The Shorewall team is pleased to announce the availability of Shorewall 4.5.16.
----------------------------------------------------------------------------
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) Previously, the TOS target and tos match did not work on older
iptables versions such as 1.3.5 in RHEL5-based distributions. That
has been corrected. To correct this problem, a new capability (New
tos Match) was created, so users who utilize a capabilities file
will need to regenerate the file. This applies to all distributions
and not just the older ones.
2) A_ACCEPT! is now recognized as a rules ACTION. Previously, it was
documented in shorewall[6]-rules(5) but was not implemented.
3) Previously, NFACCT accounting rules generated iptables rules with
the matches in the incorrect order. That caused the counters to be
incremented before all of the matches had been checked. Now, the
counter in an NFACCT rule is incremented only if all of the other
matches have been successful.
4) A number of ipset-related modules were incorrectly included in
/usr/share/shorewall/helpers. Those entries have now been removed.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
----------------------------------------------------------------------------
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) A new Shorewall6 interface option, 'accept_ra', has been added. The
option value may be set as follows:
    0   Do not accept Router Advertisements.
    1   Accept Router Advertisements if forwarding is disabled.
    2   Overrule forwarding behavior. Accept Router Advertisements even
        if forwarding is enabled.
If the option is specified without a value, then value 1 is
assumed.
2) Two new macros have been added:
    macro.Xymon  contributed by T.J. Yang
    macro.VRRP   contributed by James Shubin
3) A new INLINE action has been added. This action allows defining
arbitrary iptables rules in the blrules and rules files, as well as
in action and macro bodies.
The basic form of an INLINE rule is as follows:
    INLINE <src> <dst> <proto> ... ; <iptables matches and jump>
The <iptables matches and jump> are added to the rule generated by
the contents of the other supplied columns. Given the 'raw' nature
of this action, you should examine the rule generated by the entry
(e.g., 'shorewall check -r') prior to attempting a 'start' or
'restart' operation.
Example:
    INLINE $FW net tcp 1234 ; -j SECCTX --name foo
This entry generates the following:
    -A fw2net -p 6 --dport 1234 -j SECCTX --name foo
When multiple matches are specified, the compiler will keep them in
the order in which they appear, but they will not necessarily be at
the end of the generated rule. For example, if addresses are
specified in the SOURCE and/or DEST columns, their generated matches
will appear after those specified using ';'.
Note: The following matches will always appear at the front of the
rule in the order shown:
    p
    dport
    sport
    icmp-type
    icmpv6-type
    s
    d
    i
    o
    policy
    state or conntrack --ctstate
As part of this change, a new 'builtin' action type has been added.
ip[6]tables targets not supported by Shorewall (such as 'SECCTX' in
the example above) must be defined in your
/etc/shorewall[6]/actions file:
Example:
    SECCTX builtin
Such builtin actions may only be used in INLINE action invocations;
they may not appear in the ACTION column of a rule.
If you want to use a standard Shorewall-supported action, you can
pass it as a parameter to INLINE.
Example:
    INLINE(ACCEPT) $FW net ; -m foo --bar baz
Note that if you include a log level with INLINE and do not pass a
parameter, Shorewall will automatically assume that the parameter
is LOG. That means that you must not specify a log level if you
specify your own rule target with '-j'.
The alternate input format may be used with INLINE, provided that
the {....} form of alternate input is used.
Example:
    INLINE $FW net { owner=teastep } ; -j FOO --bar
4) The INLINE action is also supported in the accounting and tcrules
files. In the accounting file, INLINE is treated the same as COUNT,
with the exception that the freeform iptables input following the
';' is appended to any matches generated by the column contents.
INLINE is treated similarly in the tcrules file; that is, the
freeform input following ';' must specify the rule target, if any.
In the accounting and tcrules files, INLINE does not accept a
parameter.
5) It is now possible to specify HELPERS=none in
/etc/shorewall[6]/shorewall[6].conf.
This setting has two consequences:
    a) All of the *_HELPER capabilities are set to off.
    b) No probing of helpers is performed, thus eliminating "xt_CT: No
       such helper XXX" warnings when the compiler is probing the
       system for capabilities.
6) It is now possible to specify multiple nfacct objects in an NFACCT
accounting rule. Where previously, the following rules were given:
    SECTION INPUT
    NFACCT(all)
    NFACCT(all_in)
    SECTION OUTPUT
    NFACCT(all)
    NFACCT(all_out)
    SECTION FORWARD
    NFACCT(all)
    NFACCT(all_fwd)
It is now possible to do the same thing as follows:
    SECTION INPUT
    NFACCT(all,all_in)
    SECTION OUTPUT
    NFACCT(all,all_out)
    SECTION FORWARD
    NFACCT(all,all_fwd)
To allow an nfacct object to be incremented unconditionally, you may
follow the object name with '!' (e.g., NFACCT(all!)). When '!' is
omitted, the object is incremented only if all of the rule's other
matches succeed.
7) It is now possible to increment an nfacct counter when a packet
matches an ipset. To do that, simply include the counter object's
name in parentheses after the ipset specification.
Examples:
    a) Increment the mysetcounter nfacct object when a packet's source
       matches myset.
           +myset[src](mysetcounter)
    b) Increment the mysetcounter1 and mysetcounter2 nfacct objects
       when a packet's source matches myset.
           +myset[src](mysetcounter1,mysetcounter2)
    c) In an accounting rule, increment the 'all' nfacct object
       unconditionally and increment the 'mysetcounter' object only if
       the packet source matches myset:
           NFACCT(all!) - +myset(mysetcounter)
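The match ordering these notes describe for INLINE (items III.3 and III.4) and for NFACCT counters (items I.3, III.6 and III.7) decides whether a counter is incremented before or after the rule's other matches are tested, which is the point to check with 'shorewall check -r'. The Python below is an added model written to make that ordering concrete; it is not Shorewall's compiler code. The rendering of each column match, the placement of ipset-attached counters directly after the set match, the 'src' default for an ipset given without flags, and the '-j LOG --log-level' form are assumptions made for the illustration; the chain name acct_in is a constructed placeholder.

```python
import re

# Order in which column-derived matches are emitted (from the release notes).
FIXED_ORDER = ("p", "dport", "sport", "icmp-type", "icmpv6-type",
               "s", "d", "i", "o", "policy", "state")

# Rendering of each column-derived match (assumed iptables syntax for illustration).
RENDER = {
    "p": "-p {}",
    "dport": "--dport {}",
    "sport": "--sport {}",
    "icmp-type": "--icmp-type {}",
    "icmpv6-type": "--icmpv6-type {}",
    "s": "-s {}",
    "d": "-d {}",
    "i": "-i {}",
    "o": "-o {}",
    "policy": "-m policy {}",
    "state": "-m conntrack --ctstate {}",
}


def column_matches(columns):
    """Render column-derived matches in the fixed order, regardless of the
    order in which the caller supplied them."""
    unknown = set(columns) - set(FIXED_ORDER)
    if unknown:
        raise ValueError(f"unsupported column match: {sorted(unknown)}")
    return [RENDER[key].format(columns[key]) for key in FIXED_ORDER if key in columns]


def inline_rule(chain, columns, freeform, param=None, loglevel=None):
    """Assemble the rule an INLINE entry generates.

    columns  -- column-derived matches, e.g. {"p": "6", "dport": "1234"}
    freeform -- text after ';' (iptables matches and, optionally, '-j target')
    param    -- INLINE(param): a Shorewall-supported target, appended as '-j param'
    loglevel -- log level given with INLINE; with no param the notes say it means LOG
                (a level combined with an explicit param is outside this model)
    """
    tokens = freeform.split()
    supplies_target = "-j" in tokens or "-g" in tokens
    if loglevel is not None and param is None:
        param = "LOG"
    if supplies_target and param is not None:
        # The notes: do not give a log level (hence a target) together with your own '-j'.
        raise ValueError("INLINE: target supplied both by parameter/log level and by '-j'")
    parts = ["-A", chain] + column_matches(columns) + tokens  # column matches first
    if param == "LOG" and loglevel is not None:
        parts += ["-j", "LOG", "--log-level", loglevel]  # assumed rendering of the level
    elif param is not None:
        parts += ["-j", param]
    return " ".join(parts)


def nfacct_match(name):
    return f"-m nfacct --nfacct-name {name}"


def parse_ipset(spec):
    """Parse '+name[flags](counter,...)'; flags default to 'src' (assumed)."""
    m = re.fullmatch(r"\+([\w-]+)(?:\[([\w,]+)\])?(?:\(([\w,]+)\))?", spec)
    if not m:
        raise ValueError(f"bad ipset spec: {spec}")
    name, flags, counters = m.group(1), m.group(2) or "src", m.group(3)
    return name, flags.replace(",", " "), counters.split(",") if counters else []


def nfacct_rule(chain, objects, columns=None, ipset=None):
    """Assemble an accounting rule for NFACCT(obj[,obj...]).

    A name ending in '!' is counted before any other match is tested; the
    other names go last, so they count only when every preceding match
    succeeded (the ordering fixed in I.3). Counters attached to an ipset are
    placed directly after the set match (assumed placement).
    """
    parts = ["-A", chain]
    parts += [nfacct_match(o[:-1]) for o in objects if o.endswith("!")]
    parts += column_matches(columns or {})
    if ipset is not None:
        name, flags, counters = parse_ipset(ipset)
        parts.append(f"-m set --match-set {name} {flags}")
        parts += [nfacct_match(c) for c in counters]
    parts += [nfacct_match(o) for o in objects if not o.endswith("!")]
    return " ".join(parts)


if __name__ == "__main__":
    # Reproduces the INLINE example from item III.3 and the NFACCT example 7c.
    print(inline_rule("fw2net", {"dport": "1234", "p": "6"}, "-j SECCTX --name foo"))
    print(nfacct_rule("acct_in", ["all!"], ipset="+myset(mysetcounter)"))
```

Running the script prints the rule the notes show for the INLINE example, with '-p 6' ahead of '--dport 1234' even though the columns were supplied in the other order, and an accounting rule in which 'all' is counted before the set is consulted while 'mysetcounter' is counted only after it matched.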
8) Prior to the availability of BEGIN PERL....END PERL in
configuration files, the only way to execute a chain-specific
script was to create a script file with the same name as the chain
and place it in a directory on the CONFIG_PATH. That facility has
the drawback that the compiler will attempt to run a non-script
file just because it has the same name as a chain. To disable this
facility, a new CHAIN_SCRIPTS option has been added to
shorewall[6].conf. The facility is disabled by setting
CHAIN_SCRIPTS=No. If not specified or specified as the empty value,
CHAIN_SCRIPTS=Yes is assumed for backward compatibility.
Thank you for using Shorewall.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Shorewall-users mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-users
