From 2f7c8f9120fb697d98077bae837a940bbd38d624 Mon Sep 17 00:00:00 2001 From: teastep Date: Sun, 18 Mar 2007 02:53:58 +0000 Subject: [PATCH] Update modules for kernel 2.6.20 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5564 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/changelog.txt | 4 + Shorewall/modules | 27 +++++ Shorewall/releasenotes.txt | 233 ++++++++----------------------------- 3 files changed, 82 insertions(+), 182 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 3a65023cb..f0e7acac7 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -1,3 +1,7 @@ +Changes in 3.4.2 + +1) Update modules file for 2.6.20 module madness. + Changes in 3.4.1 1) Add rest of proxy arp fix. diff --git a/Shorewall/modules b/Shorewall/modules index 962ea8393..7956075e8 100644 --- a/Shorewall/modules +++ b/Shorewall/modules @@ -22,6 +22,8 @@ loadmodule ip_tables loadmodule iptable_filter loadmodule iptable_mangle loadmodule ip_conntrack +loadmodule nf_conntrack +loadmodule nf_conntrack_ipv4 loadmodule iptable_nat loadmodule xt_state loadmodule xt_tcpudp @@ -33,12 +35,14 @@ loadmodule xt_connmark loadmodule xt_CONNMARK loadmodule xt_conntrack loadmodule xt_dccp +loadmodule xt_hashlimit loadmodule xt_helper loadmodule xt_length loadmodule xt_limit loadmodule xt_mac loadmodule xt_mark loadmodule xt_MARK +loadmodule xt_NFLOG loadmodule xt_NFQUEUE loadmodule xt_physdev loadmodule xt_pkttype 
@@ -68,6 +72,29 @@ loadmodule ip_set_ipmap loadmodule ip_set_macipmap loadmodule ip_set_portmap # +# 2.6.20+ helpers +# +loadmodule nf_conntrack_ftp +loadmodule nf_conntrack_h323 +loadmodule nf_conntrack_irc +loadmodule nf_conntrack_netbios_ns +loadmodule nf_conntrack_netlink +loadmodule nf_conntrack_pptp +loadmodule nf_conntrack_proto_gre +loadmodule nf_conntrack_proto_sctp +loadmodule nf_conntrack_sip +loadmodule nf_conntrack_tftp +loadmodule nf_nat_amanda +loadmodule nf_nat_ftp +loadmodule nf_nat_h323 +loadmodule nf_nat_irc +loadmodule nf_nat +loadmodule nf_nat_pptp +loadmodule nf_nat_proto_gre +loadmodule nf_nat_sip +loadmodule nf_nat_snmp_basic +loadmodule nf_nat_tftp +# # Traffic Shaping # loadmodule sch_sfq diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 7822c0281..1a24baf17 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -1,4 +1,4 @@ -Shorewall 3.4.1 +Shorewall 3.4.2 Release Highlights 
@@ -28,66 +28,10 @@ Release Highlights /etc/shorewall/route_rules and reverses those changes when appropriate. -Problems Corrected in 3.4.1 +Problems corrected in Shorewall 3.4.2 -1) The "shorewall-[lite] [re]start and stop" commands reset the - proxy_arp flag on all interfaces on the system making it impossible - to control proxy arp manually with Shorewall installed. There was a - partial fix included in 3.4.0; unfortunately, it did not correct the - problem completely. Shorewall 3.4.1 includes the rest of the change - necessarey to only clear proxy arp if there were entries in - /etc/shorewall/proxyarp the last time that Shorewall was - [re]started. - -2) If the log-prefix in a log message exceeded 29 characters, - 'shorewall restart' fails with 'truncate: command not found' and a - possible segmentation fault in iptables. - -3) Log messages specifying a log tag had two spaces appended to the - log prefix. This could cause mysterious "log-prefix truncated" - messages. - -4) When nested zones were defined in the /etc/shorewall/zones file and - IMPLICIT_CONTINUE=Yes was given in /etc/shorewall/shorewall.conf, - shell error messages ( usually ': not found' ) during - compilation resulted. - -5) Use of CONTINUE policies lead to startup errors with a message - such as the following: - - Applying Policies... - iptables v1.3.7: Couldn't load target - `CONTINUE':/usr/local/lib/iptables/libipt_CONTINUE.so: cannot open - shared object file: No such file or directory - - Try `iptables -h' or 'iptables --help' for more information. - - ERROR: Command "/sbin/iptables -A net2c148 -j CONTINUE" - Failed - -6) If there were hosts defined as 'critical' in - /etc/shorewall/routestopped then problems occured in two cases: - - i) On a Shorewall Lite system when 'shorewall stop' or 'shorewall - clear' was issued. 
- - ii) On Shorewall or Shorewall lite system when 'start' or 'restart' - failed during execution of the compiled script and there was no saved - configuration ('shorewall[-lite] save' has not been issued). - - The symptoms were that the following shell messages were issued and - the 'critical' hosts were not enabled: - - /var/lib/shorewall/.start: line nnn: source_ip_range: command not found - /var/lib/shorewall/.start: line nnm: dest_ip_range: command not found - -Other changes in 3.4.1 - -1) Several changes are included which allow testing of experimental - versions of Shorewall on systems with 3.4.1 and later 3.4 releases - installed. Among these changes is the detection and reporting of - "Address Type Match" which may be used in future 3.4 releases. - These changes have no effect on normal Shorewall operation. +1) The /usr/share/shorewall[-lite]/modules file has been updated for + kernel 2.6.20. Migration Considerations: 
@@ -732,139 +676,64 @@ New Features in Shorewall 3.4: 3.2.9. It is described here for the benefit of those who did not install that version. -Problems Corrected in 3.4.0 Beta 1. +Problems Corrected in 3.4.1 -1) It is now possible to place entries in the IPSEC column of - /etc/shorewall/masq without having specified ipsec zones or hosts. +1) The "shorewall-[lite] [re]start and stop" commands reset the + proxy_arp flag on all interfaces on the system making it impossible + to control proxy arp manually with Shorewall installed. There was a + partial fix included in 3.4.0; unfortunately, it did not correct the + problem completely. Shorewall 3.4.1 includes the rest of the change + necessarey to only clear proxy arp if there were entries in + /etc/shorewall/proxyarp the last time that Shorewall was + [re]started. -2) The /etc/shorewall/masq file is no longer ignored when the - /etc/shorewall/nat file is empty. +2) If the log-prefix in a log message exceeded 29 characters, + 'shorewall restart' fails with 'truncate: command not found' and a + possible segmentation fault in iptables. -Problems Corrected in 3.4.0 Beta 2 +3) Log messages specifying a log tag had two spaces appended to the + log prefix. This could cause mysterious "log-prefix truncated" + messages. -1) If 'blacklist' was specified on an interface and the - /etc/shorewall/blacklist file was empty, then the generated - firewall script contained a syntax error (the function - load_blacklist() was empty). +4) When nested zones were defined in the /etc/shorewall/zones file and + IMPLICIT_CONTINUE=Yes was given in /etc/shorewall/shorewall.conf, + shell error messages ( usually ': not found' ) during + compilation resulted. -2) If the file /etc/shorewall/init did not exist, then the compiler - would incorrectly copy /usr/share/shorewall/init into the - compiled script. /usr/share/shorewall/init is a symbolic link - to the Shorewall init script (usually /etc/init.d/shorewall). 
+5) Use of CONTINUE policies lead to startup errors with a message + such as the following: -3) To allow Shorewall and Shorewall Lite to coexist on a single - system, the Shorewall section 5 manpages are no longer included in - Shorewall Lite. In addition, the Shorewall Lite manpage for - "shorewall.conf" has been renamed "shorewall-lite.conf". This - has resulted in a similar change to the actual file -- - /etc/shorewall-lite/shorewall.conf has been renamed - /etc/shorewall-lite/shorewall-lite.conf. + Applying Policies... + iptables v1.3.7: Couldn't load target + `CONTINUE':/usr/local/lib/iptables/libipt_CONTINUE.so: cannot open + shared object file: No such file or directory -Problems Corrected in 3.4.0 Beta 3 + Try `iptables -h' or 'iptables --help' for more information. + + ERROR: Command "/sbin/iptables -A net2c148 -j CONTINUE" + Failed -1) Shorewall now supports VLAN interfaces with names of the form - vlan@ethX. +6) If there were hosts defined as 'critical' in + /etc/shorewall/routestopped then problems occured in two cases: -2) Previously, "ipp2p:udp" was incorrectly rejected in the PROTO - column of an action definition. + i) On a Shorewall Lite system when 'shorewall stop' or 'shorewall + clear' was issued. -3) Previously, if an invalid DISPOSITION was specified in a record in - /etc/shorewall/maclist, then a confusing error message would - result. + ii) On Shorewall or Shorewall lite system when 'start' or 'restart' + failed during execution of the compiled script and there was no saved + configuration ('shorewall[-lite] save' has not been issued). 
- Example: + The symptoms were that the following shell messages were issued and + the 'critical' hosts were not enabled: - /etc/shorewall/mac: + /var/lib/shorewall/.start: line nnn: source_ip_range: command not found + /var/lib/shorewall/.start: line nnm: dest_ip_range: command not found + +Other changes in 3.4.1 - ALOW:info eth0 02:0C:03:04:05:06 +1) Several changes are included which allow testing of experimental + versions of Shorewall on systems with 3.4.1 and later 3.4 releases + installed. Among these changes is the detection and reporting of + "Address Type Match" which may be used in future 3.4 releases. + These changes have no effect on normal Shorewall operation. - Error message: - - ERROR: No hosts on ALOW:info have the maclist option specified - - The new error message is: - - ERROR: Invalid DISPOSITION (ALOW:info) in rule "ALOW:info eth0 - 02:0C:03:04:05:06" - -Problems Corrected in 3.4.0 RC1 - -1) While most distributions store the Shorewall Lite compiled program - in /var/lib/shorewall/, Shorewall includes features that allow that - location to be changed on a per-distribution basis. The default for - a particular distribution may be determined by the command - "shorewall[-lite] show config". - - teastep@lists:~/shorewall/trunk$ shorewall show config - Default CONFIG_PATH is /etc/shorewall:/usr/share/shorewall - LITEDIR is /var/lib/shorewall-lite - teastep@lists:~/shorewall/trunk$ - - The LITEDIR setting is the location where the compiled script - should be placed. Unfortunately, the "shorewall [re]load" command - previously used the setting on the administrative system rather - than the one from the firewall system so it was possible for that - command to upload the compiled script to the wrong directory. - - To work around this problem, Shorewall now determines the LITEDIR - setting on the firewall system and uses that setting for uploading - the compiled script and its companion .conf file. 
- -2) Previously, IP ranges and ipset names were handled incorrectly in - the last column of the maclist file with the result that run-time - errors occured. - -3) The Beta3 manpages are sprinked with .html filenames enclosed in - square brackets. - - Example: - - ...set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf - [shorewall.conf.html](5) and have... - - These were generated by elements in the XML source which - were added to provide inter-document links in the HTML rendition of - the manpages. s were previously ignored by the XML->man - conversion tool; unfortunately, the latest release of the tool - no longer ignores these elements but rather produces the ugly - result shown above. - - This problem has been corrected in RC1. - -4) Previously, if "INCLUDE " appeared in - /etc/shorewall/params then run-time errors occurred. - - As part of the fix for this problem, the mechanism by which - /etc/shorewall/params is copied into the compiler output was - changed. As a result, extra white space is removed from the text - during the copy operation so code in /etc/shorewall/params should - not depend on precise white-space, even in quoted strings. - -Other Changes in 3.4.0 RC 1 - -1) A macro that handles SixXS has been contributed by Christian - Roessner. - -Problems Corrected in 3.4.0 RC2 - -1) The new SIP and H323 Netfilter helper modules were not being - automatically loaded by Shorewall. They have now been added to the - /usr/share/shorewall[-lite]/modules files. - -2) It is quite difficult to code a 'params' file that assigns other - than constant values such that it works correctly with Shorewall - Lite. To work around this problem, a new EXPORTPARAMS option - has been added to shorewall.conf. When EXPORTPARAMS=No, the - 'params' file is no longer copied to the compiler output. - - With EXPORTPARAMS=No, if you need to set environmental variables on - the firewall system for use by your extension scripts, then do so - in the init extension script. 
- - The default is EXPORTPARAMS=Yes to retain the current behavior. - - This fix is brought forward from Shorewall version 3.2.9. - -Other Changes in 3.4.0 RC 2 - -None.
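Review bot: The changelog entry in the Shorewall/changelog.txt hunk ("Update modules file for 2.6.20 module madness") should name the actual change rather than characterise it; a reader scanning the changelog cannot tell from it that the nf_conntrack, nf_conntrack_ipv4, xt_hashlimit and xt_NFLOG entries and a new block of nf_conntrack_*/nf_nat_* helper entries were added. Suggest something like "1) Add nf_conntrack/nf_nat module names (kernel 2.6.20) to the modules file."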
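Review bot: In the first Shorewall/modules hunk (@@ -22,6 +22,8 @@), nf_conntrack and nf_conntrack_ipv4 are added directly after ip_conntrack, so the file now asks for both the old and the new connection-tracking stack on every kernel. A given kernel is only going to provide one of the two, so one of these loadmodule lines will always refer to a module that does not exist; please confirm that loadmodule treats a missing module as non-fatal and does not emit a misleading error on every start. It would also help to add a one-line comment above the two new lines (the file already uses "#" comment blocks, as in the "# 2.6.20+ helpers" section) saying that the nf_* names are the 2.6.20 replacements for ip_conntrack.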
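Review bot: In the second Shorewall/modules hunk (@@ -33,12 +35,14 @@), xt_NFLOG is added but the visible hunk adds no entry for nfnetlink_log, which is the module the NFLOG target hands packets to for delivery to userspace; if it is not listed elsewhere in the file, loading xt_NFLOG alone gives a target that installs but logs nothing. Suggest adding "loadmodule nfnetlink_log" next to it (a corresponding check applies to xt_NFQUEUE and nfnetlink_queue on the line below). xt_hashlimit looks fine as long as it sits alongside whatever ipt_hashlimit entry the file already carries for older kernels.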
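Review bot: In the third Shorewall/modules hunk (@@ -68,6 +72,29 @@), "loadmodule nf_nat" is placed after nf_nat_amanda, nf_nat_ftp, nf_nat_h323 and nf_nat_irc, all of which depend on it, and iptable_nat (earlier in the file) also now depends on nf_nat on a 2.6.20 kernel. If loadmodule ever falls back to insmod rather than modprobe, these will fail to load in this order; suggest moving "loadmodule nf_nat" to the top of the nf_nat_* group (or, better, next to nf_conntrack in the earlier hunk, before iptable_nat). Two smaller points: the block comment says "2.6.20+ helpers" but nf_conntrack_netlink is the ctnetlink interface, not a helper, so the comment should say "2.6.20+ conntrack/NAT modules" or similar; and nf_nat_snmp_basic has no matching conntrack-side entry in the list, which is worth a quick check against the kernel's module set.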
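Review bot: In the Shorewall/releasenotes.txt hunk at @@ -28,66 +28,10 @@, the new heading "Problems corrected in Shorewall 3.4.2" does not match the capitalisation of the other headings in the file ("Problems Corrected in 3.4.1", "Other changes in 3.4.1"); suggest "Problems Corrected in 3.4.2". The single item under it ("The /usr/share/shorewall[-lite]/modules file has been updated for kernel 2.6.20") would be more useful to users if it said what was added (the nf_conntrack/nf_nat module names and helpers) and noted that on pre-2.6.20 kernels those entries will simply not load, so that people do not report the resulting messages as a bug.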
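Review bot: The Shorewall/releasenotes.txt hunk at @@ -732,139 +676,64 @@ carries three typos forward in the added lines while it is moving the 3.4.1 text down: "necessarey" (in "the rest of the change necessarey to only clear proxy arp"), "occured" (in "then problems occured in two cases") and "lead to" (in "Use of CONTINUE policies lead to startup errors"), which should read "necessary", "occurred" and "led to". Since the lines are being rewritten anyway this is the moment to fix them. Dropping the 3.4.0 Beta/RC sections is fine, but note that the removed RC2 item was the only place the release notes recorded that the SIP and H323 helper modules were added to the modules file; if that history matters it could be folded into the 3.4.2 note about the modules file.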