1 ----------------------------------------------------------------------------
2 S H O R E W A L L 5 . 2 . 8
3 -------------------------------
4 S E P T E M B E R 2 4 , 2 0 2 0
5 ----------------------------------------------------------------------------
6
7 I. PROBLEMS CORRECTED IN THIS RELEASE
8 II. KNOWN PROBLEMS REMAINING
9 III. NEW FEATURES IN THIS RELEASE
10 IV. MIGRATION ISSUES
11 V. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
12
13 ----------------------------------------------------------------------------
14 I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
15 ----------------------------------------------------------------------------
16
17 1) Certain restrictions that apply to wildcard interfaces (interface
18 name ends in '+') were previously not enforced when the logical
19 interface name did not end in '+' but the physical interface name
20 did end in '+'. That has been corrected.
21
22 2) To ensure that error messages appear in the correct place in the
23 output stream, stderr is now redirected to stdout when the
24 configured PAGER is used by a command.
25
26 3) Since Shorewall 5.1.0, the Shorewall uninstall.sh script has
27 incorrectly removed ${SBINDIR}/shorewall, while the Shorewall-core
28 uninstall.sh script has failed to remove that file. Both scripts
29 have been corrected.
30
31 4) Previously, the Shorewall CLI included a spurious hyphen ('-')
32 between the product name (e.g., 'Shorewall6') and the version when
33 printing a command output banner.
34
35 Example:
36
37 Shorewall6 Lite 5.2.8-RC1 Logwatch at foo8 - Thu 17 Sep 2020 ...
38
39 That has been corrected.
40
41 5) The shorewall-snat(5) manpage previously stated that a
42 comma-separated list of IP addresses could be specified for
43 SNAT. That statement was in error and has been removed. As part of
44 this change, IPv4 Example 6 has been updated to use the
45 PROBABILITY column.
46
47 ----------------------------------------------------------------------------
48 I I. K N O W N P R O B L E M S R E M A I N I N G
49 ----------------------------------------------------------------------------
50
51 1) On systems running Upstart, shorewall-init cannot reliably secure
52 the firewall before interfaces are brought up.
53
54 2) The 'enable', 'reenable' and 'disable' commands do not work
55 correctly in configurations with USE_DEFAULT_RT=No and optional
56 providers listed in the DUPLICATE column.
57
58 3) While the 'ip' utility now accepts IPv6 routes with multiple
59 'nexthop' destinations, these routes are not balanced. They are
60 rather instantiated as a sequence of single routes with different
61 metrics. Furthermore, the 'ip route replace' command fails on
62 such routes. Beginning with Shorewall6 5.0.15, the generated script
63 uses a "delete..add.." sequence on these routes rather than a
64 single "replace" command.
65
66 4) On Debian-derived systems, when DOCKER=Yes, the 'systemctl restart
67 shorewall' command loses Docker rules.
68
69 Workaround (courtesy of J Cliff Armstrong):
70
71 Type (as root):
72
73 `systemctl edit shorewall.service`.
74
75 This will open the default terminal editor to a blank file in
76 which you can paste the following:
77
78 [Service]
79 # reset ExecStop
80 ExecStop=
81 # set ExecStop to "stop" instead of "clear"
82 ExecStop=/sbin/shorewall $OPTIONS stop
83
84 Then type `systemctl daemon-reload` to activate the changes. This
85 change will survive future updates of the shorewall package from apt
86 repositories. The override file itself will be saved to
87 `/etc/systemd/system/shorewall.service.d/`.
88
89 5) RFC 2526 describes IPv6 subnet anycast addresses. The RFC makes a
90 distinction between subnets with "IPv6 address types required to
91 have 64-bit interface identifiers in EUI-64 format" and all other
92 subnets. When generating these anycast addresses, the Shorewall
93 compiler does not make this distinction and unconditionally
94 assumes that the last 128 addresses in the subnet are reserved as
95 anycast addresses.
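
The following is an added illustration of that discrepancy; it is not
Shorewall code. It derives both RFC 2526 forms of the reserved block
for a subnet (the EUI-64 form, where the interface identifier is
1111110 followed by ones and a 7-bit anycast ID, and the "all other
subnets" form, the highest 128 addresses) and shows which addresses the
compiler treats as anycast under the assumption this item describes.
The prefix 2001:db8:1::/64 and the two host addresses are constructed
documentation values. On an EUI-64 subnet the practical effect is that
the highest 128 host addresses get the anycast treatment described in
section III item 2 below (dropped by REJECT rules, not logged during
policy enforcement) while the block the RFC actually reserves does not;
the 'omitanycast' interface option is the way to exclude an interface
from that treatment.

```python
import ipaddress

ANYCAST_ID_BITS = 7                         # RFC 2526: a 7-bit anycast ID, so 128 addresses
ANYCAST_PREFIXLEN = 128 - ANYCAST_ID_BITS   # the reserved block is always a /121
# EUI-64 form: interface ID 1111110 1...1 xxxxxxx (u/l bit cleared), i.e. fdff:ffff:ffff:ff80
EUI64_RESERVED_IID = 0xFDFF_FFFF_FFFF_FF80


def eui64_anycast_block(subnet):
    """RFC 2526 reserved block for a /64 whose interface IDs are in EUI-64 format."""
    net = ipaddress.IPv6Network(subnet, strict=False)
    if net.prefixlen != 64:
        raise ValueError('EUI-64 interface identifiers imply a /64 subnet')
    first = int(net.network_address) | EUI64_RESERVED_IID
    return ipaddress.IPv6Network((first, ANYCAST_PREFIXLEN))


def last128_anycast_block(subnet):
    """RFC 2526 reserved block for 'all other subnets': the highest 128 addresses."""
    net = ipaddress.IPv6Network(subnet, strict=False)
    if net.num_addresses < 2 ** ANYCAST_ID_BITS:
        raise ValueError('subnet too small to reserve 128 anycast addresses')
    first = int(net.broadcast_address) - (2 ** ANYCAST_ID_BITS - 1)
    return ipaddress.IPv6Network((first, ANYCAST_PREFIXLEN))


def shorewall6_anycast_block(subnet):
    """What the compiler assumes for every subnet (known problem 5 above):
    the last-128 form, regardless of how the interface IDs are formed."""
    return last128_anycast_block(subnet)


def classify(address, subnet, eui64=True):
    """Return (treated_as_anycast_by_shorewall6, reserved_by_rfc2526) for a
    destination address on `subnet`; `eui64` says how that subnet forms its IDs."""
    addr = ipaddress.IPv6Address(address)
    assumed = shorewall6_anycast_block(subnet)
    reserved = eui64_anycast_block(subnet) if eui64 else last128_anycast_block(subnet)
    return addr in assumed, addr in reserved


if __name__ == '__main__':
    net = '2001:db8:1::/64'     # constructed documentation prefix
    print('compiler assumes :', shorewall6_anycast_block(net))
    print('RFC 2526 (EUI-64):', eui64_anycast_block(net))
    for host in ('2001:db8:1:0:ffff:ffff:ffff:ffff', '2001:db8:1:0:fdff:ffff:ffff:ff80'):
        print(host, classify(host, net))
```

For 2001:db8:1::/64 the two blocks are 2001:db8:1:0:ffff:ffff:ffff:ff80/121
(assumed) and 2001:db8:1:0:fdff:ffff:ffff:ff80/121 (EUI-64), and they do
not overlap; only for a subnet that does not use EUI-64 identifiers do
the two functions agree.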
96
97 ----------------------------------------------------------------------------
98 I I I. N E W F E A T U R E S I N T H I S R E L E A S E
99 ----------------------------------------------------------------------------
100
101 1) The 'show tc' command now shows the classifiers associated with
102 each interface (as displayed by the 'show classifiers'
103 command). This integrated qdisc/filter information is also included
104 in the output of the 'dump' command. This change deprecates the
105 'show classifiers' ('show filters') command, as that command's
106 output is now included in the 'show tc' output.
107
108 2) Shorewall6 has traditionally generated rules for IPv6 anycast
109 addresses. These rules include:
110
111 a) Packets with these destination IP addresses are dropped by
112 REJECT rules.
113
114 b) Packets with these source IP addresses are dropped by the
115 'nosmurfs' interface option and by the 'dropSmurfs' action.
116
117 c) Packets with these destination IP addresses are not logged
118 during policy enforcement.
119
120 d) Packets with these destination IP addresses are processed by
121 the 'Broadcast' action.
122
123 Beginning with this release, individual network interfaces can be
124 excluded from this treatment through use of the 'omitanycast'
125 option in /etc/shorewall6/interfaces.
126
127 Note: This option was named 'noanycast' in earlier Beta releases.
128
129 3) Duplicate function names have been eliminated between the
130 Shorewall-core lib.cli shell library and the Shorewall lib.cli-std
131 library.
132
133 4) The 'status' command in Shorewall[6]-lite now precedes the
134 configuration directory name with the administrative host name
135 separated with a colon (":").
136
137 Example (Firewall script generated on host 'debianvm'):
138
139 root@gateway:~# shorewall-lite status
140 Shorewall Lite-5.2.8 Status at gateway - Tue 15 Sep 2020 03:09:15 PM PDT
141
142 Shorewall Lite is running
143 State:Started Tue 15 Sep 2020 03:08:33 PM PDT from
144 debianvm:/home/teastep/shorewall/gateway/shorewall/
145 (/var/lib/shorewall-lite/firewall compiled Tue 15 Sep 2020
146 03:08:28 PM PDT by Shorewall version 5.2.8)
147
148 root@gateway:~#
149
150 5) Tuomo Soini has contributed a macro that handles NFS v4.1, which
151 uses no dynamic ports.
152
153 ----------------------------------------------------------------------------
154 I V. M I G R A T I O N I S S U E S
155 ----------------------------------------------------------------------------
156
157 If you are migrating from Shorewall 4.6.x or earlier, please see
158 http://www.shorewall.org/pub/shorewall/5.0/shorewall-5.0.15/releasenotes.txt
159
160 Immediately after installing Shorewall 5.2.x, we recommend that you run
161 'shorewall[6] update'. This command will handle many of the migration
162 issues described here.
163
164 ------------------------------------------------------------------------
165 I S S U E S M I G R A T I N G T O S H O R E W A L L 5 . 2
166 F R O M S H O R E W A L L 5 . 0
167 ------------------------------------------------------------------------
168
169 If you are migrating from Shorewall 5.0, this section will
170 familiarize you with the changes in Shorewall 5.1 that may affect
171 your configuration.
172
173 1) Shorewall 5.1 now has a single CLI program, ${SBINDIR}/shorewall
174 (normally /sbin/shorewall). This program performs all of the same
175 functions previously performed by /sbin/shorewall,
176 /sbin/shorewall6, /sbin/shorewall-lite and /sbin/shorewall6-lite
177 and is installed as part of the Shorewall-core package. Its
178 default 'personality' is determined by the Shorewall packages
179 installed:
180
181 a) If the Shorewall package is installed, then by default,
182 /sbin/shorewall behaves as in prior versions.
183
184 b) If the Shorewall package is not installed, but the
185 Shorewall-lite package is present, then /sbin/shorewall behaves
186 as did /sbin/shorewall-lite in prior versions.
187
188 c) If neither the Shorewall nor Shorewall-lite packages are
189 installed, but the Shorewall6-lite package is installed, then
190 /sbin/shorewall behaves as did /sbin/shorewall6-lite in prior
191 versions.
192
193 The program's personality can be altered through use of two new
194 options.
195
196 -6 When specified, changes the personality from Shorewall to
197 Shorewall6 or from Shorewall-lite to Shorewall6-lite.
198
199 -l When specified, changes the personality from Shorewall to
200 Shorewall-lite or from Shorewall6 to Shorewall6-lite. This
201 option is only required when both the standard package
202 (Shorewall or Shorewall6) and the corresponding -lite package
203 are installed on the system.
204
205 The following is a comparison of Shorewall 5.0 and Shorewall 5.1
206 with respect to the CLI invocation:
207
208 All four packages installed:
209
210 Shorewall 5.0 Shorewall 5.1
211
212 shorewall shorewall
213 shorewall6 shorewall -6
214 shorewall-lite shorewall -l
215 shorewall6-lite shorewall -6l
216
217 Only Shorewall-lite and Shorewall6-lite installed:
218
219 Shorewall 5.0 Shorewall 5.1
220
221 shorewall-lite shorewall
222 shorewall6-lite shorewall -6
223
224 A single shorewall(8) manpage now describes the CLI.
225
226 The shorewall6(8), shorewall-lite(8) and shorewall6-lite(8)
227 manpages are now minimal and refer the reader to shorewall(8).
228
229 For backward compatibility, Shorewall6, Shorewall-lite and
230 Shorewall6-lite install symlinks $SBINDIR/shorewall6,
231 $SBINDIR/shorewall-lite and
232 $SBINDIR/shorewall6-lite respectively. When the shorewall program
233 is invoked through one of these symlinks, it adopts the appropriate
234 personality.
235
236 2) The CHAIN_SCRIPTS option in the .conf files has been eliminated,
237 and the compiler no longer looks for script files with the same
238 name as a chain or action.
239
240 If you are using such files, you will need to convert them into
241 equivalent ?begin perl .... ?end perl text or to use the
242 IP[6]TABLES target and/or inline matches.
243
244 For the common case where you have an action xxx with an empty
245 action.xxx file and have perl code in a file named xxx, the
246 compiler will now generate a fatal error:
247
248 ERROR: File action.xxx is empty and file xxx exists - the two
249 must be combined as described in the Migration
250 Considerations section of the Shorewall release notes
251
252 For information about resolving this error, see
253 http://www.shorewall.org/Shorewall-5.html#idp41228128.
254
255 This issue is not handled by 'shorewall update' and must be
256 corrected manually.
257
258 4) The Netfilter team have removed support for the rawpost table, so
259 Shorewall no longer supports features requiring that table
260 (stateless netmapping in the netmap file). The good news is that,
261 since kernel 3.7, Netfilter supports stateful IPv6 network mapping
262 which is now also supported in Shorewall6 (see
263 shorewall-netmap(5)).
264
265 This issue is not handled by 'shorewall update' and must be
266 corrected manually.
267
268 5) The (undocumented) Makefiles haven't been maintained for many
269 releases and have been removed.
270
271 6) Beginning with Shorewall 5.1.2, The DROP_DEFAULT, REJECT_DEFAULT,
272 etc. options may now specify a comma-separated list of actions
273 rather than just a single action. The actions are invoked in the
274 order in which they are listed and each action may optionally be
275 followed by a colon (":") and a log level. The POLICY column in
276 shorewall[6]-policy can now specify a similar list of actions. In
277 that file, the list may be preceded by a plus sign ("+"), in which
278 case the listed actions will be in addition to those listed in the
279 related _DEFAULT setting in shorewall[6].conf.
280
281 With these changes, the Drop and Reject policy actions are now
282 deprecated in favor of a list of smaller actions. A warning is
283 issued when these deprecated actions are used; the warning refers
284 the reader to http://www.shorewall.org/Actions.html#Default.
285
286 This issue is partially handled by 'shorewall update' - see
287 the 5.2 issues below.
288
289 7) Beginning with Shorewall 5.1.2, the allowBcast, dropBcast and
290 Broadcast actions no longer handle multicast. Multicast is handled
291 separately in actions allowMcast, dropMcast and Multicast. The
292 now-deprecated Drop and Reject policy actions have been modified so
293 that they continue to silently drop multicast packets.
294
295 8) According to the Netfilter team (see
296 https://patchwork.kernel.org/patch/9198133/), the --nflog-range option
297 of the NFLOG target has never worked correctly, and they have
298 deprecated that option in favor of the --nflog-size option.
299
300 To accommodate this change, Shorewall 5.1.5 added an "--nflog-size
301 support" (NFLOG_SIZE) Shorewall capability and a USE_NFLOG_SIZE
302 option in shorewall[6].conf. If USE_NFLOG_SIZE=Yes, then if the
303 capability is present, Shorewall will use '--nflog-size' in place
304 of '--nflog-range'. If USE_NFLOG_SIZE=Yes and the capability is not
305 present, an error is raised.
306
307 If you don't use NFLOG, or if you use NFLOG with the second
308 parameter omitted or set to 0, and 'shorewall show capabilities'
309 indicates that --nflog-size support is present, you may safely set
310 USE_NFLOG_SIZE=Yes.
311
312 If you pass a non-zero value as the second parameter to NFLOG and
313 the '--nflog-size support' capability is present, you need to
314 verify that those NFLOG messages are as you expect with
315 USE_NFLOG_SIZE=Yes.
316
317 This issue is not handled by 'shorewall update' and must be
318 corrected manually.
319
320 9) The MODULE_SUFFIX option in shorewall[6].conf was eliminated in
321 Shorewall 5.1.7. Shorewall now finds modules, independent of their
322 filename suffix.
323
324 'shorewall [-6] update' will automatically remove any MODULE_SUFFIX
325 setting.
326
327 10) Beginning with Shorewall 5.1.8, when RESTORE_DEFAULT_ROUTE=Yes the
328 default route is only restored when there are no enabled
329 'balance/primary' providers and no enabled fallback providers.
330
331 Also beginning with Shorewall 5.1.8, if the default route(s) have
332 been restored to the 'main' table, and a fallback provider is
333 successfully enabled, the default route(s) are removed from the
334 main table.
335
336 11) Because restoring default routes to the main routing table can
337 break the ability of Foolsm and other link status monitors to
338 properly detect non-functioning provider links, a warning message
339 is issued when the 'persistent' provider option is specified and
340 RESTORE_DEFAULT_ROUTE=Yes.
341
342 WARNING: When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option
343 may not work as expected
344
345 This change was released in Shorewall 5.1.8.
346
347 This issue is not handled by 'shorewall update' and must be
348 corrected manually.
349
350 12) Most interface OPTIONS have always been ignored when the INTERFACE
351 name is '+'. Beginning with the Shorewall 5.1.10 release, a warning
352 is issued when an ignored option is specified with interface name '+'.
353
354 Example: The 'sourceroute' option is ignored when used with
355 interface name '+'
356
357 In many cases, this issue can be worked around by a change similar
358 to the following:
359
360 Original:
361
362 net + dhcp,routeback,sourceroute=0
363
364 Change to:
365
366 net all dhcp,physical=+,routeback,sourceroute=0
367 --- ----------
368
369 As part of this change, interfaces that specify a wildcard physical
370 interface name will generate a warning if any of the following
371 options are specified:
372
373 accept_ra
374 arp_filter
375 arp_ignore
376 forward
377 logmartians
378 proxyarp
379 proxyndp
380 routefilter
381 sourceroute
382
383 When the warning is issued, the specified option is then ignored
384 for the interface.
385
386 Example:
387
388 WARNING: The 'sourceroute' option is ignored when used with a
389 wildcard physical name
390 /etc/shorewall6.universal/interfaces (line 14)
391
392 This issue is not handled by 'shorewall update' and must be
393 corrected manually.
394
395 13) INLINE_MATCHES=Yes has been documented as deprecated for some
396 time, but it has not generated a warning. Beginning with the
397 Shorewall 5.1.12 release, a warning is issued:
398
399 WARNING: Option INLINE_MATCHES=Yes is deprecated
400
401 Additionally, each line that requires modification to work with
402 INLINE_MATCHES=No is flagged with the warning:
403
404 WARNING: This entry needs to be changed (replace ';' with ';;')
405 before the INLINE_MATCHES option is removed in
406 Shorewall 5.2
407
408 You can eliminate the warnings by setting INLINE_MATCHES=No and
409 by replacing the single semicolon (";") separating inline matches
410 from the column-oriented part of the rule with two semicolons
411 (";;") in each entry flagged by the second warning.
412
413 This issue is mostly handled by 'shorewall update' - see
414 the 5.2 issues below.
415
416 ------------------------------------------------------------------------
417 I S S U E S M I G R A T I N G T O S H O R E W A L L 5 . 2
418 F R O M S H O R E W A L L 5 . 0 A N D 5 . 1
419 ------------------------------------------------------------------------
420
421 1) The MAPOLDACTIONS option in shorewall.conf has been removed. This
422 option provided compatibility with releases prior to Shorewall 3.0.
423 'shorewall update' will remove the setting of this option from
424 shorewall.conf.
425
426 2) The INLINE_MATCH option has been removed. Shorewall now behaves as
427 if INLINE_MATCH=No had been specified:
428
429 - A single semicolon (';') is used to separate column-oriented
430 input from column-name/value input.
431
432 - The preferred method of specifying column-name/value input is to
433 enclose such input in curly braces ("{....}").
434
435 - A pair of semicolons (';;') is used to introduce raw IP[6]TABLES
436 input. This is true in INLINE and IP[6]TABLES rules as well as
437 rules with other targets.
438
439 As part of this change, 'shorewall update' will replace ';' with
440 ';;' in INLINE and IP[6]TABLES rules. It will also replace ';' by
441 ';;', if ';' is followed by '-m', '-j' or '-g'.
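
The rewrite that 'shorewall update' applies can be expressed as a
small filter, added here as an illustration rather than Shorewall's own
(Perl) implementation: a ';' becomes ';;' when the target is INLINE,
IPTABLES or IP6TABLES, or when the text after the ';' starts with
'-m', '-j' or '-g'; column-name/value input after a ';' is left alone,
as are comments, ?directives and lines already using ';;'. The sample
rules file is constructed for the demonstration. It simplifies in two
ways that are assumptions, not documented behaviour: a '#' is always
taken to start a comment, and only the first ';' on a line is examined.

```python
import re
import sys

# Targets whose text after ';' is always raw ip[6]tables input (hence ';;' in 5.2).
RAW_TARGETS = re.compile(r'^\s*(?:INLINE|IPTABLES|IP6TABLES)\b')
# A ';' followed by a raw match/jump option is raw ip[6]tables input for any target.
RAW_OPTION = re.compile(r'^\s*-[mjg]\b')

# Constructed sample rules file (not from the Shorewall distribution).
SAMPLE_RULES = """\
#ACTION SOURCE DEST PROTO DPORT
?FORMAT 2
ACCEPT net $FW tcp 22 ; -m limit --limit 3/min # rate-limit SSH
INLINE(ACCEPT) loc $FW ; -p udp --dport 123
IP6TABLES(DROP) net $FW ; -m rt --rt-type 0
ACCEPT loc $FW tcp 80 ; rate=s:10/min
DROP net $FW ;; -m conntrack --ctstate INVALID
"""


def update_rule(line):
    """Apply the 5.2 ';' -> ';;' migration to one rules-file line.

    Comments, ?directives, blank lines and lines already using ';;' are
    returned unchanged, as is column-name/value input after a single ';'.
    """
    body, hash_, comment = line.partition('#')      # keep any trailing comment intact
    stripped = body.lstrip()
    if not stripped or stripped.startswith('?') or ';' not in body or ';;' in body:
        return line
    head, _, tail = body.partition(';')
    if RAW_TARGETS.match(body) or RAW_OPTION.match(tail):
        return head + ';;' + tail + hash_ + comment
    return line


def update_rules(text):
    """Apply update_rule() to every line of a rules file, preserving line endings."""
    return ''.join(update_rule(line) for line in text.splitlines(keepends=True))


if __name__ == '__main__':
    # Usage: python3 update_semicolons.py /etc/shorewall/rules > rules.new
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    sys.stdout.write(update_rules(text))
```

Run against a copy of the rules file and diff the result before
installing it; the ACCEPT line with 'rate=s:10/min' in the sample is
the case that must stay on a single ';'.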
442
443 3) With the wide availability of ipset-based blacklisting, the need
444 for the 'refresh' command has been largely eliminated. As a result,
445 that command has been removed.
446
447 Some users may have been using 'refresh' as a lightweight form of
448 reload. The most common of these uses seem to be for reloading
449 traffic shaping after an interface has gone down and come back up.
450 The best way to handle this situation under 5.2 is to make the
451 interface 'optional' in your /etc/shorewall[6]/interfaces file,
452 then either:
453
454 - Install Shorewall-init and enable IFUPDOWN; or
455 - Use the 'reenable' command when the interface comes back up
456 in place of the 'refresh' command.
457
458 4) The following deprecated macros and actions have been removed:
459
460 Action A_AllowICMPs - use AllowICMPs(A_ACCEPT)
461 Action A_Drop - see below
462 Action A_Reject - see below
463 Action Drop - see below
464 Action Reject - see below
465 Macro SNMPTrap - use SNMPtrap
466
467 The [A_]Drop and [A_]Reject actions are used primarily as policy
468 actions. As part of this change, 'shorewall update' will update
469 DROP_DEFAULT=[A_]Drop and REJECT_DEFAULT=[A_]Reject as follows:
470
471 IPv4
472
473 DROP_DEFAULT=Drop becomes Broadcast(DROP),Multicast(DROP)
474 DROP_DEFAULT=A_Drop becomes
475 Broadcast(A_DROP),Multicast(A_DROP)
476 REJECT_DEFAULT=Reject becomes Broadcast(DROP),Multicast(DROP)
477 REJECT_DEFAULT=A_Reject becomes
478 Broadcast(A_DROP),Multicast(A_DROP)
479
480 IPv6
481
482 DROP_DEFAULT=Drop becomes
483 AllowICMPs,Broadcast(DROP),Multicast(DROP)
484 DROP_DEFAULT=A_Drop becomes
485 AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)
486 REJECT_DEFAULT=Reject becomes
487 AllowICMPs,Broadcast(DROP),Multicast(DROP)
488 REJECT_DEFAULT=A_Reject becomes
489 AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)
490
491 The 'update' command will also make similar changes in the policy
492 file.
493
494 'shorewall update' does not handle invocations of 'Drop' and
495 'Reject' within the rules file, or within actions and macros. Those
496 instances will generate an error which must be corrected manually.
497
498 It should also be noted that, in prior releases, Drop and Reject
499 silently dropped more traffic than their replacements. As a
500 consequence, you will see more traffic being logged with Shorewall
501 5.2 than you did on earlier releases. The translations performed
502 by 'update' can be extended after the update to drop additional
503 traffic as desired.
504
505 5) When AUTOMAKE=Yes, each directory in the CONFIG_PATH was originally
506 searched recursively for files newer than the compiled script. That
507 was changed in Shorewall 5.1.10.2 such that only the listed
508 directories themselves were searched. That broke some
509 configurations that played tricks with embedded SHELL such as:
510
511 SHELL cat /etc/shorewall/rules.d/loc/*.rules
512
513 Prior to 5.1.10.2, a change to a file in or adding a file to
514 /etc/shorewall/rules.d/loc/ would trigger recompilation. Beginning
515 with 5.1.10.2, such changes would not trigger recompilation.
516
517 Beginning with Shorewall 5.2.0, the pre-5.1.10.2 behavior can be
518 obtained by setting AUTOMAKE=recursive.
519
520 Also beginning with Shorewall 5.2.0, AUTOMAKE may be set to a
521 numeric <depth> which specifies how deeply each listed directory is
522 to be searched. AUTOMAKE=1 only searches each directory itself and
523 is equivalent to AUTOMAKE=Yes. AUTOMAKE=2 will search each
524 directory and its immediate sub-directories; AUTOMAKE=3 will search
525 each directory, each of its immediate sub-directories, and each of
526 their immediate sub-directories, etc.
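
As an added illustration of those search depths (not the compiler's
own Perl code), the following builds a constructed configuration
directory in which a rules.d/loc/*.rules file, two levels below the
directory in CONFIG_PATH, is newer than the compiled script, and
reports whether each AUTOMAKE setting would trigger recompilation. It
assumes, for simplicity, that only regular files are compared against
the script's modification time and that an unreadable directory is
skipped.

```python
import os
import tempfile
from pathlib import Path


def parse_automake(value):
    """Map an AUTOMAKE setting to a search depth.

    0 means 'No' (no search: compile unconditionally), 1 is 'Yes' (the listed
    directories only), an integer N searches N levels, 'recursive' is unbounded.
    """
    v = str(value).strip().lower()
    if v in ('', 'no'):
        return 0
    if v == 'yes':
        return 1
    if v == 'recursive':
        return float('inf')
    if v.isdigit() and int(v) >= 1:
        return int(v)
    raise ValueError(f'unsupported AUTOMAKE value: {value!r}')


def newer_files(directory, reference_mtime, depth):
    """Yield regular files at most `depth` levels below `directory` (1 = the
    directory itself) whose mtime is later than `reference_mtime`."""
    base = Path(directory)
    if not base.is_dir():
        return
    stack = [(base, 1)]
    while stack:
        current, level = stack.pop()
        try:
            entries = list(current.iterdir())
        except OSError:           # unreadable directory: skipped (assumption)
            continue
        for entry in entries:
            if entry.is_dir():
                if level < depth:
                    stack.append((entry, level + 1))
            elif entry.is_file() and entry.stat().st_mtime > reference_mtime:
                yield entry


def needs_recompile(config_path, compiled_script, automake):
    """True if the compiled script is missing or stale under the AUTOMAKE policy.
    `config_path` is a colon-separated directory list, as in CONFIG_PATH."""
    depth = parse_automake(automake)
    script = Path(compiled_script)
    if depth == 0 or not script.is_file():
        return True
    reference = script.stat().st_mtime
    return any(
        next(newer_files(d, reference, depth), None) is not None
        for d in config_path.split(':') if d
    )


def demo():
    """Constructed layout: rules.d/loc/ssh.rules changed after compilation;
    mtimes are set explicitly so the comparison does not depend on the clock."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp, 'shorewall')
        loc = conf / 'rules.d' / 'loc'
        loc.mkdir(parents=True)
        script = Path(tmp, 'firewall')
        for p in (conf / 'shorewall.conf', conf / 'rules'):
            p.write_text('# constructed sample\n')
            os.utime(p, (1000, 1000))          # older than the compiled script
        script.write_text('#!/bin/sh\n')
        os.utime(script, (2000, 2000))
        extra = loc / 'ssh.rules'
        extra.write_text('ACCEPT net $FW tcp 22\n')
        os.utime(extra, (3000, 3000))          # newer than the compiled script
        return {a: needs_recompile(str(conf), str(script), a)
                for a in ('Yes', '1', '2', '3', 'recursive', 'No')}


if __name__ == '__main__':
    for setting, stale in demo().items():
        print(f'AUTOMAKE={setting:<9} recompile: {stale}')
```

With that layout, AUTOMAKE=Yes, 1 and 2 report no recompilation (the
changed file is three levels down, counting the listed directory as
level one), while 3, recursive and No all recompile.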
527
528 6) Support for the deprecated 'masq' file has been deleted. Any
529 existing 'masq' file will automatically be converted to the
530 equivalent 'snat' file.
531
532 7) Where two or more providers share a network interface, the
533 'optional' interface/provider option has never worked correctly.
534 Beginning with Shorewall 5.2.1, the 'optional' option is disallowed
535 on such interfaces and providers.
536
537 8) With the availability of zone exclusion in the rules file, 'all[+]-'
538 and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW'
539 respectively. Beginning with Shorewall 5.2.3, the former are
540 deprecated in favor of the latter and will result in a warning
541 message, if used.
542
543 9) Beginning with Shorewall 5.2.3, the LOAD_HELPERS_ONLY option in
544 shorewall[6].conf has been removed, and the behavior is as if
545 LOAD_HELPERS_ONLY=Yes had been specified. 'shorewall[6] update'
546 will remove the option from shorewall[6].conf.
547
548 ----------------------------------------------------------------------------
549 V. N O T E S F R O M O T H E R 5 . 2 R E L E A S E S
550 ----------------------------------------------------------------------------
551 N E W F E A T U R E S I N 5 . 2 . 7
552 ----------------------------------------------------------------------------
553
554 1) Previously, it was not possible to classify traffic by destination
555 IP address when using an Intermediate Functional Block (IFB) for
556 traffic shaping. This is because such classification takes place
557 before the traffic passes through the mangle PREROUTING chain.
558
559 Such filtering is now possible by setting the 'connmark' option in
560 the tcdevices file. This option causes the current connection mark
561 to be copied to the packet mark prior to filtering, thus allowing
562 the packet mark to be used for classification.
563
564 This change adds a new CONNMARK_ACTION capability which is
565 required to be able to specify the 'connmark' option.
566
567 Rodrigo Araujo provided the bulk of the code for this enhancement.
568
569 2) The tcpri file now supports ?FORMAT 2 which inserts an SPORT
570 column directly to the right of the PORT column. As part of this
571 change, the PORT column is renamed to DPORT while allowing both
572 'port' and 'dport' to be used in the alternate input format. See
573 shorewall-tcpri(5) and
574 http://shorewall.org/simple_traffic_shaping.html for additional
575 information.
576
577 3) The Simple TC document is now linked to FAQs 97 and 97a.
578
579 ----------------------------------------------------------------------------
580 N E W F E A T U R E S I N 5 . 2 . 6
581 ----------------------------------------------------------------------------
582
583 1) The 'actions' file now supports a 'dport' option to go along with
584 the 'proto' option. Together, these two options restrict an
585 action to a particular service. See shorewall-actions(5) for
586 details.
587
588 Example limiting net->all SSH connections to 3/min per source IP:
589
590 /etc/shorewall/actions:
591
592 SSHLIMIT proto=tcp,\ # Blacklist overzealous SSHers
593 dport=ssh
594
595 /etc/shorewall/action.SSHLIMIT
596
597 ACCEPT { RATE=s:3/min:3 }
598 BLACKLIST:$LOG_LEVEL:net_SSHLIMIT
599
600 /etc/shorewall/rules:
601
602 SSHLIMIT net all
603
604 2) The change to 'show actions' implemented in 5.2.5.1 (see below)
605 has been further extended.
606
607 - "?IF...?ELSE...?ENDIF" sequences are now shown in the output
608 - Continuation lines are now shown in the output so that all
609 action options are now displayed
610 - If an action appears in both /usr/share/shorewall[6]/actions.std
611 and in /etc/shorewall[6]/actions, then the entry in the actions
612 file is shown followed by the entry in the actions.std file.
613
614 3) To emphasize that it specifies destination ports, the PORT column
615 in the snat file has been renamed DPORT. Beginning with this
616 release, both 'port' and 'dport' are accepted in the alternative
617 input format.
618
619 4) The snat file now supports ?FORMAT 2, which adds an SPORT (source
620 port) column immediately to the right of the DPORT (destination
621 port) column.
622
623 ----------------------------------------------------------------------------
624 P R O B L E M S C O R R E C T E D I N 5 . 2 . 6
625 ----------------------------------------------------------------------------
626
627 5.2.6.1
628
629 1) Previously, Perl diagnostics or outright failures could occur
630 during update.
631
632 Examples:
633
634 Processing /etc/shorewall/params ...
635 Use of uninitialized value $policy in pattern match (m//) at
636 /usr/share/shorewall/Shorewall/Config.pm line 5531.
637 Use of uninitialized value $policy in pattern match (m//) at
638 /usr/share/shorewall/Shorewall/Config.pm line 5537.
639 Use of uninitialized value $policy in pattern match (m//) at
640 /usr/share/shorewall/Shorewall/Config.pm line 5543.
641 Use of uninitialized value $policy in pattern match (m//) at
642 /usr/share/shorewall/Shorewall/Config.pm line 5531.
643 Use of uninitialized value $policy in pattern match (m//) at
644 /usr/share/shorewall/Shorewall/Config.pm line 5537.
645 Use of uninitialized value $policy in pattern match (m//) at
646 /usr/share/shorewall/Shorewall/Config.pm line 5543.
647 Configuration file /root/try/shorewall.conf updated - old file renamed
648 /root/try/shorewall.conf.bak
649 Loading Modules...
650 ERROR: Internal error in Shorewall::Config::detect_capability
651
652 This defect has been corrected.
653
654 2) Previously, if 'update' added a CONFIG_PATH setting to
655 shorewall[6].conf, that setting could contain "::" which could
656 then cause the next 'update' to fail. Now, the compiler correctly
657 handles double colons in the CONFIG_PATH setting.
658
659 3) Local zones (type 'local' in /etc/shorewall[6]/zones) are only
660 accessible from the firewall and from vserver zones. Previously,
661 the compiler generated superfluous rules for handling forwarded
662 traffic from such zones; that has been corrected, and no
663 forwarding rules are now generated.
664
665 5.2.6
666
667 1) This release includes defect repair up through Shorewall version
668 5.2.5.2.
669
670 2) When compiling for export, the compiler generates a firewall.conf
671 file which is later installed on the remote firewall system as
672 ${VARDIR}/firewall.conf. Previously, the CLI on that firewall was
673 not processing the file, resulting in some features not being
674 available:
675
676 - Default values for VERBOSITY, LOGFILE, LOGFORMAT, PATH,
677 SHOREWALL_SHELL, SUBSYSLOCK, RESTOREFILE, RESTART,
678 DYNAMIC_BLACKLIST and PAGER were not supplied.
679
680 - The scfilter file supplied at compile time was not available.
681
682 - The dumpfilter file supplied at compile time was not available.
683
684 That has been corrected.
685
686 3) A bug in iptables (see
687 https://git.netfilter.org/iptables/commit/?id=d1555a0906e35ba8d170613d5a43da64e527dbe1)
688 prevents the '--queue-cpu-fanout' option from being applied unless
689 that option is the last one specified. Unfortunately, Shorewall
690 places the '--queue-bypass' option last if that option is also
691 specified.
692
693 This release works around this issue by ensuring that the
694 '--queue-cpu-fanout' option appears last.
695
696 4) The -D option of the 'compile', 'check', 'reload' and 'restart'
697 commands was previously omitted from the output of 'shorewall
698 help'. It is now included. As part of this change, an incorrect
699 and conflicting description of the -D option was removed from the
700 'remote-restart' section of shorewall(8).
701
702 5) Previously, when EXPAND_POLICIES=No, chains that enforced ACCEPT
703 policies were not completely optimized by optimize level 2 (ACCEPT
704 rules preceding the final unconditional ACCEPT were not
705 deleted). That has been corrected such that these rules are now
706 optimized.
707
708 ----------------------------------------------------------------------------
709 N E W F E A T U R E S I N 5 . 2 . 5
710 ----------------------------------------------------------------------------
711
712 1) Prior to this release, when a 'timeout' value was specified in the
713 DYNAMIC_BLACKLIST setting, the dynamic-blacklisting ipset was
714 created with this default timeout. This had the unfortunate
715 disadvantage that it was not possible to add permanent entries
716 into the ipset. Even if 'timeout 0' was specified in a 'blacklist'
717 command, the entry would still age out of the ipset after the
718 default timeout had elapsed.
719
720 Beginning with this release, the dynamic-blacklisting ipset is
721 created with 'timeout 0'. When an address is added to the set,
722 either by BLACKLIST policy enforcement, by the BLACKLIST action,
723 or by the CLI 'blacklist' command (where no 'timeout' is
724 specified), the default timeout is applied to the new entry.
725
726 Once you have upgraded to this version of Shorewall, you can
727 convert your existing dynamic-blacklisting ipset (with a non-zero
728 default timeout) to have a default timeout of zero as follows:
729
730 a) If RESTART=restart in shorewall[6].conf, then simply
731 'shorewall[6] restart'.
732
733 b) Otherwise, 'shorewall[6] stop && shorewall[6] start'.
734
735 2) Previously, when an ADD or DEL rule specified logging, the entire
736 action (e.g. 'ADD(+NET_BL:src:7200)') was included in the log
737 message. This could easily lead to a "Log prefix shortened..."
738 warning during compilation.
739
740 Beginning with this release, such log messages will contain only
741 the basic action ('ADD' or 'DEL') and the set name (e.g.,
742 'ADD(NET_BL)') to reduce the likelihood of producing the warning.
743
744 3) Traditionally, Shorewall has logged state change messages using
745 the 'user' syslog facility. Beginning with this release, these
746 messages will be logged using the 'daemon' facility to more
747 accurately reflect that these messages relate to a service.
748
749 4) The DYNAMIC_BLACKLIST setting now allows a 'log' option to be
750 specified for ipset-based blacklisting. When this option is given,
751 successful 'blacklist' and 'allow' commands generate a 'daemon.info'
752 log message.
753
754 5) When ipset-based dynamic blacklisting is enabled, the generated
755 ruleset has traditionally refreshed the 'timeout' of an ipset
756 entry when a packet from blacklisted host is received. This has
757 the unfortunate side effect that it can change a permanent entry
758 (timeout 0) to a temporary (one with non-zero timeout). Beginning
759 with this release, this timeout refresh can be avoided by
760 specifying the 'noupdate' option in the DYNAMIC_BLACKLIST
761 setting.
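As an added example that is not part of the Shorewall release notes or of Shorewall itself, the POSIX shell functions below audit the dynamic-blacklisting ipset discussed in items 1 and 5: they parse the text that 'ipset list <setname>' prints, separate permanent entries (timeout 0) from entries that will age out, and compare two listings to find entries that lost their permanent status through the timeout refresh. The set name SW_DBL4 and both listings are constructed sample input, not values from the page.

```shell
#!/bin/sh
# Added example (not Shorewall code): audit the dynamic-blacklisting ipset
# for entries that are permanent (timeout 0) versus entries that will age
# out, using the text that 'ipset list <setname>' prints. The set name
# SW_DBL4 is an assumption; both listings below are constructed samples.

# Constructed 'ipset list' output for a set created with 'timeout 0'
# (see the Header: line), holding two permanent and one temporary entry.
SAMPLE_IPSET_LIST='Name: SW_DBL4
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 0
Size in memory: 360
References: 2
Number of entries: 3
Members:
192.0.2.10 timeout 0
192.0.2.11 timeout 3421
198.51.100.7 timeout 0'

# Constructed listing of the same set after traffic from 192.0.2.10 hit
# the ruleset without 'noupdate': the refresh gave it a non-zero timeout.
SAMPLE_AFTER_REFRESH='Name: SW_DBL4
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 0
Size in memory: 360
References: 2
Number of entries: 3
Members:
192.0.2.10 timeout 1800
192.0.2.11 timeout 3400
198.51.100.7 timeout 0'

# Print the set's default timeout taken from the Header: line
# (0 means new entries are permanent unless a timeout is given).
default_timeout() {
    printf '%s\n' "$1" |
        awk '/^Header:/ { for (i = 1; i < NF; i++) if ($i == "timeout") print $(i + 1) }'
}

# Print the addresses of permanent entries (timeout 0), one per line.
permanent_entries() {
    printf '%s\n' "$1" | awk '
        /^Members:/ { inmembers = 1; next }
        inmembers && $2 == "timeout" && $3 == 0 { print $1 }'
}

# Print entries that will age out, as "address seconds-remaining" lines.
temporary_entries() {
    printf '%s\n' "$1" | awk '
        /^Members:/ { inmembers = 1; next }
        inmembers && $2 == "timeout" && $3 != 0 { print $1, $3 }'
}

# Number of permanent entries, handy for a before/after comparison.
count_permanent() {
    permanent_entries "$1" | wc -l | tr -d ' '
}

# Given a "before" and an "after" listing, print addresses that were
# permanent before but carry a non-zero timeout after: the demotion that
# item 5 describes and that the 'noupdate' option prevents.
demoted_entries() {
    before=$(permanent_entries "$1")
    temporary_entries "$2" | while read -r addr secs; do
        for p in $before; do
            if [ "$p" = "$addr" ]; then printf '%s\n' "$addr"; fi
        done
    done
}

# Against a live firewall, replace the samples with real listings, e.g.:
#   demoted_entries "$(cat /var/tmp/dbl-before.txt)" "$(ipset list SW_DBL4)"
```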

6) To allow Shorewall's ipset-based blacklisting to play nicely with
fail2ban, the 'blacklist!' CLI command has been added.

The command

blacklist! <ip>

is equivalent to

blacklist <ip> timeout 0

thus allowing 'blacklist!' to be specified as the 'blocktype' in
/etc/fail2ban/actions.d/shorewall.conf.

See https://shorewall.org/blacklisting_support.htm#fail2ban for
further information about using Shorewall dynamic blacklisting
with fail2ban.

7) Previously, when a zone name was too long, the resulting error
message was "Invalid zone name (<name>)". To make the cause of
the failure clearer, the message is now "Zone name (<name>) too
long".

----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 2 . 5
----------------------------------------------------------------------------

5.2.5.1

1) The change in 5.2.5 base which changed the 'user' facility to the
'daemon' facility in Shorewall syslog messages did not change the
messages with severity 'err'. That has been corrected such that
all syslog messages now use the 'daemon' facility.

2) The actions.std file contains "?IF...?ELSE...?ENDIF" sequences
that provide different action options depending on the availability
of certain capabilities. This has resulted in the Broadcast and
Multicast options being listed twice in the output of
"shorewall[6] show actions". Beginning with this release, this
duplication is eliminated. Note, however, that the options shown
will be incomplete if they were continued onto another line, and
may be incorrect for Broadcast and Multicast.

3) A typo in shorewall-providers(5) has been corrected.

5.2.5 Base

1) Previously, Shorewall-init installed a 'shorewall' script in
/etc/network/if-down.d on Debian and derivatives. This script was
unnecessary and required Debian-specific code in the generated
firewall script. The Shorewall-init script is no longer installed
and the generated firewall script is now free of
distribution-specific code.

2) Also on Debian and derivatives, Shorewall-init installed
/etc/NetworkManager/dispatcher.d/01-shorewall which was also
unnecessary. Beginning with this release, that file is no longer
installed.

3) Previously, if the dynamic-blacklisting default timeout was set in
a variable in the params file and the variable was used in setting
DYNAMIC_BLACKLIST, then the 'allow' command would fail with
the message:

ERROR: Invalid value (ipset-only,disconnect,timeout=) for
DYNAMIC_BLACKLIST

That has been corrected.

4) When EXPAND_POLICIES=No in shorewall[6].conf, policies in complex
rulesets are enforced in chains such as 'net-all' and
'all-all'. Previously, these chains included redundant
state-oriented rules. In addition to being redundant, these rules
could actually break complex IPv6 configurations. The extra rules are
now omitted.

----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 2 . 4
----------------------------------------------------------------------------

1) Previously, Shorewall's Docker support assumed that the default
Docker Bridge (docker0) was being used. Beginning with this
release, the DOCKER_BRIDGE option in shorewall.conf allows an
arbitrary name to be assigned to the bridge. In particular, when
CNI is being used, DOCKER_BRIDGE=cni0 is the appropriate setting.

2) The CLI keywords 'debug' and 'trace' have been replaced by -D and
-T options respectively (e.g., 'shorewall trace reload' is now
'shorewall -T reload'). Like the keywords, only one of these
options can be active at a time; if both are entered, only the
last one is activated. A similar change has been made to the
generated script.

The -T option (formerly 'trace') now applies only to shell-level
tracing in the CLI and generated script. Those commands that
invoke the rules compiler now accept a -D command option which
causes the compiler to generate debugging information (e.g.,
'shorewall check -D').

The 'nolock' keyword is now deprecated in favor of the -N
option (e.g., 'shorewall nolock reload' becomes 'shorewall -N
reload').

See shorewall(8) for details.

3) Within the source code and documentation, 'shorewall.net' has been
replaced by 'shorewall.org'.

----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 2 . 4
----------------------------------------------------------------------------

5.2.4.4

1) When DYNAMIC_BLACKLIST=ipset... or when SAVE_IPSETS=Yes in
shorewall[6].conf, 'shorewall[6] start' could hang when 5.2.4.3
was installed. That has been corrected.

2) When 5.2.4.3 was installed, 'shorewall[6] start' would not
automatically create dynamic blacklisting ipsets. That has been
corrected.

5.2.4.3

1) When interfaces were managed by Network Manager and IFUPDOWN=1 was
specified in the Shorewall-init configuration file, then when an
optional interface was brought up, enabling the interface in
Shorewall6[-lite] could fail.

Correcting this issue involves corrected code in this release of
Shorewall, but may also require a configuration change in
/etc/shorewall6/interfaces. The change in Shorewall makes the
generated script honor the 'wait=<seconds>' specification in
/etc/shorewall6/interfaces when executing the 'enable' command.
If there are optional interfaces that do not specify 'wait=...',
then the interfaces file must be altered to include such
specifications.

2) An unnecessary test during command initialization in the generated
script has been eliminated.

3) Previously, 'shorewall[6] stop' or 'shorewall[6] clear' would
create the dynamic blacklist ipset if it did not exist. Creation
of the ipset is now deferred until the next 'start'.

4) Previously, 'shorewall[6] start' would delete all corresponding
ipsets before restoring. It now deletes only those sets that will
be restored, thus allowing SAVE_IPSETS to be specified in the
Shorewall-init configuration when ipset-based dynamic blacklisting
is also enabled. Previously, if any additional ipsets were used,
it was necessary to set SAVE_IPSETS=Yes in shorewall[6].conf as
well.

5) Previously, 'Shorewall-init start' restored ipsets after stopping
the firewalls, precluding use of ipsets in the stoppedrules file.
Shorewall-init now restores the ipsets before stopping the
firewalls.

6) Optimize level 16 has been sped up by an order of magnitude.
Tests using a large user-supplied configuration showed compilation
time with OPTIMIZE=all was reduced from 22 minutes 40 seconds to 21.5
seconds.

5.2.4.2

1) This release corrects two problems associated with Debian
Shorewall-init when IFUPDOWN=1 in the Shorewall-init
configuration file (/etc/default/shorewall-init):

a) Down events were ignored when Network Manager was being used.

b) Up events were processed twice when a dual-stack interface
was brought up.

Both problems have been corrected. To make the fixes effective,
it is necessary to recompile the firewall script (shorewall[6]
compile, start, restart or reload).

5.2.4.1

1) The web site and documentation have been improved to correct some
invalid links in the manpages (including the manpages released
in Shorewall components) and to link directly to the current
website at https://shorewall.org (Tuomo Soini).

2) Cautions regarding SAVE_IPSETS have been added to the ipsets
article.

3) OpenSuSE users running systemd have complained that the firewalls
are stopped after a Shorewall product upgrade. The problem is that
OpenSuSE restarts all running products that have been
upgraded. Recall that 'systemctl restart' is equivalent to
'systemctl stop && systemctl start'. But starting Shorewall-init
results in the firewall products specified in the Shorewall-init
config file being stopped. To address this issue, Shorewall-init
will now ignore 'start' and 'stop' commands for running firewalls
(Tuomo Soini).

4) On Redhat-based systems and on OpenSuSE, extraneous Shorewall-init
log messages regarding invalid commands were being issued. These
harmless messages are now suppressed (Tuomo Soini).

5.2.4 Final

1) Previously, when a Shorewall6 firewall was placed into the
'stopped' state, ICMP6 packets required by RFC 4890 were not
automatically accepted by the generated ruleset.

Beginning with this release, those packets are automatically
accepted.

2) Previously, the output of 'shorewall[6] help' displayed the
superseded 'load' command. That text has been deleted.

3) The QOSExample.html file in the documentation and on the web site
previously showed tcrules content for the /etc/shorewall/mangle
file (recall that 'mangle' superseded 'tcrules'). That page has
been corrected.

4) The 'Starting and Stopping' and 'Configuration file basics'
documents have been updated to align them with the current product
behavior.

5) The 'ipsets' document has been updated to clarify the use of
ipsets in the stoppedrules file.

----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 2 . 3
----------------------------------------------------------------------------

1) Zone exclusion (e.g., "all!z1,z2,...") is now supported in the
policy file.

2) With the availability of zone exclusion in the rules file, 'all[+]-'
and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW'
respectively. Beginning with this release, the former are
deprecated in favor of the latter and will result in a warning
message if used.

3) Internal documentation of the undocumented 'test' parameter to
compiler.pl has been added (it is used by the regression test
library to suppress versions and date/times in the generated
script).

4) The LOAD_HELPERS_ONLY option has been removed from
shorewall[6].conf. Hereafter, Shorewall[6] will behave as if
LOAD_HELPERS_ONLY=Yes had been specified.

----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 2 . 3
----------------------------------------------------------------------------

5.2.3.7

1) When DOCKER=Yes, if both the DOCKER-ISOLATE and
DOCKER-ISOLATE-STAGE-1 chains existed then the DOCKER-ISOLATE-STAGE-*
chains were not preserved through shorewall state changes.
That has been corrected so that both chains are preserved if
present.

2) Previously, the compiler always detected the OLD_CONNTRACK_MATCH
capability as being available in IPv6. When OLD_CONNTRACK_MATCH
was available, the compiler also mishandled inversion ('!') in the
ORIGDEST columns, leading to an assertion failure:

Shorewall::Config::fatal_error("Internal error in
Shorewall::Chains::set_rule_option at /usr/"...) called at
/usr/share/shorewall/Shorewall/Config.pm line 1619

Both the incorrect capability detection and the mishandled
inversion have been corrected.

3) During 'enable' processing, if address variables associated with
the interface have values different from those when the firewall
was last started/restarted/reloaded, then a 'reload' is performed
rather than a simple 'enable'. The logic that checks for those
changes was incorrect in some configurations, leading to unneeded
reload operations. That has been corrected.

4) When MANGLE_ENABLED=No in shorewall[6].conf, some features
requiring use of the mangle table could be allowed, even though the
mangle table is not updated. That has been corrected such that use
of such features will raise an error.

5) When an invocation of the IfEvent(...,reset) action was processed,
the compiler previously emitted a spurious "Resetting..." message.
That message has been suppressed.

5.2.3.6

1) When both Docker containers and Libvirt VMs were in use, 'shorewall
start' could fail as follows:

Running /sbin/iptables-restore --wait 60...
iptables-restore v1.8.3 (legacy): Couldn't load target
`LIBVIRT_PRT':No such file or directory
Error occurred at line: 19
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ERROR: /sbin/iptables-restore --wait 60 Failed.

That has been corrected.

5.2.3.5

1) A typo in the FTP documentation has been corrected.

2) The recommended mss setting when using IPSec with ipcomp has been
corrected.

3) A number of incorrect links in the manpages have been corrected.

4) The 'bypass' option is now allowed when specifying an NFQUEUE
policy. Previously, specifying that option resulted in an error.

5) Corrected IPv6 address range parsing.

Previously, such ranges were required to be of the form [<addr1>-<addr2>]
rather than the more standard form [<addr1>]-[<addr2>]. In the snat file
(and in nat actions), the latter form was actually flagged as an error,
while in other contexts it resulted in a less obvious error being
raised.

6) The manpages have been updated to refer to https://shorewall.org
rather than http://www.shorewall.org.

5.2.3.4

1) If multi-queue NFQUEUE (e.g., NFQUEUE(0:1)) was used as a policy,
an error such as the following was previously incorrectly raised:

ERROR: Invalid policy (NFQUEUE(0) /etc/shorewall/policy (line
15)

That has been corrected such that no error is raised.

2) If multi-queue NFQUEUE (e.g., NFQUEUE(0:1,bypass)) was passed to a
macro, an error such as the following was previously incorrectly
raised:

ERROR: Invalid ACTION (PARAM:1c,bypass)))
/usr/share/shorewall/macro.BitTorrent (line 12)
from /etc/shorewall/rules (line 40)

Now, the NFQUEUE action is correctly substituted for PARAM in
the macro body.

3) If shorewall[6].conf didn't set AUTOMAKE, the 'update' command
previously produced a new file with 'AUTOMAKE=Yes'. This resulted
in an unexpected change of behavior. Now, the new file contains
'AUTOMAKE=No', which preserves the pre-update behavior.

4) Shorewall-rules(5) incorrectly stated that the 'bypass' option to
NFQUEUE causes the rule to be silently bypassed if there is no
application attached to the queue. The actual behavior is that the
rule acts like ACCEPT in that case. Shorewall-rules(5) has been
corrected.

5.2.3.3

1) Previously, if an ipset was specified in an SPORT column, the
compiler would raise an error similar to:

ERROR: Invalid ipset name () /etc/shorewall/rules (line 44)

That has been corrected.

5.2.3.2

1) Shorewall 5.2 automatically converts an existing 'masq' file to an
equivalent 'snat' file. Regrettably, Shorewall 5.2.3 broke that
automatic update, such that the following error message was issued:

Use of uninitialized value $Shorewall::Nat::raw::currentline in
pattern match (m//) at /usr/share/shorewall/Shorewall/Nat.pm
line 511, <$currentfile> line nnn.

and the generated 'masq' file contained only initial comments.

That has been corrected.

5.2.3.1

1) An issue in the implementation of policy file zone exclusion,
released in 5.2.3, has been resolved. In the original release,
if more than one zone was excluded, then the following error was
raised:

ERROR: 'all' is not allowed in a source zone list
etc/shorewall/policy (line ...)

5.2.3

1) To prevent a helper kernel module from being loaded, it was
previously necessary to list both its current name and its
pre-kernel-2.6.20 name in the DONT_LOAD option in
/etc/shorewall[6].conf. For example, to prevent nf_conntrack_sip
from being loaded, it was necessary to also list ip_conntrack_sip
in DONT_LOAD. That is no longer necessary.

----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 2 . 2
----------------------------------------------------------------------------

1) New macros have been contributed by Vincas Dargis:

Bitcoin
Tor
ONCRPC

Additionally, Tuomo Soini has contributed a WUDO (Windows Update
Delivery Optimization) macro.

2) The Perl modules have undergone some cleanup/optimization.

3) Given that recent kernels have dropped ULOG support, use of ULOG in
Shorewall is now deprecated and results in a warning message. The
warning can be eliminated by switching to NFLOG and ulogd2.

4) Shorewall can now detect interface default gateways configured by
Network Manager.

5) Inline matches are now supported in the 'conntrack' file.

6) In the 'accounting' file, inline matches in an INLINE(...) rule now
allow a leading '+' to cause the matches to be evaluated before
those generated by the column specifications.

7) In view of the fact that some modems take an eternity to recover
from a power failure, the limit of the 'wait' interface option
setting has been increased from 120 seconds (2 minutes) to 300
seconds (5 minutes).

----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 2 . 2
----------------------------------------------------------------------------

5.2.2.1

1) A typo has been corrected in shorewall-providers(5). The manpage
previously referred to RESTORE_DEFAULT_OPTION; that should have
been RESTORE_DEFAULT_GATEWAY.

5.2.2

1) This release includes defect repair through Shorewall 5.2.1.4.

2) When processing inline matches, the compiler previously inserted
the matches before the column-generated matches if there was a plus
sign ("+") anywhere in the matches. Now, it only does so if the
first non-blank character in the matches is a plus sign.
1244 ----------------------------------------------------------------------------
1245 P R O B L E M S C O R R E C T E D I N 5 . 2 . 1
1246 ----------------------------------------------------------------------------
1247
1248 5.2.1.4
1249
1250 1) A change in 5.2.0.5 that corrected an ip[6]tables error in the
1251 UNTRACKED section of the rules file, changed the name of the chain
1252 used to hold UNTRACKED rules. Previously, the chain was named
1253 &z1-z2, where 'z1' is the source zone and 'z2' is the
1254 destination; after the change, the chain was named =z1-z2.
1255 Unfortunately, some log messages generated out of these chains
1256 still referred to &z1-z2; that has been corrected.
1257
1258 2) Some dead/silly code has been removed from two functions in
1259 the Chains.pm Perl module. The two functions have been combined
1260 into a single function.
1261
1262 3) When the RATE column contains both a source and a destination rate,
1263 it was previously impossible to specifiy a netmask (VLSM) on either
1264 rate. Attempting to specify a mask would result in:
1265
1266 ERROR: Invalid rate (...)
1267
1268 That has been corrected. Note that when specifying a
1269 netmask, the leading 's' or 'd' may not be omitted.
1270
1271 4) Several typos in the man pages have been corrected (Roberto
1272 Sánchez).
1273
1274 5.2.1.3
1275
1276 1) When a configuration had optional interfaces but no providers, the
1277 'status -i' command previously would fail to show interface status
1278 for interfaces that had not been disabled or enabled since the
1279 last start, restart or reload. That has been corrected.
1280
1281 5.2.1.2
1282
1283 1) The fix for DOCKER=Yes in 5.2.1.1 inadvertantly results in an
1284 assertion failure when processing a 'check -r' command when
1285 DOCKER=Yes. That has been corrected. As part of that change,
1286 empty 'cat' commands in the generated script were eliminated.
1287
1288 2) When the HELPER target is used with an empty HELPER column, the
1289 error message produced previously incorrectly read:
1290
1291 ERROR: HELPER require requires that ...
1292
1293 That has been corrected so that the message now reads:
1294
1295 ERROR: HELPER requires that ...
1296
1297 3) On Centos 7, the following journal message appeared when Shorewall
1298 attempted to load kernel modules:
1299
1300 nf_log: can't load ipt_ULOG, conflicting nfnetlink_log already
1301 loaded
1302
1303 To eliminate that message, Shorewall no longer attempts to load
1304 ipt_ULOG. Note that most current distributions no longer support
1305 ULOG. Current users of ULOG should convert to using NFLOG at the
1306 earliest opportunity.
1307
1308 5.2.1.1
1309
1310 1) The Perl module versions were not updated for the 5.2.1
1311 release. That has been corrected.
1312
1313 2) The lib.common file previously confused Emacs such that editing the
1314 file in shell mode was awkward. Because lib.common is included in
1315 compiled scripts, this defect also made editing a compiled script
1316 awkward. The issue has been resolved, so that the file now renders
1317 properly in Emacs's shell mode.
1318
1319 3) Previously, if ip6tables-restore failed during Shorewall6 start,
1320 restart or reload, the resulting error message indicated that
1321 iptables-load had failed. That has been corrected.
1322
1323 4) Setting Docker=Yes did not work correctly with Docker version
1324 18.03.1-ce. In that version, the DOCKER-ISOLATION chain was
1325 replaced by a pair of chains: DOCKER-ISOLATION-STAGE-1 and
1326 DOCKER-ISOLATION-STAGE-2. That has been corrected. As part of this
1327 change, Shorewall now correctly handles the DOCKER-USER chain as
1328 well as the two new isolation chains.
1329
1330 5) Previously, if there were multiple 'balance' providers and more
1331 than one of them were experiencing carrier loss, then the 'enable' and
1332 'disable' operations could fail. That has been corrected.
1333
1334 5.2.1
1335
1336 1) This release contains defect repair up through Shorewall 5.2.0.5.
1337
1338 2) Previously, if:
1339
1340 a) IP[6]TABLES was not set in shorewall[6].conf; and
1341 b) The ip[6]tables binary was not found on the PATH.
1342
1343 then a shell 'not found' error on 'fatal-error' was generated. That
1344 has been corrected (Matt Darfeuille)
1345
1346 3) A number of files in the Shorewall-common package have had their
1347 heading version updated to version 5.2 (Matt Darfeuille).
1348
1349 4) Previously, if statistical load balancing ('load=<load-factor>' in
1350 provider OPTIONS) was configured on providers that shared an
1351 interface, then the compiler would die with an assertion
1352 failure. That has been corrected so that this combination now works
1353 as expected.
1354
1355 5) Where two or more providers share a network interface, the
1356 'optional' interface/provider option has never worked correctly.
1357 Beginning with this release, the 'optional' option is disallowed
1358 on such interfaces and providers.
1359
1360 6) Previously, when rate limiting was applied to a DNAT or
1361 REDIRECT rule, rate limiting was applied to the accompanying
1362 ACCEPT rule. Since logging is applied in the DNAT/REDIRECT rule, if
1363 the connection failed the rate limit then the connection attempt
1364 could be logged twice - once in the nat table and once when the
1365 applicable policy was applied. Beginning with this release, rate
1366 limiting is applied to the DNAT/REDIRECT rule so that no nat-table
1367 logging occurs if the connection attempt exceeds the rate limit.
1368
1369 7) Some regular expressions used in Shorewall's Perl code will be
1370 disallowed by Perl version 5.23. These have been changed to be
1371 acceptable to that version of Perl.
1372
1373 8) Previously, if SNAT(detect) was used on an optional interface and
1374 the resulting ip[6]tables rule was unreachable, then invalid shell
1375 code similar to the following was generated:
1376
1377 if [ "$SW_PPP1_ADDRESS" != 0.0.0.0 ]; then
1378 fi
1379
1380 That has been corrected such that the above code is not generated
1381 and a warning message is issued, indicating that the entry generated
1382 no ip[6]tables rule.
1383
1384 ----------------------------------------------------------------------------
1385 N E W F E A T U R E S I N 5 . 2 . 1
1386 ----------------------------------------------------------------------------
1387
1388 5.2.1.2
1389
1390 1) A new variable SW_CONFDIR has been added. $SW_CONFDIR evaluates to
1391 $CONFDIR/shorewall[6] if no directory name is passed to a compile,
1392 check, start, restart or reload command. If a directory name is
1393 passed to one of these commands, then $SW_CONFDIR expands to that
1394 directory name.
1395
1396 5.2.1
1397
1398 1) New macros for IPFS (https://ipfs.io/) have been contributed by
1399 Răzvan Sandu.
1400
1401 2) Several new man pages have been added:
1402
1403 - shorewall-addresses(5) describes specification of addresses in
1404 shorewall configuration files.
1405
1406 - shorewall-files(5) describes the shorewall configuration files
1407 together with features common to multiple files.
1408
1409 - shorewall-logging(5) describes shorewall's logging facilities.
1410
1411 - shorewall-names(5) describes restrictions on names used in
1412 Shorewall configuration files.
1413
1414 Additional man pages will be included in future 5.2.1 pre-releases.
1415
1416 3) In the SOURCE and DEST columns, it is now possible to exclude an
1417 interface by preceding the interface name with '!'. This is useful
1418 for excluding the loopback interface (lo).
1419
1420 Example from the mangle file:
1421
1422 #ACTION SOURCE DEST
1423 DROP:T 127.0.0.0/8 !lo
1424
1425 4) The MARK, CONNMARK, SAVE and RESTORE commands may now be placed in
1426 the nat table through used of new chain designators in the mangle
1427 file:
1428
1429 NP - nat table PREROUTING chain
1430 NI - nat table INPUT chain
1431 NO - nat table OUTPUT chain
1432 NT - nat table POSTROUTING chain
1433
1434 5) When TC_EXPERT=Yes, it is now possible to specify any mark/mask
1435 values that are displayed by the 'show marks' command, including
1436 the Exclusion and TPROXY values.
1437
1438 6) The configure and install scripts now support ALT Linux (Alexey
1439 Shabalin).
1440
1441 7) The verbosity of the 'remote-*' CLI commands has been increased
1442 (Matt Darfeuille).
1443
1444 8) You may now specify a VLSM in the RATE columns of the policy and
1445 rules files, when per-IP limiting is used. This results in one hash
1446 table entry per subnet rather than one entry per hosts, and applies
1447 the limit to the subnet. See shorewall-policy(5) and
1448 shorewall-rules(5) for details. This provides a means for reducing
1449 the size of the hash tables.
1450
1451 9) You man now specify the number of hash table buckets and the
    maximum number of hash table entries in the RATE columns of the
    policy and rules files, when per-IP limiting is used. This allows
    you to increase the size of the tables to more fully handle DDoS
    attacks. See shorewall-policy(5) and shorewall-rules(5) for
    details.

10) Eric Teeter has contributed a macro for Cockpit.

----------------------------------------------------------------------------
              P R O B L E M S   C O R R E C T E D   I N   5 . 2 . 0
----------------------------------------------------------------------------

5.2.0.1

1)  This release includes defect repair through Shorewall 5.1.12.4.

2)  The getrc and getcaps commands added in 5.2.0 did not read the
    params file. That has been corrected.

3)  A shell syntax error in the code that implements the 'ipdecimal'
    command has been corrected.

5.2.0

1)  This release includes defect repair through Shorewall 5.1.12.3.

2)  Previously, optimize category 8 (combine identical chains) was
    applied before optimize category 16 (eliminate duplicate rules,
    ...). This could (and did) result in uncombined identical chains
    in the final ruleset. Beginning with this release:

    a) Optimize category 16 will be applied before optimize category 8.
    b) If optimize category 8 combined any chains, then optimize
       category 16 will be applied again.

    This change ensures that the final ruleset has no duplicate chains
    and that all compatible adjacent port and state rules are combined.

3)  Previously, use of &lo would result in an error:

        ERROR: Can't determine the IP address of lo: Firewall state not changed

    That problem has been corrected such that &lo always expands to
    127.0.0.1 (IPv4) or ::1 (IPv6).

----------------------------------------------------------------------------
                    N E W   F E A T U R E S   I N   5 . 2 . 0
----------------------------------------------------------------------------

1)  The MAPOLDACTIONS option in shorewall.conf has been removed. This
    option provided compatibility with releases prior to Shorewall 3.0.
    'shorewall update' will remove the setting of this option from
    shorewall.conf.

2)  The INLINE_MATCH option has been removed. Shorewall now behaves as
    if INLINE_MATCH=No had been specified:

    - A single semicolon (';') is used to separate column-oriented
      input from column-name/value input.

    - The preferred method of specifying column-name/value input is to
      enclose such input in curly braces ("{....}").

    - A pair of semicolons (';;') is used to introduce raw IP[6]TABLES
      input. This is true in INLINE and IP[6]TABLES rules as well as
      rules with other targets.

    As part of this change, 'shorewall update' will replace ';' with
    ';;' in INLINE and IP[6]TABLES rules.

3)  With the wide availability of ipset-based blacklisting, the need
    for the 'refresh' command has been largely eliminated. As a result,
    that command has been removed.

    Some users may have been using 'refresh' as a lightweight form of
    reload. The most common of these uses seem to be for reloading
    traffic shaping after an interface has gone down and come back up.
    The best way to handle this situation under 5.2 is to make the
    interface 'optional' in your /etc/shorewall[6]/interfaces file,
    then either:

    - Install Shorewall-init and enable IFUPDOWN; or
    - Use the 'reenable' command when the interface comes back up
      in place of the 'refresh' command.

4)  The following deprecated macros and actions have been removed:

        Action A_AllowICMPs - use AllowICMPs(A_ACCEPT)
        Action A_Drop       - see below
        Action A_Reject     - see below
        Action Drop         - see below
        Action Reject       - see below
        Macro  SNMPTrap     - use SNMPtrap

    The [A_]Drop and [A_]Reject actions are used primarily as policy
    actions. As part of this change, 'shorewall update' will update
    DROP_DEFAULT=[A_]Drop and REJECT_DEFAULT=[A_]Reject as follows:

    IPv4

        DROP_DEFAULT=Drop       becomes Broadcast(DROP),Multicast(DROP)
        DROP_DEFAULT=A_Drop     becomes
                                Broadcast(A_DROP),Multicast(A_DROP)
        REJECT_DEFAULT=Reject   becomes Broadcast(DROP),Multicast(DROP)
        REJECT_DEFAULT=A_Reject becomes
                                Broadcast(A_DROP),Multicast(A_DROP)

    IPv6

        DROP_DEFAULT=Drop       becomes
                                AllowICMPs,Broadcast(DROP),Multicast(DROP)
        DROP_DEFAULT=A_Drop     becomes
                                AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)
        REJECT_DEFAULT=Reject   becomes
                                AllowICMPs,Broadcast(DROP),Multicast(DROP)
        REJECT_DEFAULT=A_Reject becomes
                                AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)

    See the Migration Issues for additional information.
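
    The two 'shorewall update' conversions described in items 2) and 4)
    above, worked through as an added example. This is not Shorewall's
    own update code (the real conversion is done by the compiler and the
    shorewall CLI); it is a small POSIX shell/awk approximation that
    rewrites a rules-file stream and a shorewall[6].conf stream using
    exactly the mappings listed above. The rules and settings fed
    through it at the end are constructed for this example.

```shell
#!/bin/sh
# Added example (not Shorewall's own code): approximate two of the
# 'shorewall update' conversions from the 5.2.0 release notes.

# 1. Rules files: in INLINE and IP[6]TABLES rules, the single ';' that
#    introduced raw iptables matches becomes ';;'.  Rules with other
#    targets keep ';' (it now separates column-name/value input), and
#    lines already using ';;', comments, ?-directives and blank lines are
#    untouched.  Reads a rules file on stdin, writes the result on stdout.
update_rules() {
    awk '
    /^[ \t]*$/ || /^[ \t]*[#?]/ { print; next }
    {
        line   = $0
        action = $1
        sub(/\(.*$/, "", action)              # INLINE(ACCEPT) -> INLINE
        if ((action == "INLINE" || action == "IPTABLES" || action == "IP6TABLES") &&
            line !~ /;;/ && line ~ /;/)
            sub(/;/, ";;", line)              # only the first ";"
        print line
    }'
}

# 2. shorewall[6].conf: map the removed [A_]Drop / [A_]Reject default
#    actions to their replacements.  $1 is the address family (4 or 6),
#    $2 the old value; prints the new value, or $2 unchanged when no
#    conversion applies.
map_default_action() {
    family=$1 value=$2
    case "$value" in
        Drop|Reject)     new='Broadcast(DROP),Multicast(DROP)'
                         icmp='AllowICMPs' ;;
        A_Drop|A_Reject) new='Broadcast(A_DROP),Multicast(A_DROP)'
                         icmp='AllowICMPs(A_ACCEPT)' ;;
        *) printf '%s\n' "$value"; return 0 ;;
    esac
    # IPv6 additionally needs the AllowICMPs action in front.
    if [ "$family" = 6 ]; then
        printf '%s,%s\n' "$icmp" "$new"
    else
        printf '%s\n' "$new"
    fi
}

# Apply the mapping to a shorewall[6].conf stream ($1 = 4 or 6):
# only DROP_DEFAULT= and REJECT_DEFAULT= lines are rewritten.
update_conf() {
    family=$1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            DROP_DEFAULT=*|REJECT_DEFAULT=*)
                key=${line%%=*}
                val=${line#*=}
                val=${val#\"}; val=${val%\"}          # drop optional quotes
                new=$(map_default_action "$family" "$val")
                if [ "$new" = "$val" ]; then
                    printf '%s\n' "$line"
                else
                    printf '%s="%s"\n' "$key" "$new"
                fi ;;
            *)  printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed demonstration input (not taken from any real configuration).
demo() {
    printf '%s\n' \
        '#ACTION         SOURCE  DEST    PROTO   DPORT' \
        'INLINE(ACCEPT)  net     $FW     tcp     22      ; -m recent --name SSH --set' \
        'ACCEPT          loc     $FW     tcp     80      ; comment=web' \
        'IPTABLES(DROP)  net     all     ;; -m conntrack --ctstate INVALID' |
        update_rules
    printf 'DROP_DEFAULT="Drop"\nREJECT_DEFAULT=A_Reject\nLOG_ZONE=both\n' |
        update_conf 6
}
demo
```

    In the demonstration only the INLINE rule gains a second semicolon;
    the ACCEPT rule keeps its single ';' because it now separates the
    column-name/value part, and the IPTABLES rule is already in the new
    form. The conf conversion shows the IPv6 mapping, where AllowICMPs
    is prepended.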

5)  A 'show saves' command has been added to list the snapshots
    created using the 'save' command.

    Example:

        root@gateway:~# shorewall show saves
        Shorewall 5.2.0 Saves at gateway - Thu Feb 15 11:58:37 PST 2018
        Saved snapshots are:

            Feb 15 10:08 foo
            Feb 14 12:34 restore (default)

        root@gateway:~#

    The snapshots are listed by creation time from latest to
    earliest. If the name of one matches the RESTOREFILE setting, that
    snapshot is marked as the default for the 'restore' command.

6)  For installing into a Sandbox, the file shorewallrc.sandbox has
    been added to Shorewall-core. See
    http://www.shorewall.org/install.htm#idm327.

7)  The "Use Pkttype Match (USEPKTTYPE)" capability is no longer used
    and has been deleted. This removal has introduced a new
    capabilities version.

8)  When a log message is issued from a chain that relates to a pair of
    zones (e.g., 'fw-net'), the chain name normally appears in the log
    message (unless LOGTAGONLY=Yes and a log tag is specified). This
    can prevent OPTIMIZE category 8 from combining chains which are
    identical except for chain names in logging rules. The new
    LOG_ZONE option in shorewall[6].conf allows for only the source or
    destination zone to appear in the messages by setting LOG_ZONE to
    'src' or 'dst' respectively. If LOG_ZONE=both (the default), then
    the full chain name is included in log messages.

    Setting LOG_ZONE=src has been shown to decrease the size of the
    generated ruleset by more than 10 percent in some cases. Your
    results may vary.

9)  Traditionally, when OPTIMIZE category 8 is enabled, identical
    chains are combined under a name beginning with '~comb' or
    '~blacklist'. Beginning with this release, setting
    RENAME_COMBINED=Yes (the default) in shorewall[6].conf retains that
    behavior. If RENAME_COMBINED=No, identical chains are combined
    under the original name of one of the chains.

10) When AUTOMAKE=Yes, each directory in the CONFIG_PATH was originally
    searched recursively for files newer than the compiled script. That
    was changed in Shorewall 5.1.10.2 such that only the listed
    directories themselves were searched. That broke some
    configurations that played tricks with embedded SHELL such as:

        SHELL cat /etc/shorewall/rules.d/loc/*.rules

    Prior to 5.1.10.2, a change to a file in or adding a file to
    /etc/shorewall/rules.d/loc/ would trigger recompilation. Beginning
    with 5.1.10.2, such changes would not trigger recompilation.

    Beginning with this release, the pre-5.1.10.2 behavior can be
    obtained by setting AUTOMAKE=recursive.

    Also beginning with this release, AUTOMAKE may be set to a numeric
    <depth> which specifies how deeply each listed directory is to be
    searched. AUTOMAKE=1 only searches each directory itself and is
    equivalent to AUTOMAKE=Yes. AUTOMAKE=2 will search each directory
    and its immediate sub-directories; AUTOMAKE=3 will search each
    directory, each of its immediate sub-directories, and each of their
    immediate sub-directories, etc.
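
    The depth semantics just described, as an added shell example. This
    is not Shorewall's own AUTOMAKE check (that lives in the shorewall
    CLI library); it approximates the search with find(1) and assumes a
    find that supports -maxdepth (GNU or busybox), which POSIX find does
    not guarantee. The directory layout built in the demonstration is
    constructed here to mirror the SHELL trick above: a rules file three
    levels below the configuration directory, next to an old compiled
    script.

```shell
#!/bin/sh
# Added example (not Shorewall's own code): approximate the AUTOMAKE
# staleness check.  Returns 0 when a file newer than the compiled script
# exists within the configured depth of any listed directory (i.e. a
# recompile is needed), 1 when nothing newer was found, 2 on a bad value.
#
#   $1       AUTOMAKE value: No, Yes, recursive, or a numeric depth
#   $2       the compiled firewall script to compare against
#   $3...    the CONFIG_PATH directories
#
# Assumes find(1) with -maxdepth (GNU or busybox), which POSIX lacks.
automake_needs_recompile() {
    automake=$1 script=$2
    shift 2
    case "$automake" in
        [Nn]o)       return 1 ;;               # AUTOMAKE=No: never check
        [Yy]es)      depth=1 ;;                # same as AUTOMAKE=1
        recursive)   depth='' ;;               # pre-5.1.10.2 behaviour
        ''|*[!0-9]*) printf 'bad AUTOMAKE value: %s\n' "$automake" >&2
                     return 2 ;;
        *)           depth=$automake ;;
    esac
    [ -f "$script" ] || return 0              # no compiled script yet

    for dir in "$@"; do
        [ -d "$dir" ] || continue             # CONFIG_PATH entries may be absent
        if [ -n "$depth" ]; then
            newer=$(find "$dir" -maxdepth "$depth" -type f -newer "$script" -print 2>/dev/null | head -n 1)
        else
            newer=$(find "$dir" -type f -newer "$script" -print 2>/dev/null | head -n 1)
        fi
        if [ -n "$newer" ]; then
            printf 'newer than %s: %s\n' "$script" "$newer" >&2
            return 0
        fi
    done
    return 1
}

# Constructed layout: conf/firewall (compiled script) and conf/rules are
# dated 2020, conf/rules.d/loc/web.rules is created now, i.e. it sits at
# depth 3 below conf/ and is the only file newer than the script.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/conf/rules.d/loc"
    touch -t 202001010000 "$tmp/conf/firewall" "$tmp/conf/rules"
    touch "$tmp/conf/rules.d/loc/web.rules"
    for setting in Yes 2 3 recursive; do
        if automake_needs_recompile "$setting" "$tmp/conf/firewall" "$tmp/conf" 2>/dev/null; then
            printf 'AUTOMAKE=%s: recompile\n' "$setting"
        else
            printf 'AUTOMAKE=%s: up to date\n' "$setting"
        fi
    done
    rm -rf "$tmp"
}
demo
```

    With that layout, AUTOMAKE=Yes and AUTOMAKE=2 report the compiled
    script as up to date (the new file is too deep to be seen), while
    AUTOMAKE=3 and AUTOMAKE=recursive report that a recompile is needed.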

11) Previously, the maximum depth of INCLUDEs was four (although the
    documentation gave the limit as three). Beginning with this
    release, that limit has been raised to 20.

12) Support for the deprecated 'masq' file has been deleted. Any
    existing 'masq' file will automatically be converted to the
    equivalent 'snat' file.

13) Three new shorewall commands have been implemented:

    a) show rc

       Displays the contents of the shorewallrc file
       ($SHAREDIR/shorewall/shorewallrc).

    b) getcaps

       Generates a capabilities file on a remote system and copies it
       to a directory on the local system.

    c) getrc

       Copies the shorewallrc file from a remote system to a directory
       on the local system.

    See shorewall(8) for details.

    Implemented by Matt Darfeuille