diff --git a/Shorewall/install.sh b/Shorewall/install.sh
index c31a3d831..6ef420fa2 100755
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -389,12 +389,18 @@ if [ ! -f ${PREFIX}/etc/shorewall/masq ]; then
 echo "Masquerade file installed as ${PREFIX}/etc/shorewall/masq"
 fi
 #
-# Install the Modules file
+# Install the Modules files
 #
-if [ ! -f ${PREFIX}/etc/shorewall/modules ]; then
- run_install $OWNERSHIP -m 0600 modules ${PREFIX}/etc/shorewall/modules
- echo "Modules file installed as ${PREFIX}/etc/shorewall/modules"
+if [ ! -f ${PREFIX}/usr/share/shorewall/modules ]; then
+ run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall/modules
+ echo "Modules file installed as ${PREFIX}/usr/share/shorewall/modules"
 fi
+
+if [ ! -f ${PREFIX}/usr/share/shorewall/xmodules ]; then
+ run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall/xmodules
+ echo "Xmodules file installed as ${PREFIX}/usr/share/shorewall/xmodules"
+fi
+
 #
 # Install the TC Rules file
 #
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 30e27d698..91abae1e1 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -24,6 +24,10 @@ Note to users upgrading from Shorewall 2.x or 3.0 172.16.0.0 - 172.31.255.255 192.168.0.0 - 192.168.255.255 + If you have a file named /etc/shorewall/modules, please remove + it. The default modules file is now located in /usr/share/shorewall/ + (see the "Migration Considerations" below). + Please see the "Migration Considerations" below for additional upgrade information.
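Review bot: The new xmodules block installs the wrong source file: `run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall/xmodules` copies `modules` to the xmodules path, so both installed files end up with identical content; it should read `run_install $OWNERSHIP -m 0600 xmodules ${PREFIX}/usr/share/shorewall/xmodules`. The mode also disagrees with shorewall.spec in this same commit, which lists both /usr/share/shorewall/modules and /usr/share/shorewall/xmodules as `%attr(0644,root,root)`; one side should change so tarball and rpm installs match. Because these are now default files under /usr/share rather than user configuration under /etc, the `if [ ! -f ... ]` guards mean an upgrade keeps a stale copy in place, which is presumably unintended since nothing in this hunk refreshes them. The release notes in this commit also tell users to run `cp -f /usr/share/shorewall/xmodules /etc/modules`, which looks like it should target /etc/shorewall/modules.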
@@ -47,6 +51,21 @@ Other changes in 3.2.0 Beta 8 "all+-" means "All zones except the firewall" and intra-zone traffic is included. +2) Kernel version 2.6.16 introduces 'xtables', a new common packet + filtering and connection tracking facility that supports both IPv4 + and IPv6. Because a different set of kernel modules must be loaded + for xtables, Shorewall now includes two 'modules' files: + + a) /usr/share/shorewall/modules -- the former + /etc/shorewall/modules + + b) /usr/share/shorewall/xmodules -- a new file that support + xtables. + + If you wish to use the new file, then simply execute this command: + + cp -f /usr/share/shorewall/xmodules /etc/modules + Migration Considerations: 1) If you are upgrading from Shorewall 2.x, it is essential that you read @@ -147,6 +166,21 @@ Migration Considerations: b) When HIGH_ROUTE_MARKS=Yes, you can still clear the mark on packets in the PREROUTING chain (i.e., you can specify a mark value of zero). +7) Kernel version 2.6.16 introduces 'xtables', a new common packet + filtering and connection tracking facility that supports both IPv4 + and IPv6. Because a different set of kernel modules must be loaded + for xtables, Shorewall now includes two 'modules' files: + + a) /usr/share/shorewall/modules -- the former + /etc/shorewall/modules + + b) /usr/share/shorewall/xmodules -- a new file that support + xtables. + + If you wish to use the new file, then simply execute this command: + + cp -f /usr/share/shorewall/xmodules /etc/modules + New Features: 1) Shorewall has always been very noisy (lots of messages). No longer. 
@@ -395,6 +429,21 @@ New Features: As part of this change, Shorewall no longer adds the "--syn" option to TCP rules that specify QUEUE as their target. +2) Kernel version 2.6.16 introduces 'xtables', a new common packet + filtering and connection tracking facility that supports both IPv4 + and IPv6. Because a different set of kernel modules must be loaded + for xtables, Shorewall now includes two 'modules' files: + + a) /usr/share/shorewall/modules -- the former + /etc/shorewall/modules + + b) /usr/share/shorewall/xmodules -- a new file that support + xtables. + + If you wish to use the new file, then simply execute this command: + + cp -f /usr/share/shorewall/xmodules /etc/modules + 6) /sbin/shorewall now supports a "-t" option that causes all progress messages to be timestamped.
diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec
index 2deaceb76..b9ffecd59 100644
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -80,7 +80,6 @@ fi
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/routestopped
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/maclist
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/masq
-%attr(0600,root,root) %config(noreplace) /etc/shorewall/modules
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/tcrules
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/tos
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/tunnels
@@ -166,6 +165,7 @@ fi
 %attr(0644,root,root) /usr/share/shorewall/macro.Web
 %attr(0644,root,root) /usr/share/shorewall/macro.Webmin
 %attr(0644,root,root) /usr/share/shorewall/macro.Whois
+%attr(0644,root,root) /usr/share/shorewall/modules
 %attr(0644,root,root) /usr/share/shorewall/prog.footer
 %attr(0644,root,root) /usr/share/shorewall/prog.header
 %attr(0644,root,root) /usr/share/shorewall/prog.footer.debian
@@ -176,6 +176,7 @@ fi
 %attr(0644,root,root) /usr/share/shorewall/prog.header.suse
 %attr(0644,root,root) /usr/share/shorewall/rfc1918
 %attr(0644,root,root) /usr/share/shorewall/configpath
+%attr(0644,root,root) /usr/share/shorewall/xmodules
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
diff --git a/Shorewall/xmodules b/Shorewall/xmodules
new file mode 100644
index 000000000..04509cdc2
--- /dev/null
+++ b/Shorewall/xmodules
@@ -0,0 +1,118 @@
+#
+# Shorewall version 3.2 - xtables Modules File
+#
+# /etc/shorewall/xmodules
+#
+# This file loads the modules needed by the firewall on 2.6.16 and later
+# kernels.
+#
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
+#
+# For additional information, see
+# http://shorewall.net/Documentation.htm#modules
+#
+###############################################################################
+#
+# Essential Modules
+#
+loadmodule nfnetlink
+loadmodule x_tables
+loadmodule ip_tables
+loadmodule iptable_filter
+loadmodule iptable_mangle
+loadmodule ip_conntrack
+loadmodule iptable_nat
+loadmodule xt_state
+loadmodule xt_tcpudp
+#
+# Other xtables modules
+#
+loadmodule xt_CLASSIFY
+loadmodule xt_connmark
+loadmodule xt_CONNMARK
+loadmodule xt_conntrack
+loadmodule xt_dccp
+loadmodule xt_helper
+loadmodule xt_length
+loadmodule xt_limit
+loadmodule xt_mac
+loadmodule xt_mark
+loadmodule xt_MARK
+loadmodule xt_NFQUEUE
+loadmodule xt_physdev
+loadmodule xt_pkttype
+loadmodule xt_tcpmss
+#
+# Helpers
+#
+loadmodule ip_conntrack_ftp
+loadmodule ip_conntrack_tftp
+loadmodule ip_conntrack_irc
+loadmodule iptable_nat
+loadmodule ip_nat_ftp
+loadmodule ip_nat_tftp
+loadmodule ip_nat_irc
+loadmodule ip_set
+loadmodule ip_set_iphash
+loadmodule ip_set_ipmap
+loadmodule ip_set_macipmap
+loadmodule ip_set_portmap
+#
+# Traffic Shaping
+#
+loadmodule sch_sfq
+loadmodule sch_ingress
+loadmodule sch_htb
+loadmodule cls_u32
+#
+# Extensions
+#
+loadmodule ipt_addrtype
+loadmodule ipt_ah
+loadmodule ipt_CLASSIFY
+loadmodule ipt_CLUSTERIP
+loadmodule ipt_comment
+loadmodule ipt_connmark
+loadmodule ipt_CONNMARK
+loadmodule ipt_conntrack
+loadmodule ipt_dscp
+loadmodule ipt_DSCP
+loadmodule ipt_ecn
+loadmodule ipt_ECN
+loadmodule ipt_esp
+loadmodule ipt_hashlimit
+loadmodule ipt_helper
+loadmodule ipt_ipp2p
+loadmodule ipt_iprange
+loadmodule ipt_length
+loadmodule ipt_limit
+loadmodule ipt_LOG
+loadmodule ipt_mac
+loadmodule ipt_mark
+loadmodule ipt_MARK
+loadmodule ipt_MASQUERADE
+loadmodule ipt_multiport
+loadmodule ipt_NETMAP
+loadmodule ipt_NOTRACK
+loadmodule ipt_owner
+loadmodule ipt_physdev
+loadmodule ipt_pkttype
+loadmodule ipt_policy
+loadmodule ipt_realm
+loadmodule ipt_recent
+loadmodule ipt_REDIRECT
+loadmodule ipt_REJECT
+loadmodule ipt_SAME
+loadmodule ipt_sctp
+loadmodule ipt_set
+loadmodule ipt_state
+loadmodule ipt_tcpmss
+loadmodule ipt_TCPMSS
+loadmodule ipt_tos
+loadmodule ipt_TOS
+loadmodule ipt_ttl
+loadmodule ipt_TTL
+loadmodule ipt_ULOG
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
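Review bot: The header comment names the file as `# /etc/shorewall/xmodules`, but install.sh in this same commit places it at /usr/share/shorewall/xmodules, so the comment should read `# /usr/share/shorewall/xmodules`. `loadmodule iptable_nat` is listed twice, once under Essential Modules and again under Helpers; the second copy is redundant and can be dropped. The Extensions section repeats most of the xt_* matches and targets in their ipt_* spelling (ipt_CLASSIFY, ipt_connmark, ipt_mark, ipt_physdev and others); if that is deliberate cover for kernels where only one of the two names exists, a one-line comment such as `# ipt_* duplicates of the xt_* modules above are kept for kernels that still use the old names` would stop readers from "fixing" it, since whether loadmodule tolerates a missing module is not visible in this hunk.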