Shorewall 4.4.18 is now available for download.
----------------------------------------------------------------------------
P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------
4.4.18 Final
1) Previously, if an IPv6 host address (no "/<vlsm>") was used in a
context where a network address is allowed, the compiler failed to
supply the default <vlsm> of 128. This could lead to startup errors
and/or Perl errors such as:
Use of uninitialized value $mask in concatenation (.) or
string at /usr/share/shorewall/Shorewall/Tc.pm line 979,
<$currentfile> line 11.
2) The <burst> option for the IN-BANDWIDTH column of tcdevices was
previously not recognized. That functionality has been restored.
3) If an interface mentioned in the tcfilters file was not up when
Shorewall was started or restarted, then the command would fail
at run-time with a 'tc' error message.
4.4.18 RC 1
1) None.
4.4.18 Beta 4
1) Editing of the MARK column has been tightened to catch errors at
compile time rather than at run time.
2) The MODULE_SUFFIX default has been changed to "ko ko.gz o o.gz gz"
to get the most common suffixes at the front of the list. It is
still recommended that you modify this setting to include only the
suffix(es) used on your system. Current distributions use 'ko'
almost exclusively.
4.4.18 Beta 2
1) Previously, the 'local' option in /etc/shorewall6/providers would
produce an 'ip route add' command containing an IPv4 address. It now
correctly uses the equivalent IPv6 address. Note that this option
is still undocumented for use with IPv6.
2) When optimize level 4 was set, the optimizer mis-handled rules of the
form:
-A <chain1> -j <chain2> -m comment ...
when such a rule was the only rule in a chain.
4.4.18 Beta 1
None.
----------------------------------------------------------------------------
K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
----------------------------------------------------------------------------
I I I.  N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------
1) The modules files are now just a driver that INCLUDEs several new
files and one old file:
- /usr/share/shorewall[6]/modules.essential # Essential modules
- /usr/share/shorewall[6]/modules.xtables # xt_ modules
- /usr/share/shorewall[6]/helpers # Existing file
- /usr/share/shorewall/ipset # ipset modules
- /usr/share/shorewall[6]/modules.tc # Traffic Shaping
- /usr/share/shorewall[6]/modules.extensions # Other extensions
This should make it easier to configure your own
/etc/shorewall[6]/modules file that won't be obsolete when you
upgrade your Shorewall/Shorewall6 installation.
For example, if you don't use traffic shaping or ipsets, you can
remove those from your copy of the modules file (copy in
/etc/shorewall/).
2) Traditionally, the root of the Shorewall accounting rules has been
the 'accounting' chain. Having a single root chain has drawbacks:
- Many rules are traversed needlessly (they could not possibly
match traffic).
- At any time, the Netfilter team could begin generating errors
when loading those same rules.
- MAC addresses may not be used in the accounting rules.
- The 'accounting' chain cannot be optimized when
OPTIMIZE_ACCOUNTING=Yes.
In addition, currently the rules may be defined in any order so the
rules compiler must post-process the ruleset to alert the user to
unreferenced chains.
Beginning with Shorewall 4.4.18, the accounting structure can be
created with three root chains:
- accountin: Rules that are valid in the INPUT chain (may not
specify an output interface).
- accountout: Rules that are valid in the OUTPUT chain (may not
specify an input interface or a MAC address).
- accountfwd: Other rules.
The new structure is enabled by sectioning the accounting file in a
manner similar to the rules file.
The sections are INPUT, OUTPUT and FORWARD and must appear in that
order (although any of them may be omitted). The first
non-commentary record in the accounting file must be a section
header when sectioning is used.
When sections are enabled:
- You must jump to a user-defined accounting chain before you can
add rules to that chain. This eliminates the possibility of
unreferenced chains.
- You may not specify an output interface in the INPUT section.
- In the OUTPUT section:
- You may not specify an input interface
- You may not jump to a chain defined in the INPUT section that
specifies an input interface
- You may not specify a MAC address
- You may not jump to a chain defined in the INPUT section that
specifies a MAC address.
- The default value of the CHAIN column is:
- 'accountin' in the INPUT section
- 'accountout' in the OUTPUT section
- 'accountfwd' in the FORWARD section
- Traffic addressed to the firewall goes through the rules defined
in the INPUT section.
- Traffic originating on the firewall goes through the rules
defined in the OUTPUT section.
- Traffic being forwarded through the firewall goes through the
rules defined in the FORWARD section.
As part of this change, the USER/GROUP column must now be empty
except in the OUTPUT section. This is consistent with recent
Netfilter releases which disallow the owner match in rules
reachable from the INPUT and FORWARD hooks.
3) Internals Change: The Policy.pm module has been merged into the
Rules.pm module.
Thank you for using Shorewall,
The Shorewall Team
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
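The restrictions the announcement lists for the sectioned accounting file (section order, a SECTION header as the first record, no output interface in INPUT, no input interface or MAC in OUTPUT, jump before adding rules to a user chain, USER/GROUP only in OUTPUT) are easy to get wrong when converting an existing unsectioned file. The checker below is an added example written for this page; it is not Shorewall code and not the compiler's actual validation. It assumes the classic whitespace-separated column order ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER/GROUP MARK, treats a token as an interface only if it appears in the INTERFACES set (constructed for the example), recognises MAC addresses in Shorewall's ~xx-xx-xx-xx-xx-xx notation, and only knows the COUNT and DONE built-in actions; the two sample files are constructed, not taken from any real configuration.

```python
"""Checker for a sectioned Shorewall 4.4.18 accounting file.

Added example, not Shorewall code. Assumptions not in the release notes:
whitespace-separated columns ACTION CHAIN SOURCE DEST PROTO DPORT SPORT
USER/GROUP MARK; a token is an interface iff it is in INTERFACES; MAC
addresses use Shorewall's ~xx-xx-xx-xx-xx-xx form.
"""
import re

SECTIONS = ("INPUT", "OUTPUT", "FORWARD")            # required order
ROOT_CHAIN = {"INPUT": "accountin", "OUTPUT": "accountout", "FORWARD": "accountfwd"}
BUILTIN_ACTIONS = {"COUNT", "DONE"}                   # anything else is a jump to a user chain
MAC_RE = re.compile(r"~[0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5}")
INTERFACES = {"eth0", "eth1"}                         # constructed for this example


def _iface(col, interfaces):
    """Interface named by a SOURCE/DEST column ('eth0' or 'eth0:10.0.0.0/24'), else None."""
    name = col.split(":", 1)[0]
    return name if name in interfaces else None


def validate_accounting(text, interfaces=INTERFACES):
    """Return a list of error strings for a sectioned accounting file ([] means it passes)."""
    errors = []
    section = None
    seen = []                    # sections in order of appearance
    jumped_to = set()            # user chains already named as a jump target
    input_iface_chains = set()   # chains whose INPUT-section rules match an input interface
    input_mac_chains = set()     # chains whose INPUT-section rules match a MAC address

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if cols[0] == "SECTION":
            sec = cols[1] if len(cols) > 1 else ""
            if sec not in SECTIONS:
                errors.append(f"line {lineno}: unknown section {sec!r}")
                return errors
            if seen and SECTIONS.index(sec) <= SECTIONS.index(seen[-1]):
                errors.append(f"line {lineno}: SECTION {sec} may not follow SECTION {seen[-1]}")
            seen.append(sec)
            section = sec
            continue
        if section is None:
            errors.append(f"line {lineno}: first record must be a SECTION header")
            return errors

        cols += ["-"] * (9 - len(cols))
        action, chain, src, dst, _proto, _dport, _sport, user, _mark = cols[:9]
        target = action.split(":", 1)[0]      # 'web' and 'web:COUNT' both jump to 'web'
        if chain == "-":
            chain = ROOT_CHAIN[section]       # default CHAIN is the section's root chain
        in_if, out_if = _iface(src, interfaces), _iface(dst, interfaces)
        has_mac = bool(MAC_RE.search(src))

        # Rules may only be added to a user chain after something has jumped to it.
        if chain not in ROOT_CHAIN.values() and chain not in jumped_to:
            errors.append(f"line {lineno}: rule added to chain {chain!r} before any jump to it")
        if target not in BUILTIN_ACTIONS:
            jumped_to.add(target)

        if section == "INPUT":
            if out_if:
                errors.append(f"line {lineno}: output interface {out_if!r} not allowed in INPUT section")
            if in_if:
                input_iface_chains.add(chain)
            if has_mac:
                input_mac_chains.add(chain)
        elif section == "OUTPUT":
            if in_if:
                errors.append(f"line {lineno}: input interface {in_if!r} not allowed in OUTPUT section")
            if has_mac:
                errors.append(f"line {lineno}: MAC address not allowed in OUTPUT section")
            if target in input_iface_chains:
                errors.append(f"line {lineno}: OUTPUT may not jump to {target!r}: it matches an input interface")
            if target in input_mac_chains:
                errors.append(f"line {lineno}: OUTPUT may not jump to {target!r}: it matches a MAC address")
        if user != "-" and section != "OUTPUT":
            errors.append(f"line {lineno}: USER/GROUP is only permitted in the OUTPUT section")
    return errors


# Constructed sample files (not from the release notes or any real firewall).
SAMPLE_GOOD = """\
#ACTION    CHAIN   SOURCE   DEST    PROTO   DPORT    SPORT   USER/GROUP
SECTION INPUT
COUNT      -       eth0     -       tcp     22
SECTION OUTPUT
COUNT      -       -        eth0    udp     53       -       root
SECTION FORWARD
web        -       eth1     eth0    tcp     80,443
COUNT      web     -        -       tcp     80
COUNT      web     -        -       tcp     443
"""

SAMPLE_BAD = """\
SECTION INPUT
COUNT      -       eth0     eth1    tcp     22
lan        -       eth0
COUNT      lan     ~00-11-22-33-44-55  -   tcp     -        -       root
SECTION FORWARD
SECTION OUTPUT
lan        -       eth0
COUNT      dns     -        -       udp     53
"""

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, validate_accounting(sample) or "OK")
```

Run stand-alone, the good sample passes and the bad one reports six violations: an output interface in INPUT, USER/GROUP outside OUTPUT, OUTPUT placed after FORWARD, an input interface in OUTPUT, an OUTPUT jump into a chain whose INPUT-section rule matches a MAC address, and a rule added to the 'dns' chain before anything jumps to it. Shorewall's own compiler is the authority on what it accepts; this only front-loads the checks the announcement describes.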
