mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-18 19:48:19 +01:00
17a7a0492d
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@634 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
113 lines
4.3 KiB
Plaintext
Executable File
This is a minor release of Shorewall.

Problems Corrected:

1) A problem seen on RH7.3 systems where Shorewall encountered start
   errors when started using the "service" mechanism has been worked
   around.

2) Where a list of IP addresses appears in the DEST column of a DNAT[-]
   rule, Shorewall incorrectly created multiple DNAT rules in the nat
   table (one for each element in the list). Shorewall now correctly
   creates a single DNAT rule with multiple "--to-destination" clauses.

New Features:

1) A 'newnotsyn' interface option has been added. This option may be
   specified in /etc/shorewall/interfaces and overrides the setting
   NEWNOTSYN=No for packets arriving on the associated interface. With
   NEWNOTSYN=No, TCP packets that are not SYN but that netfilter
   classifies as NEW are dropped; the option exempts packets arriving
   on the named interface from that drop, so it should be enabled only
   on interfaces where such packets are legitimately expected.

2) The means for specifying a range of IP addresses in
   /etc/shorewall/masq to use for SNAT is now documented.
   ADD_SNAT_ALIASES=Yes is supported for such address ranges.

3) Shorewall can now add IP addresses to subnets other than the first
   one on an interface.

4) DNAT[-] rules may now be used to load balance (round-robin) over a
   set of servers. Up to 256 servers may be specified in a range of
   addresses given as <first address>-<last address>.

   Example:

      DNAT    net    loc:192.168.10.2-192.168.10.5    tcp    80

   Note that this capability has previously been available using a
   combination of a DNAT- rule and one or more ACCEPT rules. That
   technique is still preferable for load-balancing over a large number
   of servers (> 16) since specifying a range in the DNAT rule causes
   one filter table ACCEPT rule to be generated for each IP address in
   the range.

5) The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
   have been removed and have been replaced by code that detects
   whether these capabilities are present in the current kernel. The
   output of the start, restart and check commands has been enhanced
   to report the outcome:

      Shorewall has detected the following iptables/netfilter capabilities:
         NAT: Available
         Packet Mangling: Available
         Multi-port Match: Available
      Verifying Configuration...

6) Support for the Connection Tracking Match Extension has been
   added. This extension is available in recent kernel/iptables
   releases and allows rules that match against elements in
   netfilter's connection tracking table.

   Shorewall automatically detects the availability of this extension
   and reports its availability in the output of the start, restart and
   check commands.

      Shorewall has detected the following iptables/netfilter capabilities:
         NAT: Available
         Packet Mangling: Available
         Multi-port Match: Available
         Connection Tracking Match: Available
      Verifying Configuration...

   If this extension is available, the ruleset generated by Shorewall
   is changed in the following ways:

   a) To handle 'norfc1918' filtering, Shorewall will not create chains
      in the mangle table but will rather do all 'norfc1918' filtering in
      the filter table (rfc1918 chain).

   b) Recall that Shorewall DNAT rules generate two netfilter rules;
      one in the nat table and one in the filter table. If the Connection
      Tracking Match Extension is available, the rule in the filter table
      is extended to check that the original destination address was the
      same as specified (or defaulted to) in the DNAT rule, so that the
      filter rule accepts only connections that the nat rule actually
      translated and not traffic addressed directly to the internal
      server.

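   The following is an added example and not Shorewall's own rule
   generator. It shows, for items 4, 5 and 6 above, a capability probe
   that reports in the same format as the start/restart/check output,
   the iptables commands implied by a DNAT rule over an address range
   (one nat rule, one filter ACCEPT per address, the cost noted under
   item 4), the conntrack-match form of that ACCEPT from item 6 b), and
   the older DNAT- plus ACCEPT technique for comparison. The interface
   eth0, the external address 203.0.113.10, the collapsing of
   Shorewall's zone chains into PREROUTING/FORWARD and the function
   names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not Shorewall's own generator: what a DNAT rule over an
# address range turns into, and how the Connection Tracking Match changes
# the filter-table rule. Names (probe_capability, next_ip, dnat_rules,
# dnat_minus_rules), interface eth0 and address 203.0.113.10 are assumed.

# probe_capability NAME CMD... : run CMD (normally an iptables probe) and
# print a line in the same form as Shorewall's capability report;
# returns 0 when the capability is present.
probe_capability() {
    name=$1; shift
    if "$@" >/dev/null 2>&1; then
        echo "   $name: Available"
        return 0
    fi
    echo "   $name: Not available"
    return 1
}

# next_ip A.B.C.D : the following address, carried one octet at a time so
# that no 32-bit integer is needed (ash/dash arithmetic is signed 32-bit).
next_ip() {
    set -- $(echo "$1" | tr . ' ')
    a=$1 b=$2 c=$3 d=$(($4 + 1))
    if [ "$d" -gt 255 ]; then d=0; c=$((c + 1)); fi
    if [ "$c" -gt 255 ]; then c=0; b=$((b + 1)); fi
    if [ "$b" -gt 255 ]; then b=0; a=$((a + 1)); fi
    echo "$a.$b.$c.$d"
}

# dnat_rules IFACE EXTADDR FIRST-LAST PROTO PORT CTMATCH
# Prints the rules implied by "DNAT net loc:FIRST-LAST PROTO PORT" when the
# net zone is IFACE and EXTADDR is the firewall's address on it. Shorewall's
# zone chains are collapsed to PREROUTING/FORWARD for brevity.
dnat_rules() {
    iface=$1 ext=$2 first=${3%-*} last=${3#*-} proto=$4 port=$5 ctmatch=$6
    # One nat rule: netfilter spreads new connections over the whole range.
    echo "iptables -t nat -A PREROUTING -i $iface -d $ext -p $proto --dport $port -j DNAT --to-destination $first-$last"
    ctopt=""
    if [ "$ctmatch" = yes ]; then
        # With the conntrack match, the ACCEPT fires only for connections
        # whose original destination was EXTADDR, i.e. ones the nat rule
        # actually translated. Packets sent straight to a server's own
        # address keep falling through to the ordinary zone policy.
        ctopt=" -m conntrack --ctorigdst $ext"
    fi
    # One filter ACCEPT per address: this is the cost that makes DNAT- plus
    # ACCEPT rules preferable beyond about 16 servers.
    ip=$first; n=0
    while :; do
        echo "iptables -A FORWARD -i $iface -d $ip -p $proto --dport $port$ctopt -j ACCEPT"
        if [ "$ip" = "$last" ]; then break; fi
        n=$((n + 1))
        if [ "$n" -ge 256 ]; then
            echo "range $first-$last exceeds 256 addresses or is reversed" >&2
            return 1
        fi
        ip=$(next_ip "$ip")
    done
}

# dnat_minus_rules IFACE EXTADDR FIRST-LAST SUBNET PROTO PORT
# The older technique the notes refer to: DNAT- installs only the nat rule,
# and a single ACCEPT for the servers' subnet replaces the per-address rules,
# so the filter table no longer grows with the size of the range.
dnat_minus_rules() {
    iface=$1 ext=$2 range=$3 subnet=$4 proto=$5 port=$6
    echo "iptables -t nat -A PREROUTING -i $iface -d $ext -p $proto --dport $port -j DNAT --to-destination $range"
    echo "iptables -A FORWARD -i $iface -d $subnet -p $proto --dport $port -j ACCEPT"
}

# Demonstration with the rule from the release notes. The probe runs the
# real iptables if it is installed; otherwise the capability is reported
# as not available and the plain ACCEPT rules are printed.
echo "Shorewall has detected the following iptables/netfilter capabilities:"
if probe_capability "Connection Tracking Match" iptables -m conntrack --help; then
    ct=yes
else
    ct=no
fi
dnat_rules eth0 203.0.113.10 192.168.10.2-192.168.10.5 tcp 80 "$ct"
```

   Run as "sh dnat-example.sh" the script prints the rules only; nothing
   is loaded into the kernel. Comparing the output of dnat_rules with
   that of dnat_minus_rules for the same range makes the trade-off in
   item 4 visible: four (or, for a /24, up to 256) ACCEPT rules against
   one, at the price of a broader ACCEPT in the DNAT- variant.
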
7) The shell used to interpret the firewall script
   (/usr/share/shorewall/firewall) may now be specified using the
   SHOREWALL_SHELL parameter in shorewall.conf.

8) An 'ipcalc' command has been added to /sbin/shorewall.

      ipcalc [ <address> <netmask> | <address>/<vlsm> ]

   Examples:

      [root@wookie root]# shorewall ipcalc 192.168.1.0/24
      CIDR=192.168.1.0/24
      NETMASK=255.255.255.0
      NETWORK=192.168.1.0
      BROADCAST=192.168.1.255
      [root@wookie root]#

      [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0
      CIDR=192.168.1.0/24
      NETMASK=255.255.255.0
      NETWORK=192.168.1.0
      BROADCAST=192.168.1.255
      [root@wookie root]#

   Warning:

      If your shell only supports 32-bit signed arithmetic (ash or
      dash), then the ipcalc command produces incorrect information for
      IP addresses 128.0.0.0-1 and for /1 networks. Bash should produce
      correct information for all valid IP addresses.
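
   The following is an added example and not the ipcalc shipped in
   /sbin/shorewall. It performs the same calculation, but one octet at
   a time, so that it stays correct in ash and dash, whose arithmetic is
   signed 32-bit and therefore cannot represent 128.0.0.0 and higher as
   positive numbers, which is the failure the warning above describes.
   It also rejects non-contiguous netmasks and malformed addresses
   instead of producing a plausible-looking result. The function names
   (valid_ip, vlsm_to_mask, mask_to_vlsm, ipcalc) are assumptions.

```sh
#!/bin/sh
# Added example, not Shorewall's ipcalc: the same CIDR/netmask calculation
# done one octet at a time, which keeps it correct in shells whose $((...))
# is 32-bit signed (ash, dash) and therefore cannot hold addresses from
# 128.0.0.0 upward as positive numbers. Function names are hypothetical.

# valid_ip A.B.C.D : returns 0 if the argument is a dotted quad with
# four decimal octets in the range 0-255.
valid_ip() {
    case $1 in *[!0-9.]*|.*|*.|*..*) return 1;; esac
    set -- $(echo "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# vlsm_to_mask 24 -> 255.255.255.0 : each octet takes up to 8 of the
# remaining prefix bits, so no value ever exceeds 255.
vlsm_to_mask() {
    bits=$1; mask=""
    for i in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then n=8; elif [ "$bits" -gt 0 ]; then n=$bits; else n=0; fi
        mask="$mask${mask:+.}$(( (255 << (8 - n)) & 255 ))"
        bits=$((bits - n))
    done
    echo "$mask"
}

# mask_to_vlsm 255.255.255.0 -> 24 ; returns 1 for a non-contiguous mask
# such as 255.0.255.0, which must be rejected rather than guessed at.
mask_to_vlsm() {
    vlsm=0; partial=0
    for o in $(echo "$1" | tr . ' '); do
        case $o in
            255) n=8;; 254) n=7;; 252) n=6;; 248) n=5;; 240) n=4;;
            224) n=3;; 192) n=2;; 128) n=1;; 0) n=0;; *) return 1;;
        esac
        # once an octet is not all-ones, every later octet must be zero
        if [ "$partial" -eq 1 ] && [ "$n" -ne 0 ]; then return 1; fi
        if [ "$n" -ne 8 ]; then partial=1; fi
        vlsm=$((vlsm + n))
    done
    echo "$vlsm"
}

# ipcalc <address>/<vlsm>  or  ipcalc <address> <netmask>
# Prints the same four lines as "shorewall ipcalc".
ipcalc() {
    case $# in
        1) case $1 in */*) ;; *) echo "ipcalc: expected <address>/<vlsm>" >&2; return 1;; esac
           addr=${1%/*}; vlsm=${1#*/}
           case $vlsm in ''|*[!0-9]*) echo "ipcalc: bad vlsm '$vlsm'" >&2; return 1;; esac
           [ "$vlsm" -le 32 ] || { echo "ipcalc: vlsm $vlsm exceeds 32" >&2; return 1; }
           mask=$(vlsm_to_mask "$vlsm") ;;
        2) addr=$1; mask=$2
           valid_ip "$mask" || { echo "ipcalc: bad netmask '$mask'" >&2; return 1; }
           vlsm=$(mask_to_vlsm "$mask") || { echo "ipcalc: non-contiguous netmask '$mask'" >&2; return 1; } ;;
        *) echo "usage: ipcalc [ <address> <netmask> | <address>/<vlsm> ]" >&2; return 1 ;;
    esac
    valid_ip "$addr" || { echo "ipcalc: bad address '$addr'" >&2; return 1; }
    set -- $(echo "$addr.$mask" | tr . ' ')
    # $1-$4 are the address octets, $5-$8 the mask octets: AND gives the
    # network address, OR with the inverted mask gives the broadcast.
    echo "CIDR=$addr/$vlsm"
    echo "NETMASK=$mask"
    echo "NETWORK=$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
    echo "BROADCAST=$(($1 | ($5 ^ 255))).$(($2 | ($6 ^ 255))).$(($3 | ($7 ^ 255))).$(($4 | ($8 ^ 255)))"
}

# Run directly, e.g.: sh ipcalc.sh 128.0.0.0/1
if [ $# -gt 0 ]; then ipcalc "$@"; fi
```

   "sh ipcalc.sh 128.0.0.0/1" prints NETWORK=128.0.0.0 and
   BROADCAST=255.255.255.255 under dash as well as bash, which is the
   case the warning says the shipped command gets wrong in a 32-bit
   signed shell.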