mirror of
https://gitlab.com/shorewall/code.git
synced 2025-06-21 02:08:48 +02:00
Update web site for 4.0.4
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7390 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
2bf7abc7b7
commit
3061086483
355
web/News.htm
@ -27,6 +27,361 @@ License</a></span>”.<br>
|
|||||||
<p>August 10, 2007</p>
|
<p>August 10, 2007</p>
|
||||||
<hr style="width: 100%; height: 2px;">
|
<hr style="width: 100%; height: 2px;">
|
||||||
|
|
||||||
|
<p><strong>2007-09-28 Shorewall 4.0.4</strong></p>
|
||||||
|
<pre>Problems Corrected in Shorewall 4.0.4
|
||||||
|
|
||||||
|
1) If no interface had the 'blacklist' option, then when using
|
||||||
|
Shorewall-perl, the 'start' and 'restart' command failed:
|
||||||
|
|
||||||
|
ERROR: No filter chain found with name blacklst
|
||||||
|
|
||||||
|
New Shorewall-perl 4.0.3 packages were released that corrected this
|
||||||
|
problem; it is included here for completeness.
|
||||||
|
|
||||||
|
2) If no interface had the 'blacklist' option, then when using
|
||||||
|
Shorewall-perl, the generated script would issue this harmless
|
||||||
|
message during 'shorewall refresh':
|
||||||
|
|
||||||
|
chainlist_reload: Not found
|
||||||
|
|
||||||
|
3) If /bin/sh was a light-weight shell such as ash or dash, then
|
||||||
|
'shorewall refresh' failed.
|
||||||
|
|
||||||
|
4) During start/restart, the script generated by Shorewall-perl was
|
||||||
|
clearing the proxy_arp flag on all interfaces; that is not the
|
||||||
|
documented behavior.
|
||||||
|
|
||||||
|
5) If the module-init-tools package was not installed and
|
||||||
|
/etc/shorewall/modules did not exist or was non-empty, then
|
||||||
|
Shorewall-perl would fail with the message:
|
||||||
|
|
||||||
|
ERROR: Can't run lsmod : /etc/shorewall/modules (line 0)
|
||||||
|
|
||||||
|
6) Shorewall-perl now makes a compile-time check to insure that
|
||||||
|
iptables-restore exists and is executable. This check is made when
|
||||||
|
the compiler is being run by root and the -e option is not
|
||||||
|
given.
|
||||||
|
|
||||||
|
Note that iptables-restore must reside in the same directory as the
|
||||||
|
iptables executable specified by IPTABLES in shorewall.conf or
|
||||||
|
located by the PATH in the event that IPTABLES is not specified.
|
||||||
|
|
||||||
|
7) When using Shorewall-perl, if an action was invoked with more than
|
||||||
|
10 different combinations of log-levels/tags, some of those
|
||||||
|
invocations would have incorrect logging.
|
||||||
|
|
||||||
|
8) Previously, when 'shorewall restore' was executed, the
|
||||||
|
iptables-restore utility was always located using the PATH setting
|
||||||
|
rather than the IPTABLES setting.
|
||||||
|
|
||||||
|
With Shorewall-perl, the IPTABLES setting is now used to locate
|
||||||
|
this utility during 'restore' as it is during the processing of
|
||||||
|
other commands.
|
||||||
|
|
||||||
|
9) Although the shorewall.conf manpage indicates that the value
|
||||||
|
'internal' is allowed for TC_ENABLED, that value was previously
|
||||||
|
rejected ('Internal' was accepted).
|
||||||
|
|
||||||
|
10) The meaning of the 'loose' provider option was accidentally reversed
|
||||||
|
in Shorewall-perl. Rather than causing certain routing rules to be
|
||||||
|
omitted when specified, it actually caused them to be added (these
|
||||||
|
rules were omitted when the option was NOT specified).
|
||||||
|
|
||||||
|
11) If the 'bridge' option was specified on an interface but there were
|
||||||
|
no bport zones, then traffic originating on the firewall was not
|
||||||
|
passed through the accounting chain.
|
||||||
|
|
||||||
|
12) In commands such as:
|
||||||
|
|
||||||
|
shorewall compile <directory>
|
||||||
|
shorewall restart <directory>
|
||||||
|
shorewall check <directory>
|
||||||
|
|
||||||
|
if the name of the <directory> contained a period ("."), then
|
||||||
|
Shorewall-perl would incorrectly substitute the current working
|
||||||
|
directory for the name.
|
||||||
|
|
||||||
|
13) Previously, if the following sequence of routing rules was
|
||||||
|
specified, then the first rule would always be omitted.
|
||||||
|
|
||||||
|
#SOURCE DEST PROVIDER PRIORITY
|
||||||
|
$SRC_A $DESTIP1 ISP1 1000
|
||||||
|
$SRC_A $DESTIP2 SOMEISP 1000
|
||||||
|
$SRC_A - ISP2 1000
|
||||||
|
|
||||||
|
The reason for this omission was that Shorewall uses a
|
||||||
|
delete-before-add approach and attempting to delete the third rule
|
||||||
|
resulted in the deletion of the first one instead.
|
||||||
|
|
||||||
|
This problem occurred with both compilers.
|
||||||
|
|
||||||
|
14) When using Shorewall-shell, provider numbers were not recognized in
|
||||||
|
the PROVIDER column of /etc/shorewall/route_rules.
|
||||||
|
|
||||||
|
15) An off-by-one problem in Shorewall-perl caused the value 255 to be
|
||||||
|
rejected in the MARK column of /etc/shorewall/tcclasses.
|
||||||
|
|
||||||
|
16) When HIGH_ROUTE_MARKS=Yes, marks with values > 255 must be a
|
||||||
|
multiple of 256. That restriction was being enforced by
|
||||||
|
Shorewall-shell but not by Shorewall-perl. Shorewall-perl now also
|
||||||
|
enforces this restriction.
|
||||||
|
|
||||||
|
17) Using REDIRECT with a parameterized macro (e.g., DNS/REDIRECT)
|
||||||
|
failed with an "Unknown interface" error when using Shorewall-perl.
|
||||||
|
|
||||||
|
Other Changes in Shorewall 4.0.4
|
||||||
|
|
||||||
|
1) The detection of 'Repeat Match' has been improved. 'Repeat Match'
|
||||||
|
is not a match at all but rather is a feature of recent versions of
|
||||||
|
iptables that allows a particular match to be used multiple times
|
||||||
|
within a single rule.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
-A foo -m physdev --physdev-in eth0 -m physdev --physdev-out ...
|
||||||
|
|
||||||
|
When using Shorewall-shell, the availability of 'Repeat Match' can
|
||||||
|
speed up compilation very slightly.
|
||||||
|
|
||||||
|
2) Apparently recent Fedora releases are broken. The
|
||||||
|
following sequence of commands demonstrates the problem:
|
||||||
|
|
||||||
|
ip rule add from 1.1.1.1 to 10.0.0.0/8 priority 1000 table 5
|
||||||
|
ip rule add from 1.1.1.1 to 0.0.0.0/0 priority 1000 table main
|
||||||
|
ip rule del from 1.1.1.1 to 0.0.0.0/0 priority 1000
|
||||||
|
|
||||||
|
The third command should fail but doesn't; instead, it incorrectly
|
||||||
|
removes the rule added by the first command.
|
||||||
|
To work around this issue, you can set DELETE_THEN_ADD=No in
|
||||||
|
shorewall.conf which prevents Shorewall from deleting ip rules
|
||||||
|
before attempting to add a similar rule.
|
||||||
|
|
||||||
|
3) When using Shorewall-perl, the following message is now issued if
|
||||||
|
the 'detectnets' option is specified in /etc/shorewall/interfaces:
|
||||||
|
|
||||||
|
WARNING: Support for the 'detectnets' option will be removed from
|
||||||
|
Shorewall-perl in version 4.0.5; better to use 'routefilter' and
|
||||||
|
'logmartians
|
||||||
|
|
||||||
|
The 'detect' options has always been rather silly. On input, it
|
||||||
|
duplicates the function of 'routefilter'. On output, it is a no-op
|
||||||
|
since traffic that doesn't match a route out of an interface won't
|
||||||
|
be sent through that interface (duh!).
|
||||||
|
|
||||||
|
Beginning with Shorewall 4.0.5, the warning message will read:
|
||||||
|
|
||||||
|
WARNING: Support for the 'detectnets' option has been removed</pre>
|
||||||
|
<hr>
|
||||||
|
|
||||||
|
<p><strong>2007-09-01 Shorewall 4.0.3</strong></p>
|
||||||
|
<pre>Problems Corrected in 4.0.3
|
||||||
|
|
||||||
|
1) Using the LOG target in the rules file could result in two LOG
|
||||||
|
rules being generated by Shorewall-shell. Additionally, using an IP
|
||||||
|
address range in a rule that performed logging could result in an
|
||||||
|
invalid iptables command.
|
||||||
|
|
||||||
|
2) Shorewall now loads the act_police kernel module needed by traffic
|
||||||
|
shaping.
|
||||||
|
|
||||||
|
3) Previously, "shorewall show -f capabilities" and "shorecap" omitted
|
||||||
|
the "TCPMSS Match" capability. This made it appear to a compiler
|
||||||
|
using a capabilities file that the TCPMSS Match capability was not
|
||||||
|
available.
|
||||||
|
|
||||||
|
4) Previously, Shorewall would truncate long log prefixes to 29
|
||||||
|
characters. This resulted in there being no space between the log
|
||||||
|
prefix and the IN= part of the message.
|
||||||
|
|
||||||
|
Example: fw2net:LOG:HTTPSoutIN= OUT=eth0
|
||||||
|
|
||||||
|
Beginning with this release, Shorewall will truncate the prefix to
|
||||||
|
28 bytes and add a trailing space.
|
||||||
|
|
||||||
|
Example: fw2net:LOG:HTTPSou IN= OUT=eth0
|
||||||
|
|
||||||
|
5) Previously, if:
|
||||||
|
|
||||||
|
- FASTACCEPT=No
|
||||||
|
- The policy from Z1 to Z2 was CONTINUE
|
||||||
|
- Neither Z1 nor Z2 had parent zones
|
||||||
|
- There were no Z1->Z2 rules
|
||||||
|
|
||||||
|
then connections from Z2->Z1 would fail even if there were
|
||||||
|
rules/policies allowing them. This has been
|
||||||
|
corrected.
|
||||||
|
|
||||||
|
6) The 'shorewall add' and 'shorewall delete' command would fail when:
|
||||||
|
|
||||||
|
- The running configuration was compiled with Shorewall-perl.
|
||||||
|
- The name of the interface specified in the command contained an
|
||||||
|
embedded special character such as '.' or '-'.
|
||||||
|
|
||||||
|
This problem was the result of the change in Shorewall 4.0.2 that
|
||||||
|
removed the legacy mapping of interface names when embedding such
|
||||||
|
names in a Netfilter chain name. To correct the problem, the
|
||||||
|
pre-4.0.2 name mapping is restored when DYNAMIC_ZONES=Yes.
|
||||||
|
|
||||||
|
5) A bug in Shorewall-shell prevented proper handling of PREROUTING
|
||||||
|
marks when HIGH_ROUTE_MARKS=No and the track option was specified
|
||||||
|
in /etc/shorewall/providers.
|
||||||
|
|
||||||
|
6) With Shorewall-perl, if EXPORTPARAMS=Yes then INCLUDE directives in
|
||||||
|
the params file would fail at script execution time with "INCLUDE:
|
||||||
|
not found". This has been corrected.
|
||||||
|
|
||||||
|
7) Shorewall-perl was mis-sorting the zone list when zones were nested
|
||||||
|
more than one deep.
|
||||||
|
|
||||||
|
8) Stale references to http://www.shorewall.net/Documentation.htm have
|
||||||
|
been removed from the config files (including samples). That URL
|
||||||
|
has been replaced by the online manpages.
|
||||||
|
|
||||||
|
Other Changes in 4.0.3
|
||||||
|
|
||||||
|
1) A script generated by Shorewall-perl now tries to modify/restore
|
||||||
|
/etc/iproute2/rt_tables only if the file is writable. This prevents
|
||||||
|
run-time errors when /etc is mounted read-only.
|
||||||
|
|
||||||
|
A new KEEP_RT_TABLES option has been added to shorewall.conf. When
|
||||||
|
set to Yes, this option prevents Shorewall from altering the
|
||||||
|
/etc/iproute2/rt_tables database. The KEEP_RT_TABLES option is only
|
||||||
|
recognized by Shorewall-perl and is ignored by Shorewall-shell.
|
||||||
|
|
||||||
|
2) Shorewall-perl now requires the FindBin Perl module.
|
||||||
|
|
||||||
|
3) When an optional provider is not available, a script generated by
|
||||||
|
Shorewall-perl will no longer add the corresponding
|
||||||
|
routing rules.
|
||||||
|
|
||||||
|
4) A new 'isusable' extension script has been added. This script
|
||||||
|
allows you to extend the availability test that Shorewall performs
|
||||||
|
on optional providers.
|
||||||
|
|
||||||
|
Here's an example that uses ping to ensure that the default
|
||||||
|
gateways through eth0 and eth1 are reachable:
|
||||||
|
|
||||||
|
case $1 in
|
||||||
|
eth0)
|
||||||
|
ping -c 4 -I eth0 206.124.146.254 > /dev/null 2>&1
|
||||||
|
return
|
||||||
|
;;
|
||||||
|
eth1)
|
||||||
|
ping -c 4 -I eth1 192.168.12.254 > /dev/null 2>&1
|
||||||
|
return
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
# Assume we don't need to do any additional testing
|
||||||
|
# for this interface beyond Shorewall's
|
||||||
|
return 0
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
Additional information is available at
|
||||||
|
http://www.shorewall.net/shorewall_extension_scripts.htm.
|
||||||
|
|
||||||
|
5) Processing of the message log in the 'show log', 'logwatch' and
|
||||||
|
'dump' commands has been speeded up thanks to a suggestion by
|
||||||
|
Andrew Suffield.
|
||||||
|
|
||||||
|
6) Beginning with Shorewall 4.0, the shorewall 'stop', and 'clear'
|
||||||
|
commands were processed by the generated script from the
|
||||||
|
last successful 'start', 'restart' or 'refresh' command. This had
|
||||||
|
the side effect that updates to the /etc/shorewall/routestopped
|
||||||
|
file did not take effect until one of those three commands was
|
||||||
|
successfully processed.
|
||||||
|
|
||||||
|
Beginning with Shorewall 4.0.3, the old 3.x behavior is restored as
|
||||||
|
the default and the 4.0 behavior is enabled using the '-f' command
|
||||||
|
option.
|
||||||
|
|
||||||
|
Example: shorewall stop -f
|
||||||
|
|
||||||
|
is only recognized by Shorewall-perl and causes Shorewall to set
|
||||||
|
the MSS field in forwarded TCP SYN packets going in or out the
|
||||||
|
interface to the value that you specify.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
|
vpn ppp0 - mss=1400
|
||||||
|
|
||||||
|
The mss option only affects incoming traffic that has not been
|
||||||
|
decrypted by IPSEC and outgoing traffic that will not subsequently
|
||||||
|
be encrypted by IPSEC. The MSS for IPSEC traffic is managed by the
|
||||||
|
'mss' option in /etc/shorewall/zones.
|
||||||
|
|
||||||
|
8) Shorewall now detects the presence of the 'hashlimit match'
|
||||||
|
capability. There is no builtin support yet for hashlimit but
|
||||||
|
detection allows extension scripts for user-supplied actions to
|
||||||
|
determine if the capability exists.
|
||||||
|
|
||||||
|
With Shorewall-shell, $HASHLIMIT_MATCH will be non-empty if the
|
||||||
|
capability exists.
|
||||||
|
|
||||||
|
With Shorewall-perl, $capabilities{HASHLIMIT_MATCH} will be true in
|
||||||
|
a boolean context if the capability exists. Shorewall-perl users
|
||||||
|
may also code the following in their extension script:
|
||||||
|
|
||||||
|
use Shorewall::Config;
|
||||||
|
|
||||||
|
require_capability( 'HASHLIMIT_MATCH', #Capability
|
||||||
|
'My hashlimit action' , #Feature requiring
|
||||||
|
#capability
|
||||||
|
's' ); #Feature is singular
|
||||||
|
#(if plural, pass the
|
||||||
|
empty string)
|
||||||
|
|
||||||
|
That call would procduce the following fatal error if the
|
||||||
|
capability isn't available:
|
||||||
|
|
||||||
|
ERROR: My hashlimit action requires the Hashlimit match capability
|
||||||
|
in your kernel and iptables
|
||||||
|
|
||||||
|
9) NFQUEUE support has been added to Shorewall-perl.
|
||||||
|
|
||||||
|
NFQUEUE may appear in actions, macros, rules and as a policy.
|
||||||
|
When NFQUEUE is used by itself, queue number zero is assumed. To
|
||||||
|
specify a queue number, follow NFQUEUE by a slash ("/") and the
|
||||||
|
queue number.
|
||||||
|
|
||||||
|
Examples (/etc/shorewall/rules):
|
||||||
|
|
||||||
|
NFQUEUE loc net tcp #Queue number 0
|
||||||
|
NFQUEUE/22 loc net udp #Queue number 22
|
||||||
|
NFQUEUE/22:info loc net gre #With logging
|
||||||
|
|
||||||
|
An NFQUEUE_DEFAULT option has been added to shorewall.conf for
|
||||||
|
specifying the default action to use with NFQUEUE policies.
|
||||||
|
|
||||||
|
Use of NFQUEUE requires the NFQUEUE Target capability in your
|
||||||
|
kernel/iptables. If you intend to use NFQUEUE with Shorewall-lite,
|
||||||
|
then you must install Shorewall-lite 4.0.3 in order to build a
|
||||||
|
capabilities file that includes NFQUEUE Target. If your
|
||||||
|
capabilities file was generated by a Shorewall/Shorewall-lite
|
||||||
|
version earlier that 4.0.3, you will receive a warning during
|
||||||
|
compilation.
|
||||||
|
|
||||||
|
10) The 'refresh' command can now refresh chains other than 'blacklst'.
|
||||||
|
|
||||||
|
The syntax of the command is now:
|
||||||
|
|
||||||
|
shorewall refresh [ <chain> ... ]
|
||||||
|
|
||||||
|
If no <chain> is given then 'blacklst' is assumed. Otherwise, the
|
||||||
|
Shorewall-perl compiler compiles a script whose 'refresh' command
|
||||||
|
refreshes the listed <chain>(s).
|
||||||
|
|
||||||
|
The listed chains are assumed to be in the filter table. You can
|
||||||
|
refresh chains in other tables by prefixing the chain name with the
|
||||||
|
table name followed by ":" (e.g., nat:net_dnat). Chain names which
|
||||||
|
follow are assumed to be in that table until the end of the list or
|
||||||
|
until an entry in the list names another table.
|
||||||
|
|
||||||
|
This feature requires Shorewall-perl 4.0.3 as well as
|
||||||
|
Shorewall-common 4.0.3.</pre>
|
||||||
|
<hr>
|
||||||
|
|
||||||
<p><strong>2007-08-19 Shorewall 3.4.6</strong></p>
|
<p><strong>2007-08-19 Shorewall 3.4.6</strong></p>
|
||||||
<pre>Problems Corrected in 3.4.6.
|
<pre>Problems Corrected in 3.4.6.
|
||||||
|
|
||||||
|
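Review bot: the added 4.0.3 section has broken list numbering and a missing item header. Under "Problems Corrected in 4.0.3" the list runs 1) through 6) and then restarts with '5) A bug in Shorewall-shell prevented proper handling of PREROUTING' followed by another 6), 7) and 8), so those four items should be renumbered 7) through 10). Under "Other Changes in 4.0.3" the paragraph beginning 'is only recognized by Shorewall-perl and causes Shorewall to set' follows directly after "Example: shorewall stop -f" with no 7) line introducing the interfaces-file option it describes (the "vpn ppp0 - mss=1400" example and the later "The mss option only affects incoming traffic" paragraph show it is the mss option), so the list jumps from 6) to 8); please restore that header before this goes on the site. Smaller fixes in the same hunk: the quoted warning under 4.0.4 "Other Changes" item 3 is missing its closing quote after 'logmartians, "The 'detect' options has always been rather silly" should read "The 'detectnets' option has always been", "procduce" should be "produce", "version earlier that 4.0.3" should be "earlier than 4.0.3", and the 4.0.3 heading "Problems Corrected in 4.0.3" should match the 4.0.4 form "Problems Corrected in Shorewall 4.0.3".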
@ -21,7 +21,7 @@ Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the
|
|||||||
license is included in the section entitled “<a href="GnuCopyright.htm"
|
license is included in the section entitled “<a href="GnuCopyright.htm"
|
||||||
target="_self">GNU Free Documentation License</a>”.</p>
|
target="_self">GNU Free Documentation License</a>”.</p>
|
||||||
|
|
||||||
<p>2007-09-01</p>
|
<p>2007-09-28</p>
|
||||||
<hr style="width: 100%; height: 2px;">
|
<hr style="width: 100%; height: 2px;">
|
||||||
|
|
||||||
<h2>Table of Contents</h2>
|
<h2>Table of Contents</h2>
|
||||||
@ -105,17 +105,17 @@ Features page</a>.<br>
|
|||||||
<h3><a name="Releases"></a>Current Shorewall Releases</h3>
|
<h3><a name="Releases"></a>Current Shorewall Releases</h3>
|
||||||
|
|
||||||
<p style="margin-left: 40px;">The <span style="font-weight: bold;">current
|
<p style="margin-left: 40px;">The <span style="font-weight: bold;">current
|
||||||
Stable Release</span> version is 4.0.3<br>
|
Stable Release</span> version is 4.0.4<br>
|
||||||
</p>
|
</p>
|
||||||
<ul style="margin-left: 40px;">
|
<ul style="margin-left: 40px;">
|
||||||
<li>Here are the <a
|
<li>Here are the <a
|
||||||
href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.3/releasenotes.txt">release
|
href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.4/releasenotes.txt">release
|
||||||
notes</a> <br>
|
notes</a> <br>
|
||||||
</li>
|
</li>
|
||||||
<li>Here are the <a
|
<li>Here are the <a
|
||||||
href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.3/known_problems.txt">known
|
href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.4/known_problems.txt">known
|
||||||
problems</a> and <a
|
problems</a> and <a
|
||||||
href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.3/errata/">updates</a>.
|
href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.4/errata/">updates</a>.
|
||||||
<p>Read more about the <a href="Shorewall-4.html">Release here</a>.<br>
|
<p>Read more about the <a href="Shorewall-4.html">Release here</a>.<br>
|
||||||
</p>
|
</p>
|
||||||
</li>
|
</li>
|
||||||
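Review bot: the three links in this hunk now point at shorewall-4.0.4/releasenotes.txt, shorewall-4.0.4/known_problems.txt and shorewall-4.0.4/errata/ under http://www1.shorewall.net/pub/shorewall/4.0/, and since this commit is the web-site update for a release being published at the same time, confirm those paths exist on www1 before the page goes live; otherwise the "release notes", "known problems" and "updates" links 404 until the release directory is uploaded. The version string is also repeated four times in this hunk (once in the prose, three times in URLs), which is how a future release update ends up with one stale link; a single substituted variable or a relative "current release" directory would remove that hazard.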
@ -169,7 +169,8 @@ General Public License for more detail.</p>
|
|||||||
|
|
||||||
<p style="margin-left: 0.42in;">You should have received a copy of the GNU
|
<p style="margin-left: 0.42in;">You should have received a copy of the GNU
|
||||||
General Public License along with this program; if not, write to the Free
|
General Public License along with this program; if not, write to the Free
|
||||||
Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.</p>
|
Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
||||||
|
02110-1301 USA.</p>
|
||||||
|
|
||||||
<p style="margin-left: 0.42in;">Permission is granted to copy, distribute
|
<p style="margin-left: 0.42in;">Permission is granted to copy, distribute
|
||||||
and/or modify this document under the terms of the GNU Free Documentation
|
and/or modify this document under the terms of the GNU Free Documentation
|
||||||
|
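Review bot: this hunk only re-wraps the FSF address, so that 'Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA' now breaks before '02110-1301 USA.</p>'; the rendered text is unchanged because HTML collapses the line break to a space, but the whitespace-only change is unrelated to the 4.0.4 update and adds noise to a release commit. Better to drop it or put it in its own commit.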