[Shorewall-announce] Shorewall 4.4.5

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

The Shorewall team is pleased to announce the availability of Shorewall
4.4.5.

----------------------------------------------------------------------------
          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 5
----------------------------------------------------------------------------

1)  The change which removed the 15 port limitation on
    /etc/shorewall/routestopped was incomplete. The result was that if
    more than 15 ports were listed, an error was generated.

2)  If any interfaces had the 'bridge' option specified, compilation
    failed with the error:

    Undefined subroutine &Shorewall::Rules::match_source_interface called 
    at /usr/share/shorewall/Shorewall/Rules.pm line 2319.

3)  The compiler now flags port number 0 as an error in all
    contexts. Previously, port 0 was allowed with the result that
    invalid iptables-restore input could be generated in some cases.

4)  The 'show policies' command now works in Shorewall6 and
    Shorewall6-lite.

5)  Traffic shaping modules from /lib/modules/<version>/net/sched/ are
    now correctly loaded. Previously, that directory was not
    searched. Additionally, Shorewall6 now tries to load the cls_flow
    module; previously, only Shorewall attempts to load that module.

6)  The Shorewall6-lite shorecap program was previously including the
    IPv4 base library rather than the IPv6 version. Also, Shorewall6
    capability detection was determing the availablity of the mangle
    capability before it had determined if ip6tables was installed.

7)  The setting of MODULE_SUFFIX was previously ignored except when
    compiling for export.

8)  Detection of the Enhanced Reject capability in the compiler was
    broken for IPv4 compilations.

9)  The 'reload -c' command would ignore the setting of DONT_LOAD in
    shorewall.conf. The 'reload' command without '-c' worked as
    expected. 

----------------------------------------------------------------------------
             K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

None.

----------------------------------------------------------------------------
                N E W   F E A T U R E S   I N   4 . 4 . 5
----------------------------------------------------------------------------

1)  Shorewall now allows DNAT rules that change only the destination
    port.

    Example:

        DNAT    loc     net::456        udp     234

    That rule will modify the destination port in UDP packets received
    from the 'loc' zone from 456 to 234. Note that if the destination
    is the firewall itself, then the destination port will be rewritten
    but that no ACCEPT rule from the loc zone to the $FW zone will have
    been created to handle the request. So such rules should probably
    exclude the firewall's IP addresses in the ORIGINAL DEST column.

2)  Systems that do not log Netfilter messages locally can now set
    LOGFILE=/dev/null in shorewall.conf.

3)  The 'shorewall show connections' and 'shorewall dump' commands now
    display the current number of connections and the max supported
    connections.

    Example:

        shorewall show connections
        Shorewall 4.5.0 Connections (62 out of 65536) at gateway - Sat ...

    In that case, there were 62 current connections out of a maximum
    number supported of 65536.

Happy Holidays and the Best of New Years,
-The Shorewall Team
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________