The Shorewall team is pleased to announce the availability of Shorewall
4.6.0.

----------------------------------------------------------------------------
     I. P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

This release includes all defect repair from releases up through 4.5.21.9.

1) The tarball installers now install .service files with mode 644 rather
   than mode 600.

----------------------------------------------------------------------------
          I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1) On systems running Upstart, shorewall-init cannot reliably secure the
   firewall before interfaces are brought up.

----------------------------------------------------------------------------
        I I I.  N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1) SECTION entries in the accounting and rules files now allow "SECTION" to
   be immediately preceded by "?" (e.g., ?SECTION). The new form is
   preferred, and if any SECTION entries do not have the question mark, a
   warning is issued (see Migration Issues below).

2) The default setting for ZONE2ZONE has been changed from '2' to '-' for
   increased readability when zone names contain '2'.

3) The 'tcrules' file has been superseded by the 'mangle' file. Existing
   'tcrules' files will still be processed, with the restriction that TPROXY
   is no longer supported in FORMAT 1.

   You can convert your tcrules file into the equivalent mangle file using
   the command:

       shorewall update -t

   See shorewall(8) and shorewall6(8) for important restrictions of the -t
   option.

4) Prior to now, the ability to specify raw iptables matches has been tied
   to the INLINE action. Beginning with this release, the two can be
   separated by specifying INLINE_MATCHES=Yes.
   When INLINE_MATCHES=Yes, inline matches may be specified after a
   semicolon in the following files:

       action files
       macros
       rules
       mangle
       masq

   Note that semicolons are not allowed in any other files. If you want to
   use the alternative input format in those files, then you must enclose
   the specifications in curly brackets ({...}). The -i option of the
   'check' command will warn you of lines that need to be changed from using
   ";" to using "{...}".

5) The 'conntrack', 'raw', 'mangle' and 'rules' files now support an
   IPTABLES (IP6TABLES) action. This action is similar to INLINE in that it
   allows arbitrary ip[6]tables matches to be specified after a semicolon
   (even when INLINE_MATCHES=No). It differs in that the parameter passed is
   an iptables target with target options.

   Example (rules file):

       #ACTION                      SOURCE   DEST    PROTO
       IPTABLES(TARPIT --honeypot)  net      pot

   If the particular target that you wish to use is unknown to Shorewall,
   you will get this error message:

       ERROR: Unknown TARGET (<target>)

   You can eliminate that error by adding your target as a builtin action in
   /etc/shorewall[6]/actions.

   As part of this change, the /etc/shorewall[6]/actions file options have
   been extended to allow you to specify the Netfilter table(s) where the
   target is accepted. When 'builtin' is specified, you can also include the
   following options:

       filter
       nat
       mangle
       raw

   If no table is given, 'filter' is assumed for backward compatibility.

6) The 'tcpflags' option is now set by default. To disable the option,
   specify 'tcpflags=0' in the OPTIONS column of the interface file.

7) You may now use ipset names (preceded by '+') in PORT columns, allowing
   you to take advantage of bitmap:port ipsets.

8) The counter extensions to ipset matches have been implemented. See
   shorewall[6]-ipsets for details.

9) DROP is now a valid action in the stoppedrules files. DROP occurs in the
   raw table PREROUTING chain, which avoids conntrack entry creation.

10) A new BASIC_FILTERS option is now supported.
    When set to 'Yes', this option causes the compiler to generate basic TC
    filters from tcfilters entries rather than u32 filters. Basic filters
    are more straightforward than u32 filters and, in later iptables/kernel
    versions, basic filters support ipset matches.

    Please note that Shorewall cannot reliably detect whether your
    iptables/kernel support ipset matches, so an error-free compilation
    does not guarantee that the firewall will start successfully when ipset
    names are specified in tcfilters entries.

11) The update command now supports an -A option. This is intended to
    perform all available updates to the configuration and is currently
    equivalent to '-b -D -t'.

12) Beginning with this release, FORMAT-1 actions and macros are deprecated
    and a warning will be issued for each FORMAT-1 action or macro found.
    See the Migration Issues for further information.

13) To facilitate creation of ipsets with characteristics different from
    what Shorewall generates, the 'init' user exit is now executed before
    Shorewall creates ipsets that don't exist.

----------------------------------------------------------------------------
               I V.  M I G R A T I O N   I S S U E S
----------------------------------------------------------------------------

1) If you are migrating from Shorewall 4.4.x or earlier, please see
   http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.21/releasenotes.txt

2) Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir and
   /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in favor of
   the VARDIR setting in shorewallrc.

   NOTE: While the name of the variable remains VARDIR, the meaning is
   slightly different. When set in shorewallrc, each product
   (shorewall-lite and shorewall6-lite) will create a directory under the
   specified path name to hold state information.

   Example:

       VARDIR=/opt/var/

   The state directory for shorewall-lite will be /opt/var/shorewall-lite/
   and the directory for shorewall6-lite will be /opt/var/shorewall6-lite.
   When VARDIR is set in /etc/shorewall[6]/vardir, the product will save its
   state directly in the specified directory.

   In Shorewall 4.5.8, a VARLIB variable was added to the shorewallrc file
   and the meaning of VARDIR is once again consistent. The default setting
   of VARDIR for a particular product is ${VARLIB}/$product. There is an
   entry of that form in the shorewallrc file. Because there is a single
   shorewallrc file for all installed products, the
   /etc/shorewall[6]-lite/vardir file provides the only means for
   overriding this default.

3) Beginning with Shorewall 4.5.6, the tcrules file is processed if
   MANGLE_ENABLED=Yes, independent of the setting of TC_ENABLED. This
   allows actions like TTL and TPROXY to be used without enabling traffic
   shaping. If you have rules in your tcrules file that you only want
   processed when TC_ENABLED is other than 'No', then enclose them in

       ?IF $TC_ENABLED
       ...
       ?ENDIF

   If they are to be processed only if TC_ENABLED=Internal, then enclose
   them in

       ?IF TC_ENABLED eq 'Internal'
       ...
       ?ENDIF

4) Beginning with Shorewall 4.5.7, the deprecated /etc/shorewall[6]/blacklist
   files are no longer installed. Existing files are still processed by the
   compiler. Note that blacklist files may be converted to equivalent
   blrules files using 'shorewall[6] update -b'.

5) In Shorewall 4.5.7, the /etc/shorewall[6]/notrack file was renamed
   /etc/shorewall[6]/conntrack. When upgrading to a release >= 4.5.7, the
   conntrack file will be installed alongside an existing notrack file.
   When both files exist, a compiler warning is generated:

       WARNING: Both notrack and conntrack exist; conntrack is ignored

   This warning may be eliminated by moving any entries in the notrack file
   to the conntrack file and removing the notrack file.

6) In Shorewall 4.5.8, the /etc/shorewall[6]/routestopped files were
   deprecated in favor of new /etc/shorewall[6]/stoppedrules counterparts.
   The new files have much more familiar and straightforward semantics.
   Once a stoppedrules file is populated, the compiler will process that
   file and will ignore the corresponding routestopped file.

7) In Shorewall 4.5.8, a new variable (VARLIB) was added to the shorewallrc
   file. This variable assumes the role formerly played by VARDIR, and
   VARDIR now designates the configuration directory for a particular
   product. This change should be transparent to all users:

   a) If VARDIR is set in an existing shorewallrc file and VARLIB is not,
      then VARLIB is set to ${VARDIR} and VARDIR is set to
      ${VARLIB}/${PRODUCT}.

   b) If VARLIB is set in a shorewallrc file and VARDIR is not, then VARDIR
      is set to ${VARLIB}/${PRODUCT}.

   The Shorewall-core installer will automatically update ~/.shorewallrc
   and save the original in ~/.shorewallrc.bak.

8) Previously, the macro.SNMP macro opened both UDP ports 161 and 162 from
   SOURCE to DEST. This is against the usual practice of opening these
   ports in the opposite direction. Beginning with Shorewall 4.5.8, the
   SNMP macro opens port 161 from SOURCE to DEST as before, and a new
   SNMPTrap macro is added that opens port 162 (from SOURCE to DEST).

9) Beginning with Shorewall 4.5.11, ?FORMAT is preferred over FORMAT for
   specifying the format of records in these configuration files:

       action.* files
       conntrack
       interface
       macro.* files
       tcrules

   While deprecated, FORMAT (without the '?') is still supported.

   Also, ?COMMENT is preferred over COMMENT for attaching comments to
   generated netfilter rules in the following files:

       accounting
       action.* files
       blrules
       conntrack
       masq
       nat
       rules
       secmarks
       tcrules
       tunnels

   When one of the deprecated forms is encountered, a warning message is
   issued. Examples:

       WARNING: 'FORMAT' is deprecated in favor of '?FORMAT' - consider running 'shorewall update -D'.
       WARNING: 'COMMENT' is deprecated in favor of '?COMMENT' - consider running 'shorewall update -D'.
   As the warnings indicate, 'update -D' will traverse the CONFIG_PATH
   replacing FORMAT and COMMENT lines with ?FORMAT and ?COMMENT directives
   respectively. The original version of modified files will be saved with
   a .bak suffix. During the update, .bak files are skipped, as are files in
   ${SHAREDIR}/shorewall and ${SHAREDIR}/shorewall6.

10) To allow finer-grained selection of the connection-tracking states that
    are passed through blacklists (both dynamic and static), a BLACKLIST
    option was added to shorewall.conf and shorewall6.conf in Shorewall
    4.5.13. The BLACKLISTNEWONLY option was deprecated at that point. A
    'shorewall update' ('shorewall6 update') will replace the
    BLACKLISTNEWONLY option with the equivalent BLACKLIST option.

11) In Shorewall 4.5.14, the BLACKLIST_LOGLEVEL option was renamed
    BLACKLIST_LOG_LEVEL to be consistent with the other log-level option
    names. BLACKLIST_LOGLEVEL continues to be accepted as a synonym for
    BLACKLIST_LOG_LEVEL, but a 'shorewall update' or 'shorewall6 update'
    command will replace BLACKLIST_LOGLEVEL with BLACKLIST_LOG_LEVEL in the
    new .conf file.

12) Beginning with Shorewall 4.6.0, the default setting for 'ZONE2ZONE' is
    '-' rather than '2'. If you prefer to keep your pre-4.6.0 chain names,
    then specify ZONE2ZONE=2 in shorewall[6].conf.

13) Beginning with Shorewall 4.6.0, section headers are now preceded by '?'
    (e.g., '?SECTION ...'). If your configuration contains any bare
    'SECTION' entries, the following warning is issued:

        WARNING: 'SECTION' is deprecated in favor of '?SECTION' - consider running 'shorewall update -D' ...

    As mentioned in the message, running 'shorewall[6] update -D' will
    eliminate the warning.

14) Beginning with Shorewall 4.6.0, the 'tcrules' file has been superseded
    by the 'mangle' file. Existing 'tcrules' files will still be processed,
    with the restriction that TPROXY is no longer supported in FORMAT 1.
    If your 'tcrules' file has non-commentary entries, the following
    warning message is issued:

        WARNING: Non-empty tcrules file (...); consider running 'shorewall update -t'

    See shorewall6(8) for limitations of 'update -t'.

15) The default value of LOAD_HELPERS_ONLY is now 'Yes'.

16) Beginning with Shorewall 4.5.0, FORMAT-1 actions and macros are
    deprecated and a warning will be issued for each FORMAT-1 action or
    macro found:

        WARNING: FORMAT-1 actions are deprecated and support will be dropped in a future release.
        WARNING: FORMAT-1 macros are deprecated and support will be dropped in a future release.

    To eliminate these warnings, add the following line before the first
    rule in the action or macro:

        ?FORMAT 2

    and adjust the columns appropriately.

    FORMAT-1 actions have the following columns:

        TARGET
        SOURCE
        DEST
        PROTO
        DEST PORT(S)
        SOURCE PORT(S)
        RATE/LIMIT
        USER/GROUP

        TARGET
        SOURCE
        DEST
        PROTO
        DEST PORT(S)
        SOURCE PORT(S)
        RATE/LIMIT
        USER/GROUP
        MARK

    while FORMAT-2 actions have these columns:

        TARGET
        SOURCE
        DEST
        PROTO
        DEST PORT(S)
        SOURCE PORT(S)
        ORIGINAL DEST
        RATE/LIMIT
        USER/GROUP
        MARK
        CONNLIMIT
        TIME
        HEADERS (Used in IPv6 only)
        CONDITION
        HELPER

    FORMAT-1 macros have the following columns:

        TARGET
        SOURCE
        DEST
        PROTO
        DEST PORT(S)
        SOURCE PORT(S)
        RATE/LIMIT
        USER/GROUP

    while FORMAT-2 macros have these columns:

        TARGET
        SOURCE
        DEST
        PROTO
        DEST PORT(S)
        SOURCE PORT(S)
        ORIGINAL DEST
        RATE/LIMIT
        USER/GROUP
        MARK
        CONNLIMIT
        TIME
        HEADERS (Used in IPv6 only)
        CONDITION
        HELPER

Thank you for using Shorewall,

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
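As an added illustration that is not part of the announcement above, the constructed configuration excerpts below exercise the 4.6.0 changes together: ?SECTION, INLINE_MATCHES=Yes with ';' versus '{...}', the IPTABLES action backed by a 'builtin' entry that names its table, and the FORMAT-1 to FORMAT-2 column shift described in the last migration issue. The zones 'net' and 'pot', the ipset 'bad_hosts', the action name 'MyLimitedSSH', and the comma-separated OPTIONS syntax of the actions file are assumptions, not taken from the release notes.

```text
# /etc/shorewall/shorewall.conf (excerpt, constructed): separate inline
# matches from INLINE, and pin the pre-4.6.0 chain-name style explicitly
# instead of relying on the changed ZONE2ZONE default.
INLINE_MATCHES=Yes
ZONE2ZONE=2

# /etc/shorewall/actions (constructed): declare TARPIT as a builtin target
# accepted in the filter table, so IPTABLES(TARPIT ...) in the rules file
# does not fail with "ERROR: Unknown TARGET (TARPIT)".
# (Assumed syntax: options are comma-separated in the OPTIONS column.)
#ACTION    OPTIONS
TARPIT     builtin,filter

# /etc/shorewall/rules (constructed)
?SECTION NEW
#ACTION                      SOURCE          DEST   PROTO  DEST PORT(S)
# Raw iptables target plus target options (the release-note example);
# 'net' and 'pot' are assumed to be defined in /etc/shorewall/zones.
IPTABLES(TARPIT --honeypot)  net             pot
# With INLINE_MATCHES=Yes, text after ';' is passed to iptables verbatim as
# extra matches on the generated ACCEPT rule: only the first 5 new SSH
# connections per minute from one source address match; the rest fall
# through to the net->$FW policy.
ACCEPT                       net             $FW    tcp    22 ; -m hashlimit --hashlimit-upto 5/min --hashlimit-mode srcip --hashlimit-name ssh

# /etc/shorewall/blrules (constructed): ';' is not permitted outside the
# five files listed under feature 4, so the alternative keyword=value
# input format has to be enclosed in curly brackets here.
#ACTION  SOURCE          DEST
DROP     net:+bad_hosts  $FW    { proto=tcp, dport=23 }

# /etc/shorewall/action.MyLimitedSSH, FORMAT-1 layout (constructed):
# compiles with the FORMAT-1 deprecation warning.
#TARGET  SOURCE  DEST  PROTO  DEST PORT(S)  SOURCE PORT(S)  RATE/LIMIT
ACCEPT   -       -     tcp    22            -               s:3/min:5

# The same action converted to FORMAT-2: ?FORMAT 2 precedes the first rule,
# and ORIGINAL DEST is inserted after SOURCE PORT(S), so RATE/LIMIT and
# everything to its right move one column to the right ('-' = unused).
?FORMAT 2
#TARGET  SOURCE  DEST  PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST  RATE/LIMIT
ACCEPT   -       -     tcp    22            -               -              s:3/min:5
```

Running 'shorewall check -i' after such edits reports any remaining ';' lines in files where curly brackets are required, and 'shorewall update -D' converts leftover bare SECTION/FORMAT/COMMENT lines.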