forked from extern/shorewall_code
Prepare 4.3.10
This commit is contained in:
parent
43faa0880a
commit
aa4afa6b66
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=4.3.9
|
||||
VERSION=4.3.10
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.3.9
|
||||
VERSION=4.3.10
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define name shorewall-lite
|
||||
%define version 4.3.9
|
||||
%define version 4.3.10
|
||||
%define release 0base
|
||||
|
||||
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
|
||||
@ -98,6 +98,8 @@ fi
|
||||
%doc COPYING changelog.txt releasenotes.txt
|
||||
|
||||
%changelog
|
||||
* Sun Apr 19 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.3.10-0base
|
||||
* Sat Apr 11 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.3.9-0base
|
||||
* Tue Mar 17 2009 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.3.9
|
||||
VERSION=4.3.10
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -323,7 +323,7 @@ sub initialize( $ ) {
|
||||
TC_SCRIPT => '',
|
||||
EXPORT => 0,
|
||||
UNTRACKED => 0,
|
||||
VERSION => "4.3.9",
|
||||
VERSION => "4.3.10",
|
||||
CAPVERSION => 40309 ,
|
||||
);
|
||||
|
||||
|
@ -1,3 +1,7 @@
|
||||
Changes in Shorewall 4.3.10
|
||||
|
||||
None.
|
||||
|
||||
Changes in Shorewall 4.3.9
|
||||
|
||||
1) Logging rules now create separate chain.
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.3.9
|
||||
VERSION=4.3.10
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1 +1 @@
|
||||
There are no known problems in Shorewall version 4.3.9
|
||||
There are no known problems in Shorewall version 4.3.10
|
||||
|
@ -1,4 +1,4 @@
|
||||
Shorewall 4.3.9
|
||||
Shorewall 4.3.10
|
||||
|
||||
Shorewall 4.3 is the development thread for Shorewall 4.4 which will be
|
||||
released late in 2009.
|
||||
@ -56,19 +56,10 @@ released late in 2009.
|
||||
underlying support in the Linux kernel.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
P R O B L E M S C O R R E C T E D I N 4 . 3 . 9
|
||||
P R O B L E M S C O R R E C T E D I N 4 . 3 . 10
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
1) If an interface name was specified in a PREROUTING rule (tcrules or
|
||||
notrack) then an invalid iptables rule would be generated.
|
||||
|
||||
2) When a network address appeared in the SOURCE or DEST column of
|
||||
/etc/shorewall/tcfilters, an incorrect netmask was being generated in
|
||||
the resulting 'tc' rule.
|
||||
|
||||
3) Placing an IP address in the BROADCAST column of
|
||||
/etc/shorewall/interfaces caused Shorewall-perl to generate an
|
||||
erroneous 'Invalid BROADCAST address' error.
|
||||
None.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
K N O W N P R O B L E M S R E M A I N I N G
|
||||
@ -77,159 +68,10 @@ released late in 2009.
|
||||
None.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
N E W F E A T U R E S I N 4 . 3 . 9
|
||||
N E W F E A T U R E S I N 4 . 3 . 10
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
1) Rules that specify a log level with a target other than LOG or NFLOG
|
||||
are now implemented through a separate chain. While this may increase
|
||||
the processing cost slightly for packets that match these rules, it
|
||||
is expected to reduce the overall cost of such rules because each
|
||||
packet that doesn't match the rules only has to be processed once
|
||||
per rule rather than twice.
|
||||
|
||||
Example:
|
||||
|
||||
/etc/shorewall/rules:
|
||||
|
||||
REJECT:info loc net tcp 25
|
||||
|
||||
This previously generated these two rules (long rules folded):
|
||||
|
||||
-A loc2net -p 6 --dport 25 -j LOG --log-level 6
|
||||
--log-prefix "Shorewall:loc2net:reject:"
|
||||
-A loc2net -p 6 --dport 25 -j reject
|
||||
|
||||
It now generates these rules:
|
||||
|
||||
:log0 - [0:0]
|
||||
...
|
||||
-A loc2net -p 6 --dport 25 -g log0
|
||||
...
|
||||
-A log0 -j LOG --log-level 6
|
||||
--log-prefix "Shorewall:loc2net:REJECT:"
|
||||
-A log0 -p 6 --dport 25 -j reject
|
||||
|
||||
Notice that now there is only a single rule generated in the
|
||||
'loc2net' chain where before there were two. Packets for other than
|
||||
TCP port 25 had to be processed by both rules.
|
||||
|
||||
Notice also that the new LOG rule reflects the original action
|
||||
("REJECT") rather than what Shorewall maps that to ("reject").
|
||||
|
||||
2) Shorewall6 has now been tested on kernel 2.6.24 (Ubuntu Hardy) and
|
||||
hence will now start successfully when running on that kernel.
|
||||
|
||||
3) Three new options (IP, TC and IPSET) have been added to
|
||||
shorewall.conf and shorwall6.conf. These options specify the name
|
||||
of the executable for the 'ip', 'tc' and 'ipset' utilities
|
||||
respectively.
|
||||
|
||||
If not specified, the default values are:
|
||||
|
||||
IP=ip
|
||||
TC=tc
|
||||
IPSET=ipset
|
||||
|
||||
In other words, the utilities will be located via the current PATH
|
||||
setting.
|
||||
|
||||
4) There has been a desire in the user community to limit traffic by
|
||||
IP address using Shorewall traffic shaping. Heretofore, that has
|
||||
required a very inefficient process:
|
||||
|
||||
a) Define a tcclass for each internal host (two, if shaping both in
|
||||
and out).
|
||||
b) Define a tcrule for each host to mark to classify the packets
|
||||
accordingly.
|
||||
|
||||
Beginning with Shorewall 4.3.9, this process is made easier IF YOU
|
||||
ARE WILLING TO INSTALL xtables-addons. The feature requires IPMARK
|
||||
support in iptables[6] and your kernel. That support is available
|
||||
in xtables-addons.
|
||||
|
||||
The new facility has two components:
|
||||
|
||||
a) A new IPMARK MARKing command in /etc/shorewall/tcrules.
|
||||
b) A new 'occurs' OPTION in /etc/shorewall/tcclasses.
|
||||
|
||||
The IPMARK target assigns a mark to each matching packet based on
|
||||
the either the source or destination IP address. By default, it
|
||||
assigns a mark value equal to the low-order 8 bits of the source
|
||||
address.
|
||||
|
||||
The syntax is as follows:
|
||||
|
||||
IPMARK[([{src|dst}][,[<mask1>][,[<mask2>][,[<shift>]]]])]
|
||||
|
||||
Default values are:
|
||||
|
||||
src
|
||||
<mask1> = 0xFF
|
||||
<mask2> = 0x00
|
||||
<shift> = 0
|
||||
|
||||
'src' and 'dst' specify whether the mark is to be based on the
|
||||
source or destination address respectively.
|
||||
|
||||
The selected address is first LANDed with <mask1> then LORed with
|
||||
<mask2>.
|
||||
|
||||
The result is then shifted <shift> bits to the right.
|
||||
|
||||
Example:
|
||||
|
||||
IPMARK(dst, 0XFF00, 0x8000,8)
|
||||
|
||||
Destination IP address is 192.168.4.3 = 0xc0a80103
|
||||
|
||||
0xc0a80403 LAND 0xFF00 = 0x0400
|
||||
0x0400 LOR 0x80 = 0x8400
|
||||
0x8400 >> 8 = 0x84
|
||||
|
||||
Mark = 0x84 = 132
|
||||
|
||||
The 'occurs' option causes the class definition to be replicated
|
||||
many times. The synax is:
|
||||
|
||||
occurs=<number>
|
||||
|
||||
When 'occurs' is used:
|
||||
|
||||
a) The associated device may not have the 'classify' option.
|
||||
b) The class may not be the default class.
|
||||
c) The class may not have any 'tos=' options (including
|
||||
'tcp-ack').
|
||||
|
||||
The 'RATE' and 'CEIL' parameters apply to each instance of the
|
||||
class. So the total RATE represented by an entry with 'occurs' will
|
||||
be the listed RATE multiplied by the 'occurs' number.
|
||||
|
||||
Example:
|
||||
|
||||
#DEVICE MARK RATE CEIL PRIORITY OPTIONS
|
||||
eth0 100 1kbit 230kbit 4 occurs=32
|
||||
|
||||
The above defines 32 classes with MARK values 100-131. Each
|
||||
class has a guaranteed rate of 1kbit/second.
|
||||
|
||||
As part of this change, the generation of class ids from mark
|
||||
values has been changed. The class number is now
|
||||
|
||||
( <devnum> << 10 ) | <mask>
|
||||
|
||||
/sbin/shorewall has an 'encode' and 'decode' command to translate a
|
||||
device number, mark pair to/from a classid:
|
||||
|
||||
encode <devnum> <mark>
|
||||
decode <classnum>
|
||||
|
||||
Example:
|
||||
|
||||
$ shorewall decode 3172
|
||||
Device = 3 Mark = 100
|
||||
$ shorewall encode 3 100
|
||||
Class number = 3172
|
||||
$
|
||||
None.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
N E W F E A T U R E S IN 4 . 3
|
||||
@ -493,3 +335,155 @@ None.
|
||||
equivalent to this single rule:
|
||||
|
||||
ACCEPT net fw tcp 25,587 - - s:mail:3/min
|
||||
|
||||
13) Rules that specify a log level with a target other than LOG or NFLOG
|
||||
are now implemented through a separate chain. While this may increase
|
||||
the processing cost slightly for packets that match these rules, it
|
||||
is expected to reduce the overall cost of such rules because each
|
||||
packet that doesn't match the rules only has to be processed once
|
||||
per rule rather than twice.
|
||||
|
||||
Example:
|
||||
|
||||
/etc/shorewall/rules:
|
||||
|
||||
REJECT:info loc net tcp 25
|
||||
|
||||
This previously generated these two rules (long rules folded):
|
||||
|
||||
-A loc2net -p 6 --dport 25 -j LOG --log-level 6
|
||||
--log-prefix "Shorewall:loc2net:reject:"
|
||||
-A loc2net -p 6 --dport 25 -j reject
|
||||
|
||||
It now generates these rules:
|
||||
|
||||
:log0 - [0:0]
|
||||
...
|
||||
-A loc2net -p 6 --dport 25 -g log0
|
||||
...
|
||||
-A log0 -j LOG --log-level 6
|
||||
--log-prefix "Shorewall:loc2net:REJECT:"
|
||||
-A log0 -p 6 --dport 25 -j reject
|
||||
|
||||
Notice that now there is only a single rule generated in the
|
||||
'loc2net' chain where before there were two. Packets for other than
|
||||
TCP port 25 had to be processed by both rules.
|
||||
|
||||
Notice also that the new LOG rule reflects the original action
|
||||
("REJECT") rather than what Shorewall maps that to ("reject").
|
||||
|
||||
14) Shorewall6 has now been tested on kernel 2.6.24 (Ubuntu Hardy) and
|
||||
hence will now start successfully when running on that kernel.
|
||||
|
||||
15) Three new options (IP, TC and IPSET) have been added to
|
||||
shorewall.conf and shorwall6.conf. These options specify the name
|
||||
of the executable for the 'ip', 'tc' and 'ipset' utilities
|
||||
respectively.
|
||||
|
||||
If not specified, the default values are:
|
||||
|
||||
IP=ip
|
||||
TC=tc
|
||||
IPSET=ipset
|
||||
|
||||
In other words, the utilities will be located via the current PATH
|
||||
setting.
|
||||
|
||||
16) There has been a desire in the user community to limit traffic by
|
||||
IP address using Shorewall traffic shaping. Heretofore, that has
|
||||
required a very inefficient process:
|
||||
|
||||
a) Define a tcclass for each internal host (two, if shaping both in
|
||||
and out).
|
||||
b) Define a tcrule for each host to mark to classify the packets
|
||||
accordingly.
|
||||
|
||||
Beginning with Shorewall 4.3.9, this process is made easier IF YOU
|
||||
ARE WILLING TO INSTALL xtables-addons. The feature requires IPMARK
|
||||
support in iptables[6] and your kernel. That support is available
|
||||
in xtables-addons.
|
||||
|
||||
The new facility has two components:
|
||||
|
||||
a) A new IPMARK MARKing command in /etc/shorewall/tcrules.
|
||||
b) A new 'occurs' OPTION in /etc/shorewall/tcclasses.
|
||||
|
||||
The IPMARK target assigns a mark to each matching packet based on
|
||||
the either the source or destination IP address. By default, it
|
||||
assigns a mark value equal to the low-order 8 bits of the source
|
||||
address.
|
||||
|
||||
The syntax is as follows:
|
||||
|
||||
IPMARK[([{src|dst}][,[<mask1>][,[<mask2>][,[<shift>]]]])]
|
||||
|
||||
Default values are:
|
||||
|
||||
src
|
||||
<mask1> = 0xFF
|
||||
<mask2> = 0x00
|
||||
<shift> = 0
|
||||
|
||||
'src' and 'dst' specify whether the mark is to be based on the
|
||||
source or destination address respectively.
|
||||
|
||||
The selected address is first LANDed with <mask1> then LORed with
|
||||
<mask2>.
|
||||
|
||||
The result is then shifted <shift> bits to the right.
|
||||
|
||||
Example:
|
||||
|
||||
IPMARK(dst, 0XFF00, 0x8000,8)
|
||||
|
||||
Destination IP address is 192.168.4.3 = 0xc0a80103
|
||||
|
||||
0xc0a80403 LAND 0xFF00 = 0x0400
|
||||
0x0400 LOR 0x80 = 0x8400
|
||||
0x8400 >> 8 = 0x84
|
||||
|
||||
Mark = 0x84 = 132
|
||||
|
||||
The 'occurs' option causes the class definition to be replicated
|
||||
many times. The synax is:
|
||||
|
||||
occurs=<number>
|
||||
|
||||
When 'occurs' is used:
|
||||
|
||||
a) The associated device may not have the 'classify' option.
|
||||
b) The class may not be the default class.
|
||||
c) The class may not have any 'tos=' options (including
|
||||
'tcp-ack').
|
||||
|
||||
The 'RATE' and 'CEIL' parameters apply to each instance of the
|
||||
class. So the total RATE represented by an entry with 'occurs' will
|
||||
be the listed RATE multiplied by the 'occurs' number.
|
||||
|
||||
Example:
|
||||
|
||||
#DEVICE MARK RATE CEIL PRIORITY OPTIONS
|
||||
eth0 100 1kbit 230kbit 4 occurs=32
|
||||
|
||||
The above defines 32 classes with MARK values 100-131. Each
|
||||
class has a guaranteed rate of 1kbit/second.
|
||||
|
||||
As part of this change, the generation of class ids from mark
|
||||
values has been changed. The class number is now
|
||||
|
||||
( <devnum> << 10 ) | <mask>
|
||||
|
||||
/sbin/shorewall has an 'encode' and 'decode' command to translate a
|
||||
device number, mark pair to/from a classid:
|
||||
|
||||
encode <devnum> <mark>
|
||||
decode <classnum>
|
||||
|
||||
Example:
|
||||
|
||||
$ shorewall decode 3172
|
||||
Device = 3 Mark = 100
|
||||
$ shorewall encode 3 100
|
||||
Class number = 3172
|
||||
$
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define name shorewall
|
||||
%define version 4.3.9
|
||||
%define version 4.3.10
|
||||
%define release 0base
|
||||
|
||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||
@ -172,6 +172,8 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
|
||||
|
||||
%changelog
|
||||
* Sun Apr 19 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.3.10-0base
|
||||
* Sat Apr 11 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.3.9-0base
|
||||
* Tue Mar 17 2009 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.3.9
|
||||
VERSION=4.3.10
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=4.3.9
|
||||
VERSION=4.3.10
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.3.9
|
||||
VERSION=4.3.10
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define name shorewall6-lite
|
||||
%define version 4.3.9
|
||||
%define version 4.3.10
|
||||
%define release 0base
|
||||
|
||||
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
|
||||
@ -89,6 +89,8 @@ fi
|
||||
%doc COPYING changelog.txt releasenotes.txt
|
||||
|
||||
%changelog
|
||||
* Sun Apr 19 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.3.10-0base
|
||||
* Sat Apr 11 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.3.9-0base
|
||||
* Tue Mar 17 2009 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.3.9
|
||||
VERSION=4.3.10
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=4.3.9
|
||||
VERSION=4.3.10
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.3.9
|
||||
VERSION=4.3.10
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define name shorewall6
|
||||
%define version 4.3.9
|
||||
%define version 4.3.10
|
||||
%define release 0base
|
||||
|
||||
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
|
||||
@ -144,6 +144,8 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
|
||||
|
||||
%changelog
|
||||
* Sun Apr 19 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.3.10-0base
|
||||
* Sat Apr 11 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.3.9-0base
|
||||
* Tue Mar 17 2009 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.3.9
|
||||
VERSION=4.3.10
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
Loading…
Reference in New Issue
Block a user