diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 5087a9def..12c735349 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -1,3 +1,7 @@ +Changes in Shorewall 4.4.15 + +1) Handle exported VERBOSE. + Changes in Shorewall 4.4.14 1) Support ipset lists. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 7bc73a0e0..057dca30e 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -1,5 +1,6 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 4 . 1 4 + S H O R E W A L L 4 . 4 . 1 5 + B E T A 1 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -13,98 +14,8 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Previously, messages to the STARTUP_LOG had inconsistent date formats. - -2) The blacklisting change in 4.4.13 was broken in some simple - configurations with the effect that blacklisting was not enabled. - -3) Previously, Shorewall6 produced an untidy sequence of error - messages when an attempt was made to start it on a system running a - kernel older than 2.6.24: - - [root@localhost shorewall6]# shorewall6 start - Compiling... - Processing /etc/shorewall6/shorewall6.conf... - Loading Modules... - Compiling /etc/shorewall6/zones... - ... - Shorewall configuration compiled to /var/lib/shorewall6/.start - ERROR: Shorewall6 requires Linux kernel 2.6.24 or later - /usr/share/shorewall6/lib.common: line 73: - [: -lt: unary operator expected - ERROR: Shorewall6 requires Linux kernel 2.6.24 or later - [root@localhost shorewall6]# - - This has been corrected so that a single ERROR message is - generated. - -4) Previously, an ipset name appearing in the /etc/shorewall/hosts - file could be qualified with a list of 'src' and/or 'dst' enclosed - in quotes. This was virtually guaranteed not to work since the set - must match when used to verify both a packet source and a - packet destination. Now, the following error is raised: - - ERROR: ipset name qualification is disallowed in this file - - As part of this change, the ipset name is now verified to begin - with a letter and be composed of letters, digits, underscores ("_") - and hyphens ("-"). - -5) The Shorewall-lite and Shorewall6-lite Debian init scripts contained a - syntax error. 
- -6) If the -v or -q options were used in /sbin/shorewall-lite or - /sbin/shorewall6-lite commands that involve the compiled firewall - script and the resulting effective VERBOSITY was > 2 or < -1, then - the command would fail. - -7) The log reading commands (show log, logwatch, and dump) returned no - log records when run on one of the -lite products. - -8) To avoid future confusion, the following obsolete options have been - deleted from the sample shorewall.conf files: - - BRIDGING - DELAYBLACKLISTLOAD - PKTTYPE - - They will still be recognized by the rules compiler. - -9) All sample .conf files have been changed to specify - - FORWARD_CLEAR_MARK= - - rather than - - FORWARD_CLEAR_MARK=Yes - - That way, systems without MARK support will still be able to - install the sample configurations and FORWARD_CLEAR_MARK will - default to Yes on systems with MARK support. - -10) The install scripts in the tarballs now correctly create init - symlinks on recent Ubuntu releases. - -11) Previously, this entry in the OPTIONS column of - /etc/shorewall/interfaces incorrectly generated a syntax error. - - nets=(1.2.3.0/24) - - The error was: - - ERROR: Invalid VLSM (24)) - -12) Previously, if 10 or more interfaces were configured in Complex - Traffic Shaping (/etc/shorewall/tcdevices), the following - compilation diagnostic was generated: - - Argument "a" isn't numeric in sprintf at - /usr/share/shorewall/Shorewall/Config.pm line 893. - - and an invalid TC configuration was generated. - -13) If the current environment exported the VERBOSITY variable with a - non-zero value, startup would fail. +1) If the variable VERBOSE was exported with a non-zero value then + startup would fail. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -117,48 +28,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Multiple source or destination ipset matches can be generated by - enclosing the ipset list in +[...]. - - Example (/etc/shorewall/rules): - - ACCEPT $FW net:+[dest-ip-map,dest-port-map] - -2) Shorewall now uses the 'conntrack' utility for 'show connections' - if that utility is installed. Going forward, the Netfilter team - will be enhancing this interface rather than the /proc interface. - -3) The CPU time required for optimization has been reduced by 2/3. - -4) An 'scfilter' extension script has been added. This extension - script differs from other such scripts in that it is invoked by the - command line tools (/sbin/shorewall, /sbin/shorewall6, - /sbin/shorewall-lite and /sbin/shorewall6-lite). - - The script acts as a filter for the output of the 'show - connections' command. Each connection is piped through the filter - which can modify and/or drop information as desired. - - Example: - - #!/bin/sh - sed 's/secmark=0 //' - - That script will remove 'secmark=0 ' from each line. - - The default script is: - - #!/bin/sh - cat - - - which passes the output through unmodified. - - If you are using Shorewall-lite and/or Shorewall6-lite, the - scfilter file is kept on the administrative system. The compiler - encapsulates the script into a shell function that is copied - into the generated auxillary configuration file - (firewall.conf). That function is then invoked by the 'show - connections' command. +None. ---------------------------------------------------------------------------- I V. R E L E A S E 4 . 4 H I G H L I G H T S 
@@ -379,6 +249,150 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES ---------------------------------------------------------------------------- V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S I N P R I O R R E L E A S E S +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 4 +---------------------------------------------------------------------------- + +1) Previously, messages to the STARTUP_LOG had inconsistent date formats. + +2) The blacklisting change in 4.4.13 was broken in some simple + configurations with the effect that blacklisting was not enabled. + +3) Previously, Shorewall6 produced an untidy sequence of error + messages when an attempt was made to start it on a system running a + kernel older than 2.6.24: + + [root@localhost shorewall6]# shorewall6 start + Compiling... + Processing /etc/shorewall6/shorewall6.conf... + Loading Modules... + Compiling /etc/shorewall6/zones... + ... + Shorewall configuration compiled to /var/lib/shorewall6/.start + ERROR: Shorewall6 requires Linux kernel 2.6.24 or later + /usr/share/shorewall6/lib.common: line 73: + [: -lt: unary operator expected + ERROR: Shorewall6 requires Linux kernel 2.6.24 or later + [root@localhost shorewall6]# + + This has been corrected so that a single ERROR message is + generated. + +4) Previously, an ipset name appearing in the /etc/shorewall/hosts + file could be qualified with a list of 'src' and/or 'dst' enclosed + in quotes. This was virtually guaranteed not to work since the set + must match when used to verify both a packet source and a + packet destination. Now, the following error is raised: + + ERROR: ipset name qualification is disallowed in this file + + As part of this change, the ipset name is now verified to begin + with a letter and be composed of letters, digits, underscores ("_") + and hyphens ("-"). 
+ +5) The Shorewall-lite and Shorewall6-lite Debian init scripts contained a + syntax error. + +6) If the -v or -q options were used in /sbin/shorewall-lite or + /sbin/shorewall6-lite commands that involve the compiled firewall + script and the resulting effective VERBOSITY was > 2 or < -1, then + the command would fail. + +7) The log reading commands (show log, logwatch, and dump) returned no + log records when run on one of the -lite products. + +8) To avoid future confusion, the following obsolete options have been + deleted from the sample shorewall.conf files: + + BRIDGING + DELAYBLACKLISTLOAD + PKTTYPE + + They will still be recognized by the rules compiler. + +9) All sample .conf files have been changed to specify + + FORWARD_CLEAR_MARK= + + rather than + + FORWARD_CLEAR_MARK=Yes + + That way, systems without MARK support will still be able to + install the sample configurations and FORWARD_CLEAR_MARK will + default to Yes on systems with MARK support. + +10) The install scripts in the tarballs now correctly create init + symlinks on recent Ubuntu releases. + +11) Previously, this entry in the OPTIONS column of + /etc/shorewall/interfaces incorrectly generated a syntax error. + + nets=(1.2.3.0/24) + + The error was: + + ERROR: Invalid VLSM (24)) + +12) Previously, if 10 or more interfaces were configured in Complex + Traffic Shaping (/etc/shorewall/tcdevices), the following + compilation diagnostic was generated: + + Argument "a" isn't numeric in sprintf at + /usr/share/shorewall/Shorewall/Config.pm line 893. + + and an invalid TC configuration was generated. + +13) If the current environment exported the VERBOSITY variable with a + non-zero value, startup would fail. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 4 . 
1 4 +---------------------------------------------------------------------------- + +1) Multiple source or destination ipset matches can be generated by + enclosing the ipset list in +[...]. + + Example (/etc/shorewall/rules): + + ACCEPT $FW net:+[dest-ip-map,dest-port-map] + +2) Shorewall now uses the 'conntrack' utility for 'show connections' + if that utility is installed. Going forward, the Netfilter team + will be enhancing this interface rather than the /proc interface. + +3) The CPU time required for optimization has been reduced by 2/3. + +4) An 'scfilter' extension script has been added. This extension + script differs from other such scripts in that it is invoked by the + command line tools (/sbin/shorewall, /sbin/shorewall6, + /sbin/shorewall-lite and /sbin/shorewall6-lite). + + The script acts as a filter for the output of the 'show + connections' command. Each connection is piped through the filter + which can modify and/or drop information as desired. + + Example: + + #!/bin/sh + sed 's/secmark=0 //' + + That script will remove 'secmark=0 ' from each line. + + The default script is: + + #!/bin/sh + cat - + + which passes the output through unmodified. + + If you are using Shorewall-lite and/or Shorewall6-lite, the + scfilter file is kept on the administrative system. The compiler + encapsulates the script into a shell function that is copied + into the generated auxillary configuration file + (firewall.conf). That function is then invoked by the 'show + connections' command. + ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 3 ----------------------------------------------------------------------------
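Review bot: in the changelog hunk the new 4.4.15 entry ("1) Handle exported VERBOSE.") is hard to tell apart from 4.4.14 item 13 ("If the current environment exported the VERBOSITY variable with a non-zero value, startup would fail"), which this same patch moves into the prior-releases section. Both describe the same symptom and differ only in the variable name, so a reader will assume one is a typo of the other. If VERBOSE and VERBOSITY really are two distinct environment variables that each broke startup, say so explicitly, e.g. "1) Handle exported VERBOSE (4.4.14 handled only exported VERBOSITY)." Also the changelog header says "Changes in Shorewall 4.4.15" while the releasenotes header in the next hunk says "4 . 4 . 1 5 / B E T A 1"; the two files should agree on whether this is a beta.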
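Review bot: the replacement "PROBLEMS CORRECTED IN THIS RELEASE" item ("If the variable VERBOSE was exported with a non-zero value then startup would fail.") does not say which commands fail or what the failure looks like, unlike the 4.4.14 items it replaces (item 3 shows the exact command and the error output, item 6 names the -v/-q options and the affected VERBOSITY range). Since this is the only correction in the release, it is worth adding the command that fails and the message the user sees, and noting whether the -lite products are affected as well, so that an administrator with a failing "shorewall start" can recognise the problem from the notes.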
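Review bot: the last hunk moves the 4.4.14 text verbatim into "PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES", and in doing so carries over the misspelling "auxillary" in new-feature item 4 ("copied into the generated auxillary configuration file (firewall.conf)"); since the lines are being touched anyway, correct it to "auxiliary". The quoted compiler diagnostics ("ERROR: Invalid VLSM (24))", the sprintf warning from Config.pm line 893) should stay exactly as they are, since they reproduce the output users saw.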