diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 212df4609..63f9045fb 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -4,6 +4,8 @@ Changes in 3.3.3 2) Add logical AND and OR support for tcrules. +3) Make the maximum zone name length dependent on LOGFORMAT. + Changes in 3.3.1 1) Load the proxyarp lib when 'proxyarp' option is specified. diff --git a/Shorewall/lib.config b/Shorewall/lib.config index 6b35ed98e..fcafd9bec 100644 --- a/Shorewall/lib.config +++ b/Shorewall/lib.config @@ -271,7 +271,7 @@ determine_zones() list_search $parent $ZONES || startup_error "Parent zone not defined: $parent" done - [ ${#zone} -gt 5 ] && startup_error "Zone name longer than 5 characters: $zone" + [ ${#zone} -gt $MAXZONENAMELENGTH ] && startup_error "Zone name longer than $MAXZONENAMELENGTH characters: $zone" case "$zone" in [0-9*]) @@ -1899,20 +1899,25 @@ do_initialize() { if [ -n "$LOGFORMAT" ]; then if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then LOGRULENUMBERS=Yes - temp=$(printf "$LOGFORMAT" fooxx 1 barxx 2> /dev/null) + temp=$(printf "$LOGFORMAT" fooxx2barxx 1 ACCEPT 2> /dev/null) if [ $? -ne 0 ]; then fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\"" fi else - temp=$(printf "$LOGFORMAT" fooxx barxx 2> /dev/null) + temp=$(printf "$LOGFORMAT" fooxx2barxx ACCEPT 2> /dev/null) if [ $? -ne 0 ]; then fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\"" fi fi [ ${#temp} -le 29 ] || fatal_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\"" + + MAXZONENAMELENGTH=$(( 5 + ( ( 29 - ${#temp}) / 2) )) + MAXZONENAMELENGTH=${MAXZONENAMELENGTH%.*} + echo "Maximum Zone Name Length = $MAXZONENAMELENGTH" else LOGFORMAT="Shorewall:%s:%s:" + MAXZONENAMELENGTH=5 fi ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED) diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 9f07c21b8..7c84d68fc 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
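Review bot: `$MAXZONENAMELENGTH` is expanded unquoted in the new `[ ${#zone} -gt $MAXZONENAMELENGTH ]` test in determine_zones; if the variable is empty at that point, `[` sees a malformed expression and returns non-zero, so the `&&` silently skips startup_error and an over-long zone name passes the check. Whether determine_zones can run before do_initialize assigns the variable is not visible in this hunk, so a defensive default is cheap: `[ ${#zone} -gt ${MAXZONENAMELENGTH:-5} ] && startup_error "Zone name longer than ${MAXZONENAMELENGTH:-5} characters: $zone"`. determine_zones starts and ends outside the hunk.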
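Review bot: `MAXZONENAMELENGTH=${MAXZONENAMELENGTH%.*}` in do_initialize is a no-op, because `$(( ... ))` is integer arithmetic and the `/ 2` already truncates, so that line can be dropped. The `echo "Maximum Zone Name Length = $MAXZONENAMELENGTH"` directly below writes unconditionally to stdout during initialization and reads like a leftover debug print; either remove it or route it through whatever progress/verbosity helper the rest of the file uses. A short comment on the derivation would help the next reader, e.g. `# log-prefix budget is 29 bytes; chain names are <zone>2<zone>, so every 2 bytes of LOGFORMAT headroom allows one more zone-name character`. The headroom is measured with `ACCEPT` (6 characters) standing in for the disposition, so if any disposition logged through LOGFORMAT is longer than that, a zone name at the derived maximum would presumably push the prefix past 29 bytes — worth confirming against the dispositions that are actually logged. do_initialize starts before the hunk and continues after it.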
@@ -48,6 +48,23 @@ Other changes in 3.3.2 #MARK SOURCE |4 192.168.1.1 +2) Previously, zone names were restricted to five characters in + length. That length derives from the --log-prefix in Netfilter log + messages which must be 29 bytes or less in length. With the + standard Shorewall LOGFORMAT, 11 characters are left for the + chain name; since many chain names are of the form + 2, we have a maximum zone name length of 5. + + Beginning with this release, the maximum length of a zone name is + dependent on the LOGFORMAT (the maximum length may never be less + than 5 but it may be greater than 5). For example, setting + LOGFORMAT="FW:%s:%s:" will allow zone names of up to 8 characters. + + As part of this change, /sbin/shorewall[-lite] no longer uses the + LOGFORMAT to select Shorewall messages from log files. Instead, it + uses the regular expression /IN=.* OUT=/ which will match any + netfilter-generated log message. + Migration Considerations: 1) Shorewall supports the notion of "default actions". A default 
@@ -228,3 +245,27 @@ New Features: # THE FOLLOWING POLICY MUST BE LAST # all all REJECT:MyReject info + +4) For users whose kernel and iptables have Extended MARK Target + support, it is now possible to logically AND or OR a value into the + current packet mark by preceding the mark value (and optional mask) + with an ampersand ("&") or vertical bar ("|") respectively. + + Example: To logically OR the value 4 into the mark value for + packets from 192.168.1.1: + + #MARK SOURCE + |4 192.168.1.1 + +5) Previously, zone names were restricted to five characters in + length. That length derives from the --log-prefix in Netfilter log + messages which must be 29 bytes or less in length. With the + standard Shorewall LOGFORMAT, that leaves 11 characters for the + chain name; given that many chain names are of the form + 2, that gives a maximum zone name length of 11. + + Beginning with this release, the maximum length of a zone name is + dependent on the LOGFORMAT (the maximum length may never be less + than 5 but it may be greater than 5). For example, setting + LOGFORMAT="FW:%s:%s:" will allow zone names of up to 8 characters. +