The Shorewall team is pleased to announce the availability of Shorewall 4.5.13.
----------------------------------------------------------------------------
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) If a chain consisted of a single RETURN rule, optimize level 4
would handle it incorrectly by moving the RETURN rule to the
chain(s) that jumped to the single-rule chain. The optimizer now
simply eliminates the chain and rule.
As part of this change, the optimizer now deletes trailing RETURN
rules from chains.
2) If a default inline action was specified with parameters, the
compiler would fail with an internal error.
3) The compiler was mis-handling simple arithmetic expressions
consisting of a single number, evaluating the number as '' rather
than as its numeric value.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
----------------------------------------------------------------------------
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) A new DEFER_DNS_RESOLUTION option has been added to shorewall.conf.
Up to this time, when a DNS name appears in the SOURCE, DEST or
ORIGINAL DEST column of a configuration file, the compiler verifies
that the name can be resolved and then passes the name on to the
generated script. This means that ip[6]tables-restore must resolve
the name when the script runs.
When DEFER_DNS_RESOLUTION=Yes (the default) this old behavior is
retained. When DEFER_DNS_RESOLUTION=No, the compiler resolves the
name and uses the address(es) in the generated script.
2) The '@' Shorewall variables are now writable using the ?SET directive.
The variables are now also used when generating the contents of
--log-prefix in logging rules. Within an action body, the two
fields in the --log-prefix are:
@chain -- Existing variable.
@disposition -- New variable.
When either of these is undefined or empty, the compiler uses
the same value as previously.
When a non-inlined action is entered, @disposition is given the
empty value. When an inline action is entered, @disposition is not
altered.
Also added is a @caller variable which names the chain or action
which invoked the action.
When any action is exited, the variables revert to their values
when the action was entered.
When RESET, the named Shorewall variables are not removed from the
variable table but are rather set to the empty value.
3) Optimize level 8 now makes multiple passes of each table.
4) There are now two new sections in the rules file:
INVALID
Allows definition of rules to be applied to packets in the
INVALID connection state.
UNTRACKED
Allows definition of rules to be applied to packets in the
UNTRACKED connection state (due to entries in the conntrack
file).
The implementation of these sections is modeled after that of the
RELATED section. There are options in shorewall.conf
(shorewall6.conf) that control the disposition and logging of
packets that fail to match any of the rules in the section.
INVALID_DISPOSITION
Valid values are CONTINUE, DROP, REJECT, and A_DROP.
The default is CONTINUE, which provides compatibility with
earlier releases (the packets are subject to the rules in
the NEW section).
INVALID_LOG_LEVEL
Determines logging of packets handled by
INVALID_DISPOSITION. Empty by default (no logging).
UNTRACKED_DISPOSITION
Valid values are CONTINUE, ACCEPT, DROP, REJECT, A_ACCEPT
and A_DROP.
The default is CONTINUE, which provides compatibility with
earlier releases (the packets are subject to the rules in
the NEW section).
UNTRACKED_LOG_LEVEL
Determines logging of packets handled by
UNTRACKED_DISPOSITION. Empty by default (no logging).
The new order of sections in the rules files is:
ALL
ESTABLISHED
RELATED
INVALID
UNTRACKED
NEW
5) There are now 'Related', 'Untracked', 'Established' and 'New'
actions that match packets in the RELATED, UNTRACKED, ESTABLISHED
and NEW states respectively.
These actions are in-line and have a single parameter that
specifies the action to be taken. The action may be anything that
is valid in the ACTION column of the rules file.
As part of this change, action.Invalid, action.NotSyn and
action.RST are also inline and can accept an arbitrary action as an
argument. The 'audit' parameter, while still accepted, is
deprecated in favor of passing 'A_ACCEPT' etc. directly to the
inline.
The TCPFlags action may also now be inlined, although it is not
inlined by default.
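A constructed rules-file fragment with the matching shorewall.conf settings, showing the new section order from item 4 and the parameterised Invalid inline action from item 5. This is an added example, not from the release or the Shorewall distribution; the zone names net, loc and $FW, the SECTION keyword form of 4.5 rules files, and the Web macro are assumptions.

```text
# /etc/shorewall/shorewall.conf (relevant lines only; constructed example)
# INVALID packets matching no rule in the INVALID section continue to NEW;
# UNTRACKED packets matching no rule in UNTRACKED are logged and dropped.
INVALID_DISPOSITION=CONTINUE
INVALID_LOG_LEVEL=
UNTRACKED_DISPOSITION=DROP
UNTRACKED_LOG_LEVEL=info

# /etc/shorewall/rules (constructed example; sections in the new order)
#ACTION          SOURCE   DEST   PROTO   DEST PORT(S)
SECTION ALL
SECTION ESTABLISHED
SECTION RELATED
SECTION INVALID
# Log and drop INVALID packets from the local network. INVALID packets
# from other zones match nothing here and, because INVALID_DISPOSITION
# is CONTINUE, go on to the NEW section below.
DROP:info        loc      all
SECTION UNTRACKED
# Traffic exempted from connection tracking in the conntrack file (here
# DNS from the firewall itself) is accepted; any other untracked packet
# is handled by UNTRACKED_DISPOSITION (logged at info, then dropped).
ACCEPT           $FW      net    udp     53
SECTION NEW
# Inline Invalid action with an explicit disposition (item 5): the INVALID
# packets from net that fell through are audited and dropped (A_DROP needs
# audit support in kernel and iptables). Replaces legacy dropInvalid (item 10).
Invalid(A_DROP)  net      all
Web(ACCEPT)      net      $FW
```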
6) The preceding enhancement required infrastructure for allowing
BEGIN PERL...END PERL to function in the body of an inline action.
use Shorewall::Rules;
perl_action_helper( $target, $matches )
$target is the target of the rule and may include log level and
tag (e.g., 'DROP:info:foo').
$matches is a string containing one or more ip[6]tables
matches.
Example: "-m conntrack --state ESTABLISHED".
The function returns true.
This function may be called in both inline and regular actions. In
an inline action, the matches from the invoking rule (SOURCE, DEST,
etc.) are applied in addition to the match(es) passed. In a regular
action only the passed matches are applied to the rule.
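An added example (not from the release or the Shorewall distribution) of an inline action body that calls perl_action_helper as described in item 6. The action name LogInvalid, its declaration line in the actions file and the log tag are assumptions; the conntrack match is standard ip[6]tables syntax.

```text
# /etc/shorewall/actions (constructed): declaring the action as inline makes
# the compiler prepend the invoking rule's SOURCE/DEST/PROTO matches to the
# rule the helper emits.
#ACTION        OPTIONS
LogInvalid     inline

# /etc/shorewall/action.LogInvalid (constructed)
#ACTION        SOURCE   DEST   PROTO
BEGIN PERL
use Shorewall::Rules;
# $target:  DROP, logged at level info with log tag 'badstate'
# $matches: ip[6]tables matches added after the invoking rule's own matches
perl_action_helper( 'DROP:info:badstate', '-m conntrack --ctstate INVALID' );
# Embedded Perl must evaluate to a true value
1;
END PERL

# Invocation from /etc/shorewall/rules (constructed): the generated rule
# carries the net-zone source match plus the conntrack match above.
#ACTION        SOURCE   DEST
#LogInvalid    net      all
```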
7) To allow finer-grained selection of the connection-tracking states
that are passed through blacklists (both dynamic and static), a
BLACKLIST option has been added in shorewall.conf and
shorewall6.conf.
The BLACKLISTNEWONLY option is now deprecated. A 'shorewall update'
( 'shorewall6 update' ) will replace the BLACKLISTNEWONLY option
with the equivalent BLACKLIST option.
8) The shorewallrc.archlinux file now assumes that systemd is
installed (Evangelos Foutras).
9) When the 'CONNTRACK match' capability is present (as it is in all
current distros), optimize level 16 now combines adjacent rules
that differ only in the conntrack states matched.
10) The legacy 'dropInvalid' and 'allowInvalid' builtin actions have
been converted to inline actions that invoke the Invalid action.
11) Parameters may now be omitted in action invocations. The following
two invocations are equivalent:
ACTION(-,foo,-,-)
ACTION(,FOO,,)
Thank you for using Shorewall,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Shorewall-users mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-users
