The Shorewall team is pleased to announce the availability of Shorewall 4.4.26.
----------------------------------------------------------------------------
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) This release includes all corrections included in 4.4.25.1 through
.3.
2) In 4.4.25, ACCEPT behaved in the BLACKLIST section the same way as
in the other rules file sections. This could lead to connections
being accepted inadvertently.
Now, ACCEPT behaves like WHITELIST; that is, it exempts the packet
from the remaining rules in the BLACKLIST section.
3) Previously, Shorewall did not detect the ULOG and NFLOG
capabilities. This lead to run-time failures during 'start' and
'restart' as well as confusing error messages during compilation
when ULOG or NFLOG was used when the LOG target was not available.
ULOG and NFLOG are now detected capabilities so, if you use a
capabilities file, you will need to regenerate it in order to use
these log levels.
4) The SAME tcrules target was broken in Shorewall 4.4.22. It now
works correctly again.
5) Previously, 'shorewall6 update' did not update shorewall6.conf. The
command now works as expected.
6) In earlier releases, the compiler was attempting to process the
params file before it was aware of the setting of CONFIG_PATH. This
could cause the params file to be missed if it was not located in
/etc/shorewall[6] or in the directory named in the start
(restart,compile,check,...) command.
Now, /sbin/shorewall[6] passes $CONFIG_PATH to the compiler
(/usr/share/shorewall/compiler.pl) in the new '--config_path'
option.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
----------------------------------------------------------------------------
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) A new 'blrules' file has been added as an alternative to rules in
the BLACKLIST section of the rules file. When rules are present in
both the blrules file and in the BLACKLIST section, those in
blrules are processed first.
2) A '-b' option has been added to the 'update' command. In addition
to updating the shorewall.conf file (shorewall6.conf), this option
causes the compiler to convert your current legacy blacklist
configuration to use the new blrules file.
Changes include:
a) blrules is populated with entries equivalent to your existing
blacklist file.
b) Your existing blacklist file is renamed blacklist.bak.
c) The 'blacklist' keyword is removed from your zones, interfaces
and hosts files. When one of these files is modified, the
unmodified original is saved in a .bak file.
As part of this change, the 'blacklog' target is permitted in the
blrules file when BLACKLIST_LOG_LEVEL is specified in
shorewall.conf (shorewall6.conf). It logs the packet at the
specified level, then disposes of it based on the setting of
BLACKLIST_DISPOSITION.
3) The Debian init files (with the exception of Shorewall-init) now
support the 'status' command.
4) This release formalizes the feature that has long been
documented at http://www.shorewall.net/PacketMarking.html#Values.
The WIDE_TC_MARKS and HIGH_ROUTE_MARKS options have traditionally
been used to define the various fields in a packet/connection mark.
But more flexible control is provided using these options.
TC_BITS
The number of bits at the least-significant end of the mark
to be used for traffic shaping marking. May be zero.
PROVIDER_BITS
The number of bits in the mark to be used for provider
marks. May be zero.
PROVIDER_OFFSET
The offset from the right (low-order end) of the provider
number field. If non-zero, must be >= TC_BITS. Shorewall
automatically adjusts PROVIDER OFFSETs value to inforce this
restriction. May be zero, in which case the TC mark field
and Provider mark field overlay.
MASK_BITS
The number of low-order bits to be masked when clearing the
traffic shaping mark. Must be >= TC_BITS and <=
PROVIDER_OFFSET (provider that PROVIDER_OFFSET > 0).
Beginning with Shorewall 4.4.12, the field between MASK_BITS and
PROVIDER_OFFSET can be used for any purpose you want.
Beginning with Shorewall 4.4.13, the first unused bit from the
right is used by Shorewall as an 'exclusion mark' which allows
exclusion in CONTINUE, NONAT and ACCEPT+ rules.
It is actually the values of the above four options that determine
how Packet/Connection Marks are layed out. Their default values are
derived from the settings of WIDE_TC_MARKS and HIGH_ROUTE_MARKS as
shown in the table at
http://www.shorewall.net/PacketMarking.html#Values.
The 'shorewall update' ('shorewall6 update') command will supply
values for these options based on the settings of WIDE_TC_MARKS and
HIGH_ROUTE_MARKS.
The 'shorewall show marks' ('shorewall6 show marks') command shows
the range of each field in both decimal and hex.
Example (TC_BITS=0, MASK_BITS=0, PROVIDER_BITS=2,
PROVIDER_OFFSET=16, ZONE_BITS=4):
Shorewall 4.4.26 - Mark Layout at gw - Sun Nov 20
2:08:23 PST 2011
Traffic Shaping: Not Enabled
User:1-65535 (0x1-0xffff) mask 0xffff
Provider:65536-196608 (0x10000-0x30000) mask 0x30000
Zone:262144-3932160 (0x40000-0x3c0000) mask 0x3c0000
Exclusion:4194304 mask 0x400000
As of this release WIDE_TC_MARKS and HIGH_ROUTE_MARKS are
deprecated.
5) This release introduces limited support for using back-to-back veth
devices to access a bridge.
Consider this setup:
-- eth1 (zone1)
/
WAN ---- eth0 veth0 <-> veth1-- br0 --- eth2 (zone2)
\
-- eth3 (zone3)
In this configuration, it is veth0 that has an IP address; the
bridge does not.
Because veth1 is a port on br0, Netfilter allows filtering between
that interface and each of the other ports. All connections from
the firewall (fw) and the WAN ((net) enter the bridge through
veth1. All traffic from zone1-zone3 enter the routing firewall
through veth0.
Note that, in this configuration, packets between zones1-zone3 and
the rest of the world go through Netfilter twice. Assume that we
associate veth0 with an ip zone called 'bridge' and veth1 with a
bport zone called 'portal'. Then the two traversals of Netfilter
are:
a) Between eth1-eth3 and veth1. Source zone is zone1-zone3 and the
destination zone is 'portal'.
b) Between veth0 and the final destination. The source zone is
bridge and the destination zone is either fw or net.
A similar scenario occurs with traffic originating in the net or
firewall zones and destined for zone1-zone3.
As you can see, the problem here is that in the first traversal, we
know the real source zone but not the real destination zone; and in
the second traversal, we know the real destination zone but not the
real source zone.
The solution allows us to know the real source zone during the
second traversal.
A new ZONE_BITS option is added to shorewall.conf
(shorewall6.conf). Its value determines the number of bits of the
packet mark to use for zone marks. When ZONE_BITS is non-zero,
Shorewall automatically assigns a mark value to each zone (the
firewall zone always has value 0). Zone marks are assigned to all
zones except those that specify 'nomark' in the OPTION column of
their zones file entry. In the above example, the bridge and portal
zones would have 'nomark' specified.
With ZONE_BITS and 'nomark' specified appropriately, now each
packet from the 'bridge' zone has a packet mark that lets us know
which of the three bport zones (zone1-zone3) the packet originated
on.
Similarly, packets entering the bridge through veth1 have a mark
value that records whether the packet is from the net zone or the
fw zone.
As part of these changes, the compiler now accepts a zone name in
the MARK column of the rules file, when ZONE_BITS is non-zero. This
permits rules of this type:
ACCEPT bridge net ... ; mark=zone2
to control connections from zone2 to the net, and rules such as
ACCEPT portal zone1 ...; mark=net
to control connections from the net to zone1.
One final note; DNAT rules should be placed in the first traversal
(net->bridge on input).
See http://www.shorewall.net/bridge-Shorewall-perl for a fuller
example.
6) This release introduces optimization category 16. When this
category is enabled, sequences of 'compatible' rules are combined
into a single rule.
A sequence of rules is considered compatible if the rules differ
only in their destination ports and comments.
A sequence of combatible rules is often generated when macros are
invoked in sequence.
The ability to combine adjacent rules is limited by two factors:
- Destination port lists may only be combined up to a maximum of 15
ports, where a port-pair counts as two ports.
- Rules may only be combined until the length of their concatinated
comments reach 255 characters.
When either of these limits would be exceeded, the current combined
rule is emitted and the compiler attemts to combine rules beginning
with the one that would have exceeded the limit.
Adjacent combined comments are separated by ', '. Empty comments at
the front of a group of combined comments are replaced by 'Others
and'. Empty comments at the end of a group of combined comments are
replaced by 'and others'.
Example 1: Rules with comments "FOO", <empty> and "BAR" would
result in the combined comment "FOO and others, BAR".
Example 2: Rules with comments <empty>, "FOO" and "BAR" would reult
in the combined comment "Others and FOO, BAR".
Note: Optimize level 16 requires "Extended Multi-port Match" in your
iptables and kernel.
7) The 'enable' and 'disable' commands, previously supported only by
the compiled firewall script, are now supported by the CLI programs
(/sbin/shorewall, /sbin/shorewall-lite, etc.) as well.
In earlier releases, these commands only allowed the provider to be
specified by its physical interface name, thus making it impossible
to enable/disable individual providers sharing a single
interface. The commands now accept a provider name for all optional
providers. For those that share an interface, only the provider
name is accepted.
Thank you for using Shorewall,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
signature.asc
Description: This is a digitally signed message part
------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense. http://p.sf.net/sfu/splunk-novd2d
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
