Hi Tom;
I see the following (cosmetic?) pb after having updated shorewall(6)
on a LEAF box:
Use of uninitialized value $Shorewall::Config::sillyname in
concatenation (.) or string at
/usr/share/shorewall/Shorewall/Config.pm line 3907.
Note I haven't updated configs, maybe this causes the error messages?
tia
kp
On 01.05.2013 15:43, Tom Eastep wrote:
> The Shorewall team is pleased to announce the availability of
> Shorewall 4.5.16.
>
> ----------------------------------------------------------------------------
>
>
> I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
> ----------------------------------------------------------------------------
>
> 1) Previously, the TOS target and tos match did not work on
> older iptables versions such as 1.3.5 in RHEL5-based distributions.
> That has been corrected. To correct this problem, a new capability
> (New tos Match) was created, so users who utilize a capabilities
> file will need to regenerate the file. This applies to all
> distributions and not just the older ones.
>
> 2) A_ACCEPT! is now recognized as a rules ACTION. Previously, it
> was documented in shorewall[6]-rules(5) but was not implemented.
>
> 3) Previously, NFACCT accounting rules generated iptables rules
> with the matches in the incorrect order. That caused the counters
> to be incremented before all of the matches had been checked. Now,
> the counter in an NFACCT rule is incremented only if all of the
> other matches have been successful.
>
> 4) A number of ipset-related modules were incorrectly included in
> /usr/share/shorewall/helpers. Those entries have now been removed.
>
> ----------------------------------------------------------------------------
>
>
> I I. K N O W N P R O B L E M S R E M A I N I N G
> ----------------------------------------------------------------------------
>
> 1) On systems running Upstart, shorewall-init cannot reliably
> secure the firewall before interfaces are brought up.
>
> ----------------------------------------------------------------------------
>
>
> I I I. N E W F E A T U R E S I N T H I S R E L E A S E
> ----------------------------------------------------------------------------
>
> 1) A new Shorewall6 interface option, 'accept_ra' has been added.
> The option value may be set as follows:
>
> 0 - Do not accept Router Advertisements.
>
> 1 - Accept Router Advertisements if forwarding is disabled.
>
> 2 - Overrule forwarding behavior. Accept Router Advertisements even if
> forwarding is enabled.
>
> If the option is specified without a value, then value 1 is
> assumed.
>
> 2) Two new macros have been added:
>
> macro.Xymon contributed by T.J. Yang
>
> macro.VRRP contributed by James Shubin
>
> 3) A new INLINE action has been added. This action allows
> defining arbitrary iptables rules in the blrules and rules files,
> as well as in action and macro bodies.
>
> The basic form of an INLINE rule is as follows:
>
> INLINE <src> <dst> <proto> ... ; <iptables matches and jump>
>
> The <iptables matches and jump> are added to the rule generated by
> the contents of the other supplied columns. Given the 'raw' nature
> of this action, you should examine the rule generated by the entry
> (e.g., 'shorewall check -r') prior to attempting a 'start' or
> 'restart' operation.
>
> Example:
>
> INLINE $FW net tcp 1234 ; -j SECCTX --name foo
>
> This entry generates the following:
>
> -A fw2net -p 6 --dport 1234 -j SECCTX --name foo
>
> When multiple matches are specified, the compiler will keep them
> in the order in which they appear, but they will not necessarily be
> at the end of the generated rule. For example, if addresses are
> specified in the SOURCE and/or DEST columns, their generated
> matches will appear after those specified using ';'.
>
> Note: The following matches will always appear at the front of the
> rule in the order shown:
>
> p dport sport icmp-type icmpv6-type s d i o policy state or
> conntrack --ctstate
>
> As part of this change, a new 'builtin' action type has been
> added. ip[6]tables targets not supported by Shorewall (such as
> 'SECCTX' in the example above), must be defined in your
> /etc/shorewall[6]/actions file:
>
> Example:
>
> SECCTX builtin
>
> Such builtin actions may only be used in INLINE action
> invocations; they may not appear in the ACTION column of a rule.
>
> If you want to use a standard Shorewall-supported action, you can
> pass it as a parameter to INLINE.
>
> Example:
>
> INLINE(ACCEPT) $FW net ; -m foo --bar baz
>
> Note that if you include a log level with INLINE and do not pass a
> parameter, Shorewall will automatically assume that the parameter
> is LOG. That means that you must not specify a log level if you
> specify your own rule target with '-j'.
>
> The alternate input format may be used with INLINE, provided that
> the {....} form of alternate input is used.
>
> Example:
>
> INLINE $FW net { owner=teastep } ; -j FOO --bar
>
> 4) The INLINE action is also supported in the accounting and
> tcrules files. In the accounting file, INLINE is treated the same
> as COUNT with the exception that the freeform iptables
> input following the ';' is appended to any matches generated by
> the column contents. INLINE is treated similarly in the tcrules
> file; that is, the freeform input following ';' must specify the
> rule target, if any. In the accounting and tcrules files, INLINE
> does not accept a parameter.
>
> 5) It is now possible to specify HELPERS=none in
> /etc/shorewall[6]/shorewall[6].conf.
>
> This setting has two consequences:
>
> a) All of the *_HELPER capabilities are set to off.
>
> b) No probing of helpers is performed, thus eliminating "xt_CT: No
> such helper XXX" warnings when the compiler is probing the system
> for capabilities.
>
> 6) It is now possible to specify multiple nfacct objects in an
> NFACCT accounting rule. Where previously, the following rules were
> given:
>
> SECTION INPUT NFACCT(all) NFACCT(all_in)
>
> SECTION OUTPUT NFACCT(all) NFACCT(all_out)
>
> SECTION FORWARD NFACCT(all) NFACCT(all_fwd)
>
> It is now possible to do the same thing as follows:
>
> SECTION INPUT NFACCT(all,all_in)
>
> SECTION OUTPUT NFACCT(all,all_out)
>
> SECTION FORWARD NFACCT(all,all_fwd)
>
> To allow a nfobject to be incremented unconditionally, you may
> follow the object name with '!' (e.g., NFACCT(all!)). When '!' is
> omitted, the object is incremented only if all of the rule's
> matches succeed.
>
> 7) It is now possible to increment an nfacct counter when a
> packet matches an ipset. To do that, simply include the counter
> object's name in parentheses after the ipset specification.
>
> Examples:
>
> a) Increment the mysetcounter nfacct object when a packet's
> source matches myset.
>
> +myset[src](mysetcounter)
>
> b) Increment the mysetcounter1 and mysetcounter2 nfacct objects
> when a packet's source matches myset.
>
> +myset[src](mysetcounter1,mysetcounter2)
>
> c) In an accounting rule, increment the 'all' nfacct object
> unconditionally and increment the 'mysetcounter' object only if the
> packet source matches myset:
>
> NFACCT(all!) - +myset(mysetcounter)
>
> 8) Prior to the availability of BEGIN PERL....END PERL in
> configuration files, the only way to execute a chain-specific
> script was to create a script file with the same name as the chain
> and place it in a directory on the CONFIG_PATH. That facility has
> the drawback that the compiler will attempt to run a non-script
> file just because it has the same name as a chain. To disable this
> facility, a new CHAIN_SCRIPTS option has been added to
> shorewall[6].conf. The facility is disabled by setting
> CHAIN_SCRIPTS=No. If not specified or specified as the empty
> value, CHAIN_SCRIPTS=Yes is assumed for backward compatibility.
>
> Thank you for using Shorewall.
>
> -Tom
>
>
>
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
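The match ordering that items 3, 6 and 7 of the quoted announcement describe (an NFACCT counter is incremented only after every other match has passed, a '!' object unconditionally, and a counter attached to an ipset only when the set matched), worked through as a small added example; this is constructed model code, not Shorewall's compiler, and the iptables syntax it emits (-m nfacct --nfacct-name, -m set --match-set) is assumed from iptables rather than taken from the release notes.

```python
import re

# Constructed model of the NFACCT ordering rules in the release notes (items 3,
# 6 and 7); not Shorewall's compiler. Only the match part of a rule is built.
NFACCT_RE = re.compile(r'^NFACCT\(([\w!,\s]*)\)$')
IPSET_RE = re.compile(r'^\+(\w+)(?:\[([\w,]+)\])?(?:\(([\w,]+)\))?$')

def parse_nfacct(action):
    """Split NFACCT(a!,b) into (unconditional, conditional) object names."""
    m = NFACCT_RE.match(action)
    if not m:
        raise ValueError("not an NFACCT action: %r" % action)
    uncond, cond = [], []
    for name in (n.strip() for n in m.group(1).split(',') if n.strip()):
        (uncond if name.endswith('!') else cond).append(name.rstrip('!'))
    return uncond, cond

def parse_ipset(spec, default_flags):
    """Split +name[flags](c1,c2) into (name, flags, counter names)."""
    m = IPSET_RE.match(spec)
    if not m:
        raise ValueError("not an ipset spec: %r" % spec)
    counters = m.group(3).split(',') if m.group(3) else []
    return m.group(1), m.group(2) or default_flags, counters

def nfacct_match(name):
    return ['-m', 'nfacct', '--nfacct-name', name]

def build_matches(action, source='-', dest='-'):
    """Order matches so a counter fires only after every earlier match passed."""
    uncond, cond = parse_nfacct(action)
    matches = []
    # '!' objects count every packet reaching the rule, so they go first.
    matches.extend(nfacct_match(n) for n in uncond)
    for column, flags, opt in ((source, 'src', '-s'), (dest, 'dst', '-d')):
        if column == '-':
            continue
        if column.startswith('+'):
            name, setflags, counters = parse_ipset(column, flags)
            matches.append(['-m', 'set', '--match-set', name, setflags])
            # counters named on the set increment only when the set matched
            matches.extend(nfacct_match(c) for c in counters)
        else:
            matches.append([opt, column])
    # plain objects come last: incremented only if all other matches succeeded
    matches.extend(nfacct_match(n) for n in cond)
    return ' '.join(' '.join(m) for m in matches)
```

Feeding it the announcement's example c) shows why the '!' matters: 'all' lands before the set match and 'mysetcounter' after it.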