From f8d5c5375eb91d8df37463054f01ff179bff0fa7 Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 18 Jul 2006 13:28:56 +0000 Subject: [PATCH] Remove dynamic zones (again) git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4232 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/changelog.txt | 283 +------------------ Shorewall/releasenotes.txt | 561 +------------------------------------ 2 files changed, 14 insertions(+), 830 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index b76cf9e41..dbefedafe 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt 
@@ -1,282 +1,3 @@ -Changes in 3.2.1 +Changes in 3.3.0 -1) Change the detection of physdev match to use - --physdev-out. Preparation for removal of physdev-out match - capability. - -2) Add missing edits to configuration parameters in firewall script. - -------------------------------------------------------------------------------- -Changes in 3.2.0 Final - -1) Avoid extraneous double quotes in log rules generated at run-time. - -Changes in 3.2.0 RC 6 - -1) Correct generation of the balanced default route. - -2) Allow 'detect' in the ADDRESS column of the masq file. - -3) Correct some permission problems. - -------------------------------------------------------------------------------- -Changes in 3.2.0 RC 5 - -1) Fix DOA 'LITEDIR' problem in /sbin/shorewall. - -2) Stop the compiler from running iptables. - -3) Avoid problem with ash. - -4) Make the 'try' command use the correct SHOREWALL_SHELL. - -5) Don't defer Action/chain extension script processing until - run-time. - -6) Run extension script for policy chains. - -------------------------------------------------------------------------------- -Changes in 3.2.0 RC 4 - -1) Fix permissions on Limit file. - -2) Make progress messages product-specific. - -3) Add 'reload' command. - -------------------------------------------------------------------------------- -Changes in 3.2.0 RC 3 - -1) Remove hard directory references from compiled programs. - -2) Fix /nat <-> /proxyarp typo. - -3) Avoid use of symbolic link for /sbin/shorewall - -------------------------------------------------------------------------------- -Changes in 3.2.0 RC 2 - -1) Update versions. - -2) Rationalize the use of IPTABLES and LOGFORMAT. - -3) Allow Shorewall/Shorewall-lite coexistance under RPM - -------------------------------------------------------------------------------- -Changes in 3.2.0 RC 1 - -1) Update versions. 
- -------------------------------------------------------------------------------- -Changes in 3.2.0 Beta 8 - -1) Issue more helpful BRIDGING=No error messages. - -2) Implement "all-" in rules file. - -3) Add xmodules file. - -4) Detect devices in tcdevices entries. - -5) Fix for white-space in log prefix. - -6) Fix rule parsing of single excluded MAC address. - -------------------------------------------------------------------------------- -Changes in 3.2.0 Beta 7 - -1) Fix mark/mask validation. - -2) Restore traffic control to 'refresh'. - -3) Detect MTU for entries in /etc/shorewall/tcdevices. - -4) Avoid fatal error after missing forwardUPnP rule warning. - -------------------------------------------------------------------------------- -Changes in 3.2.0 Beta 6 - -1) Fix tc "notfound" errors when 'restart' is run out of ip-up.local. - -2) Allow 'detectnets' to work. - -3) Add TOS column to tcrules. - -4) Fix 'proxyarp' interface attribute handling. - -5) Fix default route generation in providers handling. - -6) Change interraction of 'track' and PREROUTING marking. - -------------------------------------------------------------------------------- -Changes in 3.2.0 Beta 5 - -1) Fix compilation problem on LEAF Bering. - -2) Remove traffic shaping code from the 'firewall' script to avoid - unmaintainable code duplication. - -3) Fix DETECT_DNAT_IPADDRS=No bug. - -4) Handle absense of mangle FORWARD chain. - -5) Rename the rtrules file to route_rules. - -6) Fix deletion of SNAT ip addresses. - -7) Accomodate ancient kernel's with no FORWARD or POSTROUTING in mangle. - -8) Clear SUBSYSLOCK on Debian/Ubuntu installs. - -------------------------------------------------------------------------------- -Changes in 3.2.0 Beta 4 - -1) Fix 'routeback' with bridge ports. - -2) Add support for explicit routing rules. - -3) Fix mktempdir problem. - -4) Implement HIGH_ROUTE_MARKS - -Changes in 3.2.0 Beta 3 - -1) Correct handling of verbosity in the 'try' command. 
- -2) Add IMPLICIT_CONTINUE option to shorewall.conf. - -3) Fix SAME/ADD_SNAT_ALIASES interaction. - -------------------------------------------------------------------------------- -Changes in 3.2.0 Beta 2 - -1) Make "shorewall start -f" work correctly. - -2) Remove SUBSYSLOCK code from default and debian footers. - -3) Add 'refreshed' extension script. - -4) Implement 'logdrop' and 'logreject' - -------------------------------------------------------------------------------- -Changes in 3.1.x. and 3.2.x - -1) Removal of dynamic zones. - -2) Implement 'generate' command. - -3) Implement 'super-quiet' mode using multiple -q options (e.g., -qq). - -4) Add back dynamic zones. - -5) Allow remote compiles. - -6) Change output of 'generate' to always be the file name entered (do not - prepend /var/lib/shorewall/) - -7) Remove some restrictions on remote compiles. - -8) Add error checking to generated script. - -9) Merge Fabio Longerai's 'length' patch. - -10) Add the "-p" option to the compile command. - -11) Fix 'check' bug in setup_masq - -12) Break compiler/firewall into two files - -13) Make Shoreall quiet for a change. - -14) Make "Compile-and-go" the only mode of operation. - -15) Remove -p - -16) Apply Tuomo's patches for IPSEC and Noecho. - -17) Fix bridging - -18) Fix QUEUE when used in the ESTABLISHED section. - -19) Apply Ed Suominen's patch to tcrules. -------------------------------------------------------------------------------- -3.1.5 - -20) Speed up compilation by rewriting 'fix_bang()'. - -21) Correct GATEWAY handling in the providers file. - -22) Remove sub-zone exclusion from DNAT/REDIRECT. - -23) Add compiled-program/library versioning scheme. - -------------------------------------------------------------------------------- -3.1.6 - -24) Apply Steven Springl's help patch. - -25) Fix 'allow/drop/reject' while Shorewall not running. - -26) Implement bi-directional macros. - -27) Fix TC bridge port handling. 
- -28) Fix/document "check -e" - -29) Automatically use capabilities file when non-root. - -30) Correct typo in help file ("help drop"). - -31) Added 'tcpsyn' - -------------------------------------------------------------------------------- -3.1.7 - -32) Change 'tcpsyn' to 'tcp:syn' - -33) Remove superfluous rules in MAC validation. - -34) Correct Makefile. - -35) Add -t option - -36) Restore log messages. - -37) Fix "shorewall capabilities" with VERBOSITY < 2. - -------------------------------------------------------------------------------- -3.1.8 - -38) Remove compile-time running of extension scripts. - -39) Correctly handle interfaces named 'inet'. - -40) SUBSYSLOCK functionality restored. - -------------------------------------------------------------------------------- -3.1.9 - -41) Fix Provider route generation when a specific gateway is specified. - -42) Be sure that restore file name is preserved regardless of 'set --' in - define_firewall().) - -43) Add Simon's redhat prog files. - -44) Add 'delete_nat' to compiled program. - -45) Move 'shorecap' to /usr/share/shorewall - -46) Add debian prog files. - -47) Correct syntax error in validate_policy() -------------------------------------------------------------------------------- -3.2.0 Beta 1. - -48) Streamlined some code in setup_tc1() - -49) Process /etc/shorewall/params at run-time. - -50) Add new modules to /etc/shorewall/modules. - -51) Make default behavior of "compile" distribution-neutral. +1) Remove dynamic zone capability. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 29efad2a4..cddc43c2d 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -1,4 +1,4 @@ -Shorewall 3.2.1 +Shorewall 3.3.0 Note to users upgrading from Shorewall 2.x or 3.0 
@@ -31,561 +31,24 @@ Note to users upgrading from Shorewall 2.x or 3.0 Please see the "Migration Considerations" below for additional upgrade information. -Problems Corrected in 3.2.1 +Problems Corrected in 3.3.0 None. -Other changes in 3.2.1 +Other changes in 3.3.0 -None. +1) Support for dynamic zones (DYNAMIC_ZONES=Yes in shorewall.conf and + the /sbin/shorewall "add" and "delete" commands) has been + removed. Please use ipsets to implement dynamic zones as described + in http://www.shorewall.net/DynamicZones.html. Migration Considerations: -1) If you are upgrading from Shorewall 2.x, it is essential that you read - the Shorewall 3.0.8 (or later) release notes: - - http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.8/releasenotes.txt - -2) A number of macros have been split into two. The macros affected are: - - IMAP LDAP NNTP POP3 SMTP - - Each of these macros now handles only traffic on the native (plaintext) - port. There is a corresponding macro with S added to the end of the - name for the SSL version of the same protocol. Thus each macro results - in the insertion of only one port per invocation. - - The Web macro has not been split, but two new macros, HTTP and HTTPS have - been created. The Web macro is deprecated in favour of these new macros, - and may be removed from future Shorewall releases. - - These changes have been made to ensure no unexpected ports are opened due - to the use of macros. - -3) In previous Shorewall releases, DNAT and REDIRECT rules supported a - special syntax for exclusion of a sub-zone from the effect of the rule. - - Example: - - Z2 is a subzone of Z1: - - DNAT Z1!Z2 loc:192.168.1.4 ... - - That feature has never worked correctly when Z2 is a dynamic zone. - Furthermore, now that Shorewall supports exclusion lists, the capability - is redundant since the above rule can now be written in the form: - - DNAT Z1:! loc:192.168.1.4 ... 
- - Beginning with Shorewall 3.2.0, the special exclusion syntax will no - longer be supported. - -4) Important if you use the QUEUE target. - - In the /etc/shorewall/rules file and in actions, you may now specify - 'tcp:syn' in the PROTO column. 'tcp:syn' is equivalent to 'tcp' but also - requires that the SYN flag is set and the RST, FIN and ACK flags be - off ("--syn" is added to the iptables rule). - - As part of this change, Shorewall no longer adds the "--syn" option - to TCP rules that specify QUEUE as their target. - -5) Extension Scripts may require change - - In previous releases, extension scripts were executed during [re]start - by using the Bourne Shell "." operator. In addition to executing commands - during [re]start, these scripts had to "save" the commands to be executed - during "shorewall restore". - - This clumsiness has been eliminated in Shorewall 3.2. In Shorewall 3.2, - extension scripts are copied in-line into the compiled program and are - executed in-line during "start", "restart" and "restore". This - applies to all extension scripts except those associated with a - chain or action -- those extension scripts continue to be processed - at compile time. - - This new approach has two implications for existing scripts. - - a) It is no longer necessary to save the commands; so functions like - 'save_command', 'run_and_save_command' and 'ensure_and_save_command' - need no longer be called. For convenience, the generated program will - supply functions with these names: - - save_command() - does nothing - run_and_save_command() - runs the passed command - ensure_and_save_command() - runs the passed command and - stops/restores the firewall if the - command fails. - - These functions should provide for transparent migration of - scripts that use them until you can get around to eliminating - their use completely. - - b) When the extension script is copied into the compiled program, it - is indented to line up with the surrounding code. 
If you have 'awk' - installed on your system, the Shorewall compiler will correctly handle - line continuation (last character on the line = "\"). If you do not - have awk, it will not be possible to use line-continuation in your - extension scripts. - - In no case is it possible to continue a quoted string over multiple lines - without having additional whitespace inserted into the string. - -6) Beginning with this release, the way in which packet marking in the - PREROUTING chain interracts with the 'track' option in /etc/shorewall/providers - has changed in two ways: - - a) Packets arriving on a tracked interface are now passed to the PREROUTING - marking chain so that they may be marked with a mark other than the - 'track' mark (the connection still retains the 'track' mark). - - b) When HIGH_ROUTE_MARKS=Yes, you can still clear the mark on packets - in the PREROUTING chain (i.e., you can specify a mark value of zero). - -7) Kernel version 2.6.16 introduces 'xtables', a new common packet - filtering and connection tracking facility that supports both IPv4 - and IPv6. Because a different set of kernel modules must be loaded - for xtables, Shorewall now includes two 'modules' files: - - a) /usr/share/shorewall/modules -- the former - /etc/shorewall/modules - - b) /usr/share/shorewall/xmodules -- a new file that support - xtables. - - If you wish to use the new file, then simply execute this command: - - cp -f /usr/share/shorewall/xmodules /etc/shorewall/modules +1) Support for dynamic zones (DYNAMIC_ZONES=Yes in shorewall.conf and + the /sbin/shorewall "add" and "delete" commands) has been + removed. Please use ipsets to implement dynamic zones as described + in http://www.shorewall.net/DynamicZones.html. New Features: -1) Shorewall has always been very noisy (lots of messages). No longer. - - You set the default level of verbosity using the VERBOSITY option in - shorewall.conf. 
If you don't set it (as would be the case of you use your - old shorewall.conf file) then VERBOSITY defaults to a value of 2 which - results in behavior compatible with previous Shorewall versions. - A value of 1 suppresses some of the output (like the old -q option did) - while a value of 0 makes Shorewall almost silent. A value of -1 - suppresses all output except warning and error messages. - - The value specified in the 3.2 shorewall.conf is 1. So you can make - Shorewall as verbose as previously using a single -v and you can make it - almost silent by using a single -q. - - If VERBOSITY is set at 2, you can still make a command nearly - silent by using two "q"s (e.g., shorewall -qq restart). - - In summary, each "q" subtracts one from VERBOSITY while each "v" adds one - to VERBOSITY. - - The "shorewall show log", "shorewall logwatch" and "shorewall dump" - commands require VERBOSITY to be greater than or equal to 3 to - display MAC addresses.This is consistent with the previous - implementation which required a single -v to enable MAC display but - means that if you set VERBOSITY=0 in shorewall.conf, then you will - need to include -vvv in commands that display log records in order - to have MACs displayed. - - To make the display of MAC addresses less cumbersome, a '-m' option has - been added to the "show" and logwatch commands: - - shorewall show -m log - shorewall logwatch -m - -2) A new 'shorewall compile' command has been added. - - shorewall compile [ -e ] [ ]
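Review bot: the changelog.txt hunk deletes the whole 3.1.x and 3.2.x history (about 280 lines) while the commit message only says "Remove dynamic zones (again)"; if the intent is to start a fresh changelog for the 3.3 trunk, say so in the commit message, otherwise keep the "Changes in 3.2.1" and earlier sections below the new "Changes in 3.3.0" heading, since they hold the record of items 1) "Removal of dynamic zones." and 4) "Add back dynamic zones." that this commit is reversing.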
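Review bot: the releasenotes.txt hunk at @@ -31,561 +31,24 @@ keeps the unchanged lines "Note to users upgrading from Shorewall 2.x or 3.0" and "Please see the "Migration Considerations" below for additional upgrade information." but deletes every migration item those lines refer to, including the pointer to http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.8/releasenotes.txt and the notes on the split IMAP/LDAP/NNTP/POP3/SMTP macros, the dropped "DNAT Z1!Z2" exclusion syntax, 'tcp:syn' versus QUEUE, and the in-line extension scripts, so a 3.0 user following that advice now finds only the dynamic-zones item. Either retain those items (or a one-line pointer to the 3.2 release notes) under "Migration Considerations:", or drop the sentence that promises them. The new dynamic-zones paragraph is also pasted verbatim under both "Other changes in 3.3.0" and "Migration Considerations:"; one copy, extended with a sentence on how the compiler treats a leftover DYNAMIC_ZONES=Yes in shorewall.conf or an existing script that still calls /sbin/shorewall "add" or "delete" (error, or silently ignored), would serve the upgrading user better than the duplicate.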