Prepare 4.3.10

Tom Eastep 2009-04-19 17:37:36 -07:00
parent 43faa0880a
commit aa4afa6b66
19 changed files with 186 additions and 180 deletions

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=4.3.9
VERSION=4.3.10
usage() # $1 = exit status
{
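Review bot: The VERSION=4.3.9 to VERSION=4.3.10 edit in this hunk is repeated by hand in every install, uninstall and fallback script and every spec file in this commit (19 files). The comment directly above the variable says the script may only be used on "the version shown below", so a single missed file would ship a script that refuses to revert or uninstall the version actually installed; consider having the release packaging stamp these from one VERSION source (the spec's `%define version`, for instance) rather than editing each copy.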

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.3.9
VERSION=4.3.10
usage() # $1 = exit status
{

View File

@ -1,5 +1,5 @@
%define name shorewall-lite
%define version 4.3.9
%define version 4.3.10
%define release 0base
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@ -98,6 +98,8 @@ fi
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Sun Apr 19 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.10-0base
* Sat Apr 11 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.9-0base
* Tue Mar 17 2009 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.3.9
VERSION=4.3.10
usage() # $1 = exit status
{

View File

@ -323,7 +323,7 @@ sub initialize( $ ) {
TC_SCRIPT => '',
EXPORT => 0,
UNTRACKED => 0,
VERSION => "4.3.9",
VERSION => "4.3.10",
CAPVERSION => 40309 ,
);
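Review bot: VERSION moves to "4.3.10" here but CAPVERSION stays at 40309. If no capability detection changed in this release that is intentional (the changelog hunk in this commit records "None." for 4.3.10, which is consistent), but please confirm, since a stale CAPVERSION would let a capabilities file saved from 4.3.9 be accepted unchanged by 4.3.10; a one-line comment next to CAPVERSION noting when it must be bumped would keep future version commits from overlooking it.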

View File

@ -1,3 +1,7 @@
Changes in Shorewall 4.3.10
None.
Changes in Shorewall 4.3.9
1) Logging rules now create separate chain.

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.3.9
VERSION=4.3.10
usage() # $1 = exit status
{

View File

@ -1 +1 @@
There are no known problems in Shorewall version 4.3.9
There are no known problems in Shorewall version 4.3.10

View File

@ -1,4 +1,4 @@
Shorewall 4.3.9
Shorewall 4.3.10
Shorewall 4.3 is the development thread for Shorewall 4.4 which will be
released late in 2009.
@ -56,19 +56,10 @@ released late in 2009.
underlying support in the Linux kernel.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 3 . 9
P R O B L E M S C O R R E C T E D I N 4 . 3 . 10
----------------------------------------------------------------------------
1) If an interface name was specified in a PREROUTING rule (tcrules or
notrack) then an invalid iptables rule would be generated.
2) When a network address appeared in the SOURCE or DEST column of
/etc/shorewall/tcfilters, an incorrect netmask was being generated in
the resulting 'tc' rule.
3) Placing an IP address in the BROADCAST column of
/etc/shorewall/interfaces caused Shorewall-perl to generate an
erroneous 'Invalid BROADCAST address' error.
None.
----------------------------------------------------------------------------
K N O W N P R O B L E M S R E M A I N I N G
@ -77,159 +68,10 @@ released late in 2009.
None.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 3 . 9
N E W F E A T U R E S I N 4 . 3 . 10
----------------------------------------------------------------------------
1) Rules that specify a log level with a target other than LOG or NFLOG
are now implemented through a separate chain. While this may increase
the processing cost slightly for packets that match these rules, it
is expected to reduce the overall cost of such rules because each
packet that doesn't match the rules only has to be processed once
per rule rather than twice.
Example:
/etc/shorewall/rules:
REJECT:info loc net tcp 25
This previously generated these two rules (long rules folded):
-A loc2net -p 6 --dport 25 -j LOG --log-level 6
--log-prefix "Shorewall:loc2net:reject:"
-A loc2net -p 6 --dport 25 -j reject
It now generates these rules:
:log0 - [0:0]
...
-A loc2net -p 6 --dport 25 -g log0
...
-A log0 -j LOG --log-level 6
--log-prefix "Shorewall:loc2net:REJECT:"
-A log0 -p 6 --dport 25 -j reject
Notice that now there is only a single rule generated in the
'loc2net' chain where before there were two. Packets for other than
TCP port 25 had to be processed by both rules.
Notice also that the new LOG rule reflects the original action
("REJECT") rather than what Shorewall maps that to ("reject").
2) Shorewall6 has now been tested on kernel 2.6.24 (Ubuntu Hardy) and
hence will now start successfully when running on that kernel.
3) Three new options (IP, TC and IPSET) have been added to
shorewall.conf and shorwall6.conf. These options specify the name
of the executable for the 'ip', 'tc' and 'ipset' utilities
respectively.
If not specified, the default values are:
IP=ip
TC=tc
IPSET=ipset
In other words, the utilities will be located via the current PATH
setting.
4) There has been a desire in the user community to limit traffic by
IP address using Shorewall traffic shaping. Heretofore, that has
required a very inefficient process:
a) Define a tcclass for each internal host (two, if shaping both in
and out).
b) Define a tcrule for each host to mark to classify the packets
accordingly.
Beginning with Shorewall 4.3.9, this process is made easier IF YOU
ARE WILLING TO INSTALL xtables-addons. The feature requires IPMARK
support in iptables[6] and your kernel. That support is available
in xtables-addons.
The new facility has two components:
a) A new IPMARK MARKing command in /etc/shorewall/tcrules.
b) A new 'occurs' OPTION in /etc/shorewall/tcclasses.
The IPMARK target assigns a mark to each matching packet based on
the either the source or destination IP address. By default, it
assigns a mark value equal to the low-order 8 bits of the source
address.
The syntax is as follows:
IPMARK[([{src|dst}][,[<mask1>][,[<mask2>][,[<shift>]]]])]
Default values are:
src
<mask1> = 0xFF
<mask2> = 0x00
<shift> = 0
'src' and 'dst' specify whether the mark is to be based on the
source or destination address respectively.
The selected address is first LANDed with <mask1> then LORed with
<mask2>.
The result is then shifted <shift> bits to the right.
Example:
IPMARK(dst, 0XFF00, 0x8000,8)
Destination IP address is 192.168.4.3 = 0xc0a80103
0xc0a80403 LAND 0xFF00 = 0x0400
0x0400 LOR 0x80 = 0x8400
0x8400 >> 8 = 0x84
Mark = 0x84 = 132
The 'occurs' option causes the class definition to be replicated
many times. The synax is:
occurs=<number>
When 'occurs' is used:
a) The associated device may not have the 'classify' option.
b) The class may not be the default class.
c) The class may not have any 'tos=' options (including
'tcp-ack').
The 'RATE' and 'CEIL' parameters apply to each instance of the
class. So the total RATE represented by an entry with 'occurs' will
be the listed RATE multiplied by the 'occurs' number.
Example:
#DEVICE MARK RATE CEIL PRIORITY OPTIONS
eth0 100 1kbit 230kbit 4 occurs=32
The above defines 32 classes with MARK values 100-131. Each
class has a guaranteed rate of 1kbit/second.
As part of this change, the generation of class ids from mark
values has been changed. The class number is now
( <devnum> << 10 ) | <mask>
/sbin/shorewall has an 'encode' and 'decode' command to translate a
device number, mark pair to/from a classid:
encode <devnum> <mark>
decode <classnum>
Example:
$ shorewall decode 3172
Device = 3 Mark = 100
$ shorewall encode 3 100
Class number = 3172
$
None.
----------------------------------------------------------------------------
N E W F E A T U R E S IN 4 . 3
@ -493,3 +335,155 @@ None.
equivalent to this single rule:
ACCEPT net fw tcp 25,587 - - s:mail:3/min
13) Rules that specify a log level with a target other than LOG or NFLOG
are now implemented through a separate chain. While this may increase
the processing cost slightly for packets that match these rules, it
is expected to reduce the overall cost of such rules because each
packet that doesn't match the rules only has to be processed once
per rule rather than twice.
Example:
/etc/shorewall/rules:
REJECT:info loc net tcp 25
This previously generated these two rules (long rules folded):
-A loc2net -p 6 --dport 25 -j LOG --log-level 6
--log-prefix "Shorewall:loc2net:reject:"
-A loc2net -p 6 --dport 25 -j reject
It now generates these rules:
:log0 - [0:0]
...
-A loc2net -p 6 --dport 25 -g log0
...
-A log0 -j LOG --log-level 6
--log-prefix "Shorewall:loc2net:REJECT:"
-A log0 -p 6 --dport 25 -j reject
Notice that now there is only a single rule generated in the
'loc2net' chain where before there were two. Packets for other than
TCP port 25 had to be processed by both rules.
Notice also that the new LOG rule reflects the original action
("REJECT") rather than what Shorewall maps that to ("reject").
14) Shorewall6 has now been tested on kernel 2.6.24 (Ubuntu Hardy) and
hence will now start successfully when running on that kernel.
15) Three new options (IP, TC and IPSET) have been added to
shorewall.conf and shorwall6.conf. These options specify the name
of the executable for the 'ip', 'tc' and 'ipset' utilities
respectively.
If not specified, the default values are:
IP=ip
TC=tc
IPSET=ipset
In other words, the utilities will be located via the current PATH
setting.
16) There has been a desire in the user community to limit traffic by
IP address using Shorewall traffic shaping. Heretofore, that has
required a very inefficient process:
a) Define a tcclass for each internal host (two, if shaping both in
and out).
b) Define a tcrule for each host to mark to classify the packets
accordingly.
Beginning with Shorewall 4.3.9, this process is made easier IF YOU
ARE WILLING TO INSTALL xtables-addons. The feature requires IPMARK
support in iptables[6] and your kernel. That support is available
in xtables-addons.
The new facility has two components:
a) A new IPMARK MARKing command in /etc/shorewall/tcrules.
b) A new 'occurs' OPTION in /etc/shorewall/tcclasses.
The IPMARK target assigns a mark to each matching packet based on
the either the source or destination IP address. By default, it
assigns a mark value equal to the low-order 8 bits of the source
address.
The syntax is as follows:
IPMARK[([{src|dst}][,[<mask1>][,[<mask2>][,[<shift>]]]])]
Default values are:
src
<mask1> = 0xFF
<mask2> = 0x00
<shift> = 0
'src' and 'dst' specify whether the mark is to be based on the
source or destination address respectively.
The selected address is first LANDed with <mask1> then LORed with
<mask2>.
The result is then shifted <shift> bits to the right.
Example:
IPMARK(dst, 0XFF00, 0x8000,8)
Destination IP address is 192.168.4.3 = 0xc0a80103
0xc0a80403 LAND 0xFF00 = 0x0400
0x0400 LOR 0x80 = 0x8400
0x8400 >> 8 = 0x84
Mark = 0x84 = 132
The 'occurs' option causes the class definition to be replicated
many times. The synax is:
occurs=<number>
When 'occurs' is used:
a) The associated device may not have the 'classify' option.
b) The class may not be the default class.
c) The class may not have any 'tos=' options (including
'tcp-ack').
The 'RATE' and 'CEIL' parameters apply to each instance of the
class. So the total RATE represented by an entry with 'occurs' will
be the listed RATE multiplied by the 'occurs' number.
Example:
#DEVICE MARK RATE CEIL PRIORITY OPTIONS
eth0 100 1kbit 230kbit 4 occurs=32
The above defines 32 classes with MARK values 100-131. Each
class has a guaranteed rate of 1kbit/second.
As part of this change, the generation of class ids from mark
values has been changed. The class number is now
( <devnum> << 10 ) | <mask>
/sbin/shorewall has an 'encode' and 'decode' command to translate a
device number, mark pair to/from a classid:
encode <devnum> <mark>
decode <classnum>
Example:
$ shorewall decode 3172
Device = 3 Mark = 100
$ shorewall encode 3 100
Class number = 3172
$
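Review bot: This hunk relocates the 4.3.9 feature text into the cumulative 4.3 section, so it is the right place to fix the errors it carries over. In the IPMARK example, "Destination IP address is 192.168.4.3 = 0xc0a80103" should be 0xc0a80403 (the next line already uses 0xc0a80403), and "0x0400 LOR 0x80 = 0x8400" should read "0x0400 LOR 0x8000 = 0x8400", matching the <mask2> of 0x8000 given in `IPMARK(dst, 0XFF00, 0x8000,8)` (0x0400 | 0x80 would be 0x0480). The class-id formula "( <devnum> << 10 ) | <mask>" should say <mark>, as the encode/decode example shows (3 << 10 | 100 = 3172). Minor spelling: "shorwall6.conf", "synax", and "based on the either the source".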

View File

@ -1,5 +1,5 @@
%define name shorewall
%define version 4.3.9
%define version 4.3.10
%define release 0base
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -172,6 +172,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
%changelog
* Sun Apr 19 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.10-0base
* Sat Apr 11 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.9-0base
* Tue Mar 17 2009 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.3.9
VERSION=4.3.10
usage() # $1 = exit status
{

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=4.3.9
VERSION=4.3.10
usage() # $1 = exit status
{

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.3.9
VERSION=4.3.10
usage() # $1 = exit status
{

View File

@ -1,5 +1,5 @@
%define name shorewall6-lite
%define version 4.3.9
%define version 4.3.10
%define release 0base
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
@ -89,6 +89,8 @@ fi
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Sun Apr 19 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.10-0base
* Sat Apr 11 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.9-0base
* Tue Mar 17 2009 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.3.9
VERSION=4.3.10
usage() # $1 = exit status
{

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=4.3.9
VERSION=4.3.10
usage() # $1 = exit status
{

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.3.9
VERSION=4.3.10
usage() # $1 = exit status
{

View File

@ -1,5 +1,5 @@
%define name shorewall6
%define version 4.3.9
%define version 4.3.10
%define release 0base
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
@ -144,6 +144,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
%changelog
* Sun Apr 19 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.10-0base
* Sat Apr 11 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.9-0base
* Tue Mar 17 2009 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.3.9
VERSION=4.3.10
usage() # $1 = exit status
{