Shorewall 4.4.16 is now available for download.
----------------------------------------------------------------------------
P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------
1) If the output of 'env' contained a multi-line value, then
compilation failed with an Internal Error. The code has been
changed so that the compiler now handles multi-line values
correctly.
2) In 4.4.15, output to Standard Out (FD 1) generated by
/etc/shorewall/params (/etc/shorewall6/params) was redirected to
/dev/null. It is now redirected to Standard Error (FD 2).
3) If a params file did not appear in the CONFIG_PATH, compilation
failed with the error:
.: 31: Can't open /etc/shorewall6/params
ERROR: Processing of /etc/shorewall6/params failed
4) Compilation no longer fails when /bin/sh is an older (e.g.,
RHEL5.x) bash.
5) Previously, proxy ARP with logical interface names did not
work. Symptoms included numerous Perl runtime error messages.
6) Previously, the root of a wildcard name erroneously matched that
name. For example 'eth' matched 'eth+'. Now there must be at least
one additional character (e.g., 'eth4').
7) Use of logical interface names in the notrack and ecn files
resulted in perl runtime warning messages.
8) The use of wildcard-matching names in certain contexts would result
in anomalous behavior. Among the symptoms were:
- Perl run-time messages similar to this one:
Use of uninitialized value in numeric comparison (<=>)
at /usr/share/shorewall/Shorewall/Zones.pm line 1334.
- Failure to treat the interface as optional or required.
9) Where two ISPs share the same interface, if one of the ISPs was not
reachable, an iptables-restore error such as this occurred:
iptables-restore v1.4.10: Bad mac address "-j"
10) Previously, under very rare circumstances, a chain would be
optimized away while there were still jumps to the chain. This
caused Shorewall start/restart to fail during iptables-restore.
11) Previously, the setting of BLACKLIST_DISPOSITION was not
validated. Now, an error is raised unless the value is DROP or
REJECT.
----------------------------------------------------------------------------
K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
----------------------------------------------------------------------------
N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------
1) Shorewall-init now handles ppp devices.
2) To support proxy NDP in a manner similar to Proxy ARP, an
/etc/shorewall6/proxyndp file has been added. It should be noted
that IPv6 implements a "strong host model" whereas Linux IPv4
implements a "weak host model". In the strong model, IP addresses
are associated with interfaces; in the weak model, they are
associated with the host. This is relevant with respect to Proxy
NDP in that a multi-homed Linux IPv6 host will only respond to
neighbor discovery requests for IPv6 addresses configured on the
interface receiving the request. So if eth0 has address
2001:470:b:227::44/128 and eth1 has address 2001:470:b:227::1/64
then in order for eth1 to respond to neighbor discovery requests
for 2001:470:b:227::44, the following entry in
/etc/shorewall6/proxyndp is required:
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
2001:470:b:227::44 - eth1 Yes
As part of this change, the INTERFACE column in
/etc/shorewall/proxyarp is now optional and is only required when
HAVEROUTE=No (the default).
3) Shorewall 4.4.16 introduces format-2 Actions. Based on the similar
feature of macros, format-2 actions allow the same column layout
for macros, actions and rules.
In the action.xxx file, simply make the first non-commentary line:
FORMAT 2
This allows the lines which follow to have the same columns as
those in the rules file.
As part of this change, the earlier kludgy restrictions regarding
Macros and Actions have been eliminated. For example, DNAT, DNAT-,
REDIRECT, REDIRECT- and ACCEPT+ rules are now allowed in Actions
and in macros invoked from Actions. Additionally, Macros used in
Actions are now free to invoke other actions.
4) Action processing has been largely re-implemented in this release.
The prior implementation contained a lot of duplicated code which
made maintenance difficult. The old implementation pre-processed
all action files early in the compilation process and then
post-processed the ones that had been actually used after the
rules file had been read. The new algorithm generates the chain for
each unique action invocation at the time that the invocation is
encountered in the rules file.
Consideration was given to eliminating the
/usr/share/shorewall/actions.std and /etc/shorewall/actions files,
since it is possible to discover actions "on the fly" in the same
way as macros are discovered. That change was ultimately rejected
because it could cause migration issues for users with macros and
actions with the same name (e.g., action.xxx and macro.xxx). If a
new major release of Shorewall (e.g., 4.6) is created, that change
will be reconsidered for inclusion at that time.
Action names are now verified to be composed of alphanumeric
characters, '_' and '-'.
There is now support for parameterized actions. The parameters are
a comma-separated list enclosed in parentheses following the
action name (e.g., ACT(REDIRECT,192.168.1.4)). Within the action
body, the parameter values are available in $1, $2, etc.
You can 'omit' a parameter in the list by using '-' (e.g.,
'REDIRECT,-,info' would omit the second parameter; within the action
body, $2 would expand to nothing). If you want to specify '-' as a
parameter value, use '--'.
Parameter values are also available to extensions scripts. See
http://www.shorewall.net/Actions.html#Extension for more
information.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
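The following Python is an added illustration and not Shorewall's own code: it models the parameterized-action invocation syntax described in item 4 of the new features (an action name made of alphanumerics, '_' and '-'; a parenthesized, comma-separated parameter list; '-' omitting a parameter; '--' passing a literal '-'; $1, $2, ... expanding in the action body). The action name ACT, the sample FORMAT 2 body, and the 'loc:$2' destination are constructed for the example; that '$' followed by digits is expanded inside a column value is an assumption about the compiler, not something the announcement states.

```python
"""Model of the Shorewall 4.4.16 parameterized-action syntax.

Added illustration, not Shorewall code. It mirrors the rules stated in
the 4.4.16 announcement: action names consist of alphanumerics, '_' and
'-'; parameters are a comma-separated list in parentheses after the
name; '-' omits a parameter; '--' passes a literal '-'; $1, $2, ...
expand in the action body. Assumption: '$' followed by digits (no
braces) is the only reference form handled here.
"""
import re

NAME_RE = re.compile(r'^[A-Za-z0-9_-]+$')
PARAM_REF_RE = re.compile(r'\$(\d+)')


def is_valid_action_name(name):
    """Return True if name uses only alphanumerics, '_' and '-'."""
    return bool(NAME_RE.match(name))


def parse_invocation(text):
    """Split 'ACT(REDIRECT,-,info)' into ('ACT', ['REDIRECT', '', 'info']).

    Raises ValueError when the name fails the character check that the
    4.4.16 compiler now performs.
    """
    text = text.strip()
    if text.endswith(')') and '(' in text:
        name, _, rest = text.partition('(')
        raw = rest[:-1]
        params = [] if raw.strip() == '' else raw.split(',')
    else:
        name, params = text, []
    if not is_valid_action_name(name):
        raise ValueError("invalid action name %r" % name)
    values = []
    for p in params:
        p = p.strip()
        if p == '-':
            values.append('')     # omitted parameter expands to nothing
        elif p == '--':
            values.append('-')    # '--' is how a literal '-' is passed
        else:
            values.append(p)
    return name, values


def expand_body_line(line, values):
    """Replace $1, $2, ... in one action-body line with parameter values.

    A reference to an omitted or unsupplied parameter expands to the
    empty string, as the announcement says of $2 in 'REDIRECT,-,info'.
    """
    def repl(m):
        idx = int(m.group(1)) - 1
        return values[idx] if 0 <= idx < len(values) else ''
    return PARAM_REF_RE.sub(repl, line)


def expand_action(invocation, body_lines):
    """Expand a FORMAT 2 action body for one invocation.

    Blank lines, comment lines and the 'FORMAT 2' directive pass through
    unchanged so the result lines up with the body. Returns (name, lines).
    """
    name, values = parse_invocation(invocation)
    out = []
    for line in body_lines:
        stripped = line.strip()
        if not stripped or stripped.startswith('#') or stripped == 'FORMAT 2':
            out.append(line)
        else:
            out.append(expand_body_line(line, values))
    return name, out


# Constructed sample body for a hypothetical action 'ACT' (not shipped
# with Shorewall). FORMAT 2 lets the columns follow the rules file:
# ACTION SOURCE DEST PROTO DEST PORT(S).
SAMPLE_BODY = [
    "#ACTION    SOURCE   DEST             PROTO   DEST PORT(S)",
    "FORMAT 2",
    "$1         net      loc:$2           tcp     80",
    "$1         net      loc:$2           tcp     443",
]

if __name__ == '__main__':
    for inv in ("ACT(DNAT,192.168.1.4)", "ACT(REDIRECT,-,info)"):
        name, lines = expand_action(inv, SAMPLE_BODY)
        print("== %s ==" % inv)
        print("\n".join(lines))
```

Running the block shows the same body expanded twice: once with DNAT and 192.168.1.4 filled in, and once with an omitted second parameter, which leaves 'loc:' with nothing after it, the kind of result the '-' placeholder produces when a body references a parameter the caller did not supply.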
