The Shorewall team is pleased to announce the availability of Shorewall 4.4.9

----------------------------------------------------------------------------
    P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

1)  Logical interface names in the EXTERNAL column of
    /etc/shorewall/proxyarp were previously not mapped to their
    corresponding physical interface names. This could cause 'start' or
    'restart' to fail.

2)  If find_first_interface_address() was unable to detect an address,
    then Shorewall 4.4.8 would issue an obscure message
    (startup_error: command not found) and continue.

    Now, a meaningful error message is produced and the calling process
    stops.

3)  If LOG_VERBOSITY=0 in shorewall.conf, then when the compiled script
    was executed, messages such as the following would be issued:

       /var/lib/shorewall6/.restart: line 65: [: -gt: unary operator expected

4)  With optimize 4, if an unnecessary NONAT rule was included in
    /etc/shorewall/rules (there was no DNAT or REDIRECT rule with the
    same source zone), then 'shorewall start' and/or 'shorewall restart'
    could fail with invalid iptables-restore input.

5)  The tarball installers now check for the presence of the CLI
    program (/sbin/shorewall, /sbin/shorewall6, etc) to determine if a
    fresh install or an upgrade should be performed. Previously, the
    installers used the presence of the configuration directory
    (/etc/shorewall, /etc/shorewall6, etc.) which led to incomplete
    installations where there was an existing configuration directory.

6)  The fallback.sh scripts have been removed from Shorewall-lite,
    Shorewall6, and Shorewall6-lite. These scripts no longer work and
    should have been removed in 4.4.0.

7)  The -lite products previously were inconsistent in how they
    referred to their startup log. Some references included '-lite'
    while others did not. This was particularly bad in the case of the
    Shorewall-lite logrotate file, which duplicated the name used by the
    Shorewall package. This inconsistency could cause logrotate to
    fail if both packages were installed.

8)  Two additional problems with optimize 4 have been corrected. One
    manifested as invalid iptables-restore input involving the 'tcpre'
    mangle chain. The other involved wildcard interface names (those
    ending in '+') and would likely also result in invalid
    iptables-restore input.

9)  Previously, Shorewall would set up infrastructure to handle traffic
    from the firewall to bport zones. Such infrastructure could never
    be used. Now, Shorewall avoids setting up these unneeded chains
    and/or rules.

10) If optimization level 2 was in effect, there were no OUTPUT rules,
    and the only effective output policy was $FW->all ACCEPT, then the
    OUTPUT chain was empty and no packets could be sent.

11) If find_first_interface_address() was called in the params file, a
    fatal error occurred on start/restart.

12) The following valid configuration produced invalid
    iptables-restore input with optimization level 4.

    /etc/shorewall/interfaces:

    #ZONE      INTERFACE       BROADCAST      OPTIONS
    vpn        tun+            -

    /etc/shorewall/masq:
    #INTERFACE  SOURCE          ADDRESS         PROTO   PORT
    tun0        192.168.1.0/24

    Use of tunN in the nat and netmap files also produced invalid
    iptables-restore input.

----------------------------------------------------------------------------
            N E W   F E A T U R E S   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

1)  The compiler now auto-detects bridges for the purpose of setting
    the 'routeback' option. Auto-detection is disabled when compiling
    for export (-e option); note that -e is implicit in the 'load' and
    'reload' commands.

2)  When 'trace' is specified on a command that involves the compiler
    (e.g., shorewall trace check), the compiler now creates a trace to
    standard output.

    Trace entries are of three types:

    Input  --- begin with IN===>.     Input read from configuration
                                      files. Comments have been
                                      stripped, continuation lines
                                      combined and shell variables
                                      expanded.

    Output --- begin with GS----->.   Text written to the generated
                                      script.

    Netfilter -- begin with NF-(x)->. Updates to the compiler's chain
                                      table, where 'x' is one of the
                                      following:

        N - Create a chain.
        A - Append a rule to a chain.
        R - Replace a rule in a chain.
        I - Insert a rule into a chain.
        T - Shell source text appended/inserted into a chain --
            converted into rules at run-time.
        D - Delete a rule from a chain; note that this causes the
            following rules to be renumbered.
        X - Delete a chain.
        P - Change a built-in chain's policy. Chains in the filter table
            are created with a DROP policy. All other built-in chains
            have policy ACCEPT.
        !   Followed by one or more of the following to indicate that
            the operation is not allowed on the chain.

            O - Optimize
            D - Delete
            M - Move rules

    Netfilter trace records indicate the table and chain being
    changed. If the change involves a particular rule, then the rule
    number is also included.

    Example (append the first rule to the filter FORWARD chain):

        NF-(A)-> filter:FORWARD:1 ...

    If the trace record involves the chain itself, then no rule number
    is present.

    Example (Delete the mangle tcpost chain):

        NF-(X)-> mangle:tcpost
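    The three record types above are easy to post-process when auditing what
    the compiler did to the chain table. The following is an added example, not
    part of Shorewall or of this announcement: a small Python parser that
    classifies trace lines, splits Netfilter records into table, chain, rule
    number and trailing text, and counts operations per chain. The sample trace
    it runs on is constructed from the formats described above; in particular
    the exact spelling of a '!' record (written here as NF-(!OM)->) and the
    non-trace progress line are assumptions, not captured compiler output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Meaning of the NF-(x)-> operation letters, as listed in the release notes.
NF_OPS = {
    "N": "create chain", "A": "append rule", "R": "replace rule",
    "I": "insert rule", "T": "shell text", "D": "delete rule",
    "X": "delete chain", "P": "set policy",
}
# Letters that may follow '!' (operation not allowed on the chain).
RESTRICTIONS = {"O": "optimize", "D": "delete", "M": "move rules"}

# Netfilter record: NF-(op)-> table:chain[:rule] [text]
_NF_RE = re.compile(
    r"^NF-\((?P<op>!?[A-Z]+)\)->\s+"
    r"(?P<table>[a-z]+):(?P<chain>[^:\s]+)"
    r"(?::(?P<rule>\d+))?"
    r"(?:\s+(?P<text>.*))?$"
)

# Constructed sample trace (not real compiler output); the '!' record
# format is an assumption based on the description in the release notes.
SAMPLE_TRACE = """\
Compiling /etc/shorewall/interfaces...
IN===> net  eth0  detect  dhcp,tcpflags
GS-----> echo "Setting up Shorewall..."
NF-(N)-> filter:net2fw
NF-(A)-> filter:FORWARD:1 -j net2fw
NF-(I)-> filter:INPUT:2 -p tcp --dport 22 -j ACCEPT
NF-(D)-> filter:INPUT:1
NF-(P)-> filter:INPUT DROP
NF-(!OM)-> filter:INPUT
NF-(X)-> mangle:tcpost
"""


@dataclass
class TraceRecord:
    kind: str                           # "input", "output" or "netfilter"
    text: str                           # payload after the record prefix
    op: Optional[str] = None            # NF op letter, or "!" for a restriction
    table: Optional[str] = None
    chain: Optional[str] = None
    rule: Optional[int] = None          # absent when the record is about the chain
    restrictions: Tuple[str, ...] = ()  # letters after '!', e.g. ("O", "M")


def parse_line(line: str) -> Optional[TraceRecord]:
    """Classify one line of compiler output; None if it is not a trace record."""
    line = line.rstrip("\n")
    if line.startswith("IN===>"):
        return TraceRecord("input", line[len("IN===>"):].strip())
    if line.startswith("GS----->"):
        return TraceRecord("output", line[len("GS----->"):].strip())
    m = _NF_RE.match(line)
    if not m:
        return None
    op = m.group("op")
    rec = TraceRecord(
        "netfilter", m.group("text") or "",
        table=m.group("table"), chain=m.group("chain"),
        rule=int(m.group("rule")) if m.group("rule") else None,
    )
    if op.startswith("!"):
        rec.op = "!"
        rec.restrictions = tuple(op[1:])
        unknown = [c for c in rec.restrictions if c not in RESTRICTIONS]
    else:
        rec.op = op
        unknown = [] if op in NF_OPS else [op]
    if unknown:
        # Reject codes the documented format does not define rather than guess.
        raise ValueError(f"unknown NF operation code {unknown!r} in: {line}")
    return rec


def parse_trace(text: str) -> List[TraceRecord]:
    """Parse a whole trace, silently skipping lines that are not trace records."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def chain_activity(records: List[TraceRecord]) -> Dict[str, Dict[str, int]]:
    """Count NF operations per 'table:chain' to see which chains were touched."""
    counts: Dict[str, Dict[str, int]] = {}
    for r in records:
        if r.kind != "netfilter":
            continue
        key = f"{r.table}:{r.chain}"
        per_chain = counts.setdefault(key, {})
        per_chain[r.op] = per_chain.get(r.op, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_trace(SAMPLE_TRACE)
    for key, ops in chain_activity(recs).items():
        print(key, ops)
```

    Feeding the parser real output (e.g. from 'shorewall trace check') shows
    at a glance which chains the optimizer created, deleted or marked as
    not optimizable, which is useful when chasing the invalid
    iptables-restore input problems fixed in this release.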

3)  Thanks to Vincent Smeets, there is now an IPv6 mDNS macro.

4)  Optimize 8 has been added. This optimization level eliminates
    duplicate chains. So to set all possible optimizations, specify
    OPTIMIZE=15.

5)  The command-line tools now support 'show log <regex>' where <regex>
    is a regular expression to search for in the LOGFILE. The command
    searches the current LOGFILE for Netfilter messages matching the
    supplied regex.
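    To make concrete what 'show log <regex>' searches for, here is an added
    Python example (not Shorewall's own implementation, which lives in the
    shell CLI): it picks the Netfilter messages out of a syslog excerpt,
    splits the 'Shorewall:<chain>:<disposition>:' prefix and the key=value
    fields, keeps only those whose text matches a regular expression, and
    summarises them by chain, disposition, protocol and destination port. The
    log lines are constructed for the example (RFC 5737 documentation
    addresses) and the prefix layout assumes the default LOGFORMAT.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Constructed syslog excerpt (not a real capture). The last line is a
# non-Netfilter message that must never be reported by 'show log'.
SAMPLE_LOG = """\
Jun 12 10:15:01 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 12 10:15:03 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41235 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 12 10:15:07 gw kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.77 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=50211 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 12 10:15:09 gw kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=198.51.100.2 DST=203.0.113.9 LEN=80 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=UDP SPT=5353 DPT=5353 LEN=60
Jun 12 10:15:10 gw sshd[1234]: Accepted publickey for admin from 203.0.113.77 port 50211
"""

# Default LOGFORMAT prefix: Shorewall:<chain>:<disposition>: followed by the
# kernel's space-separated fields.
_NF_LINE = re.compile(
    r"kernel: Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$"
)


@dataclass
class NetfilterEvent:
    chain: str                 # e.g. net2fw
    disposition: str           # DROP, REJECT, ACCEPT, ...
    fields: Dict[str, str]     # key=value tokens: SRC, DST, PROTO, DPT, ...
    flags: FrozenSet[str]      # bare tokens: DF, SYN, ...
    raw: str                   # the original log line


def parse_netfilter_line(line: str) -> Optional[NetfilterEvent]:
    """Return the parsed event, or None if the line is not a Netfilter message."""
    m = _NF_LINE.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    flags = set()
    for tok in m.group("fields").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v          # a repeated key (UDP LEN) overwrites the IP LEN
        else:
            flags.add(tok)
    return NetfilterEvent(m.group("chain"), m.group("disp"), fields, frozenset(flags), line)


def show_log(lines: Iterable[str], regex: str) -> List[NetfilterEvent]:
    """Netfilter messages whose text matches regex, like 'shorewall show log <regex>'."""
    pat = re.compile(regex)
    return [ev for ev in map(parse_netfilter_line, lines) if ev and pat.search(ev.raw)]


def summarize(events: List[NetfilterEvent]) -> Counter:
    """Count events by (chain, disposition, protocol, destination port)."""
    return Counter(
        (e.chain, e.disposition, e.fields.get("PROTO"), e.fields.get("DPT"))
        for e in events
    )


if __name__ == "__main__":
    for key, n in summarize(show_log(SAMPLE_LOG.splitlines(), "DROP")).items():
        print(n, *key)
```

    Note that a plain match on the whole line would also report the sshd
    line for the regex '50211'; restricting the search to Netfilter messages,
    as 'show log' does, keeps the result to firewall events.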

6)  There are some instances where a bridge with no IP address is
    configured. Prior to Shorewall 4.4.9, this required the following:

    /etc/shorewall/interfaces:
    #ZONE       INTERFACE       BROADCAST       OPTIONS
    dummy       br0             -               routeback

    /etc/shorewall/policy:
    #SOURCE     DEST            POLICY
    dummy       all             DROP
    all         dummy           DROP

    Beginning in this release, a single entry will suffice:

    /etc/shorewall/interfaces:
    #ZONE       INTERFACE       BROADCAST       OPTIONS
    -           br0             -               bridge

7)  The generated ruleset now uses conntrack match for state matching,
    if it is available.

8)  In /etc/shorewall/routestopped, the 'routeback' option is assumed
    if the interface has 'routeback' specified (either explicitly or
    detected).

9)  Apple Macs running OS X may now be used as a Shorewall
    administrative system. Simply install using the tarball installer.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users