extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-21 02:08:48 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update web site for 4.0.4

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7390 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-09-26 14:01:35 +00:00
parent 2bf7abc7b7
commit 3061086483
2 changed files with 362 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

355
web/News.htm
View File

@ -27,6 +27,361 @@ License</a></span>”.<br>
<p>August 10, 2007</p> <p>August 10, 2007</p>
<hr style="width: 100%; height: 2px;"> <hr style="width: 100%; height: 2px;">
<p><strong>2007-09-28 Shorewall 4.0.4</strong></p>
<pre>Problems Corrected in Shorewall 4.0.4
1) If no interface had the 'blacklist' option, then when using
Shorewall-perl, the 'start' and 'restart' command failed:
ERROR: No filter chain found with name blacklst
New Shorewall-perl 4.0.3 packages were released that corrected this
problem; it is included here for completeness.
2) If no interface had the 'blacklist' option, then when using
Shorewall-perl, the generated script would issue this harmless
message during 'shorewall refresh':
chainlist_reload: Not found
3) If /bin/sh was a light-weight shell such as ash or dash, then
'shorewall refresh' failed.
4) During start/restart, the script generated by Shorewall-perl was
clearing the proxy_arp flag on all interfaces; that is not the
documented behavior.
5) If the module-init-tools package was not installed and
/etc/shorewall/modules did not exist or was non-empty, then
Shorewall-perl would fail with the message:
ERROR: Can't run lsmod : /etc/shorewall/modules (line 0)
6) Shorewall-perl now makes a compile-time check to insure that
iptables-restore exists and is executable. This check is made when
the compiler is being run by root and the -e option is not
given.
Note that iptables-restore must reside in the same directory as the
iptables executable specified by IPTABLES in shorewall.conf or
located by the PATH in the event that IPTABLES is not specified.
7) When using Shorewall-perl, if an action was invoked with more than
10 different combinations of log-levels/tags, some of those
invocations would have incorrect logging.
8) Previously, when 'shorewall restore' was executed, the
iptables-restore utility was always located using the PATH setting
rather than the IPTABLES setting.
With Shorewall-perl, the IPTABLES setting is now used to locate
this utility during 'restore' as it is during the processing of
other commands.
9) Although the shorewall.conf manpage indicates that the value
'internal' is allowed for TC_ENABLED, that value was previously
rejected ('Internal' was accepted).
10) The meaning of the 'loose' provider option was accidentally reversed
in Shorewall-perl. Rather than causing certain routing rules to be
omitted when specified, it actually caused them to be added (these
rules were omitted when the option was NOT specified).
11) If the 'bridge' option was specified on an interface but there were
no bport zones, then traffic originating on the firewall was not
passed through the accounting chain.
12) In commands such as:
shorewall compile &lt;directory&gt;
shorewall restart &lt;directory&gt;
shorewall check &lt;directory&gt;
if the name of the &lt;directory&gt; contained a period ("."), then
Shorewall-perl would incorrectly substitute the current working
directory for the name.
13) Previously, if the following sequence of routing rules was
specified, then the first rule would always be omitted.
#SOURCE DEST PROVIDER PRIORITY
$SRC_A $DESTIP1 ISP1 1000
$SRC_A $DESTIP2 SOMEISP 1000
$SRC_A - ISP2 1000
The reason for this omission was that Shorewall uses a
delete-before-add approach and attempting to delete the third rule
resulted in the deletion of the first one instead.
This problem occurred with both compilers.
14) When using Shorewall-shell, provider numbers were not recognized in
the PROVIDER column of /etc/shorewall/route_rules.
15) An off-by-one problem in Shorewall-perl caused the value 255 to be
rejected in the MARK column of /etc/shorewall/tcclasses.
16) When HIGH_ROUTE_MARKS=Yes, marks with values &gt; 255 must be a
multiple of 256. That restriction was being enforced by
Shorewall-shell but not by Shorewall-perl. Shorewall-perl now also
enforces this restriction.
17) Using REDIRECT with a parameterized macro (e.g., DNS/REDIRECT)
failed with an "Unknown interface" error when using Shorewall-perl.
Other Changes in Shorewall 4.0.4
1) The detection of 'Repeat Match' has been improved. 'Repeat Match'
is not a match at all but rather is a feature of recent versions of
iptables that allows a particular match to be used multiple times
within a single rule.
Example:
-A foo -m physdev --physdev-in eth0 -m physdev --physdev-out ...
When using Shorewall-shell, the availability of 'Repeat Match' can
speed up compilation very slightly.
2) Apparently recent Fedora releases are broken. The
following sequence of commands demonstrates the problem:
ip rule add from 1.1.1.1 to 10.0.0.0/8 priority 1000 table 5
ip rule add from 1.1.1.1 to 0.0.0.0/0 priority 1000 table main
ip rule del from 1.1.1.1 to 0.0.0.0/0 priority 1000
The third command should fail but doesn't; instead, it incorrectly
removes the rule added by the first command.
To work around this issue, you can set DELETE_THEN_ADD=No in
shorewall.conf which prevents Shorewall from deleting ip rules
before attempting to add a similar rule.
3) When using Shorewall-perl, the following message is now issued if
the 'detectnets' option is specified in /etc/shorewall/interfaces:
WARNING: Support for the 'detectnets' option will be removed from
Shorewall-perl in version 4.0.5; better to use 'routefilter' and
'logmartians
The 'detect' options has always been rather silly. On input, it
duplicates the function of 'routefilter'. On output, it is a no-op
since traffic that doesn't match a route out of an interface won't
be sent through that interface (duh!).
Beginning with Shorewall 4.0.5, the warning message will read:
WARNING: Support for the 'detectnets' option has been removed</pre>
<hr>
<p><strong>2007-09-01 Shorewall 4.0.3</strong></p>
<pre>Problems Corrected in 4.0.3
1) Using the LOG target in the rules file could result in two LOG
rules being generated by Shorewall-shell. Additionally, using an IP
address range in a rule that performed logging could result in an
invalid iptables command.
2) Shorewall now loads the act_police kernel module needed by traffic
shaping.
3) Previously, "shorewall show -f capabilities" and "shorecap" omitted
the "TCPMSS Match" capability. This made it appear to a compiler
using a capabilities file that the TCPMSS Match capability was not
available.
4) Previously, Shorewall would truncate long log prefixes to 29
characters. This resulted in there being no space between the log
prefix and the IN= part of the message.
Example: fw2net:LOG:HTTPSoutIN= OUT=eth0
Beginning with this release, Shorewall will truncate the prefix to
28 bytes and add a trailing space.
Example: fw2net:LOG:HTTPSou IN= OUT=eth0
5) Previously, if:
- FASTACCEPT=No
- The policy from Z1 to Z2 was CONTINUE
- Neither Z1 nor Z2 had parent zones
- There were no Z1-&gt;Z2 rules
then connections from Z2-&gt;Z1 would fail even if there were
rules/policies allowing them. This has been
corrected.
6) The 'shorewall add' and 'shorewall delete' command would fail when:
- The running configuration was compiled with Shorewall-perl.
- The name of the interface specified in the command contained an
embedded special character such as '.' or '-'.
This problem was the result of the change in Shorewall 4.0.2 that
removed the legacy mapping of interface names when embedding such
names in a Netfilter chain name. To correct the problem, the
pre-4.0.2 name mapping is restored when DYNAMIC_ZONES=Yes.
5) A bug in Shorewall-shell prevented proper handling of PREROUTING
marks when HIGH_ROUTE_MARKS=No and the track option was specified
in /etc/shorewall/providers.
6) With Shorewall-perl, if EXPORTPARAMS=Yes then INCLUDE directives in
the params file would fail at script execution time with "INCLUDE:
not found". This has been corrected.
7) Shorewall-perl was mis-sorting the zone list when zones were nested
more than one deep.
8) Stale references to http://www.shorewall.net/Documentation.htm have
been removed from the config files (including samples). That URL
has been replaced by the online manpages.
Other Changes in 4.0.3
1) A script generated by Shorewall-perl now tries to modify/restore
/etc/iproute2/rt_tables only if the file is writable. This prevents
run-time errors when /etc is mounted read-only.
A new KEEP_RT_TABLES option has been added to shorewall.conf. When
set to Yes, this option prevents Shorewall from altering the
/etc/iproute2/rt_tables database. The KEEP_RT_TABLES option is only
recognized by Shorewall-perl and is ignored by Shorewall-shell.
2) Shorewall-perl now requires the FindBin Perl module.
3) When an optional provider is not available, a script generated by
Shorewall-perl will no longer add the corresponding
routing rules.
4) A new 'isusable' extension script has been added. This script
allows you to extend the availability test that Shorewall performs
on optional providers.
Here's an example that uses ping to ensure that the default
gateways through eth0 and eth1 are reachable:
case $1 in
eth0)
ping -c 4 -I eth0 206.124.146.254 &gt; /dev/null 2&gt;&amp;1
return
;;
eth1)
ping -c 4 -I eth1 192.168.12.254 &gt; /dev/null 2&gt;&amp;1
return
;;
*)
# Assume we don't need to do any additional testing
# for this interface beyond Shorewall's
return 0
;;
esac
Additional information is available at
http://www.shorewall.net/shorewall_extension_scripts.htm.
5) Processing of the message log in the 'show log', 'logwatch' and
'dump' commands has been speeded up thanks to a suggestion by
Andrew Suffield.
6) Beginning with Shorewall 4.0, the shorewall 'stop', and 'clear'
commands were processed by the generated script from the
last successful 'start', 'restart' or 'refresh' command. This had
the side effect that updates to the /etc/shorewall/routestopped
file did not take effect until one of those three commands was
successfully processed.
Beginning with Shorewall 4.0.3, the old 3.x behavior is restored as
the default and the 4.0 behavior is enabled using the '-f' command
option.
Example: shorewall stop -f
is only recognized by Shorewall-perl and causes Shorewall to set
the MSS field in forwarded TCP SYN packets going in or out the
interface to the value that you specify.
Example:
#ZONE INTERFACE BROADCAST OPTIONS
vpn ppp0 - mss=1400
The mss option only affects incoming traffic that has not been
decrypted by IPSEC and outgoing traffic that will not subsequently
be encrypted by IPSEC. The MSS for IPSEC traffic is managed by the
'mss' option in /etc/shorewall/zones.
8) Shorewall now detects the presence of the 'hashlimit match'
capability. There is no builtin support yet for hashlimit but
detection allows extension scripts for user-supplied actions to
determine if the capability exists.
With Shorewall-shell, $HASHLIMIT_MATCH will be non-empty if the
capability exists.
With Shorewall-perl, $capabilities{HASHLIMIT_MATCH} will be true in
a boolean context if the capability exists. Shorewall-perl users
may also code the following in their extension script:
use Shorewall::Config;
require_capability( 'HASHLIMIT_MATCH', #Capability
'My hashlimit action' , #Feature requiring
#capability
's' ); #Feature is singular
#(if plural, pass the
empty string)
That call would procduce the following fatal error if the
capability isn't available:
ERROR: My hashlimit action requires the Hashlimit match capability
in your kernel and iptables
9) NFQUEUE support has been added to Shorewall-perl.
NFQUEUE may appear in actions, macros, rules and as a policy.
When NFQUEUE is used by itself, queue number zero is assumed. To
specify a queue number, follow NFQUEUE by a slash ("/") and the
queue number.
Examples (/etc/shorewall/rules):
NFQUEUE loc net tcp #Queue number 0
NFQUEUE/22 loc net udp #Queue number 22
NFQUEUE/22:info loc net gre #With logging
An NFQUEUE_DEFAULT option has been added to shorewall.conf for
specifying the default action to use with NFQUEUE policies.
Use of NFQUEUE requires the NFQUEUE Target capability in your
kernel/iptables. If you intend to use NFQUEUE with Shorewall-lite,
then you must install Shorewall-lite 4.0.3 in order to build a
capabilities file that includes NFQUEUE Target. If your
capabilities file was generated by a Shorewall/Shorewall-lite
version earlier that 4.0.3, you will receive a warning during
compilation.
10) The 'refresh' command can now refresh chains other than 'blacklst'.
The syntax of the command is now:
shorewall refresh [ &lt;chain&gt; ... ]
If no &lt;chain&gt; is given then 'blacklst' is assumed. Otherwise, the
Shorewall-perl compiler compiles a script whose 'refresh' command
refreshes the listed &lt;chain&gt;(s).
The listed chains are assumed to be in the filter table. You can
refresh chains in other tables by prefixing the chain name with the
table name followed by ":" (e.g., nat:net_dnat). Chain names which
follow are assumed to be in that table until the end of the list or
until an entry in the list names another table.
This feature requires Shorewall-perl 4.0.3 as well as
Shorewall-common 4.0.3.</pre>
<hr>
<p><strong>2007-08-19 Shorewall 3.4.6</strong></p> <p><strong>2007-08-19 Shorewall 3.4.6</strong></p>
<pre>Problems Corrected in 3.4.6. <pre>Problems Corrected in 3.4.6.

13
web/shorewall_index.htm
View File

@ -21,7 +21,7 @@ Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the
license is included in the section entitled “<a href="GnuCopyright.htm" license is included in the section entitled “<a href="GnuCopyright.htm"
target="_self">GNU Free Documentation License</a>”.</p> target="_self">GNU Free Documentation License</a>”.</p>
<p>2007-09-01</p> <p>2007-09-28</p>
<hr style="width: 100%; height: 2px;"> <hr style="width: 100%; height: 2px;">
<h2>Table of Contents</h2> <h2>Table of Contents</h2>
@ -105,17 +105,17 @@ Features page</a>.<br>
<h3><a name="Releases"></a>Current Shorewall Releases</h3> <h3><a name="Releases"></a>Current Shorewall Releases</h3>
<p style="margin-left: 40px;">The <span style="font-weight: bold;">current <p style="margin-left: 40px;">The <span style="font-weight: bold;">current
Stable Release</span> version is  4.0.3<br> Stable Release</span> version is  4.0.4<br>
</p> </p>
<ul style="margin-left: 40px;"> <ul style="margin-left: 40px;">
<li>Here are the <a <li>Here are the <a
href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.3/releasenotes.txt">release href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.4/releasenotes.txt">release
notes</a> <br> notes</a> <br>
</li> </li>
<li>Here are the <a <li>Here are the <a
href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.3/known_problems.txt">known href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.4/known_problems.txt">known
problems</a> and <a problems</a> and <a
href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.3/errata/">updates</a>. href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.4/errata/">updates</a>.
<p>Read more about the <a href="Shorewall-4.html">Release here</a>.<br> <p>Read more about the <a href="Shorewall-4.html">Release here</a>.<br>
</p> </p>
</li> </li>
@ -169,7 +169,8 @@ General Public License for more detail.</p>
<p style="margin-left: 0.42in;">You should have received a copy of the GNU <p style="margin-left: 0.42in;">You should have received a copy of the GNU
General Public License along with this program; if not, write to the Free General Public License along with this program; if not, write to the Free
Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.</p> Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301 USA.</p>
<p style="margin-left: 0.42in;">Permission is granted to copy, distribute <p style="margin-left: 0.42in;">Permission is granted to copy, distribute
and/or modify this document under the terms of the GNU Free Documentation and/or modify this document under the terms of the GNU Free Documentation