mirror of https://gitlab.com/shorewall/code.git (synced 2024-12-15 02:41:01 +01:00)
Remove superfluous test; switch release docs to 3.3.4
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4720 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent 867a707d83
commit 796362b3ba
@ -1,3 +1,7 @@
Changes in 3.3.4

1) Make exclusion work with "show zones"

Changes in 3.3.3

1) Fix excluding in SUBNET column.
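Review bot: the new 3.3.4 changelog entry, `1) Make exclusion work with "show zones"`, describes a user-visible fix, but the release-notes hunk in this same commit sets "Problems Corrected in 3.3.4" to "None."; one of the two is wrong. Either record the show-zones exclusion fix under Problems Corrected in the release notes or, if it is not a bug fix, reword this entry. The commit message ("Remove superfluous test; switch release docs to 3.3.4") also says nothing about show zones, so the history does not explain what was fixed or how the removed test relates to it.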
@ -4387,13 +4387,6 @@ activate_rules()
# If the zone has a single interface then what matters is how many ports it has
#
[ $num_ifaces -eq 1 -a -n "$ports" ] && num_ifaces=$(list_count1 $ports)
#
# If we don't need to route back and if we have only one interface or one port to
# the zone then assume that hosts in the zone can communicate directly.
#
if [ $num_ifaces -lt 2 -a -z "$routeback" -a -z "$exclusions" ] ; then
continue
fi
else
routeback=
num_ifaces=0
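Review bot: the early `continue` guarded by `[ $num_ifaces -lt 2 -a -z "$routeback" -a -z "$exclusions" ]` is removed, but the `[ $num_ifaces -eq 1 -a -n "$ports" ] && num_ifaces=$(list_count1 $ports)` recount and its comment survive as context even though the removed test was their only visible consumer; if nothing further down in activate_rules() reads `num_ifaces`, drop the recount and its comment in the same commit instead of leaving dead code. The commit message calls the test "superfluous" without saying which later check now covers the case it handled; per the removed comment, that `continue` skipped the rest of the loop body for zones whose hosts were assumed to communicate directly, so a sentence naming the check that makes it redundant would let a reviewer verify that no extra rules are now generated for those zones. Minor style, only if this block is touched again: `-a` inside `[ ]` is not portable POSIX, and `[ ... ] && [ ... ]` is the safer spelling.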
@ -1,4 +1,4 @@
Shorewall 3.3.3
Shorewall 3.3.4

Note to users upgrading from Shorewall 3.0 or 3.3

@ -31,149 +31,14 @@ Shorewall 3.3.3
Please see the "Migration Considerations" below for additional upgrade
information.

Problems Corrected in 3.3.3
Problems Corrected in 3.3.4

1) Previously, the 'provider' portion of the packet mark was not being
cleared after routing for traffic that originates on the firewall
itself.
None.

Other changes in 3.3.3
Other Changes in 3.3.4.

1) For users whose kernel and iptables have Extended MARK Target
support, it is now possible to logically AND or OR a value into the
current packet mark by preceding the mark value (and optional mask)
with an ampersand ("&") or vertical bar ("|") respectively.
None.

Example: To logically OR the value 4 into the mark value for
packets from 192.168.1.1:

#MARK SOURCE
|4 192.168.1.1

2) Previously, zone names were restricted to five characters in
length. That length derives from the --log-prefix in Netfilter log
messages which must be 29 bytes or less in length. With the
standard Shorewall LOGFORMAT, 11 characters are left for the
chain name; since many chain names are of the form
<zone1>2<zone2>, we have a maximum zone name length of 5.

Beginning with this release, the maximum length of a zone name is
dependent on the LOGFORMAT (the maximum length may never be less
than 5 but it may be greater than 5). For example, setting
LOGFORMAT="FW:%s:%s:" will allow zone names of up to 8 characters.

As part of this change, /sbin/shorewall[-lite] no longer uses the
LOGFORMAT to select Shorewall messages from log files. Instead, it
uses the regular expression /IN=.* OUT=/ which will match any
netfilter-generated log message.

3) Netfilter provides support for attaching comments to Netfilter
rules. Comments can be up to 255 bytes in length and are
visible using the "shorewall show <chain>", "shorewall show nat",
"shorewall show mangle" and "shorewall dump" commands. Comments are
delimited by '/* ... */" in the output.

Beginning with Shorewall 3.3.3, you may place COMMENT lines in the
/etc/shorewall/rules, /etc/shorewall/tcrules, /etc/shorewall/nat
and /etc/shorewall/masq files and in action files. The remainder of
the line is treated as a comment and it will be attached as a
Netfilter comment to the rule(s) generated by the following entries
in the file.

Note: Do not prefix the comment with "#". Shorewall's two-pass
compiler strips off "#" comments in the first pass and processes
COMMENT lines in the second pass. So by the time that COMMENT is
processed, the "#" and everything after it has been removed (see
example below).

To stop the current comment from being attached to further
rules, simply include COMMENT on a line by itself (so that the
following rules will have no comment) or specify a new COMMENT.

If you do not have Comment support in your iptables/kernel (see the
output of "shorewall[-lite] show capabilities") then COMMENTS are
ignored with this warning:

COMMENT ignored -- requires comment support in iptables/Netfilter

Example from my rules file:

#SOURCE SOURCE DEST PROTO DEST PORT(S)

COMMENT Stop Microsoft Noise

REJECT loc net tcp 137,445
REJECT loc net udp 137:139

COMMENT # Stop comment from being attached to rules below

The output of "shorewall show loc2net" includes (folded):

0 0 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 137,445 /* Stop Microsoft Noise */
0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:137:139 /* Stop Microsoft Noise */

4) A new macro (macro.RDP) has been added for Microsoft Remote
Desktop. This macro was contributed by Tuomo Soini.

5) A new 'maclog' extension file has been added. This file is
processed just before logging based on the setting of
MACLIST_LOG_LEVEL is done. When invoked, the CHAIN variable will
contain the name of the chain where rules should be inserted.
Remember that if you have specified MACLIST_TABLE=mangle, then your
run_iptables commands should include "-t mangle".

6) The SUBNET column in /etc/shorewall/masq has been renamed SOURCE to
more accurately describe the contents of the column.

7) Previously, it was not possible to use exclusion in
/etc/shorewall/hosts. Beginning with this release, you may now use
exclusion lists in entries in this file. Exclusion lists are
discussed at:

http://www.shorewall.net/configuration_file_basics.htm#Exclusion.

Example:

loc eth0:192.168.1.0/24!192.168.1.4,192.168.1.16/28

In that example, the 'loc' zone is defined to be the subnet
192.168.1.0/24 interfacing via eth0 *except* for host 192.168.1.4
and hosts in the sub-network 192.168.1.16/28.

8) In prior Shorewall versions, multiple jumps to a '2all' chain could
be generated in succession.

Example from an earlier shorewall version:

gateway:~ # shorewall-lite show eth2_fwd
Shorewall Lite 3.3.2 Chains eth2_fwd at gateway - Thu Oct 19 08:54:37 PDT 2006

Counters reset Thu Oct 19 08:34:47 PDT 2006

Chain eth2_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 wifi2all all -- * eth0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 wifi2all all -- * br0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 wifi2all all -- * eth3 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 wifi2all all -- * tun+ 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
gateway:~ #

This redundancy has been eliminated:

gateway:~ # shorewall-lite show eth2_fwd
Shorewall Lite 3.3.3 Chains eth2_fwd at gateway - Thu Oct 19 09:15:24 PDT 2006

Counters reset Thu Oct 19 09:15:19 PDT 2006

Chain eth2_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 wifi2all all -- * * 0.0.0.0/0 0.0.0.0/0
gateway:~ #

Migration Considerations:

1) Shorewall supports the notion of "default actions". A default
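Review bot: "Problems Corrected in 3.3.4" is set to "None." while the changelog hunk in this commit records `Make exclusion work with "show zones"` under 3.3.4; keep the two files in step. The new heading "Other Changes in 3.3.4." carries a trailing period that the neighbouring headings ("Problems Corrected in 3.3.4", "Migration Considerations:") do not, and the earlier "Other changes in 3.3.3" used a lower-case "changes", so pick one form. The 3.3.3 "Problems Corrected" item (the 'provider' portion of the packet mark not being cleared after routing for firewall-originated traffic) is deleted outright here, whereas the 3.3.3 "Other changes" items are carried into the New Features section in the following hunk; check that the dropped fix is still recorded somewhere a user upgrading straight from 3.3.2 to 3.3.4 will see it.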
@ -378,3 +243,110 @@ New Features:
than 5 but it may be greater than 5). For example, setting
LOGFORMAT="FW:%s:%s:" will allow zone names of up to 8 characters.

6) Netfilter provides support for attaching comments to Netfilter
rules. Comments can be up to 255 bytes in length and are
visible using the "shorewall show <chain>", "shorewall show nat",
"shorewall show mangle" and "shorewall dump" commands. Comments are
delimited by '/* ... */" in the output.

Beginning with Shorewall 3.3.3, you may place COMMENT lines in the
/etc/shorewall/rules, /etc/shorewall/tcrules, /etc/shorewall/nat
and /etc/shorewall/masq files and in action files. The remainder of
the line is treated as a comment and it will be attached as a
Netfilter comment to the rule(s) generated by the following entries
in the file.

Note: Do not prefix the comment with "#". Shorewall's two-pass
compiler strips off "#" comments in the first pass and processes
COMMENT lines in the second pass. So by the time that COMMENT is
processed, the "#" and everything after it has been removed (see
example below).

To stop the current comment from being attached to further
rules, simply include COMMENT on a line by itself (so that the
following rules will have no comment) or specify a new COMMENT.

If you do not have Comment support in your iptables/kernel (see the
output of "shorewall[-lite] show capabilities") then COMMENTS are
ignored with this warning:

COMMENT ignored -- requires comment support in iptables/Netfilter

Example from my rules file:

#SOURCE SOURCE DEST PROTO DEST PORT(S)

COMMENT Stop Microsoft Noise

REJECT loc net tcp 137,445
REJECT loc net udp 137:139

COMMENT # Stop comment from being attached to rules below

The output of "shorewall show loc2net" includes (folded):

0 0 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 137,445 /* Stop Microsoft Noise */
0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:137:139 /* Stop Microsoft Noise */

7) A new macro (macro.RDP) has been added for Microsoft Remote
Desktop. This macro was contributed by Tuomo Soini.

8) A new 'maclog' extension file has been added. This file is
processed just before logging based on the setting of
MACLIST_LOG_LEVEL is done. When invoked, the CHAIN variable will
contain the name of the chain where rules should be inserted.
Remember that if you have specified MACLIST_TABLE=mangle, then your
run_iptables commands should include "-t mangle".

9) The SUBNET column in /etc/shorewall/masq has been renamed SOURCE to
more accurately describe the contents of the column.

10) Previously, it was not possible to use exclusion in
/etc/shorewall/hosts. Beginning with this release, you may now use
exclusion lists in entries in this file. Exclusion lists are
discussed at:

http://www.shorewall.net/configuration_file_basics.htm#Exclusion.

Example:

loc eth0:192.168.1.0/24!192.168.1.4,192.168.1.16/28

In that example, the 'loc' zone is defined to be the subnet
192.168.1.0/24 interfacing via eth0 *except* for host 192.168.1.4
and hosts in the sub-network 192.168.1.16/28.

11) In prior Shorewall versions, multiple jumps to a '2all' chain could
be generated in succession.

Example from an earlier shorewall version:

gateway:~ # shorewall-lite show eth2_fwd
Shorewall Lite 3.3.2 Chains eth2_fwd at gateway - Thu Oct 19 08:54:37 PDT 2006

Counters reset Thu Oct 19 08:34:47 PDT 2006

Chain eth2_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 wifi2all all -- * eth0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 wifi2all all -- * br0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 wifi2all all -- * eth3 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 wifi2all all -- * tun+ 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
gateway:~ #

This redundancy has been eliminated:

gateway:~ # shorewall-lite show eth2_fwd
Shorewall Lite 3.3.3 Chains eth2_fwd at gateway - Thu Oct 19 09:15:24 PDT 2006

Counters reset Thu Oct 19 09:15:19 PDT 2006

Chain eth2_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 wifi2all all -- * * 0.0.0.0/0 0.0.0.0/0
gateway:~ #

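Review bot: in the rules example under item 6, the header line `#SOURCE SOURCE DEST PROTO DEST PORT(S)` labels the first column SOURCE although the entries beneath it begin with `REJECT`, so it should read ACTION; the text is being moved wholesale from the removed 3.3.3 section, and this is the moment to correct it rather than carry the error forward. The same applies to the mismatched quotes in `delimited by '/* ... */"`, to the trailing period fused onto the URL in `configuration_file_basics.htm#Exclusion.`, and to the sentence "This file is processed just before logging based on the setting of MACLIST_LOG_LEVEL is done" in item 8, which does not parse. Items 7-11 also keep phrasing such as "Beginning with this release" and "This redundancy has been eliminated" that was clear in a per-release section but is ambiguous in a cumulative New Features list now that the document is titled 3.3.4; naming the release in each item, as item 6 does with "Beginning with Shorewall 3.3.3", would remove the ambiguity.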