----------------------------------------------------------------------------
S H O R E W A L L 4 . 6 . 4 . 3
------------------------------------
O c t o b e r 2 0 , 2 0 1 4
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
II. KNOWN PROBLEMS REMAINING
III. NEW FEATURES IN THIS RELEASE
IV. MIGRATION ISSUES
V. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
----------------------------------------------------------------------------
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
4.6.4.3
1) The fix for LOG_BACKEND in 4.6.4.2 worked on some older
distributions but not on newer ones. This release fixes the problem
in the remaining cases.
4.6.4.2
1) Setting LOG_BACKEND=ipt_LOG could result in the following startup
failure at boot:
Starting shorewall ...
/var/lib/shorewall/firewall: line 2080: echo: write error: No such file or directory
WARNING: Unable to set log backend to ipt_LOG
4.6.4.1
1) Confusing 'usage' output was produced under the following
conditions:
a) 4.6.4 installed
b) The running firewall was compiled on an earlier release.
c) A 'safe-start', 'save-restart', 'save' or 'try' command is
executed.
This problem has been corrected.
2) The 'optional' option has been removed from the IPv4 Universal
interfaces file, as that option caused startup failures.
4.6.4 Final.
1) This release includes defect repair through release 4.6.3.4.
2) Two corrections have been made to the .service files:
- The .service files now correctly specify
WantedBy=basic.target
- Conflicting services have been added.
3) A warning message generated during stoppedrules processing
previously referred to the file as routestopped.
4) Previously, the stoppedrules file did not work properly when
ADMINISABSENTMINDED=No.
- A warning message was issued stating that the file would be
processed as if ADMINISABSENTMINDED=Yes, and it was.
- Unfortunately, part of the surrounding rule-generating logic
proceeded as if ADMINISABSENTMINDED=No, leading to an unusable
ruleset.
This problem has been corrected by changing the way that
stoppedrules works with ADMINISABSENTMINDED=No. In the new
implementation:
- All existing connections continue to work.
- Response packets and related connection requests to new accepted
connections are accepted (in other words, the resulting ruleset
is stateful).
See shorewall[6].conf(5) for additional details.
5) The .spec files now set SBINDIR correctly.
6) The -lite installers now create INITDIR if it doesn't exist.
7) The installers no longer attempt to create a symbolic link to the
init script when no init script is installed.
8) A large number of defects in the uninstallers have been corrected.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
----------------------------------------------------------------------------
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) Install support for Centos 7 and Foobar 7 has been added (Tuomo
Soini).
2) A 'terminating' option has been added to shorewall[6].actions.
This option, when used with the 'builtin' option, indicates to the
compiler that the built-in action is terminating. This allows the
optimizer to omit rules after an unconditional jump to the
built-in.
3) A LOG_BACKEND option has been added to allow specification of the
default logging backends. See shorewall.conf(5) and
shorewall6.conf(5) for details.
4) The SAVE_IPSETS option may now specify a list of ipsets to be
saved. When such a list is specified, only those ipsets together
with the ipsets supporting dynamic zones are saved.
Shorewall6 now supports the SAVE_IPSETS option. In Shorewall6, when
SAVE_IPSETS=Yes, only IPv6 ipsets are saved. In Shorewall, when
SAVE_IPSETS=ipv4, only IPv4 ipsets are saved. Both features
require ipset version 5 or later.
Note that shorewall.conf and shorewall6.conf may now both specify
SAVE_IPSETS.
5) The SBINDIR setting for SuSE now defaults to /usr/sbin/.
6) With the exception of Shorewall-core, the tarball installers and
uninstallers now support a -n option which inhibits any attempt to
change the startup configuration. The -n option can be
automatically invoked by setting the SANDBOX variable to a
non-empty value, either in the environment or in your shorewallrc
file.
----------------------------------------------------------------------------
I V. M I G R A T I O N I S S U E S
----------------------------------------------------------------------------
1) If you are migrating from Shorewall 4.4.x or earlier, please see
http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.21/releasenotes.txt
2) Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir
and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in
favor of the VARDIR setting in shorewallrc.
NOTE: While the name of the variable remains VARDIR, the
meaning is slightly different. When set in shorewallrc,
each product (shorewall-lite, and shorewall6-lite) will
create a directory under the specified path name to
hold state information.
Example:
VARDIR=/opt/var/
The state directory for shorewall-lite will be
/opt/var/shorewall-lite/ and the directory for
shorewall6-lite will be /opt/var/shorewall6-lite.
When VARDIR is set in /etc/shorewall[6]/vardir, the
product will save its state directly in the specified
directory.
In Shorewall 4.5.8, a VARLIB variable was added to the shorewallrc
file and the meaning of VARDIR is once again consistent. The
default setting of VARDIR for a particular product is
${VARLIB}/$product. There is an entry of that form in the
shorewallrc file. Because there is a single shorewallrc file for
all installed products, the /etc/shorewall[6]-lite/vardir file
provides the only means for overriding this default.
3) Beginning with Shorewall 4.5.6, the tcrules file is processed if
MANGLE_ENABLED=Yes, independent of the setting of TC_ENABLED. This
allows actions like TTL and TPROXY to be used without enabling
traffic shaping.
If you have rules in your tcrules file that you only want processed
when TC_ENABLED is other than 'No', then enclose them in
?IF $TC_ENABLED
...
?ENDIF
If they are to be processed only if TC_ENABLED=Internal, then enclose
them in
?IF TC_ENABLED eq 'Internal'
...
?ENDIF
4) Beginning with Shorewall 4.5.7, the deprecated
/etc/shorewall[6]/blacklist files are no longer installed. Existing
files are still processed by the compiler. Note that blacklist
files may be converted to equivalent blrules files using
'shorewall[6] update -b'.
5) In Shorewall 4.5.7, the /etc/shorewall[6]/notrack file was renamed
/etc/shorewall[6]/conntrack. When upgrading to a release >= 4.5.7,
the conntrack file will be installed along side of an existing
notrack file. When both files exist, a compiler warning is
generated:
WARNING: Both notrack and conntrack exist; conntrack is ignored
This warning may be eliminated by moving any entries in the notrack
file to the conntrack file and removing the notrack file.
6) In Shorewall 4.5.8, the /etc/shorewall[6]/routestopped files were
deprecated in favor of new /etc/shorewall[6]/stoppedrules
counterparts. The new files have much more familiar and
straightforward semantics. Once a stoppedrules file is populated,
the compiler will process that file and will ignore the
corresponding routestopped file.
7) In Shorewall 4.5.8, a new variable (VARLIB) was added to the
shorewallrc file. This variable assumes the role formerly played by
VARDIR, and VARDIR now designates the configuration directory for a
particular product.
This change should be transparent to all users:
a) If VARDIR is set in an existing shorewallrc file and VARLIB is
not, then VARLIB is set to ${VARDIR} and VARDIR is set to
${VARLIB}/${PRODUCT}.
b) If VARLIB is set in a shorewallrc file and VARDIR is not, then
VARDIR is set to ${VARLIB}/${PRODUCT}.
The Shorewall-core installer will automatically update
~/.shorewallrc and save the original in ~/.shorewallrc.bak
8) Previously, the macro.SNMP macro opened both UDP ports 161 and 162
from SOURCE to DEST. This is against the usual practice of opening
these ports in the opposite direction. Beginning with Shorewall
4.5.8, the SNMP macro opens port 161 from SOURCE to DEST as before,
and a new SNMPTrap macro is added that opens port 162 (from SOURCE
to DEST).
9) Beginning with Shorewall 4.5.11, ?FORMAT is preferred over FORMAT
for specifying the format of records in these configuration files:
action.* files
conntrack
interface
macro.* files
tcrules
While deprecated, FORMAT (without the '?') is still supported.
Also, ?COMMENT is preferred over COMMENT for attaching comments to
generated netfilter rules in the following files.
accounting
action.* files
blrules files
conntrack
masq
nat
rules
secmarks
tcrules
tunnels
When one of the deprecated forms is encountered, a warning message
is issued.
Examples:
WARNING: 'FORMAT' is deprecated in favor of '?FORMAT' -
consider running 'shorewall update -D'.
WARNING: 'COMMENT' is deprecated in favor of '?COMMENT' -
consider running 'shorewall update -D'.
As the warnings indicate, 'update -D' will traverse the CONFIG_PATH
replacing FORMAT and COMMENT lines with ?FORMAT and ?COMMENT
directives respectively. The original version of modified files
will be saved with a .bak suffix.
During the update, .bak files are skipped as are files in
${SHAREDIR}/shorewall and ${SHAREDIR}/shorewall6.
10) To allow finer-grained selection of the connection-tracking states
that are passed through blacklists (both dynamic and static), a
BLACKLIST option was added to shorewall.conf and shorewall6.conf in
Shorewall 4.5.13.
The BLACKLISTNEWONLY option was deprecated at that point. A
'shorewall update' ( 'shorewall6 update' ) will replace the
BLACKLISTNEWONLY option with the equivalent BLACKLIST option.
11) In Shorewall 4.5.14, the BLACKLIST_LOGLEVEL option was renamed
BLACKLIST_LOG_LEVEL to be consistent with the other log-level
option names. BLACKLIST_LOGLEVEL continues to be accepted as a
synonym for BLACKLIST_LOG_LEVEL, but a 'shorewall update' or
'shorewall6 update' command will replace BLACKLIST_LOGLEVEL with
BLACKLIST_LOG_LEVEL in the new .conf file.
12) Beginning with Shorewall 4.6.0, the default setting for 'ZONE2ZONE'
is '-' rather than '2'. If you prefer to keep your pre-4.6.0 chain
names, then specify ZONE2ZONE=2 in shorewall[6].conf.
13) Beginning with Shorewall 4.6.0, section headers are now preceded by
'?' (e.g., '?SECTION ...'). If your configuration contains any
bare 'SECTION' entries, the following warning is issued:
WARNING: 'SECTION' is deprecated in favor of '?SECTION' -
consider running 'shorewall update -D' ...
As mentioned in the message, running 'shorewall[6] update -D' will
eliminate the warning.
14) Beginning with Shorewall 4.6.0, the 'tcrules' file has been
superseded by the 'mangle' file. Existing 'tcrules' files will
still be processed, with the restriction that TPROXY is no longer
supported in FORMAT 1.
If your 'tcrules' file has non-commentary entries, the following
warning message is issued:
WARNING: Non-empty tcrules file (...);
consider running 'shorewall update -t'
See shorewall6(8) for limitations of 'update -t'.
15) The default value of LOAD_HELPERS_ONLY is now 'Yes'.
16) Beginning with Shorewall 4.6.0, FORMAT-1 actions and macros are
deprecated and a warning will be issued for each FORMAT-1 action
or macro found.
WARNING: FORMAT-1 actions are deprecated and support will be
dropped in a future release.
WARNING: FORMAT-1 macros are deprecated and support will be
dropped in a future release.
To eliminate these warnings, add the following line before the
first rule in the action or macro:
?FORMAT 2
and adjust the columns appropriately.
FORMAT-1 actions have the following columns:
TARGET
SOURCE
DEST
PROTO
DEST PORT(S)
SOURCE PORT(S)
RATE/LIMIT
USER/GROUP
MARK
while FORMAT-2 actions have these columns:
TARGET
SOURCE
DEST
PROTO
DEST PORT(S)
SOURCE PORT(S)
ORIGINAL DEST
RATE/LIMIT
USER/GROUP
MARK
CONNLIMIT
TIME
HEADERS (Used in IPv6 only)
CONDITION
HELPER
FORMAT-1 macros have the following columns:
TARGET
SOURCE
DEST
PROTO
DEST PORT(S)
SOURCE PORT(S)
RATE/LIMIT
USER/GROUP
while FORMAT-2 macros have these columns:
TARGET
SOURCE
DEST
PROTO
DEST PORT(S)
SOURCE PORT(S)
ORIGINAL DEST
RATE/LIMIT
USER/GROUP
MARK
CONNLIMIT
TIME
HEADERS (Used in IPv6 only)
CONDITION
HELPER
17) Prior to Shorewall 4.6.4, the stoppedrules file did not work
properly when ADMINISABSENTMINDED=No.
- A warning message was issued stating that the file would be
processed as if ADMINISABSENTMINDED=Yes, and it was.
- Unfortunately, part of the surrounding rule-generating logic
proceeded as if ADMINISABSENTMINDED=No, leading to an unusable
ruleset.
In Shorewall 4.6.4, this problem was corrected by changing the way
that stoppedrules works with ADMINISABSENTMINDED=No. In the new
implementation:
- All existing connections continue to work.
- Response packets and related connection requests to new accepted
connections are accepted (in other words, the resulting ruleset
is stateful).
See shorewall[6].conf(5) for additional details.
----------------------------------------------------------------------------
V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 6 . 3
----------------------------------------------------------------------------
4.6.3.1
1) The DNSAmp action released in 4.6.3 matched more packets than it
should have. That has now been corrected.
4.6.3
1) This release contains defect repair up through release 4.6.2.5.
2) The SAVE_IPSETS option in the Debian version of Shorewall-init now
works correctly. Thomas D.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 6 . 3
----------------------------------------------------------------------------
1) A new 'run' command has been implemented. This command allows you
to run an arbitrary command in the context of the generated
script.
shorewall[6][-lite] run <command> [ <parameter> ... ]
Normally, <command> will be a function declared in lib.private.
2) A DNSAmp action has been added. This action matches recursive UDP
DNS queries. The default disposition is DROP which can be
overridden by the single action parameter (e.g, 'DNSAmp(REJECT)'
will reject these queries). Recursive DNS queries are the basis for
'DNS Amplification' attacks; hence the action name.
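The following is an added illustration, not Shorewall code, of the traffic class that DNSAmp targets: a standard DNS query (QR=0, OPCODE=0) with the Recursion Desired flag set. Shorewall performs this match inside netfilter (a raw u32 match in action.DNSAmp), which is not reproduced here; the point of the example is that RD alone is not a sufficient test, because a server copies RD into its response, so a rule that ignored QR would also hit replies returning to a resolver. The helper names and the sample messages are constructed for this example.

```python
"""Classify raw DNS messages (UDP payloads) as recursive queries.

Added example, not part of Shorewall. The DNS header layout follows
RFC 1035: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (12 bytes).
"""
import struct

HEADER_LEN = 12


def parse_header(payload: bytes) -> dict:
    """Decode the 12-byte DNS header; raise ValueError on a short message."""
    if len(payload) < HEADER_LEN:
        raise ValueError("short DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:HEADER_LEN])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,        # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,  # 0 = standard query
        "rd": (flags >> 8) & 1,         # recursion desired
        "ra": (flags >> 7) & 1,         # recursion available (responses)
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def is_recursive_query(payload: bytes) -> bool:
    """True for a standard query with RD set, i.e. what DNSAmp is meant to match.

    Checking QR=0 restricts the match to client->server queries; responses
    carry the same RD bit copied from the query and must not be caught.
    Truncated or non-DNS payloads are treated as non-matching.
    """
    try:
        h = parse_header(payload)
    except ValueError:
        return False
    return h["qr"] == 0 and h["opcode"] == 0 and h["rd"] == 1


def build_message(qr: int, rd: int, qname: str = "example.com", qtype: int = 255) -> bytes:
    """Build a minimal one-question DNS message (constructed sample data).

    qtype 255 (ANY) is the classic amplification query; the default is
    only a sample value and does not affect the classification.
    """
    flags = (qr << 15) | (rd << 8)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode() for label in qname.split("."))
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # terminator, QTYPE, QCLASS=IN
    return header + question


def classify(payloads) -> list:
    """Return the indices of payloads a DNSAmp-style rule would act on."""
    return [i for i, p in enumerate(payloads) if is_recursive_query(p)]


if __name__ == "__main__":
    samples = [
        build_message(qr=0, rd=1),  # recursive ANY query: the amplification pattern
        build_message(qr=0, rd=0),  # iterative query, e.g. towards an authoritative server
        build_message(qr=1, rd=1),  # response with RD copied from the query
        b"\x00" * 5,                # truncated garbage
    ]
    for i, p in enumerate(samples):
        print(i, "match" if is_recursive_query(p) else "pass")
```

Fed with payloads extracted from a capture of port 53/udp traffic, classify() shows which datagrams a DNSAmp(DROP) or DNSAmp(REJECT) rule would act on before the rule is deployed; legitimate recursive queries from your own clients to your own resolver fall into the same class, so the action belongs on interfaces where recursive service is not offered.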
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 6 . 2
----------------------------------------------------------------------------
4.6.2.5
1) Previously, when an interface specified the 'physical=' option and
the physical interface name was specified in the INTERFACES column
of the providers file, compilation would fail with diagnostics
similar to the following:
Use of uninitialized value $physical in pattern match
(m//) at /usr/lib/perl5/vendor_perl/5.18.1/
Shorewall/Providers.pm line 463, <$currentfile> line 2.
ERROR: A provider interface must have at least one
associated zone /opt/etc/shorewall/providers (line 2)
2) Shorewall-init now works correctly on systems with systemd.
By Louis Lagendijk.
4.6.2.4
1) Previously, inline matches were incorrectly disallowed in action
files. These matches are now allowed.
4.6.2.3
1) Previously, the compiler would fail with a Perl diagnostic if:
- Optimize Level 8 was enabled.
- Perl 5.20 was being used. This is the current Perl version on
Arch Linux.
The diagnostic was:
Can't use string ("nat") as a HASH ref while "strict refs" in use
at /usr/share/shorewall/Shorewall/Chains.pm line 3486.
4.6.2.2
1) The compiler now correctly detects the IPv6 "Header Match"
capability when LOAD_MODULES_ONLY=No.
2) The compiler now correctly detects the IPv6 "Ipset Match"
capability on systems running a 3.14 or later kernel.
3) The compiler now correctly detects "Arptables JF" capability when
LOAD_MODULES_ONLY=No.
4) The tcfilter manpages previously failed to mention that
BASIC_FILTERS=Yes is required to use ipsets in the tcfilters files.
4.6.2.1
1) Two issues with tcrules processing have been corrected:
- SAVE and RESTORE generated fatal compilation errors.
- '|' and '&' were ignored.
4.6.2
1) The DSCP match in the mangle and tcrules files didn't work with
service class names such as EF, BE, CS1, ... (Thibaut Chèze)
2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in
tcrules and mangle; this was a regression from 4.5.21.
3) Additional ports required by Asus, Supermicro and Dell have been
added to the IPMI macro (Tuomo Soini).
4) Some issues regarding install under Cygwin64 have been addressed.
- configure.pl did not understand CYGWIN returned from `uname`
- Shorewall-core install.sh did not understand CYGWIN returned from
`uname`.
- The Shorewall and Shorewall6 installers tried to run the command
'mkdir -p //etc/shorewall[6]' which is broken in the current
Cygwin64.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 6 . 2
----------------------------------------------------------------------------
1) The 'status' command now allows a -i option which causes the state
of all optional and provider interfaces to be displayed.
Example:
root@gateway:/etc/shorewall# shorewall status -i
Shorewall-4.6.1 Status at gateway - Wed Jun 18 14:27:19 PDT 2014
Shorewall is running
State:Started (Wed Jun 18 09:50:01 PDT 2014) from /etc/shorewall/
(/var/lib/shorewall/firewall compiled by Shorewall version 4.6.1)
Interface eth0 is Enabled
Interface eth1 is Enabled
Interface lo is Enabled
2) A 'shorewall show blacklists' command has been
implemented. The abbreviation 'bl' may be used in place of
'blacklists'.
The command displays the output of the 'dynamic' chain together
with the chains created by entries in the blrules file.
3) A TIME column has been added to the mangle file. It has the same
use in that file as the corresponding column in the rules file.
4) A stateful port knocking example has been added to the Events
article (http://www.shorewall.net/Events.html). This example allows
a sequence of knocking ports to be defined (Gerhard Weisinger).
5) A macro supporting HP's Integrated Lights Out (ILO) has been added
(Tuomo Soini).
6) It is now possible to specify the MAC address of a provider
GATEWAY. This is useful when there are multiple providers serviced
by a single interface as it avoids the need for the generated
script to detect the MAC during start/restart.
7) The copyrights in the sample configuration files have been updated.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 6 . 1
----------------------------------------------------------------------------
4.6.1.4
1) The DSCP match in the mangle and tcrules files didn't work with
service class names such as EF, BE, CS1, ...
2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in
tcrules and mangle; this was a regression from 4.5.21.
4.6.1.3
1) Use of the 'IfEvent' action resulted in a compilation failure:
ERROR: -j is only allowed when the ACTION is INLINE with no
parameter /usr/share/shorewall/action.IfEvent (line 139)
from /etc/shorewall/action.SSHKnock (line 8)
from /etc/shorewall/rules (line 31)
4.6.1.2
1) The shorewall-masq(5) and shorewall6-masq(5) manpages had a mangled
heading for the description of the SOURCE column, leading some
readers to assert that the description was missing.
2) When INLINE_MATCHES=Yes and AUTOHELPERS=No, start or restart could
fail during script execution with this diagnostic:
Running /sbin/iptables-restore...
Bad argument `helper=netbios-ns'
Error occurred at line: nnn
Try `iptables-restore -h' or 'iptables-restore --help' for more
information.
ERROR: iptables-restore Failed. Input is in
/var/lib/shorewall/.iptables-restore-input
4.6.1.1
1) An improved error message is generated when a server address list
is specified in the DEST column of a DNAT or REDIRECT
rule. At one time, iptables supported such lists, but now only a
single address or an address range is supported.
The previous error message was:
ERROR: Unkknown Host (192.168.1.4,192.168.1.22)
The new error message is:
ERROR: An address list (192.168.1.4,192.168.1.22) is not
allowed in the DEST column of a xxx RULE
where xxx is DNAT or REDIRECT as appropriate.
2) Two problems have been corrected in the Shorewall-init Debian init
script.
a) A cosmetic problem which resulted in 'echo_notdone' being
displayed on failure rather than 'not done'.
b) More seriously, the test for the existence of compiled
firewall scripts was incorrect, with the result that the
firewall scripts were not executed.
These defects, introduced in Shorewall 4.5.17, have now been
corrected.
4.6.1
1) When the 'rpfilter' option is specified on all interfaces, no
references to the 'dynamic' chain were created and that chain was
optimized away.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 6 . 1
----------------------------------------------------------------------------
1) Tuomo Soini has provided new macros for AMOP, MongoDB, Redis, Sieve
and IPMI (RMCP).
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 6 . 0
----------------------------------------------------------------------------
4.6.0.3
1) The Shorewall-init package now installs correctly on RHEL7.
2) 1:1 NAT is now enabled in IPv6.
3) A subtle interaction between NAT and sub-zones is explained in
shorewall-nat.
4) The 'show filters' command now works with Simple TC.
4.6.0.2
1) The 'upgrade -A' command now converts the tcrules file to a mangle
file. Previously, that didn't happen.
2) The install components now support RHEL7.
3) Whitespace issues in the skeleton configuration files have been
corrected (Tuomo Soini).
4) The install components now support RHEL7.
5) FAQ 2e has been added which describes additional steps required to
achieve hairpin NAT on a bridge where the modified packets are to
go out the same bridge port as they entered.
6) shorewall-masq(5) has been corrected to include the word SOURCE on
the description of that column. Previously, the description read
'(formerly called SUBNET)'.
7) The output of 'shorewall show filters' once again shows ingress
(policing) filters. This works around undocumented changes to the
behavior of the 'tc' utility.
4.6.0.1
1) The CHECKSUM target in the tcrules and mangle files was broken and
resulted in this error diagnostic:
Running /sbin/iptables-restore...
iptables-restore v1.4.7: CHECKSUM target: Parameter --checksum-fill is
required
Error occurred at line: 41
Try `iptables-restore -h' or 'iptables-restore --help' for more
information.
ERROR: iptables-restore Failed. Input is in
/var/lib/shorewall/.iptables-restore-input
The compiler is now generating the correct rule.
2) Some cosmetic issues in the 'mangle' files have been resolved.
3) When an invalid chain designator was supplied in 'tcrules' or
'mangle', the compiler's error message was garbled and a
Perl diagnostic was issued.
4.6.0
This release includes all defect repair from releases up through
4.5.21.9.
1) The tarball installers now install .service files with mode 644
rather than mode 600.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 6 . 0
----------------------------------------------------------------------------
1) SECTION entries in the accounting and rules files now allow
"SECTION" to be immediately preceded by "?" (e.g., ?SECTION). The
new form is preferred and if any SECTION entries do not have the
question mark, a warning is issued (see Migration Issues below).
2) The default setting for ZONE2ZONE has been changed from '2' to '-'
for increased readability when zone names contain '2'.
3) The 'tcrules' file has been superseded by the 'mangle'
file. Existing 'tcrules' files will still be processed, with the
restriction that TPROXY is no longer supported in FORMAT 1.
You can convert your tcrules file into the equivalent mangle file
using the command:
shorewall update -t
See shorewall(8) and shorewall6(8) for important restrictions of
the -t option.
4) Prior to now, the ability to specify raw iptables matches has been
tied to the INLINE action. Beginning with this release, the two can
be separated by specifying INLINE_MATCHES=Yes.
When INLINE_MATCHES=Yes, then inline matches may be specified after
a semicolon in the following files:
action files
macros
rules
mangle
masq
Note that semicolons are not allowed in any other files. If you
want to use the alternative input format in those files, then you
must enclose the specifications in curly brackets ({...}). The -i
option of the 'check' command will warn you of lines that need to
be changed from using ";" to using "{...}".
5) The 'conntrack', 'raw', 'mangle' and 'rules' files now support an IPTABLES
(IP6TABLES) action. This action is similar to INLINE in that it
allows arbitrary ip[6]tables matches to be specified after a
semicolon (even when INLINE_MATCHES=No). It differs in that the
parameter passed is an iptables target with target options.
Example (rules file):
#ACTION SOURCE DEST PROTO
IPTABLES(TARPIT --honeypot) net pot
If the particular target that you wish to use is unknown to
Shorewall, you will get this error message:
ERROR: Unknown TARGET (<target>)
You can eliminate that error by adding your target as a builtin
action in /etc/shorewall[6]/actions.
As part of this change, the /etc/shorewall[6]/actions file options
have been extended to allow you to specify the Netfilter table(s)
where the target is accepted. When 'builtin' is specified, you can
also include the following options:
filter
nat
mangle
raw
If no table is given, 'filter' is assumed for backward
compatibility.
6) The 'tcpflags' option is now set by default. To disable the option,
specify 'tcpflags=0' in the OPTIONS column of the interface file.
7) You may now use ipset names (preceded by '+') in PORT columns,
allowing you to take advantage of bitmap:port ipsets.
8) The counter extensions to ipset matches have been
implemented. See shorewall[6]-ipsets for details.
9) DROP is now a valid action in the stoppedrules files. DROP occurs
in the raw table PREROUTING chain which avoids conntrack entry
creation.
10) A new BASIC_FILTERS option is now supported. When set to 'Yes',
this option causes the compiler to generate basic TC filters from
tcfilters entries rather than u32 filters.
Basic filters are more straight-forward than u32 filters and, in
later iptables/kernel versions, basic filters support ipset
matches. Please note that Shorewall cannot reliably detect whether
your iptables/kernel support ipset matches, so an error-free
compilation does not guarantee that the firewall will start
successfully when ipset names are specified in tcfilters entries.
11) The update command now supports an -A option. This is intended to
perform all available updates to the configuration and is currently
equivalent to '-b -D -t'.
12) Beginning with this release, FORMAT-1 actions and macros are
deprecated and a warning will be issued for each FORMAT-1 action
or macro found. See the Migration Issues for further information.
13) To facilitate creation of ipsets with characteristics different
from what Shorewall generates, the 'init' user exit is now executed
before Shorewall creates ipsets that don't exist.