Shorewall 5.1.10.1 is now available for download.

Problems Corrected:
5.1.10.1
1) The Shorewall-core installer previously failed to update the shell
library files correctly when SHAREDIR was not set to /usr/share/.
That has been corrected.
2) Previously, the installer modified the shorewall[6].conf installed
in /etc/shorewall[6] based on the Linux distribution (HOST in
shorewallrc) but installed an unmodified file in
/usr/share/shorewall/configfiles/. Beginning with this release,
the modified file is also installed in the latter directory.
5.1.10
1) Several typos have been corrected in the manpages (Roberto
Sanchez).
2) Regarding Known Problem 3 below, the code added in 5.0.15 could
fail to delete an existing default route if the new default route
was not identical to the one being replaced. Now, the default route
is deleted even if the new route is different.
3) Previously, if the 'ss' utility was not installed but 'netstat' was
installed, the 'dump' command would issue the error message
/sbin/shorewall: line 1: netatat: not found
and the dump would not contain socket information. That problem
has been corrected.
4) Previously, a plain 'reset' command would only reset counters in
the 'filter' and 'mangle' tables. Now, all four tables have their
counters reset.
5) Specifying IN-BANDWIDTH would previously cause a run-time
start/restart/reload failure when a later version of iproute2 was
installed. The problem has been observed on both iproute2 4.13.0
and 4.14.0. The failure message was similar to the following:
Setting up Traffic Control...
"rate" or "avrate" MUST be specified.
Illegal "police"
ERROR: Command "tc filter add dev ppp0 parent ffff: protocol all
prio 10 basic police mpu 64 drop rate 55378kbit burst 10kb" Failed
This problem has been resolved.
6) Previously, Shorewall-init would recompile the firewall script each
time that it ran. Now, it only compiles the script if it doesn't
exist.
7) Most interface OPTIONS have always been ignored when the INTERFACE
name is '+'. Beginning with this release, a warning is issued when
an ignored option is specified with interface name '+'.
Example: The 'sourceroute' option is ignored when used with
interface name '+'
In most cases, this issue can be worked around by a change similar
to the following:

    Original:

        net    +      dhcp,routeback,sourceroute=0

    Change to:

        net    all    dhcp,physical=+,routeback,sourceroute=0
               ---    ----------
As part of this change, interfaces that specify a wildcard physical
interface name will generate a warning if any of the following
options are specified:
accept_ra
arp_filter
arp_ignore
forward
logmartians
proxyarp
proxyndp
routefilter
sourceroute
When the warning is issued, the specified option is then ignored
for the interface.
Example:
WARNING: The 'sourceroute' option is ignored when used with a
wildcard physical name
/etc/shorewall6.universal/interfaces (line 14)
8) When the IPv6 Universal sample configuration was used, the
following warning was issued during start/restart/reload:
WARNING: Cannot set Accept Source Routing on +
The Universal interfaces file has been corrected to eliminate that
error.
9) Previously, the Shorewall and Shorewall6 example
interfaces.annotated files were truncated, due to a defect in the
Shorewall build tools. That defect has been corrected so that the
files are no longer truncated.
New Features in 5.1.10:
1) Previously, it was necessary to remove ${CONFDIR}/shorewall[6] from
the CONFIG_PATH to create a configuration directory for a remote
firewall managed by shorewall[6]-lite. Without this modification,
when the compiler looked for a file that was not present in the
configuration directory, it would attempt to read the file by the
same name residing in ${CONFDIR}/shorewall[6].
Now, if the setting of CONFIG_PATH begins with a colon (":"),
the first directory in the path is ignored when compiling for
export or when the user running the compiler is not root.
The released copies of shorewall[6].conf have all been modified to
set CONFIG_PATH with a leading colon.
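To make the leading-colon rule concrete, here is an added illustration
(not Shorewall's own code, which is Perl) that models the lookup
described above as a small POSIX shell function. It assumes, as the text
states, that the first directory is skipped only when CONFIG_PATH begins
with ":" and the compile is for export or run by a non-root user; the
directory and file names in the demo are constructed for the example.

```sh
#!/bin/sh
# Added illustration of the CONFIG_PATH leading-colon rule; not Shorewall code.
#
# resolve_config_file CONFIG_PATH FILE SKIP_FIRST
#   CONFIG_PATH  colon-separated directory list, optionally starting with ":"
#   FILE         configuration file name to look up (e.g. "rules")
#   SKIP_FIRST   "yes" when compiling for export or running as non-root
# Prints the first matching path and returns 0, or returns 1 if not found.
resolve_config_file() {
    path=$1
    file=$2
    skip_first=$3

    case $path in
        :*)
            # Leading colon: the first directory is ignored when SKIP_FIRST=yes.
            path=${path#:}
            if [ "$skip_first" = yes ]; then
                case $path in
                    *:*) path=${path#*:} ;;   # drop the first directory
                    *)   path= ;;             # it was the only directory
                esac
            fi
            ;;
    esac

    old_ifs=$IFS
    IFS=:
    for dir in $path; do
        IFS=$old_ifs
        [ -n "$dir" ] || continue
        if [ -f "$dir/$file" ]; then
            printf '%s\n' "$dir/$file"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Demo with a constructed directory tree: an "admin box" /etc/shorewall that
# must NOT leak into an export compile, and the shared defaults directory.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/shorewall" "$tmp/usr/share/shorewall"
    echo '# local firewall rules' > "$tmp/etc/shorewall/rules"
    echo '# default (empty) rules' > "$tmp/usr/share/shorewall/rules"

    # Shape of the released shorewall.conf setting, with a leading colon.
    cfg=":$tmp/etc/shorewall:$tmp/usr/share/shorewall"

    echo "root, local compile:   $(resolve_config_file "$cfg" rules no)"
    echo "export/non-root:       $(resolve_config_file "$cfg" rules yes)"
    rm -rf "$tmp"
}

demo
```

Without the leading colon the function searches every directory regardless
of SKIP_FIRST, which is the old behaviour the text describes: a file missing
from the export directory would silently be picked up from the local
${CONFDIR}/shorewall.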
2) The documentation surrounding use of DNS names in Shorewall
configuration has been improved.
3) It is now possible to associate a particular protocol with an
action in shorewall[6]-actions(5). When a protocol is specified in
that file, it is not necessary to specify the protocol in the PROTO
column when invoking the action. If a protocol is included in the
PROTO column then it must match the one specified in the actions
file. If an action defined with a protocol is used as a Policy
Action, then only packets with the specified protocol will be
passed to the action.
A number of standard action definitions in
/usr/share/shorewall[6]/actions.std have had a protocol added.
The protocol has no effect if 'builtin' or 'inline' is also
specified; specifying 'builtin' with a protocol results in a
warning message. No warning is issued when 'inline' is specified
with a protocol, thus allowing 'inline' and a protocol to appear
together in actions.std. Note that 'noinline' in
shorewall-actions(5) can override an 'inline' specification in
actions.std.
4) The FIN action previously included the PSH flag (FIN,ACK,PSH). To
make the action a bit more general, the PSH flag is now removed and
TCP packets with just the FIN and ACK flags set will now match.
Thank you for using Shorewall,
-Tom
--
Tom Eastep           \    Q: What do you get when you cross a mobster with
Shoreline,            \      an international standard?
Washington, USA        \   A: Someone who makes you an offer you can't
http://shorewall.org    \     understand
                         \_______________________________________________