The Shorewall team is pleased to announce the availability of Shorewall
4.2.10. Astute users will notice that the version of Shorewall-perl
included in this release is 4.2.10.1. We corrected a problem which was
discovered after the release was initially uploaded, and we wanted to
avoid the confusion that would inevitably result if we were to release
a different set of code with the same version number.

Problems corrected in Shorewall-perl 4.2.10.1

1)  Users that set TC_ENABLED=Internal and have entries in
    /etc/shorewall/tcdevices and /etc/shorewall/tcclasses may experience
    a startup error such as the following:

    ERROR: Command "tc qdisc add dev eth1 root handle 1: htb default 12
           r2q 20.8" Failed

Problems corrected in Shorewall 4.2.10

1)  A 'large quantum' warning log message during restart has been
    eliminated. The log message occurred when an interface with a large
    OUT-BANDWIDTH was defined in /etc/shorewall/tcdevices.

2)  When a REJECT rule included a log entry, the disposition in the log
    message was incorrectly shown as 'reject' rather than 'REJECT'.

3)  When 'forward' was specified on one or more interfaces in
    /etc/shorewall6/interfaces, the progress message "Compiling
    Interface forwarding..." was issued multiple times. Now, only one
    instance of the message is generated.

4)  A typing error in the IPv6 two-interface sample shorewall6.conf
    file has been corrected. This error prevented the compiler from
    being able to find macros in /usr/share/shorewall/.

Known Problems Remaining:

1)  When exclusion is used in an entry in /etc/shorewall/hosts, then
    Shorewall-shell produces an invalid iptables rule if any of the
    following OPTIONS are also specified in the entry:

        blacklist
        maclist
        norfc1918
        tcpflags

2)  Shorewall-shell generates inversion rules which produce
    warnings with iptables 1.4.3.

    Example:

    iptables -A  lan2fw  -p 6  --dport 999  -s ! 192.168.20.1  -j ACCEPT

    With iptables 1.4.3.1 the following information message is produced:

    Using intrapositioned negation (`--option ! this`) is deprecated in
    favor of extrapositioned (`! --option this`).

    We don't intend to fix this. It's time to migrate to Shorewall-perl
    anyway.

New Features in Shorewall 4.2.10

1)  Shorewall's support for dynamic gateways on interfaces managed by
    dhclient works on OpenSuSE systems but not on some other
    distributions.

    In order to generalize support for learning the gateway for dynamic
    interfaces, a new 'findgw' extension script (user exit) has been
    added.

    The exit will be invoked in a function that has a single argument:

        $1 = <name of an interface>

    If the function can determine the gateway for the passed interface,
    it should write the gateway to standard out. Here is a sample
    /etc/shorewall/findgw that works with dhclient (dhcp3) in Debian
    Lenny:

    if [ -f /var/lib/dhcp3/dhclient.${1}.leases ]; then
       grep 'option routers' /var/lib/dhcp3/dhclient.${1}.leases |\
          tail -n 1 |\
          while read j1 j2 gateway; do\
              echo $gateway | sed 's/;//';\
          done
    fi

    The same code works on Ubuntu Jaunty if you replace the first '.'
    with '-' and replace '.leases' with '.lease' (don't you just love
    the consistency between distributions?).

    That code also works on CentOS if you replace 'dhcp3' by
    'dhclient'.

    'findgw' files that have been customized for various distributions
    may be found at
    http://www.shorewall.net/pub/shorewall/contrib/findgw.
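
    The following is an added example, not Shorewall's own code and not one of the contributed findgw files: a single findgw body that tries the three lease-file locations described above (Debian Lenny, Ubuntu Jaunty, CentOS) and checks both the interface name and the parsed value before writing anything to standard out. The function names and the LEASE_ROOT test prefix are assumptions made for this example.

```shell
#!/bin/sh
# Added example. LEASE_ROOT is a hypothetical prefix (empty on a real system)
# that lets the lookup be exercised against constructed lease files.
: "${LEASE_ROOT:=}"

# Accept only characters that occur in interface names, so that $1 cannot
# change which file is read (no '/' and no empty name).
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
    esac
    return 0
}

# Print the first router listed on the last 'option routers' line of file $1.
last_router() {
    sed -n 's/^[[:space:]]*option routers[[:space:]]\{1,\}\([^,;[:space:]]*\).*/\1/p' "$1" |
        tail -n 1
}

# Write the gateway for interface $1 to standard out; return 1 if unknown.
find_gateway() {
    valid_iface "$1" || return 1
    for f in \
        "$LEASE_ROOT/var/lib/dhcp3/dhclient.$1.leases" \
        "$LEASE_ROOT/var/lib/dhcp3/dhclient-$1.lease" \
        "$LEASE_ROOT/var/lib/dhclient/dhclient.$1.leases"
    do
        [ -f "$f" ] || continue
        gw=$(last_router "$f")
        # Lease files hold data received from the DHCP server: emit the value
        # only if it consists of digits and dots.
        case "$gw" in
            ''|*[!0-9.]*) continue ;;
        esac
        echo "$gw"
        return 0
    done
    return 1
}

# When used as /etc/shorewall/findgw, the file would end with:
#     find_gateway "$1"
```

    Unlike the sample above, this version prints only the first address when a lease lists several routers on one line.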

-The Shorewall Team
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
