Shorewall 4.5.21.4 is now available for download.

Problems corrected since 4.5.21.3:

1)  The Broadcast actions have been corrected:

    o  --dst-type BROADCAST has been removed from the IPv6 version
    o  A superfluous DROP rule in the IPv4 version has been suppressed.

2)  Previously, if an HFSC class was specified with dmax but not umax,
    then the firewall would fail to start with the messages:

      Nov 14 13:42:42 Setting up Traffic Control...
      HFSC: Illegal "umax"
      HFSC: Illegal "sc"
         ERROR: Command "tc class add dev eth1 parent 1:1 classid 1:110 hfsc sc umax b dmax 150ms rate 1575kbit ul rate 3150kbit" Failed

    That problem has been corrected.

New Feature:

1)  The tcrules file now supports DROP entries to allow early dropping
    of DOS packets.

Thank you for using Shorewall.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Hi,

Tom Eastep wrote:
> Problems corrected since 4.5.21.3:
>
> 1) The Broadcast actions have been corrected:
>
> o --dst-type BROADCAST has been removed from the IPv6 version

BTW: I still see

> Nov 25 18:14:20 fw2 kernel: [263893.233375] xt_addrtype: ipv6 does
> not support BROADCAST matching

messages in kern.log when re-compiling shorewall6.

I guess the fix shouldn't address this, but I am not sure if you are
aware about the message and because you fixed the other broadcast
related problem I am posting this now to let you know.

-Thomas

On 11/25/2013 9:20 AM, Thomas D. wrote:
> Hi,
>
> Tom Eastep wrote:
>> Problems corrected since 4.5.21.3:
>>
>> 1) The Broadcast actions have been corrected:
>>
>> o --dst-type BROADCAST has been removed from the IPv6 version
>
> BTW: I still see
>
>> Nov 25 18:14:20 fw2 kernel: [263893.233375] xt_addrtype: ipv6 does
>> not support BROADCAST matching
>
> messages in kern.log when re-compiling shorewall6.
>
> I guess the fix shouldn't address this, but I am not sure if you are
> aware about the message and because you fixed the other broadcast
> related problem I am posting this now to let you know.

As I explained previously, that message is issued when Shorewall is
probing your ip[6]tables/kernel to determine its capabilities. It may be
safely ignored.

-Tom

On 11/25/2013 11:34 AM, Tom Eastep wrote:
> On 11/25/2013 9:20 AM, Thomas D. wrote:
>> Hi,
>>
>> Tom Eastep wrote:
>>> Problems corrected since 4.5.21.3:
>>>
>>> 1) The Broadcast actions have been corrected:
>>>
>>> o --dst-type BROADCAST has been removed from the IPv6 version
>>
>> BTW: I still see
>>
>>> Nov 25 18:14:20 fw2 kernel: [263893.233375] xt_addrtype: ipv6 does
>>> not support BROADCAST matching
>>
>> messages in kern.log when re-compiling shorewall6.
>>
>> I guess the fix shouldn't address this, but I am not sure if you are
>> aware about the message and because you fixed the other broadcast
>> related problem I am posting this now to let you know.
>
> As I explained previously, that message is issued when Shorewall is
> probing your ip[6]tables/kernel to determine its capabilities. It may be
> safely ignored.

If you really want to suppress these messages, you can use a
capabilities file:

    shorewall show -f capabilities > /etc/shorewall/capabilities

Just be sure to execute the above command again after an upgrade or if
you install a newer kernel.

-Tom
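
Added example (not part of the thread and not Shorewall's own code): a saved capabilities file that is not regenerated after a kernel or Shorewall upgrade leaves the compiler working from stale capability data, so this sketch records what the file was generated for and refreshes it on mismatch. The ".stamp" sidecar file and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: keep /etc/shorewall/capabilities in step with the kernel and
# Shorewall version it was generated for. The ".stamp" sidecar file and the
# function names are assumptions of this example, not Shorewall features.

CAPS_FILE=${CAPS_FILE:-/etc/shorewall/capabilities}
STAMP_FILE=${STAMP_FILE:-$CAPS_FILE.stamp}

# Fingerprint of the environment the capabilities were probed in.
# $1 = kernel release (uname -r), $2 = Shorewall version (shorewall version)
caps_fingerprint() {
    printf 'kernel=%s\nshorewall=%s\n' "$1" "$2"
}

# Exit status 0 when the capabilities file must be regenerated:
# missing or empty file, missing stamp, or fingerprint mismatch.
caps_stale() {
    [ -s "$CAPS_FILE" ] || return 0
    [ -r "$STAMP_FILE" ] || return 0
    [ "$(cat "$STAMP_FILE")" = "$(caps_fingerprint "$1" "$2")" ] && return 1
    return 0
}

# Regenerate with the command from the thread, writing to a temporary file
# first so a failed probe never leaves a truncated capabilities file behind.
caps_refresh() {
    tmp=$(mktemp "$CAPS_FILE.XXXXXX") || return 1
    if shorewall show -f capabilities > "$tmp" && [ -s "$tmp" ]; then
        mv "$tmp" "$CAPS_FILE" && caps_fingerprint "$1" "$2" > "$STAMP_FILE"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Entry point for a post-upgrade hook or boot script (needs root).
caps_sync() {
    kernel=$(uname -r)
    version=$(shorewall version) || return 1
    if caps_stale "$kernel" "$version"; then
        caps_refresh "$kernel" "$version"
    fi
}
```

Call caps_sync from whatever runs after package or kernel updates on the firewall host; nothing is probed or rewritten while the stamp still matches.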