall start" to have a successful restart (counters will be cleared). 2) A ''show ipa'' command has been added to /sbin/shorewall. It displays each per-IP accounting table. 3) Traditionally, the -lite products have used the modules (or helpers) file on the firewall system unless there is a modules (or helpers) file in the configuration directory on the administrative system. This release introduces the USE_LOCAL_MODULES option in shorewall[6].conf. When USE_LOCAL_MODULES=Yes, the modules (helpers) file on the administrative system will be used to determine the set of modules loaded. This also implies that the modules (helpers) file will be read at compile time rather than at run-time when using Shorewall and Shorewall6 directly on a firewall system. As part of this change, the modules and helpers files are now secured for read access by non-root users. 4) Given that shell variables are expanded at compile time, there was previously no way to cause such variables to be expanded at run time. This made it difficult (to impossible) to include dynamic IP addresses in a Shorewall-lite configuration. This release implements "Run-time address variables". In configuration files, these variables are expressed using an apersand (''&'') followed by the name of an interface defined in /etc/shorewall/interfaces. Wild-card interfaces (those whose names end in ''+'') are not allowed to be used in this way. Example: ð0 would represent the primary IP address of eth0. Run-time address variables may be used in the SOURCE and DEST column of the following configuration files: accounting action files blacklist macro files rules tcrules tos They may also appear in the ORIGINAL DEST column of action files macro files rules They may also be used in the SOURCE and ADDRESS columns of the masq file. For optional interfaces, if the interface is not usable at the time that the firewall starts, the resulting Netfilter rule(s) containing the interface address are not added. 5) The shell variables set in /etc/shorewall/params (/etc/shorewall6/params) are now available in the compiled script at run-time with EXPORTPARAMS=No. The EXPORTPARAMS option is now deprecated and the released /etc/shorewall/shorewall.conf and /etc/shorewall/shorewall6.conf have been modified to specify EXPORTPARAMS=No. 6) The INCLUDE directive may now be used in the following extension scripts: clear findgw init isusable refresh refreshed restored start started stop stopped tcclear The directive is executed during compilation so that the INCLUDEd file(s) is(are) copied into the generated script. This same technique is also now used for INCLUDE directives in the params file when EXPORTPARAMS=Yes. Previously, INCLUDE directives in that file were strongly discouraged with EXPORTPARAMS=Yes because the INCLUDE was performed on the firewall system rather than on the administrative system. Thank you for using Shorewall, -The Shorewall Team -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE: Pinpoint memory and threading errors before they happen. Find and fix more than 250 security defects in the development cycle. Locate bottlenecks in serial and parallel code that limit performance. http://p.sf.net/sfu/intel-dev2devfeb