This time with promised attachments.

On Mon, Dec 08, 2008 at 07:49:06PM -0500, Roberto C. Sánchez wrote:
> I am preparing a new upstream release (4.0.15) of Shorewall (affected Debian
> packages: shorewall-{perl,shell,common,lite,doc}). Nearly all of the changes
> have already been approved, uploaded and migrated to Lenny in the form of
> patches to the 4.0.14 packages. Only the latest fix (I just committed it
> upstream tonight) has not been incorporated. I would like to receive approval
> for upload of the new 4.0.15 (still to be released) packages. This will help
> to avoid user confusion and 4.0.15 is currently planned to be the very last
> release in the 4.0 series of Shorewall releases.
>
> The only substantial change between the current Debian packages in Lenny
> and the 4.0.15 is represented by the attached ipp2p.diff:
>
>  Shorewall-common/changelog.txt     |    2 ++
>  Shorewall-common/lib.base          |    2 +-
>  Shorewall-common/releasenotes.txt  |    8 ++++++++
>  Shorewall-perl/Shorewall/Config.pm |    2 +-
>  4 files changed, 12 insertions(+), 2 deletions(-)
>
> The affected packages are shorewall-{perl,common,lite}. You can
> reproduce the diff yourself with this command:
>
> svn diff -r8952:8953 http://shorewall.svn.sourceforge.net/svnroot/shorewall/branches/4.0
>
> The complete upstream changeset between 4.0.14 and 4.0.15 is represented
> by the attached shorewall_4.0.14_to_4.0.15_upstream.diff:
>
>  Shorewall-common/changelog.txt         |   17 +
>  Shorewall-common/fallback.sh           |    2
>  Shorewall-common/install.sh            |    2
>  Shorewall-common/lib.base              |   10
>  Shorewall-common/releasenotes.txt      |  497 +++++++++++++++++----------------
>  Shorewall-common/shorewall-common.spec |    4
>  Shorewall-common/started               |    2
>  Shorewall-common/uninstall.sh          |    2
>  Shorewall-lite/fallback.sh             |    2
>  Shorewall-lite/init.debian.sh          |    2
>  Shorewall-lite/install.sh              |    2
>  Shorewall-lite/shorewall-lite.spec     |    4
>  Shorewall-lite/uninstall.sh            |    2
>  Shorewall-perl/Shorewall/Chains.pm     |   15
>  Shorewall-perl/Shorewall/Config.pm     |   27 +
>  Shorewall-perl/Shorewall/Rules.pm      |    7
>  Shorewall-perl/Shorewall/Tc.pm         |    2
>  Shorewall-perl/install.sh              |    2
>  Shorewall-perl/shorewall-perl.spec     |    4
>  Shorewall-shell/compiler               |   54 +++
>  Shorewall-shell/install.sh             |    2
>  Shorewall-shell/shorewall-shell.spec   |    4
>  known_problems.txt                     |   10
>  manpages/shorewall-interfaces.xml      |    4
>  manpages/shorewall.conf.xml            |   21 +
>  manpages/shorewall.xml                 |   22 +
>  26 files changed, 449 insertions(+), 273 deletions(-)
>
> The large change in the release notes is a result of a formatting
> cleanup. The manpage changes are typo fixes and addition of missing
> documentation. All of the rest of the changes are already patched
> individually into the affected Debian packages.
>
> You can reproduce the diff yourself with this command:
>
> svn diff http://shorewall.svn.sourceforge.net/svnroot/shorewall/tags/4.0.14 http://shorewall.svn.sourceforge.net/svnroot/shorewall/branches/4.0
>
> I think that overall it would be far better to have the 4.0.15 packages
> in Debian, rather than patching yet again. However, if needed, I will
> patch in the changes from the attached ipp2p.diff.
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez
> http://people.connexer.com/~roberto
> http://www.connexer.com

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Index: known_problems.txt =================================================================== --- known_problems.txt (.../tags/4.0.14) (revision 8953) +++ known_problems.txt (.../branches/4.0) (revision 8953) @@ -1,10 +0,0 @@ -Problems corrected in Shorewall 4.0.14.2 - -1) With Shorewall-perl, if a destination port list had exactly 16 - ports, where a port-range counts as two ports, then Shorewall-perl - would fail to split the rule into multiple rules and an - iptables-restore error would result. - -2) The change to Shorewall in 4.0.14.1 that promised iptables 1.4.1 - compatibility contained a typo that prevented it from working - correctly. Index: Shorewall-perl/install.sh =================================================================== --- Shorewall-perl/install.sh (.../tags/4.0.14) (revision 8953) +++ Shorewall-perl/install.sh (.../branches/4.0) (revision 8953) @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.0.14 +VERSION=4.0.15 usage() # $1 = exit status { Index: Shorewall-perl/Shorewall/Chains.pm =================================================================== --- Shorewall-perl/Shorewall/Chains.pm (.../tags/4.0.14) (revision 8953) +++ Shorewall-perl/Shorewall/Chains.pm (.../branches/4.0) (revision 8953) @@ -110,6 +110,7 @@ do_test do_ratelimit do_user + do_length do_tos match_source_dev match_dest_dev @@ -421,7 +422,7 @@ if ( $expandports && $rule =~ '^(.* --dports\s+)([^ ]+)(.*)$' ) { my ($first, $ports, $rest) = ( $1, $2, $3 ); - if ( ( $ports =~ tr/:,/:,/ ) > 15 ) { + if ( ( $ports =~ tr/:,/:,/ ) > 14 ) { my @ports = split '([,:])', $ports; while ( @ports ) { @@ -1212,6 +1213,16 @@ } # +# Create a "-m length" match for the passed TOS +# +sub do_length( $ ) { + my $length = $_[0]; + + require_capability( 'LENGTH_MATCH' , 'A non-empty LENGTH' , 's' ); + $length ne '-' ? "-m length --length $length " : ''; +} + +# # Match Source Interface # sub match_source_dev( $ ) { 
@@ -1345,7 +1356,7 @@ if ( $net =~ /^!/ ) { $net =~ s/!//; validate_net $net, 1; - "-m conntrack --ctorigdst ! $net "; + $capabilities{NEW_CONNTRACK_MATCH} ? "-m conntrack ! --ctorigdst $net " : "-m conntrack --ctorigdst ! $net "; } else { validate_net $net, 1; $net eq ALLIPv4 ? '' : "-m conntrack --ctorigdst $net "; Index: Shorewall-perl/Shorewall/Config.pm =================================================================== --- Shorewall-perl/Shorewall/Config.pm (.../tags/4.0.14) (revision 8953) +++ Shorewall-perl/Shorewall/Config.pm (.../branches/4.0) (revision 8953) @@ -162,6 +162,8 @@ MULTIPORT => 'Multi-port Match' , XMULTIPORT => 'Extended Multi-port Match', CONNTRACK_MATCH => 'Connection Tracking Match', + NEW_CONNTRACK_MATCH => + 'New Connection Tracking Match syntax', USEPKTTYPE => 'Packet Type Match', POLICY_MATCH => 'Policy Match', PHYSDEV_MATCH => 'Physdev Match', @@ -244,8 +246,8 @@ ORIGINAL_POLICY_MATCH => '', LOGPARMS => '', TC_SCRIPT => '', - VERSION => "4.0.14", - CAPVERSION => 40006 , + VERSION => "4.0.15", + CAPVERSION => 40015 , ); # # From shorewall.conf file @@ -357,6 +359,7 @@ MULTIPORT => undef, XMULTIPORT => undef, CONNTRACK_MATCH => undef, + NEW_CONNTRACK_MATCH => undef, USEPKTTYPE => undef, POLICY_MATCH => undef, PHYSDEV_MATCH => undef, @@ -1368,6 +1371,10 @@ qt1( "$iptables -N $sillyname" ); $capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" ); + + if ( $capabilities{CONNTRACK_MATCH} ) { + $capabilities{NEW_CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack ! --ctorigdst 192.168.1.1 -j ACCEPT" ); + } if ( qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" ) ) { $capabilities{MULTIPORT} = 1; 
@@ -1400,7 +1407,7 @@ $capabilities{XCONNMARK_MATCH} = qt1( "$iptables -A $sillyname -m connmark --mark 2/0xFF -j ACCEPT" ); } - $capabilities{IPP2P_MATCH} = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --ipp2p -j ACCEPT" ); + $capabilities{IPP2P_MATCH} = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --edk -j ACCEPT" ); $capabilities{LENGTH_MATCH} = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" ); $capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp-host-prohibited" ); $capabilities{COMMENTS} = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) ); @@ -1636,9 +1643,17 @@ $globals{ORIGINAL_POLICY_MATCH} = $capabilities{POLICY_MATCH}; if ( $config{LOGRATE} || $config{LOGBURST} ) { - $globals{LOGLIMIT} = '-m limit '; - $globals{LOGLIMIT} .= "--limit $config{LOGRATE} " if $config{LOGRATE}; - $globals{LOGLIMIT} .= "--limit-burst $config{LOGBURST} " if $config{LOGBURST}; + if ( defined $config{LOGRATE} ) { + fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE} =~ /^\d+\/(second|minute)$/; + } + + if ( defined $config{LOGBURST} ) { + fatal_error"Invalid LOGBURST ($config{LOGBURST})" unless $config{LOGBURST} =~ /^\d+$/; + } + + $globals{LOGLIMIT} = '-m limit '; + $globals{LOGLIMIT} .= "--limit $config{LOGRATE} " if defined $config{LOGRATE}; + $globals{LOGLIMIT} .= "--limit-burst $config{LOGBURST} " if defined $config{LOGBURST}; } else { $globals{LOGLIMIT} = ''; } Index: Shorewall-perl/Shorewall/Tc.pm =================================================================== --- Shorewall-perl/Shorewall/Tc.pm (.../tags/4.0.14) (revision 8953) +++ Shorewall-perl/Shorewall/Tc.pm (.../branches/4.0) (revision 8953) 
@@ -271,7 +271,7 @@ if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) , $restrictions{$chain} , - do_proto( $proto, $ports, $sports) . do_user( $user ) . do_test( $testval, $mask ) . do_tos( $tos ) , + do_proto( $proto, $ports, $sports) . do_user( $user ) . do_test( $testval, $mask ) . do_length( $length ) . do_tos( $tos ) , $source , $dest , '' , Index: Shorewall-perl/Shorewall/Rules.pm =================================================================== --- Shorewall-perl/Shorewall/Rules.pm (.../tags/4.0.14) (revision 8953) +++ Shorewall-perl/Shorewall/Rules.pm (.../branches/4.0) (revision 8953) @@ -1002,6 +1002,11 @@ fatal_error "Missing DEST Qualifier ($dest)" if $2 eq ''; $destzone = $1; $dest = $2; + } elsif ( $dest =~ /.*\..*\./ ) { + # + # Appears to be an address + # + $destzone = '-'; } else { $destzone = $dest; $dest = ALLIPv4; @@ -1602,6 +1607,8 @@ if $hostref->{options}{broadcast}; } + clearrule; + next if $hostref->{options}{destonly}; my $source = match_source_net $net; Index: Shorewall-perl/shorewall-perl.spec =================================================================== --- Shorewall-perl/shorewall-perl.spec (.../tags/4.0.14) (revision 8953) +++ Shorewall-perl/shorewall-perl.spec (.../branches/4.0) (revision 8953) @@ -1,5 +1,5 @@ %define name shorewall-perl -%define version 4.0.14 +%define version 4.0.15 %define release 0base Summary: Shoreline Firewall Perl-based compiler. 
@@ -64,6 +64,8 @@ %doc COPYING releasenotes.txt %changelog +* Sat Oct 11 2008 Roberto C. Sanchez roberto@connexer.com +- Updated to 4.0.15-0base * Mon Sep 22 2008 Tom Eastep tom@shorewall.net - Updated to 4.0.14-0base * Sat Jul 26 2008 Tom Eastep tom@shorewall.net Property changes on: Shorewall-perl ___________________________________________________________________ Name: svn:mergeinfo - Property changes on: Samples ___________________________________________________________________ Name: svn:mergeinfo - Index: Shorewall-shell/install.sh =================================================================== --- Shorewall-shell/install.sh (.../tags/4.0.14) (revision 8953) +++ Shorewall-shell/install.sh (.../branches/4.0) (revision 8953) @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.0.14 +VERSION=4.0.15 usage() # $1 = exit status { Index: Shorewall-shell/shorewall-shell.spec =================================================================== --- Shorewall-shell/shorewall-shell.spec (.../tags/4.0.14) (revision 8953) +++ Shorewall-shell/shorewall-shell.spec (.../branches/4.0) (revision 8953) @@ -1,5 +1,5 @@ %define name shorewall-shell -%define version 4.0.14 +%define version 4.0.15 %define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. @@ -81,6 +81,8 @@ %doc COPYING INSTALL %changelog +* Sat Oct 11 2008 Roberto C. Sanchez roberto@connexer.com +- Updated to 4.0.15-0base * Mon Sep 22 2008 Tom Eastep tom@shorewall.net - Updated to 4.0.14-0base * Sat Jul 26 2008 Tom Eastep tom@shorewall.net Index: Shorewall-shell/compiler =================================================================== --- Shorewall-shell/compiler (.../tags/4.0.14) (revision 8953) +++ Shorewall-shell/compiler (.../branches/4.0) (revision 8953) 
@@ -1674,8 +1674,18 @@ build_exclusion_chain chain filter "$excludesource" "$excludedest" if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then + match='--ctorigdst' + if [ -n "$NEW_CONNTRACK_MATCH" ]; then + case $adr in + !*) + match='!--ctorigdst' + adr=${adr#!} + ;; + esac + fi + for adr in $(separate_list $addr); do - run_iptables -A $logchain $state $(fix_bang $proto $multiport $sports $dports) $user -m conntrack --ctorigdst $adr -j $chain + run_iptables -A $logchain $state $(fix_bang $proto $multiport $sports $dports) $user -m conntrack $match $adr -j $chain done addr= else @@ -1891,14 +1901,24 @@ __EOF__ else for adr in $(separate_list $addr); do + match='--ctorigdst' + if [ -n "$NEW_CONNTRACK_MATCH" ]; then + case $adr in + !*) + match='!--ctorigdst' + adr=${adr#!} + ;; + esac + fi + if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \ + log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack $match $adr \ $user $mrk $(fix_bang $proto $multiport $sports $cli $srv $dports) $state fi if [ "$logtarget" != LOG ]; then run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports \ - $srv $dports -m conntrack --ctorigdst $adr $user $mrk -j $target + $srv $dports -m conntrack $match $adr $user $mrk -j $target fi done fi 
@@ -1958,20 +1978,30 @@ if [ -n "$addr" ]; then for adr in $(separate_list $addr); do + match='--ctorigdst' + if [ -n "$NEW_CONNTRACK_MATCH" ]; then + case $adr in + !*) + match='!--ctorigdst' + adr=${adr#!} + ;; + esac + fi + if [ -n "$loglevel" ]; then log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \ - $state $(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack --ctorigdst $adr) + $state $(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack $match $adr) fi if [ "$logtarget" != LOG ]; then if [ -n "$nonat" ]; then addnatrule $(dnat_chain $source) $proto $multiport \ - $cli $sports $dports $ratelimit $user $mrk -m conntrack --ctorigdst $adr -j RETURN + $cli $sports $dports $ratelimit $user $mrk -m conntrack $match $adr -j RETURN fi if [ "$logtarget" != NONAT ]; then run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \ - $sports $dports $ratelimit $user $mrk -m conntrack --ctorigdst $adr -j $target + $sports $dports $ratelimit $user $mrk -m conntrack $match $adr -j $target fi fi done @@ -3670,7 +3700,17 @@ # # We have connection tracking match -- match on the original destination # - run_iptables2 -A $chain -m conntrack --ctorigdst $network -j $target + match='--ctorigdst' + if [ -n "$NEW_CONNTRACK_MATCH" ]; then + case $network in + !*) + match='!--ctorigdst' + network=${network#!} + ;; + esac + fi + + run_iptables2 -A $chain -m conntrack $match $network -j $target elif [ -n "$MANGLE_ENABLED" ]; then # # No connection tracking match but we have mangling -- add a rule to Property changes on: Shorewall-shell ___________________________________________________________________ Name: svn:mergeinfo - Index: Shorewall-common/uninstall.sh =================================================================== --- Shorewall-common/uninstall.sh (.../tags/4.0.14) (revision 8953) +++ Shorewall-common/uninstall.sh (.../branches/4.0) (revision 8953) 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.0.14 +VERSION=4.0.15 usage() # $1 = exit status { Index: Shorewall-common/changelog.txt =================================================================== --- Shorewall-common/changelog.txt (.../tags/4.0.14) (revision 8953) +++ Shorewall-common/changelog.txt (.../branches/4.0) (revision 8953) @@ -1,3 +1,18 @@ +Changes in 4.0.15 + +1) Fix iptables conntrack syntax when using newer versions of +iptables. + +2) Apply Lennart Sorensen's patch to finish LENGTH matching. + +3) Prevent invalid rules when KLUDGEFREE is not set. + +4) Document DISABLE_IPV6 in shorewall.conf man page. + +5) Fix nonat rules with destination IP address. + +6) Change ipp2p detection to support latest version. + Changes in 4.0.14 1) Fix handling of 'all-' in shorewall-shell. @@ -2,2 +17,4 @@ +2) Fix bashism in handling of options in Debian init script. + Changes in 4.0.13 Index: Shorewall-common/started =================================================================== --- Shorewall-common/started (.../tags/4.0.14) (revision 8953) +++ Shorewall-common/started (.../branches/4.0) (revision 8953) @@ -8,7 +8,7 @@ # extension script and /etc/shorewall/start is that this one is invoked # after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and # after the 'shorewall' chain has been created (thus signaling that the -# firewall is completely up. +# firewall is completely up). # # This script should not change the firewall configuration directly but # may do so indirectly by running /sbin/shorewall with the 'nolock' Index: Shorewall-common/install.sh =================================================================== --- Shorewall-common/install.sh (.../tags/4.0.14) (revision 8953) +++ Shorewall-common/install.sh (.../branches/4.0) (revision 8953) 
@@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.0.14 +VERSION=4.0.15 usage() # $1 = exit status { Index: Shorewall-common/releasenotes.txt =================================================================== --- Shorewall-common/releasenotes.txt (.../tags/4.0.14) (revision 8953) +++ Shorewall-common/releasenotes.txt (.../branches/4.0) (revision 8953) @@ -1,4 +1,4 @@ -Shorewall 4.0 Patch release 14. +Shorewall 4.0 Patch release 15. ---------------------------------------------------------------------------- R E L E A S E 4 . 0 H I G H L I G H T S 
@@ -26,27 +26,49 @@ Shorewall-perl compiler. This support utilizes the reduced-function physdev match support available in Linux kernel 2.6.20 and later. -Problems Corrected in Shorewall-shell 4.0.14. -1) If 'all-' appears in the DEST column of /etc/shorewall/rules and - the SOURCE column is not some form of 'all', then $FW was - incorrectly included in the DEST. +Problems Corrected in Shorewall 4.0.15. +1) Beginning with iptables version 1.4.1, the syntax for commands using the + conntrack module has changed. Shorewall now detects if the installed + version of iptables requires the new syntax. + +2) Support for the LENGTH column in /etc/shorewall/tcrules was + incomplete in Shorewall-perl with the result that the LENGTH column + was ignored. Thanks go to Lennart Sorensen for the patch. + +3) When ipranges were used to define zones, Shorewall-perl could + generate invalid iptables-restore input if 'Repeat Match' was not + available. Repeat Match is not a true match -- it rather is a + feature of recent iptables releases that allows a match to be + repeated within a rule. + +4) The DISABLE_IPV6 option has been documented in the shorewall.conf + man page. The option has been there all along, but it was not + previously documented in the man page. + +5) If a no-NAT rule (DNAT-, ACCEPT+, NONAT) included a destination IP + address and no zone name in the DEST column, Shorewall-perl would + reject the rule. If a zone name was specified, Shorewall-perl + would issue a Warning message. + +3) Following the Netfilter tradition, the IPP2P maintainer has made an + incompatible syntax change (the --ipp2p option has been + removed). Shorewall has always used "-m ipp2p --ipp2p" when + detecting the presence of IPP2P support. + + Shorewall-common and Shorewall-perl have been modified to use + "-m ipp2p --edk" instead. + Known Problems Remaining. 1) The 'refresh' command doesn't refresh the mangle table. 
So changes made to /etc/shorewall/providers and/or /etc/shorewall/tcrules may not be reflected in the running ruleset. -Other changes in Shorewall 4.0.13. +Other changes in Shorewall 4.0.15. -1) Beginning with Shorewall 4.0.0, the -f option was no longer the - default for '/etc/init.d/shorewall start'. Beginning with 4.0.13, - this is also true for Shoreawall-lite. +None. -2) A macro supporting RNDC (BIND remote management protocol) traffic - has been added. It can be used as any other macro (e.g., RNDC/ACCEPT) - in the rules file. - Migration Considerations: 1) Beginning with Shorewall 4.0.0, there is no single 'shorewall' 
@@ -915,226 +937,27 @@ (compiler, shorewall-common and shorewall-lite) must be version 4.0.0-RC2 or later. -Problems corrected in Shorewall-perl 4.0.6. +Problems Corrected in Shorewall 4.0.14. -1) In a DNAT or REDIRECT rule, if no serverport was given and the DEST - PORT(S) list contained a service name containing a hyphen ("-") then - an ERROR was generated. +1) If 'all-' appears in the DEST column of /etc/shorewall/rules and + the SOURCE column is not some form of 'all', then $FW was + incorrectly included in the DEST. - Example -- Rules file: +2) A bashism has been corrected in the init script shipped for Debian + and Debian-like distributions which prevented the proper options + from being passed to /sbin/shorewall or /sbin/shorewall-lite in + some cases. - DNAT net loc:$WINDOWS_IP tcp https,pptp,ms-wbt-server,4125 +Other changes in Shorewall 4.0.14. - Results in: +1) Beginning with Shorewall 4.0.0, the -f option was no longer the + default for '/etc/init.d/shorewall start'. Beginning with 4.0.13, + this is also true for Shoreawall-lite. - ERROR: Invalid port range (ms:wbt:server) : rules (line 49) +2) A macro supporting RNDC (BIND remote management protocol) traffic + has been added. It can be used as any other macro (e.g., RNDC/ACCEPT) + in the rules file. - Problem was introduced in Shorewall 4.0.5 and does not occur in - earlier releases. - -2) If a long destination port list needed to be broken at a port pair, - the generated rule contained an extra comma which resulted in an - iptables-restore failure. - -3) Several problems involving port ranges and port lists in REDIRECT - rules have been corrected. - -4) Shorewall-perl no longer requires an address in the GATEWAY column - of /etc/shorewall/tunnels. If the column is left empty (or contains - '-') then 0.0.0.0/0 is assumed. - -5) Previously with Shorewall-perl, redirecting both STDOUT and STDERR - to the same file descriptor resulted in scrambled output between - the two. 
The error messages were often in the middle of the - regular output far ahead of the point where the error occurred. - - This problem was possible in the Debian Shorewall init script - (/etc/init.d/shorewall) which redirects output to the - Debian-specific /var/log/shorewall-init.log file in this way: - - $SRWL $SRWL_OPTS start >> $INITLOG 2>&1 && ... - -6) With both compilers, when HIGH_ROUTE_MARKS=Yes, unpredictable - results could occur when marking in the PREROUTING or OUTPUT - chains. When a rule specified a mark value > 255, the compilers - were using the '--or-mark' operator rather than the '--set-mark' - operator. Consequently, when a packet matched more than one - rule, the resulting routing mark was the logical product of the - mark values in the matching rules rather than the mark value from - the last matching rule. - - Example: - - 0x100 192.168.1.44 0.0.0.0/0 - 0x200 0.0.0.0/0 0.0.0.0/0 tcp 25 - - A TCP packet from 192.168.1.44 with destination port 25 would have - a mark value of 0x300 rather than the expected value of 0x200. - -7) Previously, a 'start -f' on Shorewall Lite would produce the - following distressing output before starting the firewall: - - make: *** No rule to make target `/firewall', needed by - `/var/lib/shorewall-lite/restore'. Stop. - - Furthermore, the Makefile for both Shorewall and Shorewall Lite - failed to take into account the /etc/shorewall/vardir file. - - This has been corrected. As part of the fix, both /sbin/shorewall - and /sbin/shorewall-lite support a "show vardir" command that - displays the VARDIR setting. - -8) Shorewall-perl was previously ignoring the USER/GROUP column of the - tcrules file. - -9) Supplying the name of a built-in chain in the 'refresh' command - caused entries in the chain to be duplicated. Since this is a - feature of iptables-restore with the '-n' option, built-in chains - in the 'refresh' list will now be rejected. - -Other changes in Shorewall 4.0.6. 
- -1) Shorewall-perl now uses the '--physdev-is-bridged' option when it - is available. This option will suppress messages like the following: - - kernel: physdev match: using --physdev-out in the OUTPUT, FORWARD and - POSTROUTING chains for non-bridged traffic is not supported - anymore. - - This change only affects users who use bport/bport4 zones in a - briged configuration and requires that capabilities files be - regenerated using Shorewall-common or Shorewall-lite 4.0.6. - -2) Shorewall-perl now allows you to embed Shell or Perl scripts in - all configuration files except /etc/shorewall/params and - /etc/shorewall/shorewall.conf (As always, you can continue to - include arbitrary shell code in /etc/shorewall/params). - - To embed a one-line script, use one of the following: - - SHELL <shell script> - PERL <perl script> - - For multi-line scripts, use: - - BEGIN SHELL - <shell script> - END SHELL - - BEGIN PERL - <perl script> - END PERL - - For SHELL scripts, the output from the script is processed as if it - were part of the file. - - Example 1 (Shell): To generate SMTP/ACCEPT rules from zones a b c d - and e to the firewall: - - Either: - - BEGIN SHELL - for z in a b c d e; do - echo SMTP/ACCEPT $z fw tcp 25 - done - END SHELL - - or - - SHELL for z in a b c d e; do echo SMTP/ACCEPT $z fw tcp 25; done - - Either is equivalent to: - - SMTP/ACCEPT a fw tcp 25 - SMTP/ACCEPT b fw tcp 25 - SMTP/ACCEPT c fw tcp 25 - SMTP/ACCEPT d fw tcp 25 - SMTP/ACCEPT e fw tcp 25 - - With a Perl script, if you want to output text to be processed as - if it were part of the file, then pass the text to the shorewall() - function. - - Example 2 (Perl): To generate SMTP/ACCEPT rules from zones a b c d - and e to the firewall: - - BEGIN PERL - for ( qw/a b c d e/ ) { - shorewall "SMTP/ACCEPT $_ fw tcp 25"; - } - END PERL - - PERL scripts have access to any context accumulated in earlier PERL - scripts. 
All such embedded Perl, as well as conventional Perl - extension scripts are placed in the Shorewall::User package. That - way, your global variables and functions won't conflict with any of - Shorewall's. - - To allow you to load Perl modules and initialize any global state, - a new 'compile' compile-time extension script has been added. It is - called early in the compilation process. - - For additional information, see - - - http://www.shorewall.net/configuration_file_basics.html#Embedded - -3) To complement Embedded Perl scripts, Shorewall 4.0.6 allows Perl - scripts to create filter chains using - Shorewall::Chains::new_manual_chain() and then use the chain as a - target in subsequent entries in /etc/shorewall/rules. - - See http://www.shorewall.net/ManualChains.html for information. - -4) The 'hits' command now accepts a -t option which limits the report - to those log records generated today. - -5) A DONT_LOAD option has been added to shorewall.conf. If there are - kernel modules that you don't wish to have loaded, you can list - them in this entry as a comma-separated list. - - Example: - - DONT_LOAD=nf_conntrack_sip,nf_nat_sip - -6) Shorewall-perl now supports the --random option of the iptables - SNAT, MASQUERADE, DNAT and REDIRECT targets. Please note that - iptables support for this option is currently broken for the DNAT - and REDIRECT targets; I've sent a patch to the Netfilter team. - - For MASQUERADE, simply place the word 'random' in the ADDRESS - column. This causes Netfilter to randomize the source port seen by - the remote host. - - Example: - - #INTERFACE SOURCE ADDRESS - eth0 eth1 random - - For SNAT, follow the port list by ":random". - - Example: - - #INTERFACE SOURCE ADDRESS - eth0 eth1 206.124.146.179:10000-10999:random - - For DNAT, follow the port list by ":random". 
- - Example: - - #ACTION SOURCE DEST PROTO DEST - # PORT(S) - DNAT net loc:192.168.1.4:40-50:random tcp 22 - - For REDIRECT, you must use the fully-qualified form of the DEST: - - #ACTION SOURCE DEST PROTO DEST - # PORT(S) - REDIRECT net $FW::40-50:random tcp 22 - - Note that ':random' is only effective with SNAT, DNAT and REDIRECT - when a port range is specified in the ADDRESS/DEST column. It is - ignored by iptables/iptables-restore otherwise. - Problems corrected in Shorewall 4.0.13. 1) When DYNAMIC_ZONES=Yes, certain configurations would produce an 
@@ -1457,6 +1280,226 @@ xxxx eth0:~00-02-02-02-02-02 ... +Problems corrected in Shorewall-perl 4.0.6. + +1) In a DNAT or REDIRECT rule, if no serverport was given and the DEST + PORT(S) list contained a service name containing a hyphen ("-") then + an ERROR was generated. + + Example -- Rules file: + + DNAT net loc:$WINDOWS_IP tcp https,pptp,ms-wbt-server,4125 + + Results in: + + ERROR: Invalid port range (ms:wbt:server) : rules (line 49) + + Problem was introduced in Shorewall 4.0.5 and does not occur in + earlier releases. + +2) If a long destination port list needed to be broken at a port pair, + the generated rule contained an extra comma which resulted in an + iptables-restore failure. + +3) Several problems involving port ranges and port lists in REDIRECT + rules have been corrected. + +4) Shorewall-perl no longer requires an address in the GATEWAY column + of /etc/shorewall/tunnels. If the column is left empty (or contains + '-') then 0.0.0.0/0 is assumed. + +5) Previously with Shorewall-perl, redirecting both STDOUT and STDERR + to the same file descriptor resulted in scrambled output between + the two. The error messages were often in the middle of the + regular output far ahead of the point where the error occurred. + + This problem was possible in the Debian Shorewall init script + (/etc/init.d/shorewall) which redirects output to the + Debian-specific /var/log/shorewall-init.log file in this way: + + $SRWL $SRWL_OPTS start >> $INITLOG 2>&1 && ... + +6) With both compilers, when HIGH_ROUTE_MARKS=Yes, unpredictable + results could occur when marking in the PREROUTING or OUTPUT + chains. When a rule specified a mark value > 255, the compilers + were using the '--or-mark' operator rather than the '--set-mark' + operator. Consequently, when a packet matched more than one + rule, the resulting routing mark was the logical product of the + mark values in the matching rules rather than the mark value from + the last matching rule. 
+ + Example: + + 0x100 192.168.1.44 0.0.0.0/0 + 0x200 0.0.0.0/0 0.0.0.0/0 tcp 25 + + A TCP packet from 192.168.1.44 with destination port 25 would have + a mark value of 0x300 rather than the expected value of 0x200. + +7) Previously, a 'start -f' on Shorewall Lite would produce the + following distressing output before starting the firewall: + + make: *** No rule to make target `/firewall', needed by + `/var/lib/shorewall-lite/restore'. Stop. + + Furthermore, the Makefile for both Shorewall and Shorewall Lite + failed to take into account the /etc/shorewall/vardir file. + + This has been corrected. As part of the fix, both /sbin/shorewall + and /sbin/shorewall-lite support a "show vardir" command that + displays the VARDIR setting. + +8) Shorewall-perl was previously ignoring the USER/GROUP column of the + tcrules file. + +9) Supplying the name of a built-in chain in the 'refresh' command + caused entries in the chain to be duplicated. Since this is a + feature of iptables-restore with the '-n' option, built-in chains + in the 'refresh' list will now be rejected. + +Other changes in Shorewall 4.0.6. + +1) Shorewall-perl now uses the '--physdev-is-bridged' option when it + is available. This option will suppress messages like the following: + + kernel: physdev match: using --physdev-out in the OUTPUT, FORWARD and + POSTROUTING chains for non-bridged traffic is not supported + anymore. + + This change only affects users who use bport/bport4 zones in a + briged configuration and requires that capabilities files be + regenerated using Shorewall-common or Shorewall-lite 4.0.6. + +2) Shorewall-perl now allows you to embed Shell or Perl scripts in + all configuration files except /etc/shorewall/params and + /etc/shorewall/shorewall.conf (As always, you can continue to + include arbitrary shell code in /etc/shorewall/params). 
+ + To embed a one-line script, use one of the following: + + SHELL <shell script> + PERL <perl script> + + For multi-line scripts, use: + + BEGIN SHELL + <shell script> + END SHELL + + BEGIN PERL + <perl script> + END PERL + + For SHELL scripts, the output from the script is processed as if it + were part of the file. + + Example 1 (Shell): To generate SMTP/ACCEPT rules from zones a b c d + and e to the firewall: + + Either: + + BEGIN SHELL + for z in a b c d e; do + echo SMTP/ACCEPT $z fw tcp 25 + done + END SHELL + + or + + SHELL for z in a b c d e; do echo SMTP/ACCEPT $z fw tcp 25; done + + Either is equivalent to: + + SMTP/ACCEPT a fw tcp 25 + SMTP/ACCEPT b fw tcp 25 + SMTP/ACCEPT c fw tcp 25 + SMTP/ACCEPT d fw tcp 25 + SMTP/ACCEPT e fw tcp 25 + + With a Perl script, if you want to output text to be processed as + if it were part of the file, then pass the text to the shorewall() + function. + + Example 2 (Perl): To generate SMTP/ACCEPT rules from zones a b c d + and e to the firewall: + + BEGIN PERL + for ( qw/a b c d e/ ) { + shorewall "SMTP/ACCEPT $_ fw tcp 25"; + } + END PERL + + PERL scripts have access to any context accumulated in earlier PERL + scripts. All such embedded Perl, as well as conventional Perl + extension scripts are placed in the Shorewall::User package. That + way, your global variables and functions won't conflict with any of + Shorewall's. + + To allow you to load Perl modules and initialize any global state, + a new 'compile' compile-time extension script has been added. It is + called early in the compilation process. + + For additional information, see + + - http://www.shorewall.net/configuration_file_basics.html#Embedded + +3) To complement Embedded Perl scripts, Shorewall 4.0.6 allows Perl + scripts to create filter chains using + Shorewall::Chains::new_manual_chain() and then use the chain as a + target in subsequent entries in /etc/shorewall/rules. + + See http://www.shorewall.net/ManualChains.html for information. 
+ +4) The 'hits' command now accepts a -t option which limits the report + to those log records generated today. + +5) A DONT_LOAD option has been added to shorewall.conf. If there are + kernel modules that you don't wish to have loaded, you can list + them in this entry as a comma-separated list. + + Example: + + DONT_LOAD=nf_conntrack_sip,nf_nat_sip + +6) Shorewall-perl now supports the --random option of the iptables + SNAT, MASQUERADE, DNAT and REDIRECT targets. Please note that + iptables support for this option is currently broken for the DNAT + and REDIRECT targets; I've sent a patch to the Netfilter team. + + For MASQUERADE, simply place the word 'random' in the ADDRESS + column. This causes Netfilter to randomize the source port seen by + the remote host. + + Example: + + #INTERFACE SOURCE ADDRESS + eth0 eth1 random + + For SNAT, follow the port list by ":random". + + Example: + + #INTERFACE SOURCE ADDRESS + eth0 eth1 206.124.146.179:10000-10999:random + + For DNAT, follow the port list by ":random". + + Example: + + #ACTION SOURCE DEST PROTO DEST + # PORT(S) + DNAT net loc:192.168.1.4:40-50:random tcp 22 + + For REDIRECT, you must use the fully-qualified form of the DEST: + + #ACTION SOURCE DEST PROTO DEST + # PORT(S) + REDIRECT net $FW::40-50:random tcp 22 + + Note that ':random' is only effective with SNAT, DNAT and REDIRECT + when a port range is specified in the ADDRESS/DEST column. It is + ignored by iptables/iptables-restore otherwise. + Problems corrected in Shorewall 4.0.5. 1) Previously, Shorewall-perl misprocessed $FW::<port> in the DEST Index: Shorewall-common/lib.base =================================================================== --- Shorewall-common/lib.base (.../tags/4.0.14) (revision 8953) +++ Shorewall-common/lib.base (.../branches/4.0) (revision 8953) @@ -35,7 +35,7 @@ # SHOREWALL_LIBVERSION=40000 -SHOREWALL_CAPVERSION=40006 +SHOREWALL_CAPVERSION=40015 [ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ] 
@@ -979,6 +979,7 @@ qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= CONNTRACK_MATCH= + NEW_CONNTRACK_MATCH= MULTIPORT= XMULTIPORT= POLICY_MATCH= @@ -1026,6 +1027,10 @@ qt $IPTABLES -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes + if [ -n "$CONNTRACK_MATCH" ]; then + qt $IPTABLES -A $chain -m conntrack ! --ctorigdst 192.168.1.1 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes + fi + if qt $IPTABLES -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then MULTIPORT=Yes qt $IPTABLES -A $chain -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes @@ -1057,7 +1062,7 @@ qt $IPTABLES -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes fi - qt $IPTABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && IPP2P_MATCH=Yes + qt $IPTABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT && IPP2P_MATCH=Yes qt $IPTABLES -A $chain -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes qt $IPTABLES -A $chain -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes @@ -1126,6 +1131,7 @@ report_capability "Multi-port Match" $MULTIPORT [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT report_capability "Connection Tracking Match" $CONNTRACK_MATCH + report_capability "New Connection Tracking Match Syntax" $NEW_CONNTRACK_MATCH report_capability "Packet Type Match" $USEPKTTYPE report_capability "Policy Match" $POLICY_MATCH report_capability "Physdev Match" $PHYSDEV_MATCH Index: Shorewall-common/shorewall-common.spec =================================================================== --- Shorewall-common/shorewall-common.spec (.../tags/4.0.14) (revision 8953) +++ Shorewall-common/shorewall-common.spec (.../branches/4.0) (revision 8953) @@ -1,5 +1,5 @@ %define name shorewall-common -%define version 4.0.14 +%define version 4.0.15 %define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. 
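Review bot: the NEW_CONNTRACK_MATCH probe (lib.base @@ -1026,6 +1027,10 @@) is correctly gated on CONNTRACK_MATCH having succeeded, and the '-m conntrack ! --ctorigdst' form it tests is the negation syntax that older iptables rejects, but the only consumer visible in this diff is the new report_capability line; the Shorewall-perl side is not in the hunks as posted, so please confirm that Config.pm's capability reader knows the NEW_CONNTRACK_MATCH name, otherwise a regenerated capabilities file will carry a line the compiler silently ignores and the compiler will keep emitting the old syntax.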
@@ -244,6 +244,8 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples %changelog +* Sat Oct 11 2008 Roberto C. Sanchez roberto@connexer.com +- Updated to 4.0.15-0base * Mon Sep 22 2008 Tom Eastep tom@shorewall.net - Updated to 4.0.14-0base * Sat Jul 26 2008 Tom Eastep tom@shorewall.net Index: Shorewall-common/fallback.sh =================================================================== --- Shorewall-common/fallback.sh (.../tags/4.0.14) (revision 8953) +++ Shorewall-common/fallback.sh (.../branches/4.0) (revision 8953) @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.0.14 +VERSION=4.0.15 usage() # $1 = exit status { Property changes on: Shorewall-common ___________________________________________________________________ Name: svn:mergeinfo - Property changes on: manpages-lite ___________________________________________________________________ Name: svn:mergeinfo - Index: Shorewall-lite/install.sh =================================================================== --- Shorewall-lite/install.sh (.../tags/4.0.14) (revision 8953) +++ Shorewall-lite/install.sh (.../branches/4.0) (revision 8953) @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.0.14 +VERSION=4.0.15 usage() # $1 = exit status { Index: Shorewall-lite/uninstall.sh =================================================================== --- Shorewall-lite/uninstall.sh (.../tags/4.0.14) (revision 8953) +++ Shorewall-lite/uninstall.sh (.../branches/4.0) (revision 8953) 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.0.14 +VERSION=4.0.15 usage() # $1 = exit status { Index: Shorewall-lite/shorewall-lite.spec =================================================================== --- Shorewall-lite/shorewall-lite.spec (.../tags/4.0.14) (revision 8953) +++ Shorewall-lite/shorewall-lite.spec (.../branches/4.0) (revision 8953) @@ -1,5 +1,5 @@ %define name shorewall-lite -%define version 4.0.14 +%define version 4.0.15 %define release 0base Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. @@ -98,6 +98,8 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Sat Oct 11 2008 Roberto C. Sanchez roberto@connexer.com +- Updated to 4.0.15-0base * Mon Sep 22 2008 Tom Eastep tom@shorewall.net - Updated to 4.0.14-0base * Sat Jul 26 2008 Tom Eastep tom@shorewall.net Index: Shorewall-lite/fallback.sh =================================================================== --- Shorewall-lite/fallback.sh (.../tags/4.0.14) (revision 8953) +++ Shorewall-lite/fallback.sh (.../branches/4.0) (revision 8953) @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.0.14 +VERSION=4.0.15 usage() # $1 = exit status { Index: Shorewall-lite/init.debian.sh =================================================================== --- Shorewall-lite/init.debian.sh (.../tags/4.0.14) (revision 8953) +++ Shorewall-lite/init.debian.sh (.../branches/4.0) (revision 8953) 
@@ -66,7 +66,7 @@ if [ -f "/etc/default/shorewall-lite" ] then . /etc/default/shorewall-lite - $SRWL_OPTS+="$OPTIONS" + SRWL_OPTS="$SRWL_OPTS $OPTIONS" if [ "$startup" != "1" ] then not_configured Property changes on: Shorewall-lite ___________________________________________________________________ Name: svn:mergeinfo - Index: manpages/shorewall-interfaces.xml =================================================================== --- manpages/shorewall-interfaces.xml (.../tags/4.0.14) (revision 8953) +++ manpages/shorewall-interfaces.xml (.../branches/4.0) (revision 8953) @@ -22,7 +22,7 @@ <title>Description</title> <para>The interfaces file serves to define the firewall's network - interfaces to Shorewall.The order of entries in this file is not + interfaces to Shorewall. The order of entries in this file is not significant in determining zone composition.</para> <para>The columns in the file are as follows.</para> @@ -73,7 +73,7 @@ <para>Care must be exercised when using wildcards where there is another zone that uses a matching specific interface. See <ulink - url="shorewall-nesting.html">shorewall-nesting</ulink>(8) for a + url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for a discussion of this problem.</para> <para>There is no need to define the loopback interface (lo) in this Index: manpages/shorewall.conf.xml =================================================================== --- manpages/shorewall.conf.xml (.../tags/4.0.14) (revision 8953) +++ manpages/shorewall.conf.xml (.../branches/4.0) (revision 8953) @@ -1,4 +1,6 @@ <?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" +"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> <refentry> <refmeta> <refentrytitle>shorewall.conf</refentrytitle> 
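Review bot: the replaced line in init.debian.sh (@@ -66,7 +66,7 @@), '$SRWL_OPTS+="$OPTIONS"', was broken twice over: '+=' is a bash extension that dash (/bin/sh on Debian) does not understand, and the leading '$' expands the variable first, so with SRWL_OPTS empty the shell tried to run '+=<options>' as a command name and OPTIONS from /etc/default/shorewall-lite was never appended. The new 'SRWL_OPTS="$SRWL_OPTS $OPTIONS"' is plain POSIX sh; the leading space it leaves when SRWL_OPTS is empty is discarded by word splitting when the unquoted value is used. Since this is a Debian-specific init script, the fix deserves its own entry in the Debian package changelog rather than being folded into the version bump.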
@@ -452,6 +454,21 @@ </varlistentry> <varlistentry> + <term><emphasis role="bold">DISABLE_IPV6=</emphasis>[<emphasis + role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> + + <listitem> + <para>If set to <emphasis role="bold">Yes</emphasis> or <emphasis + role="bold">yes</emphasis>, IPv6 traffic to, from and through the + firewall system is disabled. If set to <emphasis + role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>, + Shorewall will take no action with respect to allowing or + disallowing IPv6 traffic. If not specified or empty, + “DISABLE_IPV6=No” is assumed.</para> + </listitem> + </varlistentry> + + <varlistentry> <term><emphasis role="bold">DONT_LOAD=</emphasis>[<emphasis>module</emphasis>[,<emphasis>module</emphasis>]...]</term> @@ -1469,7 +1486,7 @@ <para>While Shorewall Actions can be very useful, they also require a sizable amount of code to implement. By setting USE_ACTIONS=No, embedded Shorewall installations can omit the large library - /usr/share/shorewall/lib.actions.</para> + /usr/share/shorewall-shell/lib.actions.</para> <note> <para>USE_ACTIONS=No is not supported by Shorewall-perl.</para> @@ -1522,4 +1539,4 @@ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para> </refsect1> -</refentry> \ No newline at end of file +</refentry> Index: manpages/shorewall.xml =================================================================== --- manpages/shorewall.xml (.../tags/4.0.14) (revision 8953) +++ manpages/shorewall.xml (.../branches/4.0) (revision 8953) @@ -1,4 +1,6 @@ <?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" +"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> <refentry> <refmeta> <refentrytitle>shorewall</refentrytitle> 
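Review bot: the new DISABLE_IPV6 entry in shorewall.conf.xml (@@ -452,6 +454,21 @@) documents the default as No, under which Shorewall "will take no action with respect to allowing or disallowing IPv6 traffic", but it does not spell out the consequence: the 4.0 rulesets are IPv4-only, so with the default a dual-stack host is left to whatever ip6tables policy is already in place, which on a stock install accepts everything. Suggest adding one sentence saying so and recommending Yes on hosts that have no separate IPv6 filtering, so administrators do not read "No" as "IPv6 is handled like IPv4".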
@@ -1053,6 +1055,16 @@ SHOREWALL_COMPILER setting in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5) determines the compiler to use.</para> + + <warning> + <para>If you use Shorewall's multi-ISP feature, you are stronly + advised against using the -C option of the + <command>safe-restart</command> command when switching between + Shorewall-shell and Shorewall-perl. The only supported way to + switch compilers is to <command>shorewall stop</command> followed + by <command>shorewall safe-start -C</command> + <replaceable>compiler</replaceable></para> + </warning> </listitem> </varlistentry> @@ -1091,6 +1103,16 @@ SHOREWALL_COMPILER setting in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5) determines the compiler to use.</para> + + <warning> + <para>If you use Shorewall's multi-ISP feature, you are stronly + advised against using the -C option of the + <command>safe-restart</command> command when switching between + Shorewall-shell and Shorewall-perl. The only supported way to + switch compilers is to <command>shorewall stop</command> followed + by <command>shorewall safe-start -C</command> + <replaceable>compiler</replaceable></para> + </warning> </listitem> </varlistentry> Property changes on: manpages ___________________________________________________________________ Name: svn:mergeinfo -
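Review bot: "stronly" should be "strongly" in both new <warning> blocks in shorewall.xml (@@ -1053,6 +1055,16 @@ and @@ -1091,6 +1103,16 @@). The two blocks are verbatim copies; consider a single entity or an <xref> so the wording cannot drift between the two command descriptions, and end the final <para> with a full stop after <replaceable>compiler</replaceable> for consistency with the surrounding text.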
Index: Shorewall-perl/Shorewall/Config.pm =================================================================== --- Shorewall-perl/Shorewall/Config.pm (revision 8952) +++ Shorewall-perl/Shorewall/Config.pm (revision 8953) @@ -1407,7 +1407,7 @@ $capabilities{XCONNMARK_MATCH} = qt1( "$iptables -A $sillyname -m connmark --mark 2/0xFF -j ACCEPT" ); } - $capabilities{IPP2P_MATCH} = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --ipp2p -j ACCEPT" ); + $capabilities{IPP2P_MATCH} = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --edk -j ACCEPT" ); $capabilities{LENGTH_MATCH} = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" ); $capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp-host-prohibited" ); $capabilities{COMMENTS} = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) ); Index: Shorewall-common/changelog.txt =================================================================== --- Shorewall-common/changelog.txt (revision 8952) +++ Shorewall-common/changelog.txt (revision 8953) @@ -11,6 +11,8 @@ 5) Fix nonat rules with destination IP address. +6) Change ipp2p detection to support latest version. + Changes in 4.0.14 1) Fix handling of 'all-' in shorewall-shell. Index: Shorewall-common/releasenotes.txt =================================================================== --- Shorewall-common/releasenotes.txt (revision 8952) +++ Shorewall-common/releasenotes.txt (revision 8953) 
@@ -51,6 +51,14 @@ reject the rule. If a zone name was specified, Shorewall-perl would issue a Warning message. +3) Following the Netfilter tradition, the IPP2P maintainer has made an + incompatible syntax change (the --ipp2p option has been + removed). Shorewall has always used "-m ipp2p --ipp2p" when + detecting the presence of IPP2P support. + + Shorewall-common and Shorewall-perl have been modified to use + "-m ipp2p --edk" instead. + Known Problems Remaining. 1) The 'refresh' command doesn't refresh the mangle table. So changes Index: Shorewall-common/lib.base =================================================================== --- Shorewall-common/lib.base (revision 8952) +++ Shorewall-common/lib.base (revision 8953) @@ -1062,7 +1062,7 @@ qt $IPTABLES -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes fi - qt $IPTABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && IPP2P_MATCH=Yes + qt $IPTABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT && IPP2P_MATCH=Yes qt $IPTABLES -A $chain -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes qt $IPTABLES -A $chain -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
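Review bot: the Config.pm hunk (@@ -1407,7 +1407,7 @@) and the matching lib.base hunk change only the detection probe from '-m ipp2p --ipp2p' to '-m ipp2p --edk'; nothing in ipp2p.diff touches the code that generates rules for the ipp2p PROTO keyword. If that code still emits '--ipp2p', then on a system with the new module IPP2P_MATCH will report Yes while every compiled ipp2p rule fails at iptables-restore time, which is worse than the previous clean failure of the probe. Please confirm rule generation was updated for the removed option, or say in the release notes which ipp2p keyword forms still work with the new module.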
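Review bot: the new item 3 in releasenotes.txt (@@ -51,6 +51,14 @@) explains why the probe moved to '--edk' but leaves two things unsaid that administrators need: first, whether '--edk' is also accepted by older ipp2p builds (the entry only says '--ipp2p' was removed), so readers know detection keeps working on systems that have not updated the module; second, that the SHOREWALL_CAPVERSION bump in lib.base means Shorewall-lite hosts must regenerate their capabilities files before the new probe has any effect. One sentence on each would make this the complete note that the changelog.txt line "Change ipp2p detection to support latest version" points at.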