diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index 3aee04423..59405c08b 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -46,3 +46,5 @@ Changes since 1.4.10
 22) Added DISABLE_IPV6 option.
 23) Allow rate limiting on CONTINUE and REJECT.
+
+24) Move rfc1918 to /usr/share/shorewall
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index c3c0740e9..a4f7fbe23 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -926,7 +926,8 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limi
 eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$(printf "$LOGFORMAT" $chain $rulenum $disposition)"'
 ;;
 *)
- eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix '"$(printf "$LOGFORMAT" $chain $rulenum $disposition)"'
+ eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level \
+ --log-prefix '"$(printf "$LOGFORMAT" $chain $rulenum $disposition)"'
 ;;
 esac
@@ -943,7 +944,8 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limi
 eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$(printf "$LOGFORMAT" $chain $disposition)"'
 ;;
 *)
- eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix '"$(printf "$LOGFORMAT" $chain $disposition)"'
+ eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level \
+ --log-prefix '"$(printf "$LOGFORMAT" $chain $disposition)"'
 ;;
 esac
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 0e7138925..0a4a15d13 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -1,9 +1,16 @@
-Shorewall 2.0.0-Beta2
+Shorewall 2.0.0-Beta3
 ----------------------------------------------------------------------
 Problems Corrected since prior version.
- None - this is the initial release.
+1) A blank USER/GROUP column in /etc/shorewall/tcrules no longer causes
+ a [re]start error.
+
+2) The 'fgrep' utility is no longer required (caused startup problems
+ on LEAF/Bering).
+
+3) The "shorewall add" command no longer inserts rules before checking
+ of the blacklist.
 -----------------------------------------------------------------------
 Issues when migrating from Shorewall 1.4.x to Shorewall 2.0.0:
@@ -27,7 +34,8 @@ Issues when migrating from Shorewall 1.4.x to Shorewall 2.0.0:
 /etc/shorewall/common.def
 /etc/shorewall/common
 /etc/shorewall/icmpdef
- /etc/shorewall/action.template
+ /etc/shorewall/action.template (Moved to /usr/share/shorewall)
+ /etc/shorewall/rfc1918 (Moved to /usr/share/shorewall).
 The /etc/shorewall/action file now allows an action to be designated as the "common" action for a particular policy type by
@@ -132,6 +140,13 @@ Issues when migrating from Shorewall 1.4.x to Shorewall 2.0.0:
 column of /etc/shorewall/rules -- you must use the RATE LIMIT column.
+7) Depending on which method you use to upgrade, if you have your own
+ version of /etc/shorewall/rfc1918, you may have to take special
+ action to restore it after the upgrade. Look for
+ /etc/shorewall/rfc1918*, locate the proper file and rename it back
+ to /etc/shorewall/rfc1918. The contents of that file will supercede
+ the contents of /usr/share/shorewall/rfc1918.
+
 New Features:
 1) The INCLUDE directive now allows absolute file names.
diff --git a/Shorewall2/rules b/Shorewall2/rules
index 54a7e2363..4d9fb1204 100755
--- a/Shorewall2/rules
+++ b/Shorewall2/rules
@@ -54,29 +54,11 @@
 # -- The name of an action defined in
 # /etc/shorewall/actions.
 #
-# You may rate-limit the rule by optionally
-# following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
-#
-# < /[:] >
-#
-# where is the number of connections per
-# ("sec" or "min") and is the
-# largest burst permitted. If no is given,
-# a value of 5 is assumed. There may be no
-# no whitespace embedded in the specification.
-#
-# Example: ACCEPT<10/sec:20>
-#
-# The ACTION (and rate limit) may optionally be followed
+# The ACTION may optionally be followed
 # by ":" and a syslog log level (e.g, REJECT:info or
-# DNAT<4/sec:8>:debugging). This causes the packet to be
+# DNAT:debug). This causes the packet to be
 # logged at the specified level.
 #
-# NOTE: For those of you who prefer to place the
-# rate limit in a separate column, see the RATE LIMIT
-# column below. If you specify a value in that column,
-# you must not include a rate limit in the ACTION column
-#
 # You may also specify ULOG (must be in upper case) as a
 # log level.This will log to the ULOG target for routing
 # to a separate log through use of ulogd
@@ -232,9 +214,6 @@
 #
 # Example: 10/sec:20
 #
-# If you place a rate limit in this column, you may not
-# place a similar limit in the ACTION column.
-#
 # USER/GROUP This column may only be non-empty if the SOURCE is
 # the firewall itself.
 #