diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm index 0c8990cae..549687c91 100644 --- a/Shorewall/Perl/Shorewall/Nat.pm +++ b/Shorewall/Perl/Shorewall/Nat.pm @@ -115,7 +115,7 @@ sub do_ipsec_options($) # sub process_one_masq( ) { - my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark ) = split_line1 2, 7, 'masq file'; + my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = split_line1 2, 8, 'masq file'; if ( $interfacelist eq 'COMMENT' ) { process_comment; @@ -183,6 +183,7 @@ sub process_one_masq( ) # Handle Mark # $baserule .= do_test( $mark, 0xFF) if $mark ne '-'; + $baserule .= do_user( $user ) if $user ne '-'; for my $fullinterface (split_list $interfacelist, 'interface' ) { my $rule = ''; diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index b824d79ab..c39f6dc34 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -18,6 +18,8 @@ Changes in Shorewall 4.4.0-Beta2 7) Add 'iptrace' and 'noiptrace' command. +8) Add 'USER/GROUP' column to masq file. + Changes in Shorewall 4.4.0-Beta1 1) Correct typo in Shorewall6 two-interface sample shorewall.conf. diff --git a/Shorewall/configfiles/masq b/Shorewall/configfiles/masq index 9b4f38dd1..c045d8170 100644 --- a/Shorewall/configfiles/masq +++ b/Shorewall/configfiles/masq @@ -7,5 +7,6 @@ # http://www.shorewall.net/manpages/shorewall-masq.html # ############################################################################### -#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK +#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ +# GROUP #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 8d42aa75a..5e8a9893e 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
@@ -175,6 +175,10 @@ None. To turn that trace off: shorewall noiptrace -d 206.124.146.176 + +3) A USER/GROUP column has been added to /etc/shorewall/masq. The + column works similarly to USER/GROUP columns in other Shorewall + configuration files. Only locally-generated traffic is matched. ---------------------------------------------------------------------------- N E W F E A T U R E S IN 4 . 4 diff --git a/manpages/shorewall-masq.xml b/manpages/shorewall-masq.xml index ad9c2a78f..b763a36e6 100644 --- a/manpages/shorewall-masq.xml +++ b/manpages/shorewall-masq.xml @@ -386,6 +386,67 @@ + + + USER/GROUP (Optional) - + [!][user-name-or-number][:group-name-or-number][+program-name] + + + Only locally-generated connections will match if this column + is non-empty. + + When this column is non-empty, the rule applies only if the + program generating the output is running under the effective + user and/or group + specified (or is NOT running under that id if "!" is given). + + Examples: + + + + joe + + + program must be run by joe + + + + + :kids + + + program must be run by a member of the 'kids' + group + + + + + !:kids + + + program must not be run by a member of the 'kids' + group + + + + + +upnpd + + + #program named upnpd + + + The ability to specify a program name was removed from + Netfilter in kernel version 2.6.14. + + + + + + diff --git a/web/News.htm b/web/News.htm index b9cc43bce..7e8f69dae 100644 --- a/web/News.htm +++ b/web/News.htm @@ -23,9 +23,13 @@ license is included in the section entitled GNU Free Documentation License".

-

June 14, 2009
+

June 18, 2009


+

2009-06-18 Shorewall 4.2.10
+

+
Problems corrected in Shorewall 4.2.10

1) A 'large quantum' warning log message during restart has been
eliminated. The log message occurred when an interface with a large
OUT-BANDWIDTH was defined in /etc/shorewall/tcdevices.

2) When a REJECT rule included a log entry, the disposition in the log
message was incorrectly shown as 'reject' rather than 'REJECT'.

3) When 'forward' was specified on one or more interfaces in
/etc/shorewall6/interfaces, the progress message "Compiling
Interface forwarding..." was issued multiple times. Now, only one
instance of the message is generated.

4) A typing error in the IPv6 two-interface sample shorewall6.conf
file has been corrected. This error prevented the compiler from
being able to find macros in /usr/share/shorewall/.

Known Problems Remaining:

1) When exclusion is used in an entry in /etc/shorewall/hosts, then
Shorewall-shell produces an invalid iptables rule if any of the
following OPTIONS are also specified in the entry:

blacklist
maclist
norfc1918
tcpflags

2) Shorewall-shell generates inversion rules which produce
warnings with iptables 1.4.3.

Example:

iptables -A lan2fw -p 6 --dport 999 -s ! 192.168.20.1 -j ACCEPT

with iptables 1.4.3.1 the following information message is produced:

Using intrapositioned negation (`--option ! this`) is deprecated in
favor of extrapositioned (`! --option this`).

We don't intend to fix this. It's time to migrate to Shorewall-perl
anyway.

New Features in Shorewall 4.2.10

1) Shorewall's suppport for dynamic gateways on interfaces managed by
dhclient works on OpenSuSE systems but not on some other
distributions.

In order to generalize support for learning the gateway for dynamic
interfaces, a new 'findgw' extension script (user exit) has been
added.

The exit will be invoked in a function that has a single argument:

$1 = <name of an interface>

If the function can determine the gateway for the passed interface,
it should write the gateway to standard out. Here is a sample
/etc/shorewall/findgw that works with dhclient (dhcp3) in Debian
Lenny:

if [ -f /var/lib/dhcp3/dhclient.${1}.leases ]; then
grep 'option routers' /var/lib/dhcp3/dhclient.${1}.leases |\
tail -n 1 |\
while read j1 j2 gateway; do\
echo $gateway | sed 's/;//';\
done
fi

The same code works on Ubuntu Jaunty if you replace the first '.'
with '-' and replace '.leases' with '.lease' (don't you just love
the consistency between distributions?).

That code also works on CentOS if you replace 'dhcp3' by
'dhclient'.

'findgw' files that have been customized for various distributions
may be found at
http://www.shorewall.net/pub/shorewall/contrib/findgw.
+

2009-06-13 Shorewall 4.4.0 Beta 1

Read the details at http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta1/releasenotes.txt
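Review bot: typo "suppport" in item 1 of "New Features in Shorewall 4.2.10" in the added News.htm entry (should read "support"). In the sample /etc/shorewall/findgw in the same item, the trailing backslashes after `do\` and after `echo $gateway | sed 's/;//';\` are unnecessary inside a while-loop body (a newline already separates the commands) and make the snippet harder to copy correctly; `$gateway` should also be quoted in the echo. Since this text mirrors the 4.2.10 release notes, the same fixes belong there.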
diff --git a/web/shorewall_index.htm b/web/shorewall_index.htm index cc5c255e7..4e2c97adb 100644 --- a/web/shorewall_index.htm +++ b/web/shorewall_index.htm @@ -47,7 +47,7 @@ -
2009-06-17
+
2009-06-18

Attention Shorewall-shell users

Current Shorewall Releases

@@ -60,13 +60,13 @@ Stable Release
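Review bot: in the first Nat.pm hunk, `split_line1 2, 8, 'masq file'` raises the maximum column count from 7 to 8 while the minimum stays 2, which is right for an optional column; the later `$user ne '-'` test then depends on split_line1 padding an absent trailing column with '-'. A short comment at the split noting that the new column is optional and defaults to '-' would make that dependency visible.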
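Review bot: in the second Nat.pm hunk, `$baserule .= do_user( $user ) if $user ne '-';` attaches an owner match to a nat-table masq rule, so an entry with a non-empty USER/GROUP can only ever match locally generated traffic and will silently never apply to forwarded traffic from the SOURCE network. The man page and release notes in this patch state that, but the code adds no comment or warning; mirror the "# Handle Mark" comment with a "# Handle User/Group" comment that spells out the locally-generated-only behaviour, and consider a compile-time warning when USER/GROUP is combined with a non-empty SOURCE. Also confirm that do_user is already in Nat.pm's import list, since the hunk adds no `use` change for it.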
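Review bot: in the releasenotes.txt hunk, "works similarly to USER/GROUP columns in other Shorewall configuration files" leaves the reader to find the syntax elsewhere; add a pointer to shorewall-masq(5) and mention that the `+program-name` form is no longer supported by kernels 2.6.14 and later, as the new man page section does.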
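Review bot: in the shorewall-masq.xml hunk, the description of the `+upnpd` example reads `#program named upnpd`; the leading `#` looks like a leftover from a config-file comment and should be dropped, since the other three example descriptions are plain sentences. The paragraph right after it says the program-name match was removed from Netfilter in kernel 2.6.14, so also flag `[+program-name]` as unsupported on current kernels in the syntax line, so readers don't copy an example that cannot work.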
- 4.2.9 + 4.2.10 (includes IPv6 support.) Release + href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.10/releasenotes.txt">Release notes Known + href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.10/known_problems.txt">Known Problems