Greetings from Linuxfest Northwest in Bellingham, Washington. The Shorewall Team is pleased to announce the availability of Shorewall 5.0.8.
Problems Corrected:

1) This release includes defect repair through Shorewall 5.0.7.2.

2) If a physical interface name was used in the INTERFACE column of an entry in /etc/shorewall/masq, then previously a Perl diagnostic was issued as the masq rule was being processed and the iptables rule and its containing chain were dropped by the optimizer. That has been corrected so that physical interface names are handled correctly. Similar issues with physical names in the INTERFACE column of the nat, netmap and ecn files have also been resolved.

3) The optional plus sign ('+') in the MODULESDIR setting, added in Shorewall 5.0.3, is now documented in the shorewall[6].conf manpages.

4) Address variables that specified the physical interface name previously caused Perl diagnostics to be issued and wrong code to be generated. That has been corrected.

5) The IPv6 default treatment of Auth (TCP 113) is now consistent with IPv4; nothing special is done with these requests, so they are simply logged and dropped or rejected.

   IMPORTANT: If you want to continue to silently reject Auth requests, you can do so by changing your xxx_DEFAULT settings to make the second parameter 'Reject'. For example, if you currently have:

       DROP_DEFAULT=Drop
       REJECT_DEFAULT=Reject

   you can change it to:

       DROP_DEFAULT="Drop(-,REJECT)"
       REJECT_DEFAULT="Reject(-,REJECT)"

6) Previously, if a zone had two or more interfaces, then the interfaces' option rules (DHCP, dynamic blacklisting, etc.) could be moved into the fw->zone chain without being restricted to their respective interfaces. This could result in needless duplication of rules. These rules are now kept in separate chains which, if they are identical, will be combined by the optimizer if OPTIMIZE level 8 is enabled.

7) A number of issues have been resolved with saving/restoring ipsets in Shorewall and Shorewall6.

   - Even if Shorewall's SAVE_IPSETS was set to ipv4, restarting one configuration would attempt to flush/destroy the ipsets for the other address family.
   - The same set could be saved multiple times, with the result that ipset error messages were issued during 'shorewall[6] start'.
   - Needless repetition of code was generated due to the use of compile-time loops rather than run-time loops.

8) Previously, when AUTOMAKE=Yes, the 'start' command would not regenerate an out-of-date firewall script.

9) A couple of recent changes have resulted in file name collisions on Cygwin with its underlying case-insensitive filesystem. To avoid these collisions:

   - /usr/share/shorewall/deprecated and /usr/share/shorewall6/deprecated directories have been created.
   - When a name collision occurs, the file with the older name is moved to the deprecated directory.
   - The compiler automatically searches the deprecated directory (both directories in the case of Shorewall6) for files.

   In this release, macro.SNMPTraps and action.A_Reject were moved to /usr/share/shorewall/deprecated/. Note that both are deprecated - Reject accepts an 'audit' parameter, and macro.SNMPTraps has been superseded by macro.SNMPtraps.

10) Previously, the 'reload' command did not produce a system log message when it succeeded. That has been corrected.

11) Previously, when compilation was done as part of a reload or restart operation, compiler logging to the STARTUP_LOG was suppressed. Such logging is now enabled.

12) The compiler now uses a uniform format for timestamps in the STARTUP_LOG and on standard output (when the -t option is specified). Previously, some messages suppressed a leading zero in the hour where others did not. Now, the leading zero is never suppressed, for compatibility with the timestamps produced by the generated script.

13) Previously, the compiler would allow 0 to be specified in the MARK column of the tcclasses file, resulting in a run-time failure:

       Setting up Traffic Control...
       RTNETLINK answers: Invalid argument
       We have an error talking to the kernel
       ERROR: Command "tc filter add dev eth0 protocol all parent 1:0 prio 276 handle 0 fw classid 1:10" Failed

   Now, the following error is generated by the compiler:

       ERROR: MARK value must be non-zero

   As part of this change, the shorewall[6]-tcclasses(5) manpages have been updated:

   - Specifying a filter priority in the MARK column is now documented (this feature has been in the code for several years).
   - The default priorities of the filters for tos= and tcp-ack have been corrected.

14) For consistency with Docker, when bridge docker0 is listed in /etc/shorewall/interfaces, the following rule is now generated:

       -A FORWARD -o docker0 -m conntrack \
          --ctstate RELATED,ESTABLISHED -j ACCEPT

15) Previously, the safe-* commands did not direct the compiler to write to the STARTUP_LOG. That has been corrected. The commands which direct the compiler to write to that log are now:

       start
       try
       refresh
       reload
       restart
       safe-*

16) In the last several releases, the following Known Problem Remaining has been listed:

       The 'enable', 'reenable' and 'disable' commands do not work correctly in configurations with USE_DEFAULT_RT=No.

   That description is a bit broader than is necessary and is now restricted to the case where an optional provider is listed in the DUPLICATE column (see below). Additionally, the compiler now generates a warning in that case:

       WARNING: An optional provider (xxxx) is listed in the DUPLICATE column - enable and disable will not work correctly on that provider

New Features:

1) Support for later versions of miniupnpd has been added in the form of a MINIUPNPD option in shorewall.conf. If set to Yes, Shorewall will create a chain in the nat table named MINIUPNPD-POSTROUTING and will add jumps from POSTROUTING to that chain for each interface with the upnpd option specified. Default is No. The contents of the chain are preserved over 'shorewall reload' and 'shorewall restart' operations.

2) The REJECT and A_REJECT actions may now take an optional parameter that specifies the way in which the packet is to be rejected. See shorewall[6]-rules(5) for details.

3) The standard action files and shell libraries now have a uniform format for their header comments (Tuomo Soini).

4) The compiler now uses the iptables goto (-g) parameter rather than the jump (-j) parameter when the target is a terminating chain (does not have any rules with the RETURN target, and the last rule in the chain is an unconditional jump to a terminating target or chain).

5) The compiler now raises an error if the target of a chain's rule is the chain itself.

6) The compiler now raises an error if the action specified in REJECT_ACTION contains a RETURN (CONTINUE) jump or if the last rule in the action is not an unconditional jump to a terminating target.

7) The Drop and Reject default actions now accept a sixth parameter that specifies the action to be taken on UPnP packets. Previously, the same action was performed on UPnP as was performed on late DNS replies. The default is DROP in both cases.

8) Heretofore, when DYNAMIC_BLACKLISTING=Yes, blacklists were checked on packets arriving and leaving on all interfaces. Now, individual interfaces may be exempted from dynamic blacklisting through use of the "nodbl" interface option.

9) Prior to this release, dynamic blacklisting has been implemented using rules in an ip[6]tables chain. This scales poorly when there are a large number of blacklisted addresses. Beginning with this release, dynamic blacklisting can be ipset-based. See DYNAMIC_BLACKLIST in shorewall.conf(5) and shorewall6.conf(5) and the 'blacklist' command in shorewall(8) and shorewall6(8).

   As part of this change, ipsets created by Shorewall are now of type hash:net with the 'timeout 0 counters' options, rather than hash:ip with no options. This allows both network and individual host addresses to be added to these ipsets, a timeout to be specified when addresses are added to the ipsets, and visibility into matches on individual members of the ipset.

10) Two new Redis macros have been added, one for Redis Cluster and the other for Redis Sentinel (Tuomo Soini).

11) The system log messages created by Shorewall via the 'logger' utility may now be augmented using logger's -t (--tag) option through use of the SW_LOGGERTAG environment variable. If this variable is set to a non-empty value, then its contents will be passed as the -t option (e.g. logger -t "$SW_LOGGERTAG" ...).

12) Similar to ?ERROR, which was introduced in Shorewall 5.0.7, this release supports additional ?WARNING and ?INFO directives:

       ?ERROR <message>
       ?WARNING <message>
       ?INFO <message>

   The <message> is written to STDERR prefaced by the directive name (WARNING or INFO) followed by a colon (':'). It is also written to the STARTUP_LOG if:

   - A STARTUP_LOG has been configured
   - The command is start, try, restart, reload, refresh or one of the safe-* commands

   Unlike ?ERROR, ?WARNING and ?INFO do not cause compilation to be aborted.

Thank you for using Shorewall.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
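A pre-upgrade check for the Auth (TCP 113) change in item 5 of Problems Corrected above, added here as an example; it is not Shorewall's own code and was not part of the announcement. It reads the DROP_DEFAULT and REJECT_DEFAULT lines from a shorewall6.conf (or from a constructed sample when no file is given) and prints the values the announcement gives for keeping the old silent-reject behaviour. The function names, the script name and the sample conf text are this example's own assumptions; only the bare "Drop" and "Reject" forms shown in the announcement are rewritten, and any other value is echoed back unchanged rather than guessed at.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: a pre-upgrade check for the
# 5.0.8 change to IPv6 Auth (TCP 113) handling.  It reads DROP_DEFAULT
# and REJECT_DEFAULT from a shorewall6.conf and prints the values the
# announcement gives for keeping the old silent-reject behaviour.
# Function names and the sample conf text are this example's own.

# Map one xxx_DEFAULT value to the value that keeps silently rejecting
# Auth.  Only the bare Drop / Reject forms from the announcement are
# rewritten; a value that already carries parameters, names a custom
# action, or is empty is printed back unchanged so nothing is guessed.
auth_reject_value() {
    v=$(printf '%s' "$1" | sed 's/^"//; s/"$//')   # strip optional quotes
    case "$v" in
        Drop)   printf '"Drop(-,REJECT)"' ;;
        Reject) printf '"Reject(-,REJECT)"' ;;
        *)      printf '%s' "$1" ;;
    esac
}

# Filter conf text on stdin down to the two relevant settings and print
# each as NAME=<value to use>.  Comments and other settings are skipped.
auth_reject_settings() {
    grep -E '^(DROP|REJECT)_DEFAULT=' | while IFS='=' read -r name value; do
        printf '%s=%s\n' "$name" "$(auth_reject_value "$value")"
    done
}

# Constructed sample of the relevant shorewall6.conf lines (not a real
# file), mirroring the "if you currently have" case in the announcement.
SAMPLE_CONF='# constructed sample shorewall6.conf fragment
DROP_DEFAULT=Drop
REJECT_DEFAULT=Reject
ACCEPT_DEFAULT=none
'

if [ -n "$1" ]; then
    auth_reject_settings < "$1"                    # real conf given as $1
else
    printf '%s' "$SAMPLE_CONF" | auth_reject_settings
fi
```

Run it against a live configuration as `sh auth_check.sh /etc/shorewall6/shorewall6.conf` (script name assumed) before upgrading; a line printed with the "(-,REJECT)" suffix is the setting to adopt if silent rejection of Auth is still wanted, while a line printed unchanged already carries parameters or a custom action and needs a manual look.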
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users