diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index f09999366..ae9f8073c 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -1,3 +1,7 @@ +Changes in 3.3.4 + +1) Make exclusion work with "show zones" + Changes in 3.3.3 1) Fix excluding in SUBNET column. diff --git a/Shorewall/compiler b/Shorewall/compiler index 9f53de5d7..6965a1ead 100755 --- a/Shorewall/compiler +++ b/Shorewall/compiler @@ -4387,13 +4387,6 @@ activate_rules() # If the zone has a single interface then what matters is how many ports it has # [ $num_ifaces -eq 1 -a -n "$ports" ] && num_ifaces=$(list_count1 $ports) - # - # If we don't need to route back and if we have only one interface or one port to - # the zone then assume that hosts in the zone can communicate directly. - # - if [ $num_ifaces -lt 2 -a -z "$routeback" -a -z "$exclusions" ] ; then - continue - fi else routeback= num_ifaces=0 diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index dff9a0a6c..513d1e047 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -1,4 +1,4 @@ -Shorewall 3.3.3 +Shorewall 3.3.4 Note to users upgrading from Shorewall 3.0 or 3.3 
@@ -31,149 +31,14 @@ Shorewall 3.3.3 Please see the "Migration Considerations" below for additional upgrade information. -Problems Corrected in 3.3.3 +Problems Corrected in 3.3.4 -1) Previously, the 'provider' portion of the packet mark was not being - cleared after routing for traffic that originates on the firewall - itself. +None. -Other changes in 3.3.3 +Other Changes in 3.3.4. -1) For users whose kernel and iptables have Extended MARK Target - support, it is now possible to logically AND or OR a value into the - current packet mark by preceding the mark value (and optional mask) - with an ampersand ("&") or vertical bar ("|") respectively. +None. - Example: To logically OR the value 4 into the mark value for - packets from 192.168.1.1: - - #MARK SOURCE - |4 192.168.1.1 - -2) Previously, zone names were restricted to five characters in - length. That length derives from the --log-prefix in Netfilter log - messages which must be 29 bytes or less in length. With the - standard Shorewall LOGFORMAT, 11 characters are left for the - chain name; since many chain names are of the form - 2, we have a maximum zone name length of 5. - - Beginning with this release, the maximum length of a zone name is - dependent on the LOGFORMAT (the maximum length may never be less - than 5 but it may be greater than 5). For example, setting - LOGFORMAT="FW:%s:%s:" will allow zone names of up to 8 characters. - - As part of this change, /sbin/shorewall[-lite] no longer uses the - LOGFORMAT to select Shorewall messages from log files. Instead, it - uses the regular expression /IN=.* OUT=/ which will match any - netfilter-generated log message. - -3) Netfilter provides support for attaching comments to Netfilter - rules. Comments can be up to 255 bytes in length and are - visible using the "shorewall show ", "shorewall show nat", - "shorewall show mangle" and "shorewall dump" commands. Comments are - delimited by '/* ... */" in the output. 
- - Beginning with Shorewall 3.3.3, you may place COMMENT lines in the - /etc/shorewall/rules, /etc/shorewall/tcrules, /etc/shorewall/nat - and /etc/shorewall/masq files and in action files. The remainder of - the line is treated as a comment and it will be attached as a - Netfilter comment to the rule(s) generated by the following entries - in the file. - - Note: Do not prefix the comment with "#". Shorewall's two-pass - compiler strips off "#" comments in the first pass and processes - COMMENT lines in the second pass. So by the time that COMMENT is - processed, the "#" and everything after it has been removed (see - example below). - - To stop the current comment from being attached to further - rules, simply include COMMENT on a line by itself (so that the - following rules will have no comment) or specify a new COMMENT. - - If you do not have Comment support in your iptables/kernel (see the - output of "shorewall[-lite] show capabilities") then COMMENTS are - ignored with this warning: - - COMMENT ignored -- requires comment support in iptables/Netfilter - - Example from my rules file: - - #SOURCE SOURCE DEST PROTO DEST PORT(S) - - COMMENT Stop Microsoft Noise - - REJECT loc net tcp 137,445 - REJECT loc net udp 137:139 - - COMMENT # Stop comment from being attached to rules below - - The output of "shorewall show loc2net" includes (folded): - - 0 0 reject tcp -- * * 0.0.0.0/0 - 0.0.0.0/0 multiport dports 137,445 /* Stop Microsoft Noise */ - 0 0 reject udp -- * * 0.0.0.0/0 - 0.0.0.0/0 udp dpts:137:139 /* Stop Microsoft Noise */ - -4) A new macro (macro.RDP) has been added for Microsoft Remote - Desktop. This macro was contributed by Tuomo Soini. - -5) A new 'maclog' extension file has been added. This file is - processed just before logging based on the setting of - MACLIST_LOG_LEVEL is done. When invoked, the CHAIN variable will - contain the name of the chain where rules should be inserted. 
- Remember that if you have specified MACLIST_TABLE=mangle, then your - run_iptables commands should include "-t mangle". - -6) The SUBNET column in /etc/shorewall/masq has been renamed SOURCE to - more accurately describe the contents of the column. - -7) Previously, it was not possible to use exclusion in - /etc/shorewall/hosts. Beginning with this release, you may now use - exclusion lists in entries in this file. Exclusion lists are - discussed at: - - http://www.shorewall.net/configuration_file_basics.htm#Exclusion. - - Example: - - loc eth0:192.168.1.0/24!192.168.1.4,192.168.1.16/28 - - In that example, the 'loc' zone is defined to be the subnet - 192.168.1.0/24 interfacing via eth0 *except* for host 192.168.1.4 - and hosts in the sub-network 192.168.1.16/28. - -8) In prior Shorewall versions, multiple jumps to a '2all' chain could - be generated in succession. - - Example from an earlier shorewall version: - - gateway:~ # shorewall-lite show eth2_fwd - Shorewall Lite 3.3.2 Chains eth2_fwd at gateway - Thu Oct 19 08:54:37 PDT 2006 - - Counters reset Thu Oct 19 08:34:47 PDT 2006 - - Chain eth2_fwd (1 references) - pkts bytes target prot opt in out source destination - 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW - 0 0 wifi2all all -- * eth0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none - 0 0 wifi2all all -- * br0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none - 0 0 wifi2all all -- * eth3 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none - 0 0 wifi2all all -- * tun+ 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none - gateway:~ # - - This redundancy has been eliminated: - - gateway:~ # shorewall-lite show eth2_fwd - Shorewall Lite 3.3.3 Chains eth2_fwd at gateway - Thu Oct 19 09:15:24 PDT 2006 - - Counters reset Thu Oct 19 09:15:19 PDT 2006 - - Chain eth2_fwd (1 references) - pkts bytes target prot opt in out source destination - 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW - 0 0 wifi2all all -- * * 0.0.0.0/0 0.0.0.0/0 - 
gateway:~ # - Migration Considerations: 1) Shorewall supports the notion of "default actions". A default 
@@ -378,3 +243,110 @@ New Features: than 5 but it may be greater than 5). For example, setting LOGFORMAT="FW:%s:%s:" will allow zone names of up to 8 characters. +6) Netfilter provides support for attaching comments to Netfilter + rules. Comments can be up to 255 bytes in length and are + visible using the "shorewall show ", "shorewall show nat", + "shorewall show mangle" and "shorewall dump" commands. Comments are + delimited by '/* ... */" in the output. + + Beginning with Shorewall 3.3.3, you may place COMMENT lines in the + /etc/shorewall/rules, /etc/shorewall/tcrules, /etc/shorewall/nat + and /etc/shorewall/masq files and in action files. The remainder of + the line is treated as a comment and it will be attached as a + Netfilter comment to the rule(s) generated by the following entries + in the file. + + Note: Do not prefix the comment with "#". Shorewall's two-pass + compiler strips off "#" comments in the first pass and processes + COMMENT lines in the second pass. So by the time that COMMENT is + processed, the "#" and everything after it has been removed (see + example below). + + To stop the current comment from being attached to further + rules, simply include COMMENT on a line by itself (so that the + following rules will have no comment) or specify a new COMMENT. 
+ + If you do not have Comment support in your iptables/kernel (see the + output of "shorewall[-lite] show capabilities") then COMMENTS are + ignored with this warning: + + COMMENT ignored -- requires comment support in iptables/Netfilter + + Example from my rules file: + + #SOURCE SOURCE DEST PROTO DEST PORT(S) + + COMMENT Stop Microsoft Noise + + REJECT loc net tcp 137,445 + REJECT loc net udp 137:139 + + COMMENT # Stop comment from being attached to rules below + + The output of "shorewall show loc2net" includes (folded): + + 0 0 reject tcp -- * * 0.0.0.0/0 + 0.0.0.0/0 multiport dports 137,445 /* Stop Microsoft Noise */ + 0 0 reject udp -- * * 0.0.0.0/0 + 0.0.0.0/0 udp dpts:137:139 /* Stop Microsoft Noise */ + +7) A new macro (macro.RDP) has been added for Microsoft Remote + Desktop. This macro was contributed by Tuomo Soini. + +8) A new 'maclog' extension file has been added. This file is + processed just before logging based on the setting of + MACLIST_LOG_LEVEL is done. When invoked, the CHAIN variable will + contain the name of the chain where rules should be inserted. + Remember that if you have specified MACLIST_TABLE=mangle, then your + run_iptables commands should include "-t mangle". + +9) The SUBNET column in /etc/shorewall/masq has been renamed SOURCE to + more accurately describe the contents of the column. + +10) Previously, it was not possible to use exclusion in + /etc/shorewall/hosts. Beginning with this release, you may now use + exclusion lists in entries in this file. Exclusion lists are + discussed at: + + http://www.shorewall.net/configuration_file_basics.htm#Exclusion. + + Example: + + loc eth0:192.168.1.0/24!192.168.1.4,192.168.1.16/28 + + In that example, the 'loc' zone is defined to be the subnet + 192.168.1.0/24 interfacing via eth0 *except* for host 192.168.1.4 + and hosts in the sub-network 192.168.1.16/28. + +11) In prior Shorewall versions, multiple jumps to a '2all' chain could + be generated in succession. 
+ + Example from an earlier shorewall version: + + gateway:~ # shorewall-lite show eth2_fwd + Shorewall Lite 3.3.2 Chains eth2_fwd at gateway - Thu Oct 19 08:54:37 PDT 2006 + + Counters reset Thu Oct 19 08:34:47 PDT 2006 + + Chain eth2_fwd (1 references) + pkts bytes target prot opt in out source destination + 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW + 0 0 wifi2all all -- * eth0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none + 0 0 wifi2all all -- * br0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none + 0 0 wifi2all all -- * eth3 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none + 0 0 wifi2all all -- * tun+ 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none + gateway:~ # + + This redundancy has been eliminated: + + gateway:~ # shorewall-lite show eth2_fwd + Shorewall Lite 3.3.3 Chains eth2_fwd at gateway - Thu Oct 19 09:15:24 PDT 2006 + + Counters reset Thu Oct 19 09:15:19 PDT 2006 + + Chain eth2_fwd (1 references) + pkts bytes target prot opt in out source destination + 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW + 0 0 wifi2all all -- * * 0.0.0.0/0 0.0.0.0/0 + gateway:~ # +
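Review bot: in the Shorewall/changelog.txt hunk, "Make exclusion work with "show zones"" is the only change recorded for 3.3.4, yet the compiler hunk in this same patch removes the single-interface short-circuit in activate_rules() for every zone, not just zones that use exclusion. The entry should name the behaviour that actually changed so that someone comparing 3.3.3 and 3.3.4 rule sets can see why a one-interface, non-routeback zone now gets the rules the old `continue` skipped.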
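Review bot: in the Shorewall/compiler hunk, the removed block already exempted zones with exclusions (`-a -z "$exclusions"`), so deleting it changes behaviour for zones without exclusions too: a single-interface, non-routeback zone no longer hits `continue` and now falls through to the rest of the loop body. If the intent is only the "show zones" fix named in the changelog, keep the short-circuit and fix the display path instead; if the intent really is to stop assuming that hosts in a one-interface zone can reach each other directly, that assumption was the documented reason for the skip and its removal belongs in the release notes. Also check whether the retained `num_ifaces=$(list_count1 $ports)` is still read later in activate_rules() now that nothing in this branch tests it; if not, it is dead code.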
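Review bot: in the Shorewall/releasenotes.txt hunk at -31,149, "Problems Corrected in 3.3.4" and "Other Changes in 3.3.4." both read "None.", which contradicts the changelog hunk in this patch that lists "Make exclusion work with "show zones"" as a 3.3.4 change; one of the two files is wrong, and the fix belongs under Problems Corrected. Also drop the trailing period from "Other Changes in 3.3.4." so it matches "Problems Corrected in 3.3.4" and the previous "Other changes in 3.3.3" heading.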
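Review bot: in the Shorewall/releasenotes.txt hunk at +243,110, the text moved into New Features carries over defects worth fixing while it is being touched: in item 6 the rules-file example header reads "#SOURCE SOURCE DEST PROTO DEST PORT(S)" while the entries start with REJECT, so the first column should be ACTION; the delimiter quote `'/* ... */"` opens with a single quote and closes with a double; item 8's "processed just before logging based on the setting of MACLIST_LOG_LEVEL is done" does not parse (suggest "processed just before the logging selected by MACLIST_LOG_LEVEL is done"); and item 10's "Beginning with this release" is ambiguous now that it sits in a section spanning several releases, so write "Beginning with Shorewall 3.3.3" as item 6 already does.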