forked from extern/shorewall_code
ee51d49233
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@781 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
87 lines
3.1 KiB
Plaintext
Executable File
87 lines
3.1 KiB
Plaintext
Executable File
This is a minor release of Shorewall.
|
|
|
|
Problems Corrected since version 1.4.7:
|
|
|
|
1) Tuomo Soini has supplied a correction to a problem that occurs using
|
|
some versions of 'ash'. The symptom is that "shorewall start" fails
|
|
with:
|
|
|
|
local: --limit: bad variable name
|
|
iptables v1.2.8: Couldn't load match `-j':/lib/iptables/libipt_-j.so:
|
|
cannot open shared object file: No such file or directory
|
|
Try `iptables -h' or 'iptables --help' for more information.
|
|
|
|
2) Andres Zhoglo has supplied a correction that avoids trying to use
|
|
the multiport match iptables facility on ICMP rules.
|
|
|
|
Example of rule that previously caused "shorewall start" to fail:
|
|
|
|
ACCEPT loc $FW icmp 0,8,11,12
|
|
|
|
3) Previously, if the following error message was issued, Shorewall
|
|
was left in an inconsistent state.
|
|
|
|
Error: Unable to determine the routes through interface xxx
|
|
|
|
4) Handling of the LOGUNCLEAN option in shorewall.conf has been
|
|
corrected.
|
|
|
|
5) In Shorewall 1.4.2, an optimization was added. This optimization
|
|
involved creating a chain named "<zone>_frwd" for most zones
|
|
defined using the /etc/shorewall/hosts file. It has since been
|
|
discovered that in many cases these new chains contain redundant
|
|
rules and that the "optimization" turns out to be less than
|
|
optimal. The implementation has now been corrected.
|
|
|
|
6) When the MARK value in a tcrules entry is followed by ":F" or ":P",
|
|
the ":F" or ":P" was previously only applied to the first Netfilter
|
|
rule generated by the entry. It is now applied to all entries.
|
|
|
|
7) The original fix for item 5) above contained a bug which caused the
|
|
"<zone>_frwd" chain to have too few rules. That has been corrected
|
|
(twice).
|
|
|
|
8) An incorrect comment concerning Debian's use of the SYBSYSLOCK
|
|
option has been removed from shorewall.conf.
|
|
|
|
Migration Issues:
|
|
|
|
None.
|
|
|
|
New Features:
|
|
|
|
1. A new QUEUE action has been introduced for rules. QUEUE allows you
|
|
to pass connection requests to a user-space filter such as p2pwall
|
|
(http://p2pwall.sourceforge.net).
|
|
|
|
For example, to use p2pwall to filter P2P applications, you would
|
|
add the following rules:
|
|
|
|
QUEUE loc net tcp
|
|
QUEUE loc net udp
|
|
QUEUE loc fw udp
|
|
|
|
You would normally want to place those two rules BEFORE any ACCEPT
|
|
rules for loc->net.
|
|
|
|
Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
|
|
Shorewall will only pass connection requests (SYN packets) to user
|
|
space. This is for compatibility with p2pwall.
|
|
|
|
2. A BLACKLISTNEWNONLY option has been added to shorewall.conf. When
|
|
this option is set to "Yes", the blacklists (dynamic and static)
|
|
are only consulted for new connection requests. When set to "No"
|
|
(the default if the variable is not set), the blacklists are
|
|
consulted on every packet.
|
|
|
|
Setting this option to "No" allows blacklisting to stop existing
|
|
connections from a newly blacklisted host but is more expensive in
|
|
terms of packet processing time. This is especially true if the
|
|
blacklists contain a large number of entries.
|
|
|
|
3. Chain names used in the /etc/shorewall/accounting file may now begin
|
|
with a digit ([0-9]) and may contain embedded dashes ("-").
|
|
|
|
|
|
|