@ -1,5 +1,6 @@
----------------------------------------------------------------------------
S H O R E W A L L 4 . 4 . 1 6
S H O R E W A L L 4 . 4 . 1 7
B E T A 1
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@ -13,55 +14,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) If the output of 'env' contained a multi-line value, then
compilation failed with an Internal Error. The code has been
changed so that the compiler now handles multi-line values
correctly.
2) In 4.4.15, output to Standard Out (FD 2) generated by
/etc/shorewall/params (/etc/shorewall6/params) was redirected to
/dev/null. It is now redirected to Standard Error (FD 2).
3) 2) If a params file did not appear in the CONFIG_PATH, compilation
failed with the error:
.: 31: Can't open /etc/shorewall6/params
ERROR: Processing of /etc/shorewall6/params failed
4) Compilation no longer fails when /bin/sh is an older (e.g.,
RHEL5.x) bash.
5) Previously, proxy ARP with logical interface names did not
work. Symptoms included numerous Perl runtime error messages.
6) Previously, the root of a wildcard name erroneously matched that
name. For example 'eth' matched 'eth+'. Now there must be at least
one additional character (e.g., 'eth4').
7) Use of logical interface names in the notrack and ecn files
resulted in perl runtime warning messages.
8) The use of wildcard-matching names in certain contexts would result
in anomalous behavior. Among the symptoms were:
- Perl run-time messages similar to this one:
Use of uninitialized value in numeric comparison (<=>)
at /usr/share/shorewall/Shorewall/Zones.pm line 1334.
- Failure to treat the interface as optional or required.
9) Where two ISPs share the same interface, if one of the ISPs was not
reachable, an iptables-restore error such as this occurred:
iptables-restore v1.4.10: Bad mac address "-j"
10) Previously, under very rare circumstances, a chain would be
optimized away while there were still jumps to the chain. This caused
Shorewall start/restart to fail during iptables-restore.
11) Previously, the setting of BLACKLIST_DISPOSITION was not
validated. Now, an error is raised unless the value is DROP or REJECT.
None.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
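Review bot: item 2 of the block removed in this hunk labels Standard Out as "FD 2", the same descriptor the following line gives for Standard Error; the copy of the same item added further down under "PROBLEMS CORRECTED IN 4.4.16" reads "Standard Out (FD 1)", so the relocation also corrects the descriptor. That is the right fix, but it means this commit is not a verbatim move of the 4.4.16 notes, which is worth stating in the commit message.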
@ -74,80 +27,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) Shorewall-init now handles ppp devices.
2) To support proxy NDP in a manner similar to Proxy ARP, an
/etc/shorewall6/proxyndp file has been added. It should be noted
that IPv6 implements a "strong host model" whereas Linux IPv4
implements a "weak host model". In the strong model, IP addresses
are associated with interfaces; in the weak model, they are
associated with the host. This is relevant with respect to Proxy
NDP in that a multi-homed Linux IPv6 host will only respond to
neighbor discoverey requests for IPv6 addresses configured on the
interface receiving the request. So if eth0 has address
2001:470:b:227::44/128 and eth1 has address 2001:470:b:227::1/64
then in order for eth1 to respond to neighbor discovery requests
for 2001:470:b:227::44, the following entry in
/etc/shorewall6/proxyndp is required:
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
2001:470:b:227::44 - eth1 Yes
As part of this change, the INTERFACE column in
/etc/shorewall/proxyarp is now optional and is only required when
HAVEROUTE=No (the default).
3) Shorewall 4.4.16 introduces format-2 Actions. Based on the similar
feature of macros, format-2 actions allow the same column layout
for macros, actions and rules.
In the action.xxx file, simply make the first non-commentary line:
FORMAT 2
This allows the lines which follow to have the same columns as
those in the rules file.
As part of this change, the earlier kludgy restrictions regarding
Macros and Actions have been eliminated. For example, DNAT, DNAT-,
REDIRECT, REDIRECT- and ACCEPT+ rules are now allowed in Actions
and in macros invoked from Actions. Additionally, Macros used in
Actions are now free to invoke other actions.
4) Action processing has been largely re-implemented in this release.
The prior implementation contained a lot of duplicated code which
made maintainance difficult. The old implementation pre-processed
all action files early in the compilation process and then
post-processed the ones that had been actionally used after the
rules file had been read. The new algorithm generates the chain for
each unique action invocation at the time that the invocation is
encountered in the rules file.
Consideration was given to eliminating the
/usr/share/shorewall/actions.std and /etc/shorewall/actions files,
since it is possible to discover actions "on the fly" in the same
way as macros are discovered. That change was ultimately rejected
because it could cause migration issues for users with macros and
actions with the same name (e.g., action.xxx and macro.xxx). If a
new major release of Shorewall (e.g., 4.6) is created, that change
will be reconsidered for inclusion at that time.
Action names are now verified to be composed of alphanumeric
characters, '_' and '-'.
There is now support for parameterized actions. The parameters are
a comma-separated list enclosed in parentheses following the
action name (e.g., ACT(REDIRECT,192.168.1.4)). Within the action
body, the parameter values are available in $1, $2, etc.
You can 'omit' a parameter in the list by using '-' (e,g,
REDIRECT,-.info) would omit the second parameter (within the action
body, $2 would expand to nothing). If you want to specify '-' as a
parameter value, use '--'.
Parameter values are also available to extensions scripts. See
http://www.shorewall.net/Actions.html#Extension for more
information.
None.
----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S
@ -373,6 +253,139 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
I N P R I O R R E L E A S E S
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 6
----------------------------------------------------------------------------
1) If the output of 'env' contained a multi-line value, then
compilation failed with an Internal Error. The code has been
changed so that the compiler now handles multi-line values
correctly.
2) In 4.4.15, output to Standard Out (FD 1) generated by
/etc/shorewall/params (/etc/shorewall6/params) was redirected to
/dev/null. It is now redirected to Standard Error (FD 2).
3) 2) If a params file did not appear in the CONFIG_PATH, compilation
failed with the error:
.: 31: Can't open /etc/shorewall6/params
ERROR: Processing of /etc/shorewall6/params failed
4) Compilation no longer fails when /bin/sh is an older (e.g.,
RHEL5.x) bash.
5) Previously, proxy ARP with logical interface names did not
work. Symptoms included numerous Perl runtime error messages.
6) Previously, the root of a wildcard name erroneously matched that
name. For example 'eth' matched 'eth+'. Now there must be at least
one additional character (e.g., 'eth4').
7) Use of logical interface names in the notrack and ecn files
resulted in perl runtime warning messages.
8) The use of wildcard-matching names in certain contexts would result
in anomalous behavior. Among the symptoms were:
- Perl run-time messages similar to this one:
Use of uninitialized value in numeric comparison (<=>)
at /usr/share/shorewall/Shorewall/Zones.pm line 1334.
- Failure to treat the interface as optional or required.
9) Where two ISPs share the same interface, if one of the ISPs was not
reachable, an iptables-restore error such as this occurred:
iptables-restore v1.4.10: Bad mac address "-j"
10) Previously, under very rare circumstances, a chain would be
optimized away while there were still jumps to the chain. This caused
Shorewall start/restart to fail during iptables-restore.
11) Previously, the setting of BLACKLIST_DISPOSITION was not
validated. Now, an error is raised unless the value is DROP or REJECT.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 4 . 1 6
----------------------------------------------------------------------------
1) Shorewall-init now handles ppp devices.
2) To support proxy NDP in a manner similar to Proxy ARP, an
/etc/shorewall6/proxyndp file has been added. It should be noted
that IPv6 implements a "strong host model" whereas Linux IPv4
implements a "weak host model". In the strong model, IP addresses
are associated with interfaces; in the weak model, they are
associated with the host. This is relevant with respect to Proxy
NDP in that a multi-homed Linux IPv6 host will only respond to
neighbor discoverey requests for IPv6 addresses configured on the
interface receiving the request. So if eth0 has address
2001:470:b:227::44/128 and eth1 has address 2001:470:b:227::1/64
then in order for eth1 to respond to neighbor discovery requests
for 2001:470:b:227::44, the following entry in
/etc/shorewall6/proxyndp is required:
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
2001:470:b:227::44 - eth1 Yes
As part of this change, the INTERFACE column in
/etc/shorewall/proxyarp is now optional and is only required when
HAVEROUTE=No (the default).
3) Shorewall 4.4.16 introduces format-2 Actions. Based on the similar
feature of macros, format-2 actions allow the same column layout
for macros, actions and rules.
In the action.xxx file, simply make the first non-commentary line:
FORMAT 2
This allows the lines which follow to have the same columns as
those in the rules file.
As part of this change, the earlier kludgy restrictions regarding
Macros and Actions have been eliminated. For example, DNAT, DNAT-,
REDIRECT, REDIRECT- and ACCEPT+ rules are now allowed in Actions
and in macros invoked from Actions. Additionally, Macros used in
Actions are now free to invoke other actions.
4) Action processing has been largely re-implemented in this release.
The prior implementation contained a lot of duplicated code which
made maintainance difficult. The old implementation pre-processed
all action files early in the compilation process and then
post-processed the ones that had been actionally used after the
rules file had been read. The new algorithm generates the chain for
each unique action invocation at the time that the invocation is
encountered in the rules file.
Consideration was given to eliminating the
/usr/share/shorewall/actions.std and /etc/shorewall/actions files,
since it is possible to discover actions "on the fly" in the same
way as macros are discovered. That change was ultimately rejected
because it could cause migration issues for users with macros and
actions with the same name (e.g., action.xxx and macro.xxx). If a
new major release of Shorewall (e.g., 4.6) is created, that change
will be reconsidered for inclusion at that time.
Action names are now verified to be composed of alphanumeric
characters, '_' and '-'.
There is now support for parameterized actions. The parameters are
a comma-separated list enclosed in parentheses following the
action name (e.g., ACT(REDIRECT,192.168.1.4)). Within the action
body, the parameter values are available in $1, $2, etc.
You can 'omit' a parameter in the list by using '-' (e,g,
REDIRECT,-.info) would omit the second parameter (within the action
body, $2 would expand to nothing). If you want to specify '-' as a
parameter value, use '--'.
Parameter values are also available to extensions scripts. See
http://www.shorewall.net/Actions.html#Extension for more
information.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 5
----------------------------------------------------------------------------
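Review bot: item 3 of the block added under "PROBLEMS CORRECTED IN 4.4.16" still carries the stray duplicate number ("3) 2) If a params file did not appear in the CONFIG_PATH"); since this text is being copied into the permanent history section, drop the "2)" here rather than carrying it forward. The same applies to the typos moved along with it: "discoverey" in feature 2, "maintainance" and "actionally used" (presumably "actually used") in feature 4, and "e,g, REDIRECT,-.info", which, given that the text describes parameters as a comma-separated list, should read "e.g., REDIRECT,-,info".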