Shorewall 4.2.5 is now available for download.
Problems corrected in 4.2.5
1) If exclusion is used to define a zone in /etc/shorewall/hosts and
that zone is used as the SOURCE zone in a DNAT or REDIRECT rule,
then Shorewall-perl can generate invalid iptables-restore input.
2) A bug in the Perl Cwd module (see
http://rt.cpan.org/Public/Bug/Display.html?id=13851) causes the
Shorewall-perl compiler to fail if it doesn't have at least read
access to its current working directory. 4.2.5 contains a
workaround.
3) If 'critical' was specified on an entry in
/etc/shorewall6/routestopped, Shorewall6 (Shorewall-perl) would
generate an error.
4) In certain cases where exclusion occurred in /etc/shorewall/hosts,
Shorewall-perl would generate incorrect iptables-restore input.
5) In certain cases where exclusion occurred in /etc/shorewall/hosts,
Shorewall-perl would generate invalid iptables-restore input.
6) The 'shorewall6 refresh' command runs iptables_restore rather than
ip6tables_restore.
7) The commands 'shorewall6 save-start', 'shorewall6-save-restart' and
'shorewall6 restore' were previously broken.
8) The Debian init script was checking $startup in
/etc/default/shorewall rather than in /etc/default/shorewall6.
9) The Archlinux init scripts for Shorewall6 and Shorewall6 Lite were
unconverted Shorewall scripts.
10) When 'detect' is used in the GATEWAY column of
/etc/shorewall/providers, Shorewall-perl now ensures that the
gateway was successfully detected. If the gateway cannot be
detected, action is taken depending on whether the provider is
'optional' or not. If the provider is optional, its configuration
is skipped; if the provider is not optional, the current operation
is aborted.
11) The command 'shorewall6 debug start' would previously fail with
ERROR: Command "/sbin/ip6tables -t nat -F" Failed
12) Both ipv4 and ipv6 compiled programs attempt to run the tcclear
script itself at run time rather than running the copy of the
file in the compiled script. This usually isn't noticeable unless
you are running Shorewall Lite or Shorewall6 Lite, in which case
the script doesn't get run (since it is on the administrative
system and not the firewall system).
13) If your iptables/kernel included "Extended Connection Tracking
Match support" (see the output of "shorewall show capabilities"),
then a REDIRECT rule that specified a port list or range would
cause Shorewall-perl to create invalid iptables-restore input:
Running /usr/sbin/iptables-restore...
iptables-restore v1.4.2-rc1: conntrack: Bad value for
"--ctorigdstport" option: "1025:65535"
Error occurred at line: 191
Try `iptables-restore -h' or 'iptables-restore --help' for more
information.
ERROR: iptables-restore Failed. Input is in
/var/lib/shorewall/.iptables-restore-input
Known Problems Remaining:
1) When exclusion is used in an entry in /etc/shorewall/hosts, then
Shorewall-shell produces an invalid iptables rule if any of the
following OPTIONS are also specified in the entry:
blacklist
maclist
norfc1918
tcpflags
New Feature in Shorewall 4.2.5
1) A new 'fallback' option is added in
/etc/shorewall/providers. The option works similarly to 'balance'
except that the default route is added in the default routing table
(253) rather than in the main table (254).
The option can be used by itself or followed by =<number> (e.g.,
fallback=2).
When the option is used by itself, a separate (not balanced)
default route is added with a metric equal to the provider's NUMBER.
When the option is used with a number, a balanced route is added
with the weight set to the specified number.
'fallback' is ignored if USE_DEFAULT_RT=Yes in shorewall.conf and
is only available with Shorewall-perl.
'fallback' is useful in situations where:
- You want all traffic to be sent via one primary provider unless
there is a compelling reason to use a different provider
- If the primary provider is down, then you want to balance the
outgoing traffic among a set of other providers or to an
ordered list of providers.
In this case:
- Do not specify 'balance' on any of the providers.
- Disable route filtering ('ROUTE_FILTER=No' in shorewall.conf).
- Specify 'fallback' on those providers that you want to use if
the primary is down.
- Only the primary provider should have a default route in the main
routing table.
See http://www.shorewall.net/MultiISP.html#Complete for an example
of this option's use.
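An added example (constructed here; it is not from the announcement or from the Shorewall documentation) of a /etc/shorewall/providers file that applies the steps above. Provider names, interface names and the 'optional' and 'track' options are assumptions for illustration; only the 'fallback' behaviour is taken from the description above.

```conf
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY  OPTIONS                    COPY
#
# Primary provider: no 'balance' and no 'fallback'. Its default route is
# the one already present in the main routing table (254), and it must be
# the only default route there.
ISP1    1       1     main       eth0       detect   track                      eth2
#
# Secondary providers: 'fallback=1' adds a balanced default route for each
# of them in the default routing table (253) with weight 1, so if the main
# table's default route disappears (ISP1 down), traffic is split equally
# between ISP2 and ISP3.
#
# Using plain 'fallback' instead of 'fallback=1' would add a separate
# (not balanced) route per provider with metric equal to its NUMBER, i.e.
# ISP2 (metric 2) is tried before ISP3 (metric 3): an ordered list.
#
# 'optional' (assumed here) makes Shorewall skip the provider instead of
# aborting when 'detect' cannot find a gateway on the interface (fix 10).
ISP2    2       2     main       eth1       detect   track,fallback=1,optional  eth2
ISP3    3       3     main       eth3       detect   track,fallback=1,optional  eth2
#
# Required settings in shorewall.conf for this layout:
#   ROUTE_FILTER=No      (reverse-path filtering would drop replies
#                         arriving via a provider other than the one
#                         chosen by the main table)
#   USE_DEFAULT_RT=No    ('fallback' is ignored when USE_DEFAULT_RT=Yes)
```

After 'shorewall start', 'ip route show table 253' should list the balanced default route(s) and 'ip route show table main' should show only ISP1's default route.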
2) Shorewall-perl now transparently handles the xtables-addon version
of ipp2p. Shorewall detects whether the installed ipp2p is from
patch-o-matic-ng or from xtables-addon and proceeds accordingly.
If the patch-o-matic-ng version is installed:
a) If no DEST PORT is supplied, the default is "--ipp2p".
b) If "ipp2p" is supplied as the DEST PORT, it will be passed to
iptables-restore as "--ipp2p".
If the xtables-addons version is installed:
a) If no DEST PORT is supplied, the default is "--edk --gnu --dc
--kazaa".
b) If "ipp2p" is supplied as the DEST PORT, it will be passed to
iptables-restore as "--edk --gnu --dc --kazaa".
Shorewall-perl now also accepts a comma-separated list of options
(e.g., "edk,gnu,dc,kazaa").
Additionally, Shorewall now looks for modules in /lib/modules/$(uname
-r)/extra and in /lib/modules/$(uname -r)/extra/ipset.
This change introduced a new capability ("Old IPP2P Match Syntax")
so if you use a capabilities file, be sure to re-generate the
file(s) after you have installed 4.2.5.
3) There is now a macro.Git, which opens git-daemon's port (9418/tcp).
4) There is also a macro.IRC which opens the Internet Relay Chat port
(6667/tcp).
-Tom
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users