Compare commits

...

46 Commits

Author SHA1 Message Date
Tom Eastep
08c5ce0f95 Add a known problem
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-03-22 08:10:25 -07:00
Tom Eastep
1fd4c32f21 Avoid multiple policy matches with OPTIMIZE=7 and not KLUDGEFREE
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-03-08 07:41:09 -08:00
Tom Eastep
bb5dcb56fb Update Known Problems
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-03-08 07:36:51 -08:00
Tom Eastep
b69e61a510 Bring CORRECT RE to 4.4.7 Branch
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-03-01 13:39:51 -08:00
Tom Eastep
479e4e323a Bring change to RE in add_jump() to 4.4.7 Branch
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-03-01 13:38:54 -08:00
Tom Eastep
f8b4246cef Add fwlogwatch info 2010-03-01 12:16:36 -08:00
Tom Eastep
81902a6fa5 Update release documents for fix for multiple policy matches
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-03-01 08:38:43 -08:00
Tom Eastep
47e0ef4816 Avoid multiple policy matches with OPTIMIZE=7 and not KLUDGEFREE
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-03-01 08:33:30 -08:00
Tom Eastep
09b6fca867 Correct handling of NFQUEUE(queue-num) in policies 2010-02-25 08:51:16 -08:00
Tom Eastep
db39402e75 Correct handling of NFQUEUE(queue-num) in a policy
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-25 08:46:20 -08:00
Tom Eastep
141f93f4c5 Update release documents for NFQUEUE issue.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-25 07:57:55 -08:00
Tom Eastep
223e1e434a Correct handling of NFQUEUE(queue-num) as a policy.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-25 07:51:40 -08:00
Tom Eastep
99ec099c98 Apply debian init script change to the other packages
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-21 16:35:21 -08:00
Tom Eastep
422dbaa902 Bump the version to 4.4.7.6.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-20 08:19:21 -08:00
Tom Eastep
181c757614 Return failure status when a supported command fails.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-20 08:10:13 -08:00
Tom Eastep
cc5c312421 Correct release notes
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-19 16:36:36 -08:00
Tom Eastep
5cafb22c15 Add ACCEPT+ to problems corrected and Known Problems.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-19 14:13:12 -08:00
Tom Eastep
8eb3de7db2 Don't apply rate limiting twice in ACCEPT+ rules
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-19 13:57:45 -08:00
Tom Eastep
5b77f378e5 Use Hex representation of device numbers > 9 in simple TC.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-18 12:50:56 -08:00
Tom Eastep
b3ae035302 Update Known Problems
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-18 10:10:38 -08:00
Tom Eastep
7eddb8310a Clean up rate limiting fixes (documentation)
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-18 07:09:22 -08:00
Tom Eastep
6db2c5fbe3 Document change to hashlimit
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-17 15:38:38 -08:00
Tom Eastep
579f4d4698 Create a unique hashtable for each instance of a per-IP rate limit
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-17 15:34:14 -08:00
Tom Eastep
b8fc1a9b22 Fix Typo
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-17 09:23:11 -08:00
Tom Eastep
f5c954295d Final (hopefully) fix for SFQ handle assignment
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-17 09:20:33 -08:00
Tom Eastep
4299e6db3b Another tweak to SFQ handle assignment.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-17 08:01:24 -08:00
Tom Eastep
37720d7f25 Improve assignment of class ID for SFQ classes
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-17 07:46:43 -08:00
Tom Eastep
69d0bb69b8 Avoid duplicate SFQ class numbers.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-17 06:42:30 -08:00
Tom Eastep
9d7bd3f651 Avoid duplicate SFQ class numbers 2010-02-17 06:38:06 -08:00
Tom Eastep
af2fb42cf8 Add --hashlimit-htable-expire if the units are minutes or larger 2010-02-16 22:54:59 -08:00
Tom Eastep
c3842aeeab Prepare for 4.4.7.5.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-15 14:48:40 -08:00
Tom Eastep
e8807f3e7e Correction to logging rule fix
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-15 14:41:01 -08:00
Tom Eastep
eb8d96135e Don't create log chain for 'RETURN' rules
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-15 14:25:40 -08:00
Tom Eastep
16bf45fce4 Add $remote_fs to Required-start and Required-stop for Debian
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-15 07:05:47 -08:00
Tom Eastep
d72855e8f9 Prepare 4.4.7.3
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-14 12:11:11 -08:00
Tom Eastep
a6ba499cca Fix FLOW_FILTER detection with LOAD_HELPERS_ONLY=Yes 2010-02-14 12:03:54 -08:00
Tom Eastep
53902b058e Explain RATE and BURST in the basics doc
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-14 08:53:58 -08:00
Tom Eastep
da4b2049c7 Fix typo in known problems
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-14 08:53:31 -08:00
Tom Eastep
11b86e99e6 Fix detection of FLOW_FILTER when LOAD_HELPERS_ONLY=No
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-14 07:55:41 -08:00
Tom Eastep
09f8011a49 Create 4.4.7.2
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-14 07:28:52 -08:00
Tom Eastep
a88be42a73 Fix for OLD_HL_MATCH.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-14 07:23:46 -08:00
Tom Eastep
b5859d63c9 Delete redundant change log entry
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-13 09:17:25 -08:00
Tom Eastep
602dcd1bab Set version to 4.4.7.1
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-13 07:28:22 -08:00
Tom Eastep
b8453c4bda Document per-IP rate limiting bug.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-13 07:26:49 -08:00
Tom Eastep
53069ebf27 Don't apply rate limiting twice in NAT rules
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-13 07:22:06 -08:00
Tom Eastep
8224a2971e Prepare 4.4.7.1 in case it is needed 2010-02-11 15:25:46 -08:00
31 changed files with 430 additions and 84 deletions

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=4.4.7 VERSION=4.4.7.6
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -2,8 +2,8 @@
### BEGIN INIT INFO ### BEGIN INIT INFO
# Provides: shorewall-lite # Provides: shorewall-lite
# Required-Start: $network # Required-Start: $network $remote_fs
# Required-Stop: $network # Required-Stop: $network $remote_fs
# Default-Start: S # Default-Start: S
# Default-Stop: 0 6 # Default-Stop: 0 6
# Short-Description: Configure the firewall at boot time # Short-Description: Configure the firewall at boot time
@ -42,6 +42,7 @@ echo_notdone () {
echo "not done (check $INITLOG)." echo "not done (check $INITLOG)."
fi fi
exit 1
} }
not_configured () { not_configured () {
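Review bot: the `exit 1` added inside echo_notdone() turns a message helper into a function that terminates the whole script, so every call site of echo_notdone must be one where stopping is the intended outcome; if any caller (a stop or clear path that still has cleanup to do, for instance) expects the helper to return, the exit belongs at the call site, or the helper should `return 1` and let callers decide. A bare `exit 1` also discards the failing command's own status; `exit ${1:-1}`, following the `# $1 = exit status` convention the other scripts in this compare use for usage(), would preserve it. The same applies to the identical hunks in the shorewall and shorewall6-lite init scripts later in this compare.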

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.7 VERSION=4.4.7.6
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -1,6 +1,6 @@
%define name shorewall-lite %define name shorewall-lite
%define version 4.4.7 %define version 4.4.7
%define release 0base %define release 6
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
Name: %{name} Name: %{name}
@ -100,7 +100,19 @@ fi
%doc COPYING changelog.txt releasenotes.txt %doc COPYING changelog.txt releasenotes.txt
%changelog %changelog
* Fri Feb 05 2010 Tom Eastep tom@shorewall.net * Sat Feb 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-6
* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-5
* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-4
* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-3
* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-2
* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-1
* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0base - Updated to 4.4.7-0base
* Tue Feb 02 2010 Tom Eastep tom@shorewall.net * Tue Feb 02 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0RC2 - Updated to 4.4.7-0RC2

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.7 VERSION=4.4.7.6
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -262,6 +262,7 @@ our $chainseq;
our $idiotcount; our $idiotcount;
our $idiotcount1; our $idiotcount1;
our $warningcount; our $warningcount;
our $hashlimitset;
our $global_variables; our $global_variables;
@ -373,6 +374,7 @@ sub initialize( $ ) {
$idiotcount = 0; $idiotcount = 0;
$idiotcount1 = 0; $idiotcount1 = 0;
$warningcount = 0; $warningcount = 0;
$hashlimitset = 0;
# #
# The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined. # The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
# #
@ -633,7 +635,7 @@ sub add_jump( $$$;$$$ ) {
# #
# Ensure that we have the chain unless it is a builtin like 'ACCEPT' # Ensure that we have the chain unless it is a builtin like 'ACCEPT'
# #
$toref = ensure_chain( $fromref->{table} , $to ) unless $builtin_target{ $to }; $toref = ensure_chain( $fromref->{table} , $to ) unless $builtin_target{$to} || $to =~ / --/; #If the target has options, it must be a builtin.
} }
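Review bot: the `$to =~ / --/` test appended to the ensure_chain line is a heuristic rather than a check: any target string containing a space followed by two dashes is assumed to be a builtin, which covers `NFQUEUE --queue-num N` but will also silently skip chain creation for a malformed target that happens to contain ` --`. Looking up the first word keeps %builtin_target as the single source of truth, e.g. `my ($base) = split ' ', $to;` followed by `unless $builtin_target{$base};`, and then the trailing comment is no longer needed.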
# #
@ -1596,7 +1598,7 @@ sub optimize_ruleset() {
# #
# Not so easy -- the rule contains matches # Not so easy -- the rule contains matches
# #
if ( $chainref->{builtin} ) { if ( $chainref->{builtin} || ! have_capability 'KLUDGEFREE' ) {
# #
# This case requires a new rule merging algorithm. Ignore this chain for # This case requires a new rule merging algorithm. Ignore this chain for
# now. # now.
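Review bot: the comment above the changed `if` still explains only the builtin-chain case ("This case requires a new rule merging algorithm"), but the condition now also sends every chain down this path when KLUDGEFREE is absent; extend the comment to say why, namely that without KLUDGEFREE a merged rule can carry the same match module twice, which the older iptables-restore rejects with the `Unknown arg `out'` error quoted under 4.4.7.6 in the release notes of this compare. Without that, the next reader will not know whether the capability test can be dropped once merging is reworked.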
@ -2026,20 +2028,36 @@ sub do_ratelimit( $$ ) {
my $limit = "-m hashlimit "; my $limit = "-m hashlimit ";
my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto'; my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
my $units;
if ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) { if ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
$limit .= "--hashlimit $3 --hashlimit-burst $6 --hashlimit-name "; $limit .= "--hashlimit $3 --hashlimit-burst $6 --hashlimit-name ";
$limit .= $2 ? $2 : 'shorewall'; $limit .= $2 ? $2 : 'shorewall' . $hashlimitset++;
$limit .= ' --hashlimit-mode '; $limit .= ' --hashlimit-mode ';
$units = $5;
} elsif ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?)$/ ) { } elsif ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?)$/ ) {
$limit .= "--$match $3 --hashlimit-name "; $limit .= "--$match $3 --hashlimit-name ";
$limit .= $2 ? $2 : 'shorewall'; $limit .= $2 ? $2 : 'shorewall' . $hashlimitset++;
$limit .= ' --hashlimit-mode '; $limit .= ' --hashlimit-mode ';
$units = $5;
} else { } else {
fatal_error "Invalid rate ($rate)"; fatal_error "Invalid rate ($rate)";
} }
$limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip '; $limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';
if ( $units && $units ne 'sec' ) {
my $expire = 60000; # 1 minute in milliseconds
if ( $units ne 'min' ) {
$expire *= 60; #At least an hour
$expire *= 24 if $units eq 'day';
}
$limit .= "--hashlimit-htable-expire $expire ";
}
$limit;
} elsif ( $rate =~ /^(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) { } elsif ( $rate =~ /^(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
"-m limit --limit $1 --limit-burst $4 "; "-m limit --limit $1 --limit-burst $4 ";
} elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ ) { } elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ ) {
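Review bot: the new expiry block sets --hashlimit-htable-expire to exactly one unit period (60000 ms, x60 for hour, x24 for day), which fixes the 1/hour case described in the known problems, but keeping one entry per source address alive for an hour or a day also lets the hash table grow far larger than with the 10 second default; a comment noting that the default table size and maximum still apply would help, since once the table is full the hashlimit match cannot create entries for new sources. Two smaller points in the same hunk: `'shorewall' . $hashlimitset++` relies on `.` binding tighter than `?:`, which is correct but easy to misread, so parentheses around the concatenation would make the intent explicit; and because the counter only advances when no name is given, the generated table names depend on rule order and the same rule gets a different name after a rule is inserted above it, which is harmless for a restart but worth stating in a comment.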
@ -3256,7 +3274,7 @@ sub expand_rule( $$$$$$$$$$;$ )
if ( $loglevel ne '' ) { if ( $loglevel ne '' ) {
if ( $disposition ne 'LOG' ) { if ( $disposition ne 'LOG' ) {
unless ( $logname ) { unless ( $logname || $target =~ /-j RETURN\b/ ) {
# #
# Find/Create a chain that both logs and applies the target action # Find/Create a chain that both logs and applies the target action
# and jump to the log chain if all of the rule's conditions are met # and jump to the log chain if all of the rule's conditions are met
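Review bot: the `$target =~ /-j RETURN\b/` exclusion deserves a comment in the hunk. With a RETURN target the log rule must be emitted directly into $chain (the `$logname || $chain` change in the next hunk) rather than through a combined log-and-target chain, because a RETURN issued from inside a separate log chain returns to $chain instead of from it, which is exactly the "packet is logged but the CONTINUE action does not occur" problem listed under 4.4.7.5 in this compare. Without that explanation the regex reads as an arbitrary special case, and the `\b` is easy to drop in a later edit.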
@ -3270,7 +3288,7 @@ sub expand_rule( $$$$$$$$$$;$ )
log_rule_limit( log_rule_limit(
$loglevel , $loglevel ,
$chainref , $chainref ,
$logname , $logname || $chain,
$disposition , $disposition ,
'', '',
$logtag, $logtag,

View File

@ -337,7 +337,7 @@ sub initialize( $ ) {
TC_SCRIPT => '', TC_SCRIPT => '',
EXPORT => 0, EXPORT => 0,
UNTRACKED => 0, UNTRACKED => 0,
VERSION => "4.4.7", VERSION => "4.4.7.6",
CAPVERSION => 40407 , CAPVERSION => 40407 ,
); );
@ -2394,7 +2394,9 @@ sub determine_capabilities() {
fatal_error 'Your kernel/iptables do not include state match support. No version of Shorewall will run on this system' fatal_error 'Your kernel/iptables do not include state match support. No version of Shorewall will run on this system'
unless qt1( "$iptables -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT"); unless qt1( "$iptables -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");
unless ( $config{ LOAD_HELPERS_ONLY } ) { if ( $config{ LOAD_HELPERS_ONLY } ) {
$capabilities{FLOW_FILTER} = undef;
} else {
# #
# Using 'detect_capability()' is a bit less efficient than calling the individual detection # Using 'detect_capability()' is a bit less efficient than calling the individual detection
# functions but it ensures that %detect_capability is initialized properly. # functions but it ensures that %detect_capability is initialized properly.
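Review bot: the new LOAD_HELPERS_ONLY branch assigns `$capabilities{FLOW_FILTER} = undef` instead of probing, while the 4.4.7.3 changelog entry in this compare reads "Detect FLOW_FILTER when LOAD_HELPERS_ONLY=Yes"; a one-line comment stating why the capability is treated as absent in that mode, or where it is actually detected on that path, would keep the code and the changelog from appearing to disagree. If the value is read back with `exists` anywhere, note also that assigning undef creates the key, so `exists` and `defined` now give different answers for FLOW_FILTER.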
@ -2468,6 +2470,7 @@ sub determine_capabilities() {
$capabilities{GOTO_TARGET} = detect_capability( 'GOTO_TARGET' ); $capabilities{GOTO_TARGET} = detect_capability( 'GOTO_TARGET' );
$capabilities{LOG_TARGET} = detect_capability( 'LOG_TARGET' ); $capabilities{LOG_TARGET} = detect_capability( 'LOG_TARGET' );
$capabilities{LOGMARK_TARGET} = detect_capability( 'LOGMARK_TARGET' ); $capabilities{LOGMARK_TARGET} = detect_capability( 'LOGMARK_TARGET' );
$capabilities{FLOW_FILTER} = detect_capability( 'FLOW_FILTER' );
qt1( "$iptables -F $sillyname" ); qt1( "$iptables -F $sillyname" );

View File

@ -1182,13 +1182,25 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
# #
# Generate Fixed part of the rule # Generate Fixed part of the rule
# #
$rule = join( '', if ( $actiontype & ( NATRULE | NONAT ) && ! ( $actiontype & NATONLY ) ) {
do_proto($proto, $ports, $sports), #
do_ratelimit( $ratelimit, $basictarget ) , # Either a DNAT, REDIRECT or ACCEPT+ rule; don't apply rate limiting twice
do_user( $user ) , #
do_test( $mark , $globals{TC_MASK} ) , $rule = join( '',
do_connlimit( $connlimit ), do_proto($proto, $ports, $sports),
do_time( $time ) ); do_user( $user ) ,
do_test( $mark , $globals{TC_MASK} ) ,
do_connlimit( $connlimit ),
do_time( $time ) );
} else {
$rule = join( '',
do_proto($proto, $ports, $sports),
do_ratelimit( $ratelimit, $basictarget ) ,
do_user( $user ) ,
do_test( $mark , $globals{TC_MASK} ) ,
do_connlimit( $connlimit ),
do_time( $time ) );
}
unless ( $section eq 'NEW' ) { unless ( $section eq 'NEW' ) {
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT}; fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
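Review bot: the two join() blocks in the new `if`/`else` differ only in the `do_ratelimit(...)` element, so the same fix can be expressed without duplicating the six-line list: compute the fragment once, e.g. `my $limit = ( $actiontype & ( NATRULE | NONAT ) && ! ( $actiontype & NATONLY ) ) ? '' : do_ratelimit( $ratelimit, $basictarget );` and keep a single join() that includes `$limit`. That also keeps the "don't apply rate limiting twice" comment next to the one line that implements it, and avoids the two lists drifting apart when another match is added later.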

View File

@ -132,7 +132,6 @@ our $devnum;
our $sticky; our $sticky;
our $ipp2p; our $ipp2p;
# #
# TCClasses Table # TCClasses Table
# #
@ -514,7 +513,7 @@ sub process_simple_device() {
while ( ++$i <= 3 ) { while ( ++$i <= 3 ) {
emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10"; emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $devnum:$i"; emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $number:$i";
emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER'; emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
emit ''; emit '';
} }
@ -1198,6 +1197,9 @@ sub setup_traffic_shaping() {
validate_tc_device while read_a_line; validate_tc_device while read_a_line;
} }
my $sfq = $devnum;
my $sfqinhex;
$devnum = $devnum > 10 ? 10 : 1; $devnum = $devnum > 10 ? 10 : 1;
$fn = open_file 'tcclasses'; $fn = open_file 'tcclasses';
@ -1334,7 +1336,10 @@ sub setup_traffic_shaping() {
} }
} }
emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit $tcref->{limit} perturb 10" ) if $tcref->{leaf} && ! $tcref->{pfifo}; if ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
$sfqinhex = in_hexp( ++$sfq);
emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
}
# #
# add filters # add filters
# #
@ -1344,7 +1349,7 @@ sub setup_traffic_shaping() {
} }
} }
emit "run_tc filter add dev $device protocol all prio 1 parent $classnum: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow}; emit "run_tc filter add dev $device protocol all prio 1 parent $sfqinhex: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
# #
# options # options
# #
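Review bot: `$sfqinhex` is now only assigned inside `if ( $tcref->{leaf} && ! $tcref->{pfifo} )` in the previous hunk, but the flow filter in this hunk uses `parent $sfqinhex:` whenever `$tcref->{flow}` is set. Unless validation elsewhere guarantees that a flow specification implies a leaf class without pfifo, a class that has flow but is not a leaf (or has pfifo) would attach its filter to the previous class's SFQ handle, or to an empty handle on the first class; guarding the filter with the same condition, or rejecting flow on such classes at validation time, closes that gap. Seeding `my $sfq = $devnum;` so that SFQ handles start above the device numbers is the right idea and is worth a one-line comment.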

View File

@ -1,3 +1,37 @@
Changes in Shorewall 4.4.7.6
1) Fix Debian init script exit status
2) Fix NFQUEUE(queue-num) in policy
3) Fix multiple policy matches with OPTIMIZE 4 and not KLUDGEFREE
Changes in Shorewall 4.4.7.5
1) Don't create a logging chain for rules with '-j RETURN'.
2) Avoid duplicate SFQ class numbers.
3) Fix low per-IP rate limits.
Changes in Shorewall 4.4.7.4
1) Add $remote_fs to Required-start and Required-stop for Debian.
Changes in Shorewall 4.4.7.3
1) Detect FLOW_FILTER when LOAD_HELPERS_ONLY=Yes
Changes in Shorewall 4.4.7.2
1) Fix detection of "Old hashlimit match".
2) Detect FLOW_FILTER when LOAD_HELPERS_ONLY=No
Changes in Shorewall 4.4.7.1
1) Don't apply rate limiting twice in NAT rules.
Changes in Shorewall 4.4.7 Changes in Shorewall 4.4.7
1) Backport optimization changes from 4.5. 1) Backport optimization changes from 4.5.
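Review bot: entry 3 under 4.4.7.6 says "OPTIMIZE 4" while the corresponding commit subjects in this compare say "OPTIMIZE=7"; if 4 is the bit of the OPTIMIZE bitmask that enables ruleset optimization, say so in the entry (for example "optimization level 4, i.e. OPTIMIZE with bit 4 set") so readers running OPTIMIZE=7 recognise that the fix applies to them.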

View File

@ -1,8 +1,8 @@
#!/bin/sh #!/bin/sh
### BEGIN INIT INFO ### BEGIN INIT INFO
# Provides: shorewall # Provides: shorewall
# Required-Start: $network # Required-Start: $network $remote_fs
# Required-Stop: $network # Required-Stop: $network $remote_fs
# Default-Start: S # Default-Start: S
# Default-Stop: 0 6 # Default-Stop: 0 6
# Short-Description: Configure the firewall at boot time # Short-Description: Configure the firewall at boot time
@ -38,6 +38,7 @@ echo_notdone () {
echo "not done (check $INITLOG)." echo "not done (check $INITLOG)."
fi fi
exit 1
} }
not_configured () { not_configured () {

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.7 VERSION=4.4.7.6
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -1 +1,101 @@
There are no known problems in Shorewall 4.4.7. 1) All versions of Shorewall-perl mishandle per-IP rate limiting in
REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
the values given in the rule.
Corrected in 4.4.7.1
2) Detection of the 'Old hashlimit match' capability was broken in
/sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of
shorecap. This problem only affects users of older distributions
such as RHEL5 and derivatives.
Corrected in 4.4.7.2
3) On older distributions such as RHEL5 and derivatives, when
LOAD_HELPERS_ONLY=No, Shorewall would fail to start if a TYPE was
specified in /etc/shorewall/tcinterfaces.
Corrected in 4.4.7.2
4) On older distributions such as RHEL5 and derivatives, when
LOAD_HELPERS_ONLY=Yes, Shorewall would fail to start if a TYPE was
specified in /etc/shorewall/tcinterfaces.
Corrected in 4.4.7.3
5) A CONTINUE rule specifying a log level will cause the compiler to
generate an incorrect rule sequence. The packet will be logged but
the CONTINUE action will not occur.
To work around the problem break the rule into two rules; a logging
rule and a CONTINUE rule.
Corrected in 4.4.7.5.
6) If multiple entries are present in /etc/shorewall/tcdevices and
globally unique class numbers are not explicitly specified in
/etc/shorewall/tcclasses, then 'shorewall start' will fail with a
diagnostic such as:
Setting up Traffic Control...
RTNETLINK answers: File exists
ERROR: Command "tc qdisc add dev eth1 parent 2:2 handle 2: sfq quantum
1500 limit 127 perturb 10" Failed
Processing /etc/shorewall/stop ...
Corrected in 4.4.7.5.
7) If a low per-IP rate limit (such as 1/hour) is specified, the
effective enforced rate is much higher (approximately 6/min). The
Shorewall compiler now configures the hashlimit table idle timeout
based on the rate units (min, hour, ...) so that the rate is more
accurately enforced.
Corrected in 4.4.7.5.
As part of this change, a unique hash table name is assigned to
each per-IP rate limiting rule that does not specify a table name
in the rule. The assigned names are of the form 'shorewallN' where
N is an integer. Previously, all such rules shared a single
'shorewall' table which lead to unexpected results.
8) All prior versions of Shorewall-perl mishandle per-IP rate limiting
in REDIRECT, DNAT and ACCEPT+ rules. The effective rate and burst
are 1/2 of the values given in the rule.
Corrected in 4.4.7.5.
9) If a queue-number is specified in an NFQUEUE policy (e.g.,
NFQUEUE(0)), invalid iptables-restore input is generated.
Corrected in 4.4.7.6.
10) The Debian init scripts return exit status 0, even when the command
fails.
Corrected in 4.4.7.6.
11) Previously, with optimization 4, users of ipsec on older releases
such as RHEL5 and CentOS, could encounter an error similar to this
one:
Running /sbin/iptables-restore...
iptables-restore v1.3.5: Unknown arg `out'
Error occurred at line: 93
Try `iptables-restore -h' or 'iptables-restore --help' for more
information.
ERROR: iptables-restore Failed. Input is in
/var/lib/shorewall/.iptables-restore-input
Corrected in 4.4.7.6.
12) If optimization 4 is enabled, the 'blacklst' chain may be optimized
away. If that occurs, then if the 'blacklist' file is subsequently
updated, the 'shorewall refresh' command will succeed but the
changes will not be included in the active ruleset.
Workaround: Use 'shorewall restart' to install the changes.
Will be corrected in 4.4.8.
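Review bot: items 1 and 8 describe the same defect (8 adds ACCEPT+ to the REDIRECT/DNAT list of 1) with different "Corrected in" versions; either fold them into one entry that lists both fix versions or cross-reference them so a reader does not conclude that 4.4.7.1 fixed the whole problem. Also, in item 7 "which lead to unexpected results" should read "which led to unexpected results".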

View File

@ -956,7 +956,7 @@ determine_capabilities() {
qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
qt $IPTABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes qt $IPTABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
if [ -z "$HASHLIMIT_MATCH" ]; then if [ -z "$HASHLIMIT_MATCH" ]; then
qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && NEW_HL_MATCH=Yes qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
HASHLIMIT_MATCH=$OLD_HL_MATCH HASHLIMIT_MATCH=$OLD_HL_MATCH
fi fi
qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes

View File

@ -1,4 +1,4 @@
Shorewall 4.4.7 Shorewall 4.4.7 Patch Release 6.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
R E L E A S E 4 . 4 H I G H L I G H T S R E L E A S E 4 . 4 H I G H L I G H T S
@ -184,7 +184,102 @@ Shorewall 4.4.7
one from the release (not recommended). one from the release (not recommended).
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 7 P R O B L E M S C O R R E C T E D I N 4 . 4 . 7 . 6
----------------------------------------------------------------------------
1) Previously, when a supported command failed, the Debian Shorewall
init script would still return a success (zero) exit status. It now
returns a failure status (1) when the command fails.
2) Previously, if a queue number was specified in an NFQUEUE policy
(e.g., NFQUEUE(0)), invalid iptables-restore input would be
generated.
3) Previously, with optimization 4, users of ipsec on older releases
such as RHEL5 and CentOS, could encounter an error similar to this
one:
Running /sbin/iptables-restore...
iptables-restore v1.3.5: Unknown arg `out'
Error occurred at line: 93
Try `iptables-restore -h' or 'iptables-restore --help' for more
information.
ERROR: iptables-restore Failed. Input is in
/var/lib/shorewall/.iptables-restore-input
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 7 . 5
----------------------------------------------------------------------------
1) A CONTINUE rule specifying a log level would cause the compiler to
generate an incorrect rule sequence. The packet would be logged
but the CONTINUE action would not occur.
2) If multiple entries were present in /etc/shorewall/tcdevices and
globally unique class numbers were not explicitly specified in
/etc/shorewall/tcclasses, then 'shorewall start' would fail with a
diagnostic such as:
Setting up Traffic Control...
RTNETLINK answers: File exists
ERROR: Command "tc qdisc add dev eth1 parent 2:2 handle 2: sfq quantum
1500 limit 127 perturb 10" Failed
Processing /etc/shorewall/stop ...
3) Previously, when a low per-IP rate limit (such as 1/hour) was
specified, the effective enforced rate was much higher
(approximately 6/min). The Shorewall compiler now configures the
hashlimit table idle timeout based on the rate units (min, hour,
...) so that the rate is more accurately enforced.
As part of this change, a unique hashlimit table name is assigned
to each per-IP rate limiting rule that does not specify a table name
in the rule. The assigned names are of the form 'shorewallN' where
N is an integer. Previously, all such rules shared a single
'shorewall' table which lead to unexpected results.
4) All prior versions of Shorewall-perl mishandle per-IP rate limiting
ACCEPT+ rules. The effective rate and burst are 1/2 of the values
given in the rule. This problem has been corrected so that the
specified rate is now the effective rate.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 7 . 4
----------------------------------------------------------------------------
1) The Debian init scripts are modified to include $remote_fs in the
Required-start and Required-stop specifications.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 7 . 3
----------------------------------------------------------------------------
1) On older distributions such as RHEL5 and derivatives, when
LOAD_HELPERS_ONLY=Yes, Shorewall would fail to start if a TYPE was
specified in /etc/shorewall/tcinterfaces.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 7 . 2
----------------------------------------------------------------------------
1) Detection of the 'Old hashlimit match' capability was broken in
/sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of
shorecap.
2) On older distributions such as RHEL5 and derivatives, when
LOAD_HELPERS_ONLY=No, Shorewall would fail to start if a TYPE was
specified in /etc/shorewall/tcinterfaces.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 7 . 1
----------------------------------------------------------------------------
1) All versions of Shorewall-perl mishandle per-IP rate limiting in
REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
the values given in the rule.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 7
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) The tcinterfaces and tcpri files are now installed by the 1) The tcinterfaces and tcpri files are now installed by the
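Review bot: under 4.4.7.5, item 4 is missing a word ("mishandle per-IP rate limiting in ACCEPT+ rules"), and item 3 has the same "which lead to" for "which led to" as the known problems file; both are worth fixing before the release notes ship since this text is what users read.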

View File

@ -1,6 +1,6 @@
%define name shorewall %define name shorewall
%define version 4.4.7 %define version 4.4.7
%define release 0base %define release 6
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name} Name: %{name}
@ -107,7 +107,19 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
%changelog %changelog
* Fri Feb 05 2010 Tom Eastep tom@shorewall.net * Sat Feb 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-6
* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-5
* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-4
* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-3
* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-2
* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-1
* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0base - Updated to 4.4.7-0base
* Tue Feb 02 2010 Tom Eastep tom@shorewall.net * Tue Feb 02 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0RC2 - Updated to 4.4.7-0RC2

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.7 VERSION=4.4.7.6
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=4.4.7 VERSION=4.4.7.6
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -2,8 +2,8 @@
### BEGIN INIT INFO ### BEGIN INIT INFO
# Provides: shorewall6-lite # Provides: shorewall6-lite
# Required-Start: $network # Required-Start: $network $remote_fs
# Required-Stop: $network # Required-Stop: $network $remote_fs
# Default-Start: S # Default-Start: S
# Default-Stop: 0 6 # Default-Stop: 0 6
# Short-Description: Configure the firewall at boot time # Short-Description: Configure the firewall at boot time
@ -42,6 +42,7 @@ echo_notdone () {
echo "not done (check $INITLOG)." echo "not done (check $INITLOG)."
fi fi
exit 1
} }
not_configured () { not_configured () {
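Review bot: the `exit 1` added inside `echo_notdone` turns a message helper into a function that terminates the script, so any caller that previously continued after it (cleanup, status reporting, the remaining branches of a `case`) now stops, and the name no longer says what the function does. Suggest either renaming it to make the termination explicit or having it `return 1` and letting the caller decide; also check that no call site runs it in a subshell or pipeline, where the `exit` would not propagate to the script and the failure would be silently lost.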

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.7 VERSION=4.4.7.6
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -1,6 +1,6 @@
%define name shorewall6-lite %define name shorewall6-lite
%define version 4.4.7 %define version 4.4.7
%define release 0base %define release 6
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems. Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
Name: %{name} Name: %{name}
@ -91,7 +91,19 @@ fi
%doc COPYING changelog.txt releasenotes.txt %doc COPYING changelog.txt releasenotes.txt
%changelog %changelog
* Fri Feb 05 2010 Tom Eastep tom@shorewall.net * Sat Feb 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-6
* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-5
* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-4
* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-3
* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-2
* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-1
* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0base - Updated to 4.4.7-0base
* Tue Feb 02 2010 Tom Eastep tom@shorewall.net * Tue Feb 02 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0RC2 - Updated to 4.4.7-0RC2

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.7 VERSION=4.4.7.6
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=4.4.7 VERSION=4.4.7.6
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -1,8 +1,8 @@
#!/bin/sh #!/bin/sh
### BEGIN INIT INFO ### BEGIN INIT INFO
# Provides: shorewall6 # Provides: shorewall6
# Required-Start: $network # Required-Start: $network $remote_fs
# Required-Stop: $network # Required-Stop: $network $remote_fs
# Default-Start: S # Default-Start: S
# Default-Stop: 0 6 # Default-Stop: 0 6
# Short-Description: Configure the firewall at boot time # Short-Description: Configure the firewall at boot time
@ -38,6 +38,7 @@ echo_notdone () {
echo "not done (check $INITLOG)." echo "not done (check $INITLOG)."
fi fi
exit 1
} }
not_configured () { not_configured () {

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.7 VERSION=4.4.7.6
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -1,6 +1,6 @@
%define name shorewall6 %define name shorewall6
%define version 4.4.7 %define version 4.4.7
%define release 0base %define release 6
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems. Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
Name: %{name} Name: %{name}
@ -96,7 +96,19 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
%changelog %changelog
* Fri Feb 05 2010 Tom Eastep tom@shorewall.net * Sat Feb 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-6
* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-5
* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-4
* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-3
* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-2
* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-1
* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0base - Updated to 4.4.7-0base
* Tue Feb 02 2010 Tom Eastep tom@shorewall.net * Tue Feb 02 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0RC2 - Updated to 4.4.7-0RC2

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.7 VERSION=4.4.7.6
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -1203,33 +1203,34 @@ LOGBURST=""</programlisting>
</literallayout> </literallayout>
<para>I personally use <ulink <para>I personally use <ulink
url="http://www.logwatch.org">Logwatch</ulink>. It emails me a report url="http://www.cert.uni-stuttgart.de.projects/fwlogwatch">fwlogwatch</ulink>.
each day from my various systems with each report summarizing the It emails me a report each day from my various systems with each
logged activity on the corresponding system. I use the brief report report summarizing the logged activity on the corresponding system;
format; here's a sample:</para> here's a sample:</para>
<blockquote> <blockquote>
<programlisting> --------------------- iptables firewall Begin ------------------------ <programlisting>fwlogwatch summary
Generated Monday March 01 12:05:04 PST 2010 by root.
840 (and 166 older than 86400 seconds) of 1006 entries in 2 input files are packet logs, 178 have unique characteristics.
First packet log entry: Feb 28 12:56:49, last: Mar 01 12:00:38.
All entries were logged by the same host: "gateway".
All entries have the same target: "-".
Dropped 111 packets on interface eth0 net-fw DROP eth0 72 packets from 174.37.159.222 to 76.104.233.98
From 58.20.162.142 - 5 packets to tcp(1080) net-fw DROP eth2 30 packets from 66.249.65.20 to 206.124.146.176
From 62.163.19.50 - 1 packet to udp(6348) net-fw DROP eth0 22 packets from 85.247.221.191 to 76.104.233.98
From 66.111.45.60 - 9 packets to tcp(192) net-dmz DROP eth2 18 packets from 60.217.65.115 to 206.124.146.178
From 69.31.82.50 - 18 packets to tcp(3128) net-fw DROP eth2 18 packets from 60.217.65.115 to 206.124.146.180
From 72.232.183.102 - 2 packets to tcp(3128) net-fw DROP eth2 18 packets from 60.217.65.115 to 206.124.146.176
From 82.96.96.3 - 6 packets to tcp(808,1080,1978,7600,65506) net-fw DROP eth2 18 packets from 60.217.65.115 to 206.124.146.179
From 128.48.51.209 - 5 packets to tcp(143) net-fw DROP eth0 18 packets from 221.195.73.86 to 76.104.233.98
From 164.77.223.150 - 12 packets to tcp(873) net-dmz DROP eth2 16 packets from 60.217.65.115 to 206.124.146.177
From 165.233.109.23 - 8 packets to tcp(22) net-fw DROP eth0 16 packets from 24.30.147.199 to 76.104.233.98
From 202.99.172.175 - 4 packets to udp(2,4081) ...</programlisting>
From 206.59.41.101 - 2 packets to tcp(5900)
From 217.91.30.224 - 24 packets to tcp(873)
From 218.87.47.114 - 6 packets to tcp(3128)
From 220.110.219.234 - 4 packets to tcp(22)
From 220.133.116.173 - 5 packets to tcp(3128)
---------------------- iptables firewall End -------------------------</programlisting>
</blockquote> </blockquote>
<para>Fwlogwatch contains a built-in web server that allows monitoring
recent activity in summary fashion.</para>
</section> </section>
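Review bot: the new link on the right-hand side, `url="http://www.cert.uni-stuttgart.de.projects/fwlogwatch"`, has a dot where the first path separator should be; it presumably should read `http://www.cert.uni-stuttgart.de/projects/fwlogwatch`. The closing paragraph could also say one more thing: since fwlogwatch's built-in web server would run on the firewall itself, readers should bind it to a trusted interface or restrict access to it with a rule rather than expose a log viewer alongside the rules it reports on.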
<section id="faq6b"> <section id="faq6b">

View File

@ -1140,9 +1140,9 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
'!' to specify "All ports except these" (e.g., "!80,443").</para> '!' to specify "All ports except these" (e.g., "!80,443").</para>
<para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink <para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink> url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
file may specify no more than 15 ports; port ranges appearing in a list (5) file may specify no more than 15 ports; port ranges appearing in a
count as two ports each.</para> list count as two ports each.</para>
</section> </section>
<section id="MAC"> <section id="MAC">
@ -1186,6 +1186,32 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
</note> </note>
</section> </section>
<section id="RateLimit">
<title>Rate Limiting (Rate and Burst)</title>
<para>Shorewall supports rate limiting in a number of ways. When
specifying a rate limit, both a <firstterm>rate</firstterm> and a
<firstterm>burst</firstterm> value are given.</para>
<para>Example from <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5): </para>
<simplelist>
<member>LOGRATE=10/minute</member>
<member>LOGBURST=5</member>
</simplelist>
<para> For each logging rule, the first time the rule is reached, the
packet will be logged; in fact, since the burst is 5, the first five
packets will be logged. After this, it will be 6 seconds (1 minute divided
by the rate of 10) before a message will be logged from the rule,
regardless of how many packets reach it. Also, every 6 seconds which
passes without matching a packet, one of the bursts will be regained; if
no packets hit the rule for 30 seconds, the burst will be fully recharged;
back where we started.</para>
</section>
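Review bot: the recharge sentence in the last paragraph, `every 6 seconds which passes without matching a packet, one of the bursts will be regained`, describes the limit match slightly imprecisely: credit accrues at the configured rate whether or not packets are matched, and each logged packet consumes one credit, so a packet arriving exactly every 6 seconds is logged every time while the bucket never fills further. Suggest rewording along those lines (and `every 6 seconds which passes` should read `every 6 seconds that pass`); the 30 second full-recharge figure (5 credits at 6 s each) is correct as written.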
<section id="Logical"> <section id="Logical">
<title>Logical Interface Names</title> <title>Logical Interface Names</title>

View File

@ -891,10 +891,10 @@
respectively. The <replaceable>name</replaceable> may be chosen by respectively. The <replaceable>name</replaceable> may be chosen by
the user and specifies a hash table to be used to count matching the user and specifies a hash table to be used to count matching
connections. If not give, the name <emphasis connections. If not give, the name <emphasis
role="bold">shorewall</emphasis> is assumed. Where more than one role="bold">shorewallN</emphasis> (where N is a unique integer) is
rule specifies the same name, the connections counts for the rules assumed. Where more than one rule specifies the same name, the
are aggregated and the individual rates apply to the aggregated connections counts for the rules are aggregated and the individual
count.</para> rates apply to the aggregated count.</para>
<para>Example: <emphasis role="bold">s:ssh:3/min:5</emphasis></para> <para>Example: <emphasis role="bold">s:ssh:3/min:5</emphasis></para>
</listitem> </listitem>
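Review bot: changing the default hash table name from `shorewall` to `shorewallN (where N is a unique integer)` is a behaviour change, not only a documentation fix: rules that omit the name used to share one table and therefore one aggregated count, and now each gets its own, which changes what an existing rate limit means. Suggest saying so explicitly here and in the release notes, and stating how N is assigned, in particular whether it is stable across recompiles, since the table name is what appears under /proc/net/ipt_hashlimit/ and in any monitoring that reads it. The unchanged context `If not give, the name` should also read `If not given, the name`.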

View File

@ -692,10 +692,10 @@
respectively. The <replaceable>name</replaceable> may be chosen by respectively. The <replaceable>name</replaceable> may be chosen by
the user and specifies a hash table to be used to count matching the user and specifies a hash table to be used to count matching
connections. If not give, the name <emphasis connections. If not give, the name <emphasis
role="bold">shorewall</emphasis> is assumed. Where more than one role="bold">shorewallN</emphasis> (where N is a unique integer) is
POLICY specifies the same name, the connections counts for the rules assumed. Where more than one POLICY specifies the same name, the
are aggregated and the individual rates apply to the aggregated connections counts for the rules are aggregated and the individual
count.</para> rates apply to the aggregated count.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
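Review bot: same wording points as in the rules manpage hunk: `If not give, the name` should read `If not given`, and `the connections counts` should read `the connection counts`; in this POLICY manpage the new right-hand text also still says `for the rules are aggregated` where the subject is policies.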