With the discovery yesterday of a serious problem with Shorewall-perl's processing of /etc/shorewall/accounting, I've decided to go ahead and release 4.0.2.
Problems corrected in 4.0.2
1) The Shorewall-perl compiler was still generating invalid
iptables-restore input from entries in /etc/shorewall/ecn.
2) When using Shorewall-perl, unless an interface was specified as
'optional' in the interfaces file, the 'restore' command would
fail if the routes through the interface or the addresses on the
interface could not be detected.
Route detection occurs when the interface is named in the SOURCE
column of the masq file. Address detection occurs when
DETECT_DNAT_IPADDRS=Yes and the interface is the SOURCE for a DNAT
or REDIRECT rule or when 'maclist' is specified for the interface.
Since the 'restore' command doesn't use the detected information,
detection is now skipped if the command is 'restore'.
3) It was not previously possible to define traffic shaping on a
bridge port; the generated script complained that the
interface was not up and configured.
4) When Shorewall-shell was not installed, certain options in
/etc/shorewall/interfaces and /etc/shorewall/hosts would cause the
'add' and 'delete' commands to fail with a missing library error.
       OPTION      FILE
       maclist     interfaces, hosts
       proxyarp    interfaces
5) The /var/lib/shorewall/zones file was being overwritten during
processing of the 'refresh' command by a script generated with
Shorewall-perl. The result was that hosts previously added to
dynamic zones could not be deleted after the 'refresh'.
6) If the file named as the output file in a Shorewall-perl 'compile'
command was a symbolic link, the generated error message
erroneously stated that the file's parent directory was a symbolic
link.
As part of this change, cosmetic changes were made to a number of
other error messages.
7) Some intra-zone rules were missing when a zone involved multiple
interfaces or when a zone included both IPSEC and non-IPSEC
networks.
8) Shorewall was not previously loading the xt_multiport kernel
module.
9) The Russian and French translations no longer have English headings
on notes, cautions, etc.
10) Previously, using a port list in the DEST PORT(S) column of the
rules file or in an action file could cause an invalid iptables
command to be generated by Shorewall-shell.
11) If there were no bridges in a configuration, Shorewall-perl would
ignore the CHAIN column in /etc/shorewall/accounting.
Other changes in 4.0.2
1) Shorewall-perl now detects when a port range is included in a list
of ports and iptables/kernel support for Extended Multi-port Match
is not available. This avoids an iptables-restore failure at
run-time.
2) Most chains created by Shorewall-shell have names that can be
embedded within shell variable names. This is a workaround for
limitations in the shell programming language which has no
equivalent to Perl hashes. Often chain names must have the name of
a network interface encoded in them. Given that interface names can
contain characters that are invalid in a shell variable name,
Shorewall-shell performs a name mapping which was carried forward to
Shorewall-perl:
- Trailing '+' is dropped.
- The characters ".", "-", "%" and "@" are translated to "_".
This mapping has been eliminated in the 4.0.2 release of
Shorewall-perl. So where before you would see chain "eth0_0_in", you may now
see the same chain named "eth0.0_in". Similarly, a chain previously
named "ppp_fwd" may now be called "ppp+_fwd".
3) Shorewall-perl now uses the contents of the BROADCAST column in
/etc/shorewall/interfaces when the Address Type match capability is
not available.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
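The chain-name mapping described under "Other changes" item 2 is the one thing in this announcement that changes what an administrator will see in `iptables -L` output and in any scripts that grep for chain names by interface. The following POSIX sh snippet is an added example, not Shorewall code: it reimplements the legacy Shorewall-shell mapping (drop a trailing '+', turn '.', '-', '%' and '@' into '_') beside the 4.0.2 Shorewall-perl behaviour (interface name used verbatim), and includes a small check showing why the mapping existed in the first place, namely that the unmapped names cannot be embedded in a shell variable name. The function names, the chain suffixes "in"/"fwd" and the sample interface names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not part of Shorewall): model the pre-4.0.2 chain-name
# mapping and the 4.0.2 Shorewall-perl naming side by side, so that a
# chain seen in an old ruleset can be matched to its new name.

# Legacy name (Shorewall-shell, and Shorewall-perl before 4.0.2):
#   1. drop one trailing '+' (the wildcard marker, e.g. "ppp+")
#   2. map '.', '-', '%' and '@' to '_' so the result can be embedded
#      in a shell variable name
# $1 = interface name, $2 = chain suffix such as "in" or "fwd" (assumed).
legacy_chain_name() {
    _base=${1%+}
    # '-' is placed first inside the bracket so sed treats it literally.
    _base=$(printf '%s' "$_base" | sed 's/[-.%@]/_/g')
    printf '%s_%s' "$_base" "$2"
}

# Shorewall-perl 4.0.2 name: the interface name is used unchanged.
new_chain_name() {
    printf '%s_%s' "$1" "$2"
}

# Returns 0 when NAME consists only of letters, digits and '_', i.e. it
# could be embedded in a shell variable name; 1 otherwise. This is the
# constraint that forced the legacy mapping in the shell compiler.
is_shell_identifier() {
    case $1 in
        *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Stand-alone demonstration on constructed interface names.
for _if in eth0 eth0.0 ppp+ br-lan; do
    _old=$(legacy_chain_name "$_if" in)
    _new=$(new_chain_name "$_if" in)
    if is_shell_identifier "$_new"; then _note="unchanged"; else _note="renamed in 4.0.2"; fi
    printf '%-8s legacy=%-10s 4.0.2=%-10s %s\n' "$_if" "$_old" "$_new" "$_note"
done
```

Running the block prints one line per sample interface; only names containing '.', '-', '%', '@' or a trailing '+' differ between the two columns, which is exactly the set of chains an upgrade to 4.0.2 renames. A monitoring or firewall-audit script that hard-codes the legacy form (for example `eth0_0_in`) will silently stop matching after the upgrade, so the old-to-new pairs are worth checking before deploying.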
