As is often the case with a new major release, we've accumulated a number of patches over the ten days that Shorewall 4.0.0 has been available. I'm releasing 4.0.1 to ease the patching/updating burden for people wishing to upgrade to Shorewall 4.0.
Problems corrected in 4.0.1.

1) The Shorewall Lite installer was producing an empty shorewall-lite manpage. Since the installer runs as part of creating the RPM, the RPM also suffered from this problem. The 4.0.0 Shorewall-lite packages were re-uploaded with this problem corrected.

2) The Shorewall Lite uninstaller incorrectly removed /sbin/shorewall rather than /sbin/shorewall-lite.

3) Both the Shorewall and Shorewall Lite uninstallers did a "shorewall clear" if Shorewall [Lite] was running. Now, the Shorewall Lite uninstaller correctly does "shorewall-lite clear" and both uninstallers only perform the 'clear' operation if the other product is not installed. This prevents the removal of one of the two products from clearing the firewall configuration established by the other one.

4) The 'ipsec' OPTION in /etc/shorewall/hosts was mis-handled by Shorewall-perl. If the zone type was changed to 'ipsec' or 'ipsec4' and the 'ipsec' option removed from the hosts file entry, the configuration worked properly.

5) If a CLASSID was specified in a tcrule and TC_ENABLED=No, then Shorewall-perl produced the following:

   Compiling...
   Use of uninitialized value in string ne at /usr/share/shorewall-perl/Shorewall/Tc.pm line 285, <$currentfile> line 18.
   ERROR: Class Id n:m is not associated with device eth0 : /etc/shorewall/tcrules (line 18)

6) If IPTABLES was not specified in shorewall.conf, Shorewall-perl was locating the binary using the PATH environment variable rather than the PATH setting in shorewall.conf. If no PATH was available when Shorewall-perl was run and IPTABLES was not set in shorewall.conf, the following messages were issued:

   Use of uninitialized value in split at /usr/share/shorewall-perl/Shorewall/Config.pm line 1054.
   ERROR: Can't find iptables executable
   ERROR: Shorewall restart failed

7) If the "Mangle FORWARD Chain" capability was supported, entries in the /etc/shorewall/ecn file would cause invalid iptables commands to be generated.
This problem occurred with both compilers.

8) Shorewall now starts at reboot after an upgrade from shorewall < 4.0.0. Previously, Shorewall was not started automatically at reboot after an upgrade using the RPMs.

9) Shorewall-perl was generating invalid iptables-restore input when a log level was specified with the dropBcast and allowBcast builtin actions and when a log level followed by '!' was used with any builtin actions.

10) Shorewall-perl was incorrectly rejecting 'min' as a valid unit of time in rate-limiting specifications.

11) Certain errors occurring during start/restart/safe-start/safe-restart/try processing could cause the lockfile to be left behind. This resulted in a 60-second delay the next time one of these commands was run.

Other changes in Shorewall 4.0.1.

1) A new EXPAND_POLICIES option is added to shorewall.conf. The option is recognized by Shorewall-perl and is ignored by Shorewall-shell. Normally, when the SOURCE or DEST column in shorewall-policy(5) contains 'all', a single policy chain is created and the policy is enforced in that chain. For example, if the policy entry is

   #SOURCE  DEST  POLICY  LOG
   #                      LEVEL
   net      all   DROP    info

   then the chain name is 'net2all', which is also the chain named in Shorewall log messages generated as a result of the policy. If EXPAND_POLICIES=Yes, then Shorewall-perl will create a separate chain for each pair of zones covered by the policy. This makes the resulting log messages easier to interpret since the chain in the messages will have a name of the form 'a2b' where 'a' is the SOURCE zone and 'b' is the DEST zone. See http://linuxman.wikispaces.com/PPPPPPS for more information.

2) The Shorewall-perl dependency on the "Address Type Match" capability has been relaxed. This allows Shorewall 4.0.1 to be used on releases like RHEL4 that don't support that capability.

3) Shorewall-perl now detects dead policy file entries that result when an entry is masked by an earlier entry.
   Example:

   #SOURCE  DEST  POLICY  LOG
   #                      LEVEL
   all      all   REJECT  info
   loc      net   ACCEPT

   Here the 'loc net ACCEPT' entry is dead because the 'all all REJECT' entry before it already matches all loc->net traffic.

4) Recent kernels are apparently hard to configure and we have been seeing a lot of problem reports where the root cause is the lack of state match support in the kernel. This problem is difficult to diagnose when using Shorewall-perl, so the generated shell program now checks specifically for this problem and terminates with an error if the capability doesn't exist.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ [EMAIL PROTECTED]
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
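As an added illustration for this page (not Shorewall-perl's code, nor anything shipped by the Shorewall project), the following Python models the two policy-file behaviours described in the announcement: which chain a log message would name for a zone pair with EXPAND_POLICIES=No versus EXPAND_POLICIES=Yes, and the detection of a policy entry that is dead because a single earlier entry already covers it. The zone list, the sample policy file and the function names are constructed assumptions; same-zone pairs are skipped for simplicity, and only masking by one earlier entry is considered.

```python
# Added illustration for this page, not Shorewall-perl's implementation.
# Zone list, sample policy text and helper names are constructed assumptions.

ZONES = ["fw", "net", "loc", "dmz"]   # constructed zone list

# Constructed sample in the shorewall-policy(5) column layout.
SAMPLE_POLICY = """\
#SOURCE  DEST  POLICY  LOG
#                      LEVEL
loc      net   ACCEPT
net      all   DROP    info
all      all   REJECT  info
loc      dmz   ACCEPT
"""


def parse_policy(text):
    """Parse policy-file lines into (source, dest, policy, log_level) tuples.
    Comment and blank lines are skipped; a missing LOG LEVEL becomes None."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        source, dest, policy = fields[:3]
        level = fields[3] if len(fields) > 3 else None
        entries.append((source, dest, policy.upper(), level))
    return entries


def _covers(spec, zone):
    """True if a SOURCE/DEST column value ('all' or a zone name) applies to zone."""
    return spec == "all" or spec == zone


def policy_chains(entries, zones=ZONES, expand_policies=False):
    """Map each (source, dest) zone pair to (chain, policy), first match wins.
    With EXPAND_POLICIES=No an 'all' entry is enforced in one shared chain such
    as 'net2all'; with EXPAND_POLICIES=Yes every pair gets its own chain such
    as 'net2loc'. Same-zone pairs are left out (simplification)."""
    chains = {}
    for src in zones:
        for dst in zones:
            if src == dst:
                continue
            for source, dest, policy, _level in entries:
                if _covers(source, src) and _covers(dest, dst):
                    chain = f"{src}2{dst}" if expand_policies else f"{source}2{dest}"
                    chains[(src, dst)] = (chain, policy)
                    break
    return chains


def dead_entries(entries):
    """Indexes of entries that can never match because one earlier entry
    already covers every (source, dest) pair they could cover."""
    dead = []
    for i, (source, dest, _policy, _level) in enumerate(entries):
        for earlier_source, earlier_dest, _ep, _el in entries[:i]:
            if _covers(earlier_source, source) and _covers(earlier_dest, dest):
                dead.append(i)
                break
    return dead


def chain_for_log(entries, src, dst, expand_policies=False):
    """Chain name that a Shorewall log message would carry for src -> dst traffic."""
    return policy_chains(entries, expand_policies=expand_policies)[(src, dst)][0]


if __name__ == "__main__":
    entries = parse_policy(SAMPLE_POLICY)
    for i in dead_entries(entries):
        print(f"dead policy entry {i}: {entries[i][:3]}")
    for flag in (False, True):
        print(f"EXPAND_POLICIES={'Yes' if flag else 'No'}: net->loc logs under",
              chain_for_log(entries, "net", "loc", flag))
```

Running it on the constructed sample reports the trailing 'loc dmz ACCEPT' entry as dead (masked by 'all all REJECT') and shows net->loc traffic logged under 'net2all' without expansion but under 'net2loc' with EXPAND_POLICIES=Yes, which is exactly the readability gain the option is meant to give when reading firewall logs.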
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users