From: Tom E. <te...@sh...> - 2009-12-19 17:29:56
The Shorewall team is pleased to announce the availability of Shorewall 4.4.5.

----------------------------------------------------------------------------
           P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 5
----------------------------------------------------------------------------

1) The change which removed the 15 port limitation on
   /etc/shorewall/routestopped was incomplete. The result was that if
   more than 15 ports were listed, an error was generated.

2) If any interfaces had the 'bridge' option specified, compilation
   failed with the error:

      Undefined subroutine &Shorewall::Rules::match_source_interface
      called at /usr/share/shorewall/Shorewall/Rules.pm line 2319.

3) The compiler now flags port number 0 as an error in all contexts.
   Previously, port 0 was allowed with the result that invalid
   iptables-restore input could be generated in some cases.

4) The 'show policies' command now works in Shorewall6 and
   Shorewall6-lite.

5) Traffic shaping modules from /lib/modules/<version>/net/sched/ are
   now correctly loaded. Previously, that directory was not searched.

   Additionally, Shorewall6 now tries to load the cls_flow module;
   previously, only Shorewall attempted to load that module.

6) The Shorewall6-lite shorecap program was previously including the
   IPv4 base library rather than the IPv6 version. Also, Shorewall6
   capability detection was determining the availability of the mangle
   capability before it had determined if ip6tables was installed.

7) The setting of MODULE_SUFFIX was previously ignored except when
   compiling for export.

8) Detection of the Enhanced Reject capability in the compiler was
   broken for IPv4 compilations.

9) The 'reload -c' command would ignore the setting of DONT_LOAD in
   shorewall.conf. The 'reload' command without '-c' worked as
   expected.

----------------------------------------------------------------------------
          K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

None.
----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   4 . 4 . 5
----------------------------------------------------------------------------

1) Shorewall now allows DNAT rules that change only the destination
   port.

   Example:

      DNAT   loc   net::456   udp   234

   That rule will modify the destination port in UDP packets received
   from the 'loc' zone from 456 to 234.

   Note that if the destination is the firewall itself, then the
   destination port will be rewritten but no ACCEPT rule from the loc
   zone to the $FW zone will have been created to handle the request.
   So such rules should probably exclude the firewall's IP addresses
   in the ORIGINAL DEST column.

2) Systems that do not log Netfilter messages locally can now set
   LOGFILE=/dev/null in shorewall.conf.

3) The 'shorewall show connections' and 'shorewall dump' commands now
   display the current number of connections and the max supported
   connections.

   Example:

      shorewall show connections

      Shorewall 4.5.0 Connections (62 out of 65536) at gateway - Sat ...

   In that case, there were 62 current connections out of a maximum
   number supported of 65536.

Happy Holidays and the Best of New Years,

-The Shorewall Team

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
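As an added illustration of the caveat in new feature 1 (this fragment is not part of the announcement or of the Shorewall distribution): a /etc/shorewall/rules excerpt that places the announced port-only DNAT rule beside the form the announcement recommends, with the firewall's own address excluded in the ORIGINAL DEST column. The address 192.168.1.1 is a made-up placeholder for the firewall's address on the 'loc' interface; the leading '!' exclusion form of ORIGINAL DEST is the one described in shorewall-rules(5), so confirm it against the man page for the version you run.

```text
#ACTION   SOURCE   DEST        PROTO   DEST      SOURCE    ORIGINAL
#                                      PORT(S)   PORT(S)   DEST
#
# As announced: rewrite only the UDP destination port for traffic from
# 'loc'. A packet addressed to the firewall itself has its port
# rewritten, but no ACCEPT loc->$FW rule is generated for it.
DNAT      loc      net::456    udp     234
#
# Recommended form: same rewrite, but skipped when the original
# destination is the firewall's own address. 192.168.1.1 is a
# placeholder (assumption); substitute the firewall's real address on
# the 'loc' interface. '-' leaves SOURCE PORT(S) unrestricted, and the
# leading '!' negates the ORIGINAL DEST match.
DNAT      loc      net::456    udp     234       -         !192.168.1.1
```

Only one of the two DNAT lines belongs in a real rules file; they are shown together to make the difference visible. If the firewall has more than one address on the 'loc' side, list them all, comma-separated, after the '!'.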