"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "releasenotes.txt" between
shorewall6-lite-5.2.3.6.tar.bz2 and shorewall6-lite-5.2.6.tar.bz2

About: Shorewall (The Shoreline Firewall) is an iptables based firewall (a light-weight Shorewall6 version that will run compiled firewall scripts generated on a system with Shorewall6 installed).

[ To the main shorewall6-lite source changes report ]

releasenotes.txt  (shorewall6-lite-5.2.3.6.tar.bz2):releasenotes.txt  (shorewall6-lite-5.2.6.tar.bz2)
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
S H O R E W A L L 5 . 2 . 3 . 6 S H O R E W A L L 5 . 2 . 6
------------------------------- -------------------------------
F E B R U A R Y 1 6 , 2 0 2 0 J U L Y 0 4 , 2 0 2 0
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE I. PROBLEMS CORRECTED IN THIS RELEASE
II. KNOWN PROBLEMS REMAINING II. KNOWN PROBLEMS REMAINING
III. NEW FEATURES IN THIS RELEASE III. NEW FEATURES IN THIS RELEASE
IV. MIGRATION ISSUES IV. MIGRATION ISSUES
V. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES V. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
5.2.3.6 1) This release includes defect repair up through Shorewall version
5.2.5.2.
1) When both Docker containers and Libvirt VMs were in use, 'shorewall 2) When compiling for export, the compiler generates a firewall.conf
start' could fail as follows: file which is later installed on the remote firewall system as
${VARDIR}/firewall.conf. Previously, the CLI on that firewall was
not processing the file, resulting in some features not being
available:
- Default values for VERBOSITY, LOGFILE, LOGFORMAT, PATH,
SHOREWALL_SHELL, SUBSYSLOCK, RESTOREFILE, RESTART,
DYNAMIC_BLACKLIST and PAGER are not supplied.
Running /sbin/iptables-restore --wait 60... - scfilter file supplied at compile time.
iptables-restore v1.8.3 (legacy): Couldn't load target
`LIBVIRT_PRT':No such file or directory
Error occurred at line: 19
Try `iptables-restore -h' or 'iptables-restore --help' for more informatio
n.
ERROR: /sbin/iptables-restore --wait 60 Failed.
That has been corrected.
5.2.3.5 - dumpfilter file supplied at compile time.
1) A typo in the FTP documentation has been corrected.
2) The recommended mss setting when using IPSec with ipcomp has been
corrected.
3) A number of incorrect links in the manpages have been corrected.
4) The 'bypass' option is now allowed when specifying an NFQUEUE
policy. Previously, specifying that option resulted in an error.
5) Corrected IPv6 Address Range parsing.
Previously, such ranges were required to be of the form [<addr1>-<addr2>]
rather than the more standard form [<addr1>]-[<addr2>]. In the snat file
(and in nat actions), the latter form was actually flagged as an error
while in other contexts, it resulted in a less obvious error being
raised.
6) The manpages have been updated to refer to https://shorewall.org
rather than http://www.shorewall.org.
5.2.3.4
1) If multi-queue NFQUEUE (e.g., NFQUEUE(0:1) ) WAS used as a policy,
an error such as the following was previously incorrectly raised.
ERROR: Invalid policy (NFQUEUE(0) /etc/shorewall/policy (line
15)
That has been corrected such that no error is raised.
2) If multi-queue NFQUEUE( e.g., NFQUEUE(0:1,bypass) ) was passed to a
macro, an error such as the following was previously incorrectly
raised:
ERROR: Invalid ACTION (PARAM:1c,bypass)))
/usr/share/shorewall/macro.BitTorrent (line 12)
from /etc/shorewall/rules (line 40)
Now, the NFQUEUE action is correctly substituted for PARAM in
the Macro body.
3) If shorewall[6].conf didn't set AUTOMAKE, the 'update' command
previously produced a new file with 'AUTOMAKE=Yes'. This resulted
in an unexpected change of behavior. Now, the new file contains
'AUTOMAKE=No', which preserves the pre-update behavior.
4) Shorewall-rules(5) incorrectly stated that the 'bypass' option to
NFQUEUE causes the rule to be silently bypassed if there is no
application attached to the queue. The actual behavior is that the
rule acts like ACCEPT in that case. Shorewall-rules(5) has been
corrected.
5.2.3.3
1) Previously, if an ipset was specified in an SPORT column, the
compiler would raise an error similar to:
ERROR: Invalid ipset name () /etc/shorewall/rules (line 44)
That has been corrected. That has been corrected.
5.2.3.2 3) A bug in iptables (see
https://git.netfilter.org/iptables/commit/?id=d1555a0906e35ba8d170613d5a43da
1) Shorewall 5.2 automatically converts and existing 'masq' file to an 64e527dbe1)
equivalent 'snat' file. Regrettably, Shorewall 5.2.3 broke that prevents the '--queue-cpu-fanout' option from being applied unless
automatic update, such that the following error message was issued: that option is the last one specified. Unfortunately, Shorewall
places the '--queue-bypass' option last if that option is also
Use of uninitialized value $Shorewall::Nat::raw::currentline in specified.
pattern match (m//) at /usr/share/shorewall/Shorewall/Nat.pm
line 511, <$currentfile> line nnn. This release works around this issue by ensuring that the
'--queue-cpu-fanout' option appears last.
and the generted 'masq' file contains only initial comments.
4) The -D 'compile', 'check', 'reload' and 'Restart' option was
That has been corrected. previously omitted from the output of 'shorewall help'. It is now
included. As part of this change, an incorrect and conflicting
5.2.3.1 description of the -D option was removed from the 'remote-restart'
section of shorewall(8).
1) An issue in the implementation of policy file zone exclusion,
released in 5.2.3 has been resolved. In the original release, 5) Previously, when EXPAND_POLICIES=No, chains that enforced ACCEPT
if more than one zone was excluded, then the following error was policies were not completely optimized by optimize level 2 (ACCEPT
raised: rules preceding the final unconditional ACCEPT were not
deleted). That has been corrected such that these rules are now
ERROR: 'all' is not allowed in a source zone list optimized.
etc/shorewall/policy (line ...)
5.2.3
1) To prevent a helper kernel module from being loaded, it was
previously necessary to list both its current name and its
pre-kernel-2.6.20 name in the DONT_LOAD option in
/etc/shorewall[6].conf. For example, to prevent nf_conntrack_sip
from being loaded, it was necessary to also list ip_conntrack_sip
in DONT_LOAD. That is no longer necessary.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G I I. K N O W N P R O B L E M S R E M A I N I N G
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure 1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up. the firewall before interfaces are brought up.
2) The 'enable', 'reenable' and 'disable' commands do not work 2) The 'enable', 'reenable' and 'disable' commands do not work
correctly in configurations with USE_DEFAULT_RT=No and optional correctly in configurations with USE_DEFAULT_RT=No and optional
providers listed in the DUPLICATE column. providers listed in the DUPLICATE column.
3) While the 'ip' utility now accepts IPv6 routes with multiple 3) While the 'ip' utility now accepts IPv6 routes with multiple
'nexthop' destinations, these routes are not balanced. They are 'nexthop' destinations, these routes are not balanced. They are
rather instantiated as a sequence of single routes with different rather instantiated as a sequence of single routes with different
metrics. Furthermore, the 'ip route replace' command fails on metrics. Furthermore, the 'ip route replace' command fails on
such routes. Beginning with Shorewall6 5.0.15, the generated script such routes. Beginning with Shorewall6 5.0.15, the generated script
uses a "delete..add.." sequence on these routes rather than a uses a "delete..add.." sequence on these routes rather than a
single "replace" command. single "replace" command.
4) On Debian-derived systems, when DOCKER=Yes, the 'systemctl restart
shorewall' command looses Docker rules.
Workaround (courtesy of J Cliff Armstrong):
Type (as root):
`systemctl edit shorewall.service`.
This will open the default terminal editor to a blank file in
which you can paste the following:
[Service]
# reset ExecStop
ExecStop=
# set ExecStop to "stop" instead of "clear"
ExecStop=/sbin/shorewall $OPTIONS stop
Then type `systemctl daemon-reload` to activate the changes. This
change will survive future updates of the shorewall package from apt
repositories. The override file itself will be saved to
`/etc/systemd/system/shorewall.service.d/`.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I I I. N E W F E A T U R E S I N T H I S R E L E A S E I I I. N E W F E A T U R E S I N T H I S R E L E A S E
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) Zone exclusion (e.g., "all!z2,z2,...") is now supported in the 1) The 'actions' file now supports a 'dport' option to go along with
policy file. the 'proto' option. Using these two options can now restrict an
action to a particular service. See shorewall-actions(5) for
details.
2) With the availability of zone exclusion in the rules file, 'all[+]-' Example limiting net->all SSH connections to 3/min per source IP:
and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW'
respectively. Beginning with this release, the former are
deprecated in favor of the latter and will result in a warning
message, if used.
3) Internal documentaton of the undocumented 'test' parameter to /etc/shorewall/actions:
compiler.pl has been added (it is used by the regression test
library to suppress versions and date/times from the generated
script).
4) The LOAD_HELPERS_ONLY option has been removed from SSHLIMIT proto=tcp,\ # Blacklist overzealous SSHers
shorewall[6].conf. Hereafter, Shorewall[6] will behave as if dport=ssh
LOAD_HELPERS_ONLY=Yes had been specified.
/etc/shorewall/action.SSLHIMIT
ACCEPT { RATE=s:3/min:3 }
BLACKLIST:$LOG_LEVEL:net_SSHLIMIT
/etc/shorewall/rules:
SSHLIMIT net all
2) The change to 'show actions' implemented in 5.2.5.1 (see below)
has been further extended.
- "?IF...?ELSE...?ENDIF" sequences are now shown in the output
- Continuation lines are now shown in the output so that all
action options are now displayed
- If an action appears in both /usr/share/shorewall[6]/actions.std
and in /etc/shorewall[6]/actions, then the entry in the actions
file is shown followed by the entry in the actions.std file.
3) To emphasize that it specifies destination ports, the PORT column
in the snat file has been renamed DPORT. Beginning with this
release, both 'port' and 'dport' are accepted in the alternative
input format.
4) The snat file now supports ?FORMAT 2, which adds an SPORT (source
port) column immediately to the right of the DPORT (destination
port) column.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I V. M I G R A T I O N I S S U E S I V. M I G R A T I O N I S S U E S
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
If you are migrating from Shorewall 4.6.x or earlier, please see If you are migrating from Shorewall 4.6.x or earlier, please see
http://www.shorewall.org/pub/shorewall/5.0/shorewall-5.0.15/releasenotes.txt http://www.shorewall.org/pub/shorewall/5.0/shorewall-5.0.15/releasenotes.txt
Immediately after installing Shorewall 5.2.x, we recommend that you run Immediately after installing Shorewall 5.2.x, we recommend that you run
'shorewall[6] update'. This command will handle many of the migration 'shorewall[6] update'. This command will handle many of the migration
skipping to change at line 279 skipping to change at line 254
http://www.shorewall.org/Shorewall-5.html#idp41228128. http://www.shorewall.org/Shorewall-5.html#idp41228128.
This issue is not handled by 'shorewall update' and must be This issue is not handled by 'shorewall update' and must be
corrected manually. corrected manually.
4) The Netfilter team have removed support for the rawpost table, so 4) The Netfilter team have removed support for the rawpost table, so
Shorewall no longer supports features requiring that table Shorewall no longer supports features requiring that table
(stateless netmapping in the netmap file). The good news is that, (stateless netmapping in the netmap file). The good news is that,
since kernel 3.7, Netfilter supports stateful IPv6 network mapping since kernel 3.7, Netfilter supports stateful IPv6 network mapping
which is now also supported in Shorewall6 (see which is now also supported in Shorewall6 (see
shorewall6-netmap(5)). shorewall-netmap(5)).
This issue is not handled by 'shorewall update' and must be This issue is not handled by 'shorewall update' and must be
corrected manually. corrected manually.
5) The (undocumented) Makefiles haven't been maintained for many 5) The (undocumented) Makefiles haven't been maintained for many
releases and have been removed. releases and have been removed.
6) Beginning with Shorewall 5.1.2, The DROP_DEFAULT, REJECT_DEFAULT, 6) Beginning with Shorewall 5.1.2, The DROP_DEFAULT, REJECT_DEFAULT,
etc. options may now specify a comma-separated list of actions etc. options may now specify a comma-separated list of actions
rather than just a single action. The actions are invoked in the rather than just a single action. The actions are invoked in the
skipping to change at line 567 skipping to change at line 542
message, if used. message, if used.
9) Beginning with Shorewall 5.2.3, the LOAD_HELPERS_ONLY option in 9) Beginning with Shorewall 5.2.3, the LOAD_HELPERS_ONLY option in
shorewall[6].conf has been removed, and the behavior is as if shorewall[6].conf has been removed, and the behavior is as if
LOAD_HELPERS_ONLY=Yes had been specified. 'shorewall[6] update' LOAD_HELPERS_ONLY=Yes had been specified. 'shorewall[6] update'
will remove the option from shorewall[6].conf. will remove the option from shorewall[6].conf.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
V. N O T E S F R O M O T H E R 5 . 2 R E L E A S E S V. N O T E S F R O M O T H E R 5 . 2 R E L E A S E S
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 2 . 5
----------------------------------------------------------------------------
1) Prior to this release, when a 'timeout' value was specified in the
DYNAMIC_BLACKLIST setting, the dynamic-blacklisting ipset was
created with this default timeout. This had the unfortunate
disadvantage that it was not possible to add permanent entries
into the ipset. Even if 'timeout 0' was specified in a 'blacklist'
command, the entry would still age out of the ipset after the
default timeout had elapsed.
Beginning with this release, the dynamic-blacklisting ipset is
created with 'timeout 0'. When an address is added to the set,
either by BLACKLIST policy enforcement, by the BLACKLIST action,
or by the CLI 'blacklist' command (where no 'timeout' is
specified), the default timeout is applied to the new entry.
Once you have upgraded to this version of Shorewall, you can
convert your existing dynamic-blacklisting ipset (with a non-zero
default timeout) to have a default timeout of zero as follows:
a) If RESTART=restart in shorewall[6].conf, then simply
'shorewall[6] restart'.
b) Otherwise, 'shorewall[6] stop && shorewall[6] start'.
2) Previously, when an ADD or DEL rule specified logging, the entire
action (e.g. 'ADD(+NET_BL:src:7200)') was included in the log
message. This could easily lead to a "Log prefix shortened..."
warning during compilation.
Beginning with this release, such log messages will contain only
the basic action ('ADD' or 'DEL') and the set name (e.g.,
'ADD(NET_BL)') to reduce the liklihood of producing the warning.
3) Traditionally, Shorewall has logged state change messages using
the 'user' syslog facility. Beginning with this release, these
messages will be logged using the 'daemon' facility to more
accurately reflect that these messages relate to a service.
4) The DYNAMIC_BLACKLIST setting now allows a 'log' option to be
specified for ipset-based blacklisting. When this option is given,
successful 'blacklist' and 'allow' commands generate a 'daemon.info'
log message.
5) When ipset-based dynamic blacklisting is enabled, the generated
ruleset has traditionally refreshed the 'timeout' of an ipset
entry when a packet from blacklisted host is received. This has
the unfortunate side effect that it can change a permanent entry
(timeout 0) to a temporary (one with non-zero timeout). Beginning
with this release, this timeout refresh can be avoided by
specifying the 'noupdate' option in the DYNAMIC_BLACKLIST
setting.
6) To allow Shorewall's ipset-based blacklisting to play nicely with
fail2ban, the 'blacklist!' CLI command has been added.
The command
blacklist! <ip>
is equivalent to
blacklist <ip> timeout 0
thus allowing 'blacklist!' to be specified as the 'blocktype' in
/etc/fail2ban/actions.d/shorewall.conf.
See https://shorewall.org/blacklisting_support.htm#fail2ban for
further information about using Shorewall dynamic blacklisting
with fail2ban.
7) Previously, when a zone name was too long, the resulting error
message was "Invalid zone name (<name>)". To make the cause of
the failure clearer, the message is now "Zone name (<name>) too
long".
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 2 . 5
----------------------------------------------------------------------------
5.2.5.1
1) The change in 5.2.5 base which changed the 'user' facility to the
'daemon' facility in Shorewall syslog messages did not change the
messages with severity 'err'. That has been corrected such that
all syslog messages now use the 'daemon' facility.
2) The actions.std file contains "?IF...?ELSE...?ENDIF" sequences
that provide different action options depending on the availabilty
of certain capabilities. This has resulted in the Broadcast and
Multicast options being listed twice in the output of
"shorewall[6] show actions". Beginning with this release, this
duplication is eliminated. Note, however, that the options shown
will be incomplete if they were continued onto another line, and
may be incorrect for Broadcast and Multicast.
3) A typo in shorewall-providers(5) has been corrected.
5.2.5 Base
1) Previously, Shorewall-init installed a 'shorewall' script in
/etc/network/if-down.d on Debian and derivatives. This script was
unnecessary and required Debian-specific code in the generated
firewall script. The Shorewall-init script is no longer installed
and the generated firewall script is now free of
distribution-specific code.
2) Also on Debian and derivatives, Shorewall-init installed
/etc//NetworkManager/dispatcher.d/01-shorewall which was also
unnecessary. Beginning with this release, that file is no longer
installed.
3) Previously, if the dynamic-blacklisting default timeout was set in
a variable in the params file and the variable was used in setting
DYNAMIC_BLACKLIST, then the 'allow' command would fail with
the message:
ERROR: Invalid value (ipset-only,disconnect,timeout=) for
DYNAMIC_BLACKLIST
That has been corrected.
4) When EXPAND_POLICIES=No in shorewall[6].conf, policies in complex
rulesets are enforced in chains such as 'net-all' and
'all-all'. Previously, these chains included redundant
state-oriented rules. In addition to being redundant. these rules
could actually break complex IPv6 configurations. The extra rules are
now omitted.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 2 . 4
----------------------------------------------------------------------------
1) Previously, Shorewall's Docker support assumed that the default
Docker Bridge (docker0) was being used. Beginning with this
release, the DOCKER_BRIDGE option in Shorewall.conf allows an
arbitrary name to be assigned to the bridge. In particular, when
CNI is being used, DOCKER_BRIDGE=cni0 is the appropriate setting.
2) The CLI keywords 'debug' and 'trace' have been replaced by -D and
-T options respectively (e.g., 'shorewall trace reload' is now
'shorewall -T reload'). Like the keywords, only one of these
options can be active at a time; if both are entered, only the
last one is activated. A similar change has been made to the
generated script.
The -T option (formerly 'trace') now applies only to shell-level
tracing in the CLI and generated script. Those commands that
invoke the rules compiler now accept a -D command option which
causes the compiler to generate debugging information (e.g.,
'shorewall check -D').
The 'nolock' keyword is now deprecated in favor of the -N
option (e.g., 'shorewall nolock reload' becomes 'shorewall -N
reload').
See shorewall(8) for details.
3) Within the source code and documentation, 'shorewall.net' has been
replaced by 'shorewall.org'.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 2 . 4
----------------------------------------------------------------------------
5.2.4.4
1) When DYNAMIC_BLACKLIST=ipset... or when SAVE_IPSETS=Yes in
shorewall[6].conf, 'shorewall[6] start' could hang when 5.2.4.3
was installed. That has been corrected.
2) When 5.2.4.3 was installed, 'shorewall[6] start' would not
automatically create dynamic blacklisting ipsets. That has been
corrected.
5.2.4.3
1) When interfaces was managed by Network Manager and IFUPDOWN=1 was
specified in the Shorewall-init configuration file, when an optional
interface was brought up, enabling the interface in
Shorewall6[-lite] could fail.
Correcting this issue involves corrected code in this release of
Shorewall, but also may require a configuration change in
/etc/shorewall6/interfaces. The change in Shorewall makes the
generated script honor the 'wait=<seconds>' specification in
/etc/shorewall6/interfaces when executing the 'enable' command.
If there are optional interfaces that do not specify 'wait=...',
then the interfaces file must be altered to include such
specifications.
2) An unnecessary test during command initialization in the generated
script has been eliminated.
3) Previously, 'shorewall[6] stop' or 'shorewall[6] clear' would
create the dynamic blacklist ipset if it did not exist. Creation
of the ipset is now defered until the next 'start'.
4) Previously, 'shorewall[6] start' would delete all corresponding
ipsets before restoring. It now deletes only those sets that will
be restored, thus allowing SAVE_IPSETS to be specified in the
Shorewall-init configuration when ipset-based dynamic blacklisting
is also enabled. Previously, if any additional ipsets were used,
it was necessary to set SAVE_IPSETS=Yes in shorewall[6].conf as
well.
5) Previously, 'Shorewall-init start' restored ipsets after stopping
the firewalls, precluding use of ipsets in the stoppedrules file.
Shorewall-init now restores the ipsets before stopping the
firewalls.
6) Optimize level 16 has been speeded up by an order of magnitude.
Tests using a large user-supplied configuration showed compilation
time with OPTIMIZE=all was reduced from 22min 40 seconds to 21.5
seconds.
5.2.4.2
1) This release corrects two problems associated with Debian
Shorewall-init when IFUPDOWN=1 in the Shorewall-init
configuration file (/etc/default/shorewall-init):
a) Down events were ignored when Network Manager was being used.
b) Up events were processed twice when a dual-stack interface
was brought up.
Both problems have been corrected. To make the fixes effective,
it is necessary to recompile the firewall script (shorewall[6]
compile, start, restart or reload).
5.2.4.1
1) The web site and documentation have been improved to correct some
invalid links in the manpages (including the manpages released
in Shorewall components) and to link directly to the current
website at https://shorewall.org. (Tuomo Soini)
2) Cautions regarding SAVE_IPSETS have been added to the ipsets
article.
3) OpenSuSE users running systemd have complained that the firewalls
are stopped after a Shorewall product upgrade. The problem is that
OpenSuSE restarts all running products that have been
upgraded. Recall that 'systemctl restart' is equivalent to
'systemctl stop && systemctl start'. But starting Shorewall-init
results in the firewall products specified in the Shorewall-init
config file to be stopped. To address this issue, Shorewall-init
will now ignore 'start' and 'stop' commands, for running firewalls
(Tuomo Soini).
4) On Redhat-based system and on OpenSuSE, extraneous Shorewall-init
log messages regarding invalid commands were being issued. These
harmless messages are now suppressed (Tuomo Soini).
5.2.4 Final
1) Previously, when a Shorewall6 firewall was placed into the
'stopped' state, ICMP6 packets required by RFC 4890 were not
automatically accepted by the generated ruleset.
Beginning with this release, those packets are automatically
accepted.
2) Previously, the output of 'shorewall[6] help' displayed the
superseded 'load' command. That text has been deleted.
3) The QOSExample.html file in the documentation and on the web site
previously showed tcrules content for the /etc/shorewall/mangle
file (recall that 'mangle' superseded 'tcrules'). That page has
been corrected.
4) The 'Starting and Stopping' and 'Configuration file basics'
documents have been updated to align them with the current product
behavior.
5) The 'ipsets' document has been updated to clarify the use of
ipsets in the stoppedrules file.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 2 . 3
----------------------------------------------------------------------------
1) Zone exclusion (e.g., "all!z2,z2,...") is now supported in the
policy file.
2) With the availability of zone exclusion in the rules file, 'all[+]-'
and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW'
respectively. Beginning with this release, the former are
deprecated in favor of the latter and will result in a warning
message, if used.
3) Internal documentaton of the undocumented 'test' parameter to
compiler.pl has been added (it is used by the regression test
library to suppress versions and date/times from the generated
script).
4) The LOAD_HELPERS_ONLY option has been removed from
shorewall[6].conf. Hereafter, Shorewall[6] will behave as if
LOAD_HELPERS_ONLY=Yes had been specified.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 2 . 3
----------------------------------------------------------------------------
5.2.3.7
1) When DOCKER=Yes, if both the DOCKER-ISOLATE and
DOCKER-ISOLATE-STAGE-1 existed then the DOCKER-ISOLATE-STAGE-*
chains were not preserved through shorewall state changes.
That has been corrected so that both chains are preserved if
present.
2) Previously, the compiler always detected the OLD_CONNTRACK_MATCH
capability as being available in IPv6. When OLD_CONNTRACK_MATCH
was available, the compiler also mishandled inversion ('!') in the
ORIGDEST columns, leading to an assertion failure:
Shorewall::Config::fatal_error("Internal error in
Shorewall::Chains::set_rule_option at /usr/"...) called at
/usr/share/shorewall/Shorewall/Config.pm line 1619
Both the incorrect capability detection and the mishandled
inversion have been corrected.
3) During 'enable' processing, if address variables associated with
the interface have values different than those when the firewall
was last started/restarted/reloaded, then a 'reload' is performed
rather than a simple 'enable'. The logic that checks for those
changes was incorrect in some configurations, leading to unneeded
reload operations. That has been corrected.
4) When MANGLE_ENABLED=No in shorewall[6].conf, some features
requiring use of the mangle table can be allowed, even though the
mangle table is not updated. That has been corrected such that use
of such features will raise an error.
5) When an invocation of the IfEvent(...,reset) action was invoked,
the compiler previously emitted a spurious "Resetting..." message.
That message has been suppressed.
5.2.3.6
1) When both Docker containers and Libvirt VMs were in use, 'shorewall
start' could fail as follows:
Running /sbin/iptables-restore --wait 60...
iptables-restore v1.8.3 (legacy): Couldn't load target
`LIBVIRT_PRT':No such file or directory
Error occurred at line: 19
Try `iptables-restore -h' or 'iptables-restore --help' for more informatio
n.
ERROR: /sbin/iptables-restore --wait 60 Failed.
That has been corrected.
5.2.3.5
1) A typo in the FTP documentation has been corrected.
2) The recommended mss setting when using IPSec with ipcomp has been
corrected.
3) A number of incorrect links in the manpages have been corrected.
4) The 'bypass' option is now allowed when specifying an NFQUEUE
policy. Previously, specifying that option resulted in an error.
5) Corrected IPv6 Address Range parsing.
Previously, such ranges were required to be of the form [<addr1>-<addr2>]
rather than the more standard form [<addr1>]-[<addr2>]. In the snat file
(and in nat actions), the latter form was actually flagged as an error
while in other contexts, it resulted in a less obvious error being
raised.
6) The manpages have been updated to refer to https://shorewall.org
rather than http://www.shorewall.org.
5.2.3.4
1) If multi-queue NFQUEUE (e.g., NFQUEUE(0:1) ) WAS used as a policy,
an error such as the following was previously incorrectly raised.
ERROR: Invalid policy (NFQUEUE(0) /etc/shorewall/policy (line
15)
That has been corrected such that no error is raised.
2) If multi-queue NFQUEUE( e.g., NFQUEUE(0:1,bypass) ) was passed to a
macro, an error such as the following was previously incorrectly
raised:
ERROR: Invalid ACTION (PARAM:1c,bypass)))
/usr/share/shorewall/macro.BitTorrent (line 12)
from /etc/shorewall/rules (line 40)
Now, the NFQUEUE action is correctly substituted for PARAM in
the Macro body.
3) If shorewall[6].conf didn't set AUTOMAKE, the 'update' command
previously produced a new file with 'AUTOMAKE=Yes'. This resulted
in an unexpected change of behavior. Now, the new file contains
'AUTOMAKE=No', which preserves the pre-update behavior.
4) Shorewall-rules(5) incorrectly stated that the 'bypass' option to
NFQUEUE causes the rule to be silently bypassed if there is no
application attached to the queue. The actual behavior is that the
rule acts like ACCEPT in that case. Shorewall-rules(5) has been
corrected.
5.2.3.3
1) Previously, if an ipset was specified in an SPORT column, the
compiler would raise an error similar to:
ERROR: Invalid ipset name () /etc/shorewall/rules (line 44)
That has been corrected.
5.2.3.2
1) Shorewall 5.2 automatically converts and existing 'masq' file to an
equivalent 'snat' file. Regrettably, Shorewall 5.2.3 broke that
automatic update, such that the following error message was issued:
Use of uninitialized value $Shorewall::Nat::raw::currentline in
pattern match (m//) at /usr/share/shorewall/Shorewall/Nat.pm
line 511, <$currentfile> line nnn.
and the generted 'masq' file contains only initial comments.
That has been corrected.
5.2.3.1
1) An issue in the implementation of policy file zone exclusion,
released in 5.2.3 has been resolved. In the original release,
if more than one zone was excluded, then the following error was
raised:
ERROR: 'all' is not allowed in a source zone list
etc/shorewall/policy (line ...)
5.2.3
1) To prevent a helper kernel module from being loaded, it was
previously necessary to list both its current name and its
pre-kernel-2.6.20 name in the DONT_LOAD option in
/etc/shorewall[6].conf. For example, to prevent nf_conntrack_sip
from being loaded, it was necessary to also list ip_conntrack_sip
in DONT_LOAD. That is no longer necessary.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 2 . 2
----------------------------------------------------------------------------
1) New macros have been contributed by Vincas Dargis:
Bitcoin
Tor
ONCRPC
Additionally, Tuomo Soini has contributed a WUDO (Windows Update
Delivery Optimization) macro.
2) The Perl modules have undergone some cleanup/optimization.
3) Given that recent kernels have dropped ULOG support, use of ULOG in
Shorewall is now deprecated and results in a warning message. The
warning can be eliminated by switching to NFLOG and ulogd2.
4) Shorewall can now detect interface default gateways configured by
Network Manager.
5) Inline matches are now supported in the 'conntrack' file.
6) In the 'accounting' file, Inline matches in an INLINE(...) rule now
allow a leading '+' to cause the matches to be evaluated before
those generated by the column specifications.
7) If view of the fact that some modems take an eternity to recover
from a power failure, the limit of the 'wait' interface option
setting has been increased from 120 seconds (2 minutes) to 300
seconds (5 minutes).
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 2 . 2 P R O B L E M S C O R R E C T E D I N 5 . 2 . 2
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
5.2.2.1
1) A typo has been corrected in shorewall-providers(5). The manpage
previously referred to RESTORE_DEFAULT_OPTION; that should have
been RESTORE_DEFAULT_GATEWAY.
1) This release includes defect repair through Shorewall 5.2.1.4. 1) This release includes defect repair through Shorewall 5.2.1.4.
2) When processing inline matches, the compiler previously inserted 2) When processing inline matches, the compiler previously inserted
the matches before the column-generated matches if there was a plus the matches before the column-generated matches if there was a plus
sign ("+") anywhere in the matches. Now, it only does so if the sign ("+") anywhere in the matches. Now, it only does so if the
first non-blank character in the matches is a plus sign. first non-blank character in the matches is a plus sign.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 2 . 1 N E W F E A T U R E S I N 5 . 2 . 1
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
 End of changes. 15 change blocks. 
122 lines changed or deleted 590 lines changed or added
To the Text Files section of the shorewall6-lite source changes report or the top of this page
Mainly generated by pkgdiff using rfcdiff
Home  |  About  |  Features  |  All  |  Newest  |  Dox  |  Diffs  |  RSS Feeds  |  Screenshots  |  Comments  |  Imprint  |  Privacy  |  HTTP(S)