diff --git a/Shorewall-lite/fallback.sh b/Shorewall-lite/fallback.sh
index 80f0c95cd..58de338ef 100755
--- a/Shorewall-lite/fallback.sh
+++ b/Shorewall-lite/fallback.sh
@@ -28,7 +28,7 @@
 # shown below. Simply run this script to revert to your prior version of
 # Shoreline Firewall.
 
-VERSION=4.3.9
+VERSION=4.3.10
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh
index c765742a0..3140d1759 100755
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -22,7 +22,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.3.9
+VERSION=4.3.10
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall-lite/shorewall-lite.spec b/Shorewall-lite/shorewall-lite.spec
index 4b933d2e1..2ceabb68f 100644
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@@ -1,5 +1,5 @@
 %define name shorewall-lite
-%define version 4.3.9
+%define version 4.3.10
 %define release 0base
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@@ -98,6 +98,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Sun Apr 19 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.10-0base
 * Sat Apr 11 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.9-0base
 * Tue Mar 17 2009 Tom Eastep tom@shorewall.net
diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh
index b836523d2..602fc8d8b 100755
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.3.9
+VERSION=4.3.10
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index e1c2bca27..ca46af6ae 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -323,7 +323,7 @@ sub initialize( $ ) {
 TC_SCRIPT => '',
 EXPORT => 0,
 UNTRACKED => 0,
- VERSION => "4.3.9",
+ VERSION => "4.3.10",
 CAPVERSION => 40309 ,
 );
 
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index c544449d8..30ba0ac62 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,3 +1,7 @@
+Changes in Shorewall 4.3.10
+
+None.
+
 Changes in Shorewall 4.3.9
 
 1) Logging rules now create separate chain.
diff --git a/Shorewall/install.sh b/Shorewall/install.sh
index 2f6f5a3b7..da66ce3ea 100755
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -22,7 +22,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.3.9
+VERSION=4.3.10
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall/known_problems.txt b/Shorewall/known_problems.txt
index 23978d23b..1818f5c7c 100644
--- a/Shorewall/known_problems.txt
+++ b/Shorewall/known_problems.txt
@@ -1 +1 @@
-There are no known problems in Shorewall version 4.3.9
+There are no known problems in Shorewall version 4.3.10
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 71334f738..70bb6c4c2 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -1,4 +1,4 @@
-Shorewall 4.3.9
+Shorewall 4.3.10
 
 Shorewall 4.3 is the development thread for Shorewall 4.4 which will be
 released late in 2009.
@@ -56,19 +56,10 @@ released late in 2009.
 underlying support in the Linux kernel.
 
 ----------------------------------------------------------------------------
- P R O B L E M S C O R R E C T E D I N 4 . 3 . 9
+ P R O B L E M S C O R R E C T E D I N 4 . 3 . 10
 ----------------------------------------------------------------------------
 
-1) If an interface name was specified in a PREROUTING rule (tcrules or
- notrack) then an invalid iptables rule would be generated.
-
-2) When a network address appeared in the SOURCE or DEST column of
- /etc/shorewall/tcfilters, an incorrect netmask was being generated in
- the resulting 'tc' rule.
-
-3) Placing an IP address in the BROADCAST column of
- /etc/shorewall/interfaces caused Shorewall-perl to generate an
- erroneous 'Invalid BROADCAST address' error.
+None.
 
 ----------------------------------------------------------------------------
 K N O W N P R O B L E M S R E M A I N I N G
@@ -77,159 +68,10 @@ released late in 2009.
 None.
 
 ----------------------------------------------------------------------------
- N E W F E A T U R E S I N 4 . 3 . 9
+ N E W F E A T U R E S I N 4 . 3 . 10
 ----------------------------------------------------------------------------
 
-1) Rules that specify a log level with a target other than LOG or NFLOG
- are now implemented through a separate chain. While this may increase
- the processing cost slightly for packets that match these rules, it
- is expected to reduce the overall cost of such rules because each
- packet that doesn't match the rules only has to be processed once
- per rule rather than twice.
-
- Example:
-
- /etc/shorewall/rules:
-
- REJECT:info loc net tcp 25
-
- This previously generated these two rules (long rules folded):
-
- -A loc2net -p 6 --dport 25 -j LOG --log-level 6
- --log-prefix "Shorewall:loc2net:reject:"
- -A loc2net -p 6 --dport 25 -j reject
-
- It now generates these rules:
-
- :log0 - [0:0]
- ...
- -A loc2net -p 6 --dport 25 -g log0
- ...
- -A log0 -j LOG --log-level 6
- --log-prefix "Shorewall:loc2net:REJECT:"
- -A log0 -p 6 --dport 25 -j reject
-
- Notice that now there is only a single rule generated in the
- 'loc2net' chain where before there were two. Packets for other than
- TCP port 25 had to be processed by both rules.
-
- Notice also that the new LOG rule reflects the original action
- ("REJECT") rather than what Shorewall maps that to ("reject").
-
-2) Shorewall6 has now been tested on kernel 2.6.24 (Ubuntu Hardy) and
- hence will now start successfully when running on that kernel.
-
-3) Three new options (IP, TC and IPSET) have been added to
- shorewall.conf and shorwall6.conf. These options specify the name
- of the executable for the 'ip', 'tc' and 'ipset' utilities
- respectively.
-
- If not specified, the default values are:
-
- IP=ip
- TC=tc
- IPSET=ipset
-
- In other words, the utilities will be located via the current PATH
- setting.
-
-4) There has been a desire in the user community to limit traffic by
- IP address using Shorewall traffic shaping. Heretofore, that has
- required a very inefficient process:
-
- a) Define a tcclass for each internal host (two, if shaping both in
- and out).
- b) Define a tcrule for each host to mark to classify the packets
- accordingly.
-
- Beginning with Shorewall 4.3.9, this process is made easier IF YOU
- ARE WILLING TO INSTALL xtables-addons. The feature requires IPMARK
- support in iptables[6] and your kernel. That support is available
- in xtables-addons.
-
- The new facility has two components:
-
- a) A new IPMARK MARKing command in /etc/shorewall/tcrules.
- b) A new 'occurs' OPTION in /etc/shorewall/tcclasses.
-
- The IPMARK target assigns a mark to each matching packet based on
- the either the source or destination IP address. By default, it
- assigns a mark value equal to the low-order 8 bits of the source
- address.
-
- The syntax is as follows:
-
- IPMARK[([{src|dst}][,[][,[][,[]]]])]
-
- Default values are:
-
- src
- = 0xFF
- = 0x00
- = 0
-
- 'src' and 'dst' specify whether the mark is to be based on the
- source or destination address respectively.
-
- The selected address is first LANDed with then LORed with
- .
-
- The result is then shifted bits to the right.
-
- Example:
-
- IPMARK(dst, 0XFF00, 0x8000,8)
-
- Destination IP address is 192.168.4.3 = 0xc0a80103
-
- 0xc0a80403 LAND 0xFF00 = 0x0400
- 0x0400 LOR 0x80 = 0x8400
- 0x8400 >> 8 = 0x84
-
- Mark = 0x84 = 132
-
- The 'occurs' option causes the class definition to be replicated
- many times. The synax is:
-
- occurs=
-
- When 'occurs' is used:
-
- a) The associated device may not have the 'classify' option.
- b) The class may not be the default class.
- c) The class may not have any 'tos=' options (including
- 'tcp-ack').
-
- The 'RATE' and 'CEIL' parameters apply to each instance of the
- class. So the total RATE represented by an entry with 'occurs' will
- be the listed RATE multiplied by the 'occurs' number.
-
- Example:
-
- #DEVICE MARK RATE CEIL PRIORITY OPTIONS
- eth0 100 1kbit 230kbit 4 occurs=32
-
- The above defines 32 classes with MARK values 100-131. Each
- class has a guaranteed rate of 1kbit/second.
-
- As part of this change, the generation of class ids from mark
- values has been changed. The class number is now
-
- ( << 10 ) |
-
- /sbin/shorewall has an 'encode' and 'decode' command to translate a
- device number, mark pair to/from a classid:
-
- encode
- decode
-
- Example:
-
- $ shorewall decode 3172
- Device = 3 Mark = 100
- $ shorewall encode 3 100
- Class number = 3172
- $
+None.
 
 ----------------------------------------------------------------------------
 N E W F E A T U R E S IN 4 . 3
@@ -493,3 +335,155 @@ None.
 equivalent to this single rule:
 
 ACCEPT net fw tcp 25,587 - - s:mail:3/min
+
+13) Rules that specify a log level with a target other than LOG or NFLOG
+ are now implemented through a separate chain. While this may increase
+ the processing cost slightly for packets that match these rules, it
+ is expected to reduce the overall cost of such rules because each
+ packet that doesn't match the rules only has to be processed once
+ per rule rather than twice.
+
+ Example:
+
+ /etc/shorewall/rules:
+
+ REJECT:info loc net tcp 25
+
+ This previously generated these two rules (long rules folded):
+
+ -A loc2net -p 6 --dport 25 -j LOG --log-level 6
+ --log-prefix "Shorewall:loc2net:reject:"
+ -A loc2net -p 6 --dport 25 -j reject
+
+ It now generates these rules:
+
+ :log0 - [0:0]
+ ...
+ -A loc2net -p 6 --dport 25 -g log0
+ ...
+ -A log0 -j LOG --log-level 6
+ --log-prefix "Shorewall:loc2net:REJECT:"
+ -A log0 -p 6 --dport 25 -j reject
+
+ Notice that now there is only a single rule generated in the
+ 'loc2net' chain where before there were two. Packets for other than
+ TCP port 25 had to be processed by both rules.
+
+ Notice also that the new LOG rule reflects the original action
+ ("REJECT") rather than what Shorewall maps that to ("reject").
+
+14) Shorewall6 has now been tested on kernel 2.6.24 (Ubuntu Hardy) and
+ hence will now start successfully when running on that kernel.
+
+15) Three new options (IP, TC and IPSET) have been added to
+ shorewall.conf and shorwall6.conf. These options specify the name
+ of the executable for the 'ip', 'tc' and 'ipset' utilities
+ respectively.
+
+ If not specified, the default values are:
+
+ IP=ip
+ TC=tc
+ IPSET=ipset
+
+ In other words, the utilities will be located via the current PATH
+ setting.
+
+16) There has been a desire in the user community to limit traffic by
+ IP address using Shorewall traffic shaping. Heretofore, that has
+ required a very inefficient process:
+
+ a) Define a tcclass for each internal host (two, if shaping both in
+ and out).
+ b) Define a tcrule for each host to mark to classify the packets
+ accordingly.
+
+ Beginning with Shorewall 4.3.9, this process is made easier IF YOU
+ ARE WILLING TO INSTALL xtables-addons. The feature requires IPMARK
+ support in iptables[6] and your kernel. That support is available
+ in xtables-addons.
+
+ The new facility has two components:
+
+ a) A new IPMARK MARKing command in /etc/shorewall/tcrules.
+ b) A new 'occurs' OPTION in /etc/shorewall/tcclasses.
+
+ The IPMARK target assigns a mark to each matching packet based on
+ the either the source or destination IP address. By default, it
+ assigns a mark value equal to the low-order 8 bits of the source
+ address.
+
+ The syntax is as follows:
+
+ IPMARK[([{src|dst}][,[][,[][,[]]]])]
+
+ Default values are:
+
+ src
+ = 0xFF
+ = 0x00
+ = 0
+
+ 'src' and 'dst' specify whether the mark is to be based on the
+ source or destination address respectively.
+
+ The selected address is first LANDed with then LORed with
+ .
+
+ The result is then shifted bits to the right.
+
+ Example:
+
+ IPMARK(dst, 0XFF00, 0x8000,8)
+
+ Destination IP address is 192.168.4.3 = 0xc0a80103
+
+ 0xc0a80403 LAND 0xFF00 = 0x0400
+ 0x0400 LOR 0x80 = 0x8400
+ 0x8400 >> 8 = 0x84
+
+ Mark = 0x84 = 132
+
+ The 'occurs' option causes the class definition to be replicated
+ many times. The synax is:
+
+ occurs=
+
+ When 'occurs' is used:
+
+ a) The associated device may not have the 'classify' option.
+ b) The class may not be the default class.
+ c) The class may not have any 'tos=' options (including
+ 'tcp-ack').
+
+ The 'RATE' and 'CEIL' parameters apply to each instance of the
+ class. So the total RATE represented by an entry with 'occurs' will
+ be the listed RATE multiplied by the 'occurs' number.
+
+ Example:
+
+ #DEVICE MARK RATE CEIL PRIORITY OPTIONS
+ eth0 100 1kbit 230kbit 4 occurs=32
+
+ The above defines 32 classes with MARK values 100-131. Each
+ class has a guaranteed rate of 1kbit/second.
+
+ As part of this change, the generation of class ids from mark
+ values has been changed. The class number is now
+
+ ( << 10 ) |
+
+ /sbin/shorewall has an 'encode' and 'decode' command to translate a
+ device number, mark pair to/from a classid:
+
+ encode
+ decode
+
+ Example:
+
+ $ shorewall decode 3172
+ Device = 3 Mark = 100
+ $ shorewall encode 3 100
+ Class number = 3172
+ $
+
diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec
index a92abd52a..3bf791e09 100644
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -1,5 +1,5 @@
 %define name shorewall
-%define version 4.3.9
+%define version 4.3.10
 %define release 0base
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -172,6 +172,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
 
 %changelog
+* Sun Apr 19 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.10-0base
 * Sat Apr 11 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.9-0base
 * Tue Mar 17 2009 Tom Eastep tom@shorewall.net
diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh
index 437a6c837..3fdb2ca89 100755
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.3.9
+VERSION=4.3.10
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall6-lite/fallback.sh b/Shorewall6-lite/fallback.sh
index 80f0c95cd..58de338ef 100755
--- a/Shorewall6-lite/fallback.sh
+++ b/Shorewall6-lite/fallback.sh
@@ -28,7 +28,7 @@
 # shown below. Simply run this script to revert to your prior version of
 # Shoreline Firewall.
 
-VERSION=4.3.9
+VERSION=4.3.10
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall6-lite/install.sh b/Shorewall6-lite/install.sh
index eb55496e1..652480922 100755
--- a/Shorewall6-lite/install.sh
+++ b/Shorewall6-lite/install.sh
@@ -22,7 +22,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.3.9
+VERSION=4.3.10
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall6-lite/shorewall6-lite.spec b/Shorewall6-lite/shorewall6-lite.spec
index 83ad1e010..213b8b66e 100644
--- a/Shorewall6-lite/shorewall6-lite.spec
+++ b/Shorewall6-lite/shorewall6-lite.spec
@@ -1,5 +1,5 @@
 %define name shorewall6-lite
-%define version 4.3.9
+%define version 4.3.10
 %define release 0base
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
@@ -89,6 +89,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Sun Apr 19 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.10-0base
 * Sat Apr 11 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.9-0base
 * Tue Mar 17 2009 Tom Eastep tom@shorewall.net
diff --git a/Shorewall6-lite/uninstall.sh b/Shorewall6-lite/uninstall.sh
index 04d6ce02f..59e473c1f 100755
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.3.9
+VERSION=4.3.10
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall6/fallback.sh b/Shorewall6/fallback.sh
index 8ded2752c..4cab6f8bd 100755
--- a/Shorewall6/fallback.sh
+++ b/Shorewall6/fallback.sh
@@ -28,7 +28,7 @@
 # shown below. Simply run this script to revert to your prior version of
 # Shoreline Firewall.
 
-VERSION=4.3.9
+VERSION=4.3.10
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall6/install.sh b/Shorewall6/install.sh
index 5209a52d5..eecdf37fd 100755
--- a/Shorewall6/install.sh
+++ b/Shorewall6/install.sh
@@ -22,7 +22,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.3.9
+VERSION=4.3.10
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall6/shorewall6.spec b/Shorewall6/shorewall6.spec
index 4e970ebdc..aa4d9923a 100644
--- a/Shorewall6/shorewall6.spec
+++ b/Shorewall6/shorewall6.spec
@@ -1,5 +1,5 @@
 %define name shorewall6
-%define version 4.3.9
+%define version 4.3.10
 %define release 0base
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
@@ -144,6 +144,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
+* Sun Apr 19 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.10-0base
 * Sat Apr 11 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.9-0base
 * Tue Mar 17 2009 Tom Eastep tom@shorewall.net
diff --git a/Shorewall6/uninstall.sh b/Shorewall6/uninstall.sh
index e611623d4..1a820130d 100755
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.3.9
+VERSION=4.3.10
 
 usage() # $1 = exit status
 {