Shorewall 4.0 Patch release 15. ---------------------------------------------------------------------------- R E L E A S E 4 . 0 H I G H L I G H T S ---------------------------------------------------------------------------- 1) This is the first Shorewall release that fully integrates the new Shorewall-perl compiler. See the "New Features" section below. 2) You are now offered a choice as to which compiler(s) you install. In 4.0.0, there are the following packages: - Shorewall-common ( common files ) - Shorewall-shell ( the shell-based compiler ) - Shorewall-perl ( the Perl-based compiler ) You must install at least one of the compiler packages (you may install them both) along with Shorewall-common. YOU DO NOT NEED TO UNINSTALL ANY OF YOUR CURRENT PACKAGES. See the Migration Considerations below for further information. 3) The facilities for supporting bridge/firewalls under earlier releases are deprecated and their documentation is omitted from the 4.0 distribution. New bridge support is implemented in the Shorewall-perl compiler. This support utilizes the reduced-function physdev match support available in Linux kernel 2.6.20 and later. Problems Corrected in Shorewall 4.0.15. 1) Beginning with iptables version 1.4.1, the syntax for commands using the conntrack module has changed. Shorewall now detects if the installed version of iptables requires the new syntax. 2) Support for the LENGTH column in /etc/shorewall/tcrules was incomplete in Shorewall-perl with the result that the LENGTH column was ignored. Thanks go to Lennart Sorensen for the patch. 3) When ipranges were used to define zones, Shorewall-perl could generate invalid iptables-restore input if 'Repeat Match' was not available. Repeat Match is not a true match -- it rather is a feature of recent iptables releases that allows a match to be repeated within a rule. 4) The DISABLE_IPV6 option has been documented in the shorewall.conf man page. The option has been there all along, but it was not previously documented in the man page. 5) If a no-NAT rule (DNAT-, ACCEPT+, NONAT) included a destination IP address and no zone name in the DEST column, Shorewall-perl would reject the rule. If a zone name was specified, Shorewall-perl would issue a Warning message. 3) Following the Netfilter tradition, the IPP2P maintainer has made an incompatible syntax change (the --ipp2p option has been removed). Shorewall has always used "-m ipp2p --ipp2p" when detecting the presence of IPP2P support. Shorewall-common and Shorewall-perl have been modified to use "-m ipp2p --edk" instead. Known Problems Remaining. 1) The 'refresh' command doesn't refresh the mangle table. So changes made to /etc/shorewall/providers and/or /etc/shorewall/tcrules may not be reflected in the running ruleset. Other changes in Shorewall 4.0.15. None. Migration Considerations: 1) Beginning with Shorewall 4.0.0, there is no single 'shorewall' package. Rather there are two compiler packages (shorewall-shell and shorewall-perl) and a set of base files (shorewall-common) which are required by either compiler package. Although the names of the packages are changing, you can upgrade without having to uninstall/reinstall. To repeat: YOU DO NOT NEED TO UNINSTALL ANY EXISTING PACKAGE. If you attempt to upgrade using the shorewall-common RPM, you get this result: gateway:~ # rpm -Uvh shorewall-common-4.0.0.noarch.rpm error: Failed dependencies: shorewall_compiler is needed by shorewall-common-4.0.0-1.noarch gateway:~ # You must either: rpm -Uvh shorewall-shell-4.0.0.noarch.rpm \ shorewall-common-4.0.0.noarch.rpm or rpm -Uvh shorewall-shell-4.0.0.noarch.rpm \ shorewall-perl-4.0.0.noarch.rpm \ shorewall-common-4.0.0.noarch.rpm If you want to use shorewall-perl exclusively then use the second command above then rpm -e shorewall-shell If you are upgrading using the tarball, you must install shorewall-shell and/or shorewall-perl before you upgrade using shorewall-common. Otherwise, the install.sh script fails with: ERROR: No Shorewall compiler is installed The shorewall-shell and shorewall-perl packages are installed from the tarball in the expected way; untar the package, and run the install.sh script. Example 1: You have 'shorewall' installed and you want to continue to use the shorewall-shell compiler. tar -jxf shorewall-common-4.0.0.tar.bz2 tar -jxf shorewall-shell-4.0.0.tar.bz2 cd shorewall-shell-4.0.0 ./install.sh cd ../shorewall-common-4.0.0 ./install.sh shorewall check shorewall restart Example 2: You have shorewall 3.4.4 and shorewall-perl 4.0.0-Beta7 installed and you want to upgrade to 4.0. You do not need the shell-based compiler. tar -jxf shorewall-common-4.0.0.tar.bz2 tar -jxf shorewall-perl-4.0.0.tar.bz2 cd shorewall-perl-4.0.0 ./install.sh cd ../shorewall-common-4.0.0 ./install.sh shorewall check shorewall restart Be sure to modify shorewall.conf if it still has SHOREWALL_COMPILER=shell. 2) The ROUTE_FILTER and LOG_MARTIANS options in shorewall.conf work slightly differently in Shorewall 4.0.0. In prior releases, leaving these options empty was equivalent to setting them to 'No' which caused the corresponding flag in /proc to be reset for all interfaces. Beginning in Shorewall 4.0.0, leaving these options empty causes Shorewall to leave the flags in /proc as they are. You must set the option to 'No' in order to obtain the old behavior. 3) The -f option is no longer the default when Shorewall is started at boot time (usually via /etc/init.d/shorewall). With Shorewall-perl, "shorewall start" is nearly as fast as "shorewall restore" and "shorewall start" uses the current configuration which avoids confusion. If you plan on continuing to use Shorewall-shell and you want to use the "-f" option at boot time, then you must add the following to /etc/sysconfig/shorewall or /etc/default/shorewall: OPTIONS="-f" If you currently have neither of those files, you will need to create one of them. 4) This issue will only affect you if you use Shorewall Lite and have modified /usr/share/configpath to specify a different LITEDIR. The implementation of LITEDIR has always been unsatisfactory. Furthermore, there have been other cases where people have asked to be able to designate the state directory (default /var/lib/shorewall[-lite]). To meet these objectives: a) The LITEDIR variable has been eliminated in /usr/share/shorewall[-lite]/configpath. b) A new file /etc/shorewall[-lite]/vardir has been added. This file is not created by default but may be added as needed. It is expected to contain a single variable assignment: VARDIR=<directory> Example: VARDIR=/root/shorewall To change VARDIR, copy the old directory to the new one before you restart Shorewall[-lite]. To use this feature with Shorewall-lite, all packages involved (compiler, shorewall-common and shorewall-lite) must be version 4.0.0-RC2 or later. ---------------------------------------------------------------------------- N E W F E A T U R E S ---------------------------------------------------------------------------- 1) Shorewall-perl This Shorewall package includes a complete rewrite of the compiler in Perl. I decided to make Shorewall-perl a separate package for several reasons: a) Embedded applications are unlikely to adopt Shorewall-perl; even Mini-Perl has a substantial disk and RAM footprint. b) Because of the gross incompatibilities between the new compiler and the old (see below), migration to the new compiler must be voluntary. ------------------------------------------------------------------------ T H E G O O D N E W S: ------------------------------------------------------------------------ a) The compiler has a small disk footprint. b) The compiler is very fast. c) The compiler generates a firewall script that uses iptables-restore; so the script is very fast. d) The new compiler does a much better job of validating the configuration and catches many errors that resulted in run-time failures with the old compiler. e) Use of the Shorewall-perl is optional! The old slow clunky Bourne-shell compiler is still available. ------------------------------------------------------------------------ T H E B A D N E W S: ------------------------------------------------------------------------ There are a number of incompatibilities between the Perl-based compiler and the Bourne-shell one. a) The Perl-based compiler requires the following capability in your kernel and iptables. - multiport match This capability is in current distributions. b) Shorewall-perl does not attempt to break up SOURCE PORT(s) lists longer than 15 ports (where a port range counts as two ports). It also doesn't permit port ranges in a port list unless the kernel and iptables support Extended Multiport Match. c) The old BRIDGING=Yes support has been replaced by new bridge support that uses the reduced 'physdev match' capabilities found in kernel 2.6.20 and later. This new implementation may be used where it is desired to control traffic through a bridge. The new implementation includes the following features: a) A new "Bridge Port" zone type is defined. Specify 'bport' or 'bport4' in the TYPE column of /etc/shorewall/zones. Bridge Port zones should be a sub-zone of a regular ipv4 zone that represents all hosts attached to the bridge. b) A new 'bridge' option is defined for entries in /etc/shorewall/interfaces. Bridges should have this option specified, even if you don't want to filter traffic going through the bridge. c) Bridge ports must now be defined in /etc/shorewall/interfaces. The INTERFACE column contains both the bridge name and the port name separated by a colon (e.g., "br0:eth1"). No OPTIONS are allowed for bridge ports. The bridge must be defined before its ports and must have the 'bridge' option. Bridge Port (BP) zones have a number of limitations: a) Each BP zone may only be associated with ports on a single bridge. b) BP zones may not be associated with interfaces that are not bridge ports. c) You may not have policies or rules where the DEST is a BP zone but the source is not a BP zone. If you need such rules, you must use the BP zone's parent zone as the DEST zone. Example (Bridge br0 with ports eth1 and tap0): /etc/shorewall/zones: fw firewall net ipv4 loc ipv4 lan:loc bport vpn:loc bport /etc/shorewall/interfaces: net eth0 - ... loc br0 - ... lan eth1 vpn tap0 When using the /etc/shorewall/hosts file to define a bport4 zone, you specify only the port name: Example: /etc/shorewall/zones: fw firewall net ipv4 loc ipv4 lan:loc bport vpn:loc bport /etc/shorewall/hosts lan eth1:192.168.2.0/24 ... The structure of the accounting rules changes slightly when there are bridges defined in the Shorewall configuration. Because of the restrictions imposed by Netfilter in kernel 2.6.21 and later, output accounting rules must be segregated from forwarding and input rules. To accomplish this separation, Shorewall-perl creates two accounting chains: - accounting - for input and forwarded traffic. - accountout - for output traffic. If the CHAIN column contains '-', then: - If the SOURCE column in a rule includes the name of the firewall zone (e.g., $FW), then the rule is add only to the accountout chain. - Otherwise, if the DEST in the rule is any or all or 0.0.0.0/0, then the rule is added to both accounting and accountout. - Otherwise, the rule is added to accounting only. See http://www.shorewall.net/bridge-Shorewall-perl.html for additional information about the new bridge support. d) The BROADCAST column in the interfaces file is essentially unused; if you enter anything in this column but '-' or 'detect', you will receive a warning. e) Because the compiler is written in Perl, some of your extension scripts from earlier versions will no longer work because Shorewall-perl runs those extension scripts at compile-time rather than at run-time. Compile-time scripts are: initdone maclog All per-chain scripts including those associated with actions. Compile-time extension scripts are executed using the Perl 'eval `cat <file>`' mechanism. Be sure that each script returns a 'true' value; otherwise, the compiler will assume that the script failed and will abort the compilation. All scripts will need to begin with the following line: use Shorewall::Chains; For more complex scripts, you may need to 'use' other Shorewall Perl modules -- browse /usr/share/shorewall-perl/Shorewall/ to see what's available. When a script is invoked, the $chainref scalar variable will hold a reference to a chain table entry. $chainref->{name} contains the name of the chain $chainref->{table} holds the table name To add a rule to the chain: add_rule( $chainref, <the rule> [, <expand-dports> ] ); Where <the rule> is a scalar argument holding the rule text. Do not include "-A <chain name>" <expand-dports> is optional. If <expand-dports> is present and evaluates to True and if <the rule> contains a --dports list with more than 15 ports listed (each port range counts as two ports), then add_rule() will break <the rule> into multiple rules, each having 15 or fewer ports in its --dports list. Example: add_rule( $chainref, '-j ACCEPT' ); To insert a rule into the chain: insert_rule( $chainref, <rulenum>, <the rule> ); The log_rule_limit function works like it does in the shell compiler with two exceptions: - You pass the chain reference rather than the name of the chain. - The commands are 'add' and 'insert' rather than '-A' and '-I'. - There is only a single "pass as-is to iptables" argument (so you must quote that part). Example: log_rule_limit( 'info' , $chainref , $chainref->{name}, 'DROP' , '', #Limit '' , #Log tag 'add', #Command '-p tcp' #Pass as-is ); Note that in the 'initdone' script, there is no default chain ($chainref). You can objtain a reference to a standard chain by: my $chainref = $chain_table{<table>}{<chain name>}; Example: my $chainref = $chain_table{'filter'}{'INPUT'}; The 'continue' script is eliminated. That script was designed to allow you to add special rules during [re]start. Shorewall-perl doesn't need such rules. See http://www.shorewall.net/shorewall_extension_scripts.htm for further information about extension scripts under Shorewall-perl. f) The 'refresh' command now works like 'restart' with the following exceptions: - The refresh command is rejected if Shorewall is not running. - The refresh command only rebuilds the 'blacklst' chain. - A directory name may not be specified in the refresh command. g) The /etc/shorewall/tos file now has zone-independent SOURCE and DEST columns as do all other files except the rules and policy files. The SOURCE column may be one of the following: [all:]<address>[,...] [all:]<interface>[:<address>[,...]] $FW[:<address>[,...]] The DEST column may be one of the following: [all:]<address>[,...] [all:]<interface>[:<address>[,...]] This is a permanent change. The old zone-based rules have never worked right and this is a good time to replace them. I've tried to make the new syntax cover the most common cases without requiring change to existing files. In particular, it will handle the tos file released with Shorewall 1.4 and earlier. h) Shorewall-perl insists that ipset names begin with a letter and be composed of alphanumeric characters and underscores (_). When used in a Shorewall configuration file, the name must be preceded by a plus sign (+) as with the shell-based compiler. Shorewall-perl is now out of the ipset load/reload business. With scripts generated by the Perl-based Compiler, the Netfilter ruleset is never cleared. That means that there is no opportunity for Shorewall to load/reload your ipsets since that cannot be done while there are any current rules using ipsets. So: i) Your ipsets must be loaded before Shorewall starts. You are free to try to do that with the following code in /etc/shorewall/start: if [ "$COMMAND" = start ]; then ipset -U :all: :all: ipset -F ipset -X ipset -R < /my/ipset/contents fi The file '/my/ipset/contents' (not its real name of course) will normally be produced using the ipset -S command. The above will work most of the time but will fail in a 'shorewall stop' - 'shorewall start' sequence if you use ipsets in your routestopped file (see below). ii) Your ipsets may not be reloaded until Shorewall is stopped or cleared. iii) If you specify ipsets in your routestopped file then Shorewall must be cleared in order to reload your ipsets. As a consequence, scripts generated by the Perl-based compiler will ignore /etc/shorewall/ipsets and will issue a warning if you set SAVE_IPSETS=Yes in shorewall.conf. i) Because the configuration files (with the exception of /etc/shorewall/params) are now processed by the Perl-based compiler rather than by the shell, only the basic forms of Shell expansion ($variable and ${variable}) are supported. The more exotic forms such as ${variable:=default} are not supported. Both variables defined in /etc/shorewall/params and environmental variables (exported by the shell) can be used in configuration files. j) USE_ACTIONS=No is not supported. That option is intended to minimize Shorewall's footprint in embedded applications. As a consequence, Default Macros are not supported. k) DELAYBLACKLISTLOAD=Yes is not supported. The entire ruleset is atomically loaded with one execution of iptables-restore. l) MAPOLDACTIONS=Yes is not supported. People should have converted to using macros by now. m) The pre Shorewall-3.0 format of the zones file is not supported; neither is the /etc/shorewall/ipsec file. n) BLACKLISTNEWONLY=No is not permitted with FASTACCEPT=Yes. This combination doesn't work in previous versions of Shorewall so the Perl-based compiler simply rejects it. o) Shorewall-perl has a single rule generator that is used for all rule-oriented files. So it is important that the syntax is consistent between files. With shorewall-shell, there is a special syntax in the SOURCE column of /etc/shorewall/masq to designate "all traffic entering the firewall on this interface except...". Example: #INTERFACE SOURCE ADDRESSES eth0 eth1!192.168.4.9 ... Shorewall-perl uses syntax that is consistent with the rest of Shorewall: #INTERFACE SOURCE ADDRESSES eth0 eth1:!192.168.4.9 ... p) The 'allowoutUPnP' built-in action is no longer supported. The Netfilter team have removed support for '-m owner --owner-cmd' which that action depended on. q) The treatment of the following interface options has changed under Shorewall-perl. - arp_filter - routefilter - logmartians - proxy_arp - sourceroute With the Shorewall-shell compiler, Shorewall resets these options on all interfaces then sets the option on those interfaces for which the option is defined in /etc/shorewall/interfaces. Under Shorewall-perl, these options can be specified with the value 0 or 1 (e.g., proxy_arp=0). If no value is specified, the value 1 is assumed. Shorewall will modify only the setting of those interfaces for which the option is specified and will set the option to the given value. A fatal compilation error is also generated if you specify one of these options with a wildcard interface (one ending with '+'). r) The LOG_MARTIANS and ROUTE_FILTER options are now tri-valued in Shorewall-perl. Yes - Same as before No - Same as before except that it applies regardless of whether any interfaces have the logmartians/routefilter option Keep - Shorewall ignores the option entirely (which is the default). s) Support has been added to Shorewall-perl for the 'optional' option in /etc/shorewall/interfaces. This option is recognized by Shorewall-perl but not by Shorewall-shell. When 'optional' is specified for an interface, Shorewall will be silent when: - a /proc/sys/net/ipv4/conf/ entry for the interface cannot be modified (including for proxy ARP). - The first address of the interface cannot be obtained. I specify 'optional' on interfaces to Xen virtual machines that may or may not be running when Shorewall is [re]started. CAUTION: Use 'optional' at your own risk. If you [re]start Shorewall when an 'optional' interface is not available and then do a 'shorewall save', subsequent 'shorewall restore' and 'shorewall -f start' operations will instantiate a ruleset that does not support that interface, even if it is available at the time of the restore/start. t) Shorewall-perl validates all IP addresses and addresses ranges in rules. DNS names are resolved and an error is issued for any name that cannot be resolved. u) Shorewall-perl checks configuration files for the presense of characters that can cause problems if they are allowed into the generated firewall script: - Double Quotes. These are prohibited, except in the shorewall.conf and params files. - Single Quotes. These are prohibited, except in the shorewall.conf and params files and in COMMENT lines. - Single back quotes. These are prohibited, except in the shorewall.conf and params files. - Backslash. Prohibited, except as the last character on a line to denote line continuation. v) Under Shorewall-perl, macros may invoke other macros with the restriction that such macros may not be invoked within an action body. When marcros are invoked recursively, the parameter passed to an invocation are automatically propagated to lower level macros. Macro invocations may be nested to a maximum level of 5. w) The PKTTYPE option is ignored by Shorewall-perl. Shorewall-perl will use Address type match if it is available; otherwise, it will behave as if PKTTYPE=No had been specified. x) Shorewall-perl detects dead policy file entries that result when an entry is masked by an earlier more general entry. Example: all all REJECT info loc net ACCEPT y) In the SOURCE column of the rules file, when an interface name is followed by a list of IP addresses, the behavior of Shorewall-perl differs from that of Shorewall-shell. Example: ACCEPT loc:eth0:192.168.1.3,192.168.1.5 $FW tcp 22 With Shorewall-shell, this rule accepts SSH connection to the firewall from 192.168.1.3 through eth0 or from 192.168.1.5 through any interface. With Shorewall-perl, the rule accepts SSH connections through eth0 from 192.168.1.3 and through eth0 from 192.168.1.5. Shorewall-shell supports this syntax that gives the same result as Shorewall-perl. ACCEPT loc:eth0:192.168.1.3,eth0:192.168.1.5 ... Shorewall-perl does not support this alternative syntax. ------------------------------------------------------------------------ P R E R E Q U I S I T E S ------------------------------------------------------------------------ - Perl (I use Perl 5.8.8 but other versions should work fine) - Perl Cwd Module - Perl File::Basename Module - Perl File::Temp Module - Perl Getopt::Long Module - Perl FindBin Module - Perl Scalar::Util Module ------------------------------------------------------------------------ U S I N G T H E N E W C O M P I L E R ------------------------------------------------------------------------ If you only install one compiler, then that compiler will be used. If you install both compilers, then the compiler actually used depends on the SHOREWALL_COMPILER setting in shorewall.conf. The value of this new option can be either 'perl' or 'shell'. If you add 'SHOREWALL_COMPILER=perl' to /etc/shorewall/shorewall.conf then by default, the new compiler will be used on the system. If you add it to shorewall.conf in a separate directory (such as a Shorewall-lite export directory) then the new compiler will only be used when you compile from that directory. If you only install one compiler, it is suggested that you do not set SHOREWALL_COMPILER. You can also select the compiler to use on the command line using the 'C option: '-C shell' means use the shell compiler '-C perl' means use the perl compiler The -C option overrides the setting in shorewall.conf. Example: shorewall restart -C perl 2) Thanks to Paul Gear, an IPPServer macro has been added. Be sure to read the comments in the macro file before trying to use this macro. 3) Earlier generations of Shorewall Lite required that remote root login via ssh be enabled in order to use the 'load' and 'reload' commands. Beginning with this release, you may define an alternative means for accessing the remote firewall system. Two new options have been added to shorewall.conf: RSH_COMMAND RCP_COMMAND The default values for these are as follows: RSH_COMMAND: ssh ${root}@${system} ${command} RCP_COMMAND: scp ${files} ${root}@${system}:${destination} Shell variables that will be set when the commands are envoked are as follows: root - root user. Normally 'root' but may be overridden using the '-r' option. system - The name/IP address of the remote firewall system. command - For RSH_COMMAND, the command to be executed on the firewall system. files - For RCP_COMMAND, a space-separated list of files to be copied to the remote firewall system. destination - The directory on the remote system that the files are to be copied into. 4) The accounting, masq, rules and tos files now have a 'MARK' column similar to the column of the same name in the tcrules file. This column allows filtering by MARK and CONNMARK value (CONNMARK is only accepted under Shorewall Perl). 5) SOURCE and DEST are now reserved zone names to avoid problems with bi-directional macro definitions which use these as names as key words. 6) The "shorewall show zones" command now flags zone members that have been added using "shorewall add" by preceding them with a plus sign ("+"). Example: Shorewall 3.9.4 Zones at gateway - Mon May 14 07:48:16 PDT 2007 fw (firewall) net (ipv4) eth0:0.0.0.0/0 loc (ipv4) br0:0.0.0.0/0 eth4:0.0.0.0/0 eth5:0.0.0.0/0 +eth1:0.0.0.0/0 dmz (ipv4) eth3:0.0.0.0/0 vpn (ipv4) tun+:0.0.0.0/0 In the above output, "eth1:0.0.0.0/0" was dynamically added to the 'loc' zone. As part of this change, "shorewall delete" will only delete entries that have been added dynamically. In earlier versions, any entry could be deleted although the ruleset was only changed by deleting entries that had been added dynamically. 7) The 'shorewall version' command now lists the version of the installed compiler(s) if the -a option is used: gateway:/bulk/backup # shorewall version -a 4.0.0-Beta1 Shorewall-shell 4.0.0-Beta1 Shorewall-perl 4.0.0-Beta1 gateway:/bulk/backup # 8) The Perl compiler is externalized. Both the compiler.pl program and the Perl Module interface are documented. The compiler program is /usr/share/shorewall-perl/compiler.pl: compiler.pl [ <option> ... ] [ <filename> ] If a <filename> is given, then the configuration will be compiled output placed in the named file. If <filename> is not given, then the configuration will simply be syntax checked. Options are: -v <verbosity> --verbosity=<verbosity> The <verbosity> is a number between 0 and 2 and corresponds to the VERBOSITY setting in shorewall.conf. This setting controls the verbosity of the compiler itself. -e --export If given, the configuration will be compiled for export to another system. -d <directory> --directory=<directory> If this option is omitted, the configuration in /etc/shorewall is compiled/checked. Otherwise, the configuration in the named directory will be compiled/checked. -t --timestamp If given, each progress message issued by the compiler and by the compiled program will be timestamped. --debug If given, when a warning or error message is issued, it is supplimented with a stack trace. Requires the Carp Perl module. --refresh=<chainlist> If given, the compiled script's 'refresh' command will refresh the chains in the comma-separated <chainlist> rather than 'blacklst'. Example (compiles the configuration in the current directory generating a script named 'firewall' and using VERBOSITY 2). /usr/share/shorewall-perl/compiler.pl -v 2 -d . firewall The Perl Module is externalized as follows: use lib '/usr/share/shorewall-perl'; use Shorewall::Compiler; compiler $filename, $directory, $verbose, $options $chains The arguments to the compiler function are as follows: $filename - Name of the compiled script to be created. If the arguments evaluates to false, the configuration is syntax checked $directory - The directory containing the configuration. If passed as '', then /etc/shorewall/ is assumed. $verbose - The verbosity level (0-2). $options - A bitmap of options. Shorewall::Compiler exports two constants to help building this argument: EXPORT = 0x01 TIMESTAMP = 0x02 DEBUG = 0x04 $chains - A comma-separated list of chains that the generated script's 'refresh' command will reload. The compiler raises an exception with 'die' if it encounters an error; $@ contains the 'ERROR' messages describing the problem. The compiler function can be called repeatedly with different inputs. 9) When TC_ENABLED=Internal, Shorewall-perl now validates classids in the MARK/CLASSIFY column of /etc/shorewall/tcrules against the classes generated by /etc/shorewall/tcclasses. 10) Tuomo Soini has contributed bi-directional macros for various tunnel types: IPsecah GRE IPsec IPIP IPsecnat L2TP 11) The -f option is no longer the default when Shorewall is started at boot time (usually via /etc/init.d/shorewall). With Shorewall-perl, "shorewall start" is nearly as fast as "shorewall restore" and "shorewall start" uses the current configuration which avoids confusion. 12) The implementation of LITEDIR has always been unsatisfactory. Furthermore, there have been other cases where people have asked to be able to designate the state directory (default /var/lib/shorewall[-lite]). To meet these objectives: a) The LITEDIR variable has been eliminated in /usr/share/shorewall[-lite]/configpath. b) A new file /etc/shorewall[-lite]/vardir has been added. This file is not created by default but may be added as needed. It is expected to contain a single variable assignment: VARDIR=<directory> Example: VARDIR=/root/shorewall To change VARDIR, copy the old directory to the new one before you restart Shorewall[-lite]. To use this feature with Shorewall-lite, all packages involved (compiler, shorewall-common and shorewall-lite) must be version 4.0.0-RC2 or later. Problems Corrected in Shorewall 4.0.14. 1) If 'all-' appears in the DEST column of /etc/shorewall/rules and the SOURCE column is not some form of 'all', then $FW was incorrectly included in the DEST. 2) A bashism has been corrected in the init script shipped for Debian and Debian-like distributions which prevented the proper options from being passed to /sbin/shorewall or /sbin/shorewall-lite in some cases. Other changes in Shorewall 4.0.14. 1) Beginning with Shorewall 4.0.0, the -f option was no longer the default for '/etc/init.d/shorewall start'. Beginning with 4.0.13, this is also true for Shoreawall-lite. 2) A macro supporting RNDC (BIND remote management protocol) traffic has been added. It can be used as any other macro (e.g., RNDC/ACCEPT) in the rules file. Problems corrected in Shorewall 4.0.13. 1) When DYNAMIC_ZONES=Yes, certain configurations would produce an invalid /var/lib/shorewall/chains file at run-time. The invalid file contents resulted in errors during processing of the "shorewall add" command. 2) The 4.0.11 change which defers setting up ip forwarding until the rules are in place did not handle the 'restore' command correctly. So if '-f' is specified to the 'start' command and there is a saved configuration, the setting of ip forwarding will not be changed. Problems corrected in Shorewall-perl 4.0.13. 1) Previously, when the COPY column of /etc/shorewall/providers contained one or more interface names, Shorewall-perl was not adding the interface in the INTERFACE column to those interfaces being copied. This has been corrected. Problems corrected in Shorewall-shell 4.0.12. 1) When 'norfc1918' was specified on an interface with an RFC 1918 IP address, the compiled script would terminate without changing the state of the firewall. Under these circumstances, the script now issues a warning message and continues. Problems corrected in Shorewall-perl 4.0.12. 1) A value of 0 in the IN-BANDWITCH column of the tcdevices file caused Shorewall-perl to divide by zero. 2) Except in /etc/shorewall/hosts, ipset names may now be preceded by '!' to specify that matching IP addresses are not members of the set. Problems corrected in Shorewall 4.0.11. 1) Previously, when IP_FORWARDING=Yes in shorewall.conf, Shorewall would enable ip forwarding before instantiating the rules. This could lead to incorrect connection tracking entries being created between the time that forwarding was enabled and when the nat table rules were instantiated. Beginning with Shorewall 4.0.11, enabling of forwarding is deferred until after the rules are in place. 2) If /etc/shorewall/vardir is used to move Shorewall's state directory from /var/lib/shorewall, then the 'stop' will not delete IP addresses added by ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes nor will it delete proxy ARP entries. 3) The init script on Debian now reads and utilizes the value of the OPTIONS variable from /etc/default/shorewall[-lite]. Previously, the value of that variable was not passed to the shorewall[-lite] command. Problems corrected in Shorewall-perl 4.0.11. 1) If both the ESTABLISHED and RELATED sections were present then each connection through chains controlled by a RATE/LIMIT in /etc/shorewall/policies was counted twice toward the limit. 2) If DYNAMIC_ZONES=Yes and an entry in /etc/shorewall/hosts for an IPv4 zone specified 'ipsec', dynamic IPSEC zone members were mis-handled by the generated ruleset. 3) Previously, Shorewall-perl did not handle rates expressed in bytes/second properly: - The 'bps' suffix was not recognized - The result was not rounded to the nearest kbit 4) If ADMINISABSENTMINDED=No, entries in /etc/shorewall/routestopped are mis-handled. 5) Shorewall-perl now accepts upper case A through F in the MARK column of the tcclasses file when the mark value is expressed in hex. Previously, only lower-case A through F were accepted. Problems corrected in Shorewall-perl 4.0.10. 1) Shorewall-perl 4.0.9 erroneously reported an error message when a bridge port was defined in /etc/shorewall/interfaces: ERROR: Your iptables is not recent enough to support bridge ports 2) Under Shorewall-perl, if an empty action was invoked or was named in one of the DEFAULT_xxx options in shorewall.conf, an iptables-restore error occured. 3) If $ADMIN was empty, then the rule: ACCEPT loc:$ADMIN all became ACCEPT loc net It is now flagged as an error. 4) Previously, Shorewall-perl would reject an IP address range in the ecn and routestopped files. 5) A POLICY of ":" in /etc/shorewall/policy would produce Perl run-time errors. 6) An INTERFACE of ":" in /etc/shorewall/interfaces would produce Perl run-time errors. 7) A MARK of ":" in /etc/shorewall/tcrules would produce Perl run-time errors. Problems corrected in Shorewall-shell 4.0.10. 1) Specifying a value for ACCEPT_DEFAULT or QUEUE_DEFAULT resulted in a fatal error at compile time. Other changes in 4.0.10. 1) The Sample configurations have been updated to set LOG_MARTIANS=keep. In 4.2, this will be changed to LOG_MARTIANS=Yes. 2) Shorewall-perl now generates a fatal error if a non-existant shell variable is used in any configuration file (except /etc/shorewall/params). 3) Shorewall-perl now supports an 'l2tp' tunnel type. It opens UDP port 1701 in both directions and assumes that the source port will also be 1701. Some implementations (particularly OS X) use a different source port. In that case, you should use 'generic:udp:1701' rather than 'l2tp'. Problems corrected in Shorewall-perl 4.0.9 1) If a zone was defined with exclusion in /etc/shorewall/hosts, then the rules generated for directing outgoing connections to the zone were incorrect. Example: /etc/shorewall/zones: z ipv4 /etc/shorewall/interfaces: - eth2 /etc/shorewall/hosts: z eth2:192.168.1.0/24!192.168.1.5 Traffic from the firewall to 192.168.1.5 was incorrectly classified as $FW->z. 2) Qualifying 'SOURCE' and 'DEST' with an IP address in a macro file caused 'SOURCE' or 'DEST' to be interpreted incorrectly as the name of an interface. Example: PARAM DEST SOURCE:224.0.0.22 3) Specifying '!<user>' in the USER/GROUP column of the files that support it resulted in an invalid iptables rule under Shorewall-perl. 4) Previously, Shorewall would accept both an interface and an IP address in tcrules POSTROUTING entries (such as CLASSIFY). Example: 1:11 eth1:192.168.4.9 - tcp 22 It also allowed both a destination interface and address. Example: 1:P - eth1:192.168.4.9 tcp 22 Because Netfilter does not allow an input interface to be specified in POSTROUTING or an output interface to be specified in PREROUTING, Shorewall must use the routing table to generate a list of networks accessed through any interface specified in these cases. Given that a specific address (or set of addresses) has already been specified, it makes no sense qualify it (them) by another list of addresses. 5) Shorewall-perl incorrectly generated a fatal error when ':C', ':T' or ':CT' was used in a tcrules entry that gave $FW as the SOURCE. 6) Users have been confused about this error message: ERROR: Bridge Ports require Repeat match in your kernel and iptables The message has been replaced with: ERROR: Your iptables is not recent enough to support bridge ports The minimum version required is 1.3.8. Problems corrected in Shorewall-shell 4.0.9. 1) An optimization added to Shorewall-shell in 4.0.0 has been backed out to work around a limitation of Busybox 'sed'. 2) Previously, specifying both an interface and an address in the tcrules DEST column would cause an incomplete rule to be generated. Example: 1 192.168.1.4 eth2:206.124.146.177 tcp 22 The resulting tcrule would be as if this had been specified: 1 0.0.0.0/0 eth2:206.124.146.177 tcp 22 3) When HIGH_ROUTE_MARKS=Yes, the routing rules generated to match fwmarks to routing tables previously overflowed the designated range defined for such marks (10000 - 11000). Other changes in 4.0.9. 1) The Shorewall-perl now flags unprintable garbage characters in configuration files with the message: ERROR: Non-ASCII gunk in file 2) The /usr/share/shorewall/modules file has been updated to reflect module renaming in kernel 2.6.25. 3) The 'ip route replace' command is broken in kernel 2.6.24. To work around this problem, the undocumented option BROKEN_ROUTING has been added to shorewall.conf. The default is BROKEN_ROUTING=No. If you are experiencing 'File Exists' errors from 'ip route replace' commands, then add the following line to your shorewall.conf: BROKEN_ROUTING=Yes Note: This workaround is only available in Shorewall-perl. Problems corrected in Shorewall-perl 4.0.8. 1) Mark tests (such as in the TEST column of tcrules or the MARK column of the rules file) were ignoring the value 0. As part of this fix, the default mask generated by entries in these columns has been changed from 0xFF to 0xFFFF for compatibility with Shorewall-shell. 2) The compilation date recorded in the firewall.conf file produced by Shorewall-perl was previously mangled. 3) The ability to specify a DEST IP range (round-robin) in a DNAT rule has been restored. In versions 4.0.5 - 4.0.7, an IP range was incorrectly flagged as an error. Problems corrected in Shorewall-shell 4.0.8. 1) Shorewall-shell now properly parses comma separated SOURCE (formerly SUBNET) values in the masq configuration file. Previously, the comma separated list was not split up into its components, resulting in an invalid address being passed to the iptables command. Example: # /etc/shorewall/masq #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC eth0 192.168.2.1,192.168.2.3 Problems corrected in Shorewall-perl 4.0.7 1) If any of the following files was missing, a harmless Perl warning was issued: accounting maclist masq nat netmap rfc1918 routestopped tunnels This problem was experienced mostly by Debian users and users of Debian derivatives such as Ubuntu. 2) The iptables utility doesn't retry operations that fail due to resource shortage. Beginning with this release, Shorewall reruns iptables when such a failure occurs. 3) Previously, Shorewall-perl did not accept log levels in upper case (e.g., INFO). Beginning with 4.0.7, log levels are treated in a case-insensitive manner by Shorewall-perl. 4) The column headers in macro files were not aligned. This has been corrected, along with some inaccuracies in the macro.template file. 5) The shorewall.conf files in the Samples did not contain some recently-defined options. They are now up to date. 6) The names of the Jabber macros were shuffled. They are now named correctly. 7) If ADD_IP_ALIASES=Yes, an alias was incorrectly added when the specified INTERFACE ended with ":" (e.g., eth0:). 8) Shorewall-shell generated an incorrect iptables rule from the following: /etc/shorewall/rules: ACCEPT loc:eth0:~00-02-02-02-02-02 ... /etc/shorewall/tcrules: xxxx eth0:~00-02-02-02-02-02 ... Problems corrected in Shorewall-perl 4.0.6. 1) In a DNAT or REDIRECT rule, if no serverport was given and the DEST PORT(S) list contained a service name containing a hyphen ("-") then an ERROR was generated. Example -- Rules file: DNAT net loc:$WINDOWS_IP tcp https,pptp,ms-wbt-server,4125 Results in: ERROR: Invalid port range (ms:wbt:server) : rules (line 49) Problem was introduced in Shorewall 4.0.5 and does not occur in earlier releases. 2) If a long destination port list needed to be broken at a port pair, the generated rule contained an extra comma which resulted in an iptables-restore failure. 3) Several problems involving port ranges and port lists in REDIRECT rules have been corrected. 4) Shorewall-perl no longer requires an address in the GATEWAY column of /etc/shorewall/tunnels. If the column is left empty (or contains '-') then 0.0.0.0/0 is assumed. 5) Previously with Shorewall-perl, redirecting both STDOUT and STDERR to the same file descriptor resulted in scrambled output between the two. The error messages were often in the middle of the regular output far ahead of the point where the error occurred. This problem was possible in the Debian Shorewall init script (/etc/init.d/shorewall) which redirects output to the Debian-specific /var/log/shorewall-init.log file in this way: $SRWL $SRWL_OPTS start >> $INITLOG 2>&1 && ... 6) With both compilers, when HIGH_ROUTE_MARKS=Yes, unpredictable results could occur when marking in the PREROUTING or OUTPUT chains. When a rule specified a mark value > 255, the compilers were using the '--or-mark' operator rather than the '--set-mark' operator. Consequently, when a packet matched more than one rule, the resulting routing mark was the logical product of the mark values in the matching rules rather than the mark value from the last matching rule. Example: 0x100 192.168.1.44 0.0.0.0/0 0x200 0.0.0.0/0 0.0.0.0/0 tcp 25 A TCP packet from 192.168.1.44 with destination port 25 would have a mark value of 0x300 rather than the expected value of 0x200. 7) Previously, a 'start -f' on Shorewall Lite would produce the following distressing output before starting the firewall: make: *** No rule to make target `/firewall', needed by `/var/lib/shorewall-lite/restore'. Stop. Furthermore, the Makefile for both Shorewall and Shorewall Lite failed to take into account the /etc/shorewall/vardir file. This has been corrected. As part of the fix, both /sbin/shorewall and /sbin/shorewall-lite support a "show vardir" command that displays the VARDIR setting. 8) Shorewall-perl was previously ignoring the USER/GROUP column of the tcrules file. 9) Supplying the name of a built-in chain in the 'refresh' command caused entries in the chain to be duplicated. Since this is a feature of iptables-restore with the '-n' option, built-in chains in the 'refresh' list will now be rejected. Other changes in Shorewall 4.0.6. 1) Shorewall-perl now uses the '--physdev-is-bridged' option when it is available. This option will suppress messages like the following: kernel: physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore. This change only affects users who use bport/bport4 zones in a briged configuration and requires that capabilities files be regenerated using Shorewall-common or Shorewall-lite 4.0.6. 2) Shorewall-perl now allows you to embed Shell or Perl scripts in all configuration files except /etc/shorewall/params and /etc/shorewall/shorewall.conf (As always, you can continue to include arbitrary shell code in /etc/shorewall/params). To embed a one-line script, use one of the following: SHELL <shell script> PERL <perl script> For multi-line scripts, use: BEGIN SHELL <shell script> END SHELL BEGIN PERL <perl script> END PERL For SHELL scripts, the output from the script is processed as if it were part of the file. Example 1 (Shell): To generate SMTP/ACCEPT rules from zones a b c d and e to the firewall: Either: BEGIN SHELL for z in a b c d e; do echo SMTP/ACCEPT $z fw tcp 25 done END SHELL or SHELL for z in a b c d e; do echo SMTP/ACCEPT $z fw tcp 25; done Either is equivalent to: SMTP/ACCEPT a fw tcp 25 SMTP/ACCEPT b fw tcp 25 SMTP/ACCEPT c fw tcp 25 SMTP/ACCEPT d fw tcp 25 SMTP/ACCEPT e fw tcp 25 With a Perl script, if you want to output text to be processed as if it were part of the file, then pass the text to the shorewall() function. Example 2 (Perl): To generate SMTP/ACCEPT rules from zones a b c d and e to the firewall: BEGIN PERL for ( qw/a b c d e/ ) { shorewall "SMTP/ACCEPT $_ fw tcp 25"; } END PERL PERL scripts have access to any context accumulated in earlier PERL scripts. All such embedded Perl, as well as conventional Perl extension scripts are placed in the Shorewall::User package. That way, your global variables and functions won't conflict with any of Shorewall's. To allow you to load Perl modules and initialize any global state, a new 'compile' compile-time extension script has been added. It is called early in the compilation process. For additional information, see - http://www.shorewall.net/configuration_file_basics.html#Embedded 3) To complement Embedded Perl scripts, Shorewall 4.0.6 allows Perl scripts to create filter chains using Shorewall::Chains::new_manual_chain() and then use the chain as a target in subsequent entries in /etc/shorewall/rules. See http://www.shorewall.net/ManualChains.html for information. 4) The 'hits' command now accepts a -t option which limits the report to those log records generated today. 5) A DONT_LOAD option has been added to shorewall.conf. If there are kernel modules that you don't wish to have loaded, you can list them in this entry as a comma-separated list. Example: DONT_LOAD=nf_conntrack_sip,nf_nat_sip 6) Shorewall-perl now supports the --random option of the iptables SNAT, MASQUERADE, DNAT and REDIRECT targets. Please note that iptables support for this option is currently broken for the DNAT and REDIRECT targets; I've sent a patch to the Netfilter team. For MASQUERADE, simply place the word 'random' in the ADDRESS column. This causes Netfilter to randomize the source port seen by the remote host. Example: #INTERFACE SOURCE ADDRESS eth0 eth1 random For SNAT, follow the port list by ":random". Example: #INTERFACE SOURCE ADDRESS eth0 eth1 206.124.146.179:10000-10999:random For DNAT, follow the port list by ":random". Example: #ACTION SOURCE DEST PROTO DEST # PORT(S) DNAT net loc:192.168.1.4:40-50:random tcp 22 For REDIRECT, you must use the fully-qualified form of the DEST: #ACTION SOURCE DEST PROTO DEST # PORT(S) REDIRECT net $FW::40-50:random tcp 22 Note that ':random' is only effective with SNAT, DNAT and REDIRECT when a port range is specified in the ADDRESS/DEST column. It is ignored by iptables/iptables-restore otherwise. Problems corrected in Shorewall 4.0.5. 1) Previously, Shorewall-perl misprocessed $FW::<port> in the DEST column of a REDIRECT rule, generating an error. '$FW::<port>' now produces the same effect as '<port>'. 2) If the PROTOCOL (PROTO) column contained 'TCP' or 'UDP' and SOURCE PORT(S) or DEST PORT(S) were given, then Shorewall-perl rejected the entry with the error: ERROR: SOURCE/DEST PORT(S) not allowed with PROTO TCP : /etc/shorewall/rules The rule was accepted if 'tcp' or 'udp' was used instead. 3) Shorewall-shell now removes any default bindings of ipsets before attempting to reload them. Previously, default bindings were not removed with the result that the ipsets could not be destroyed. Other changes in Shorewall 4.0.5. 1) Two new options have been added to /etc/shorewall/hosts (Shorewall-perl only). broadcast: Permits limited broadcast (destination 255.255.255.255) to the zone. destonly: Normally used with the Multi-cast range. Specifies that traffic will be sent to the specified net(s) but that no traffic will be received from the net(s). Example: wifi eth1:192.168.3.0/24 broadcast wifi eth1:224.0.0.0/4 destonly In that example, limited broadcasts from the firewall with a source IP in the 192.168.3.0/24 range will be acccepted as will multicasts (with any source address). 2) A MULTICAST option has been added to shorewall.conf. This option will normally be set to 'No' (the default). It should be set to 'Yes' under the following circumstances: a) You have an interface that has parallel zones defined via /etc/shorewall/hosts. b) You want to forward multicast packets to two or more of those parallel zones. In such cases, you will configure a 'destonly' network on each zone receiving multicasts. The MULTICAST option is only recognized by Shorewall-perl and is ignored by Shorewall-shell. 3) As announced in the Shorewall 4.0.4 release notes, Shorewall-perl no longer supports the 'detectnets' option. Specifying that option now results in the following message: WARNING: Support for the 'detectnets' option has been removed It is suggested that 'detectnets' be replaced by 'routefilter,logmartians'. That will produce the same filtering effect as 'detectnets' while eliminating 1-2 rules per connection. One user has asked how to retain the output of 'shorewall show zones' if the 'detectnets' option is removed. While I don't advise doing so, you can reproduce the current 'shorewall show' behavior as follows. Suppose that you have a zone named 'wifi' that produces the following output with 'detectnets': wifi (ipv4) eth1:192.168.3.0/24 You can reproduce this behavior as follows: /etc/shorewall/interfaces: - eth1 detect ... /etc/shorewall/hosts: wifi eth1:192.168.3.0/24 broadcast If you send multicast to the 'wifi' zone, you also need this entry in your hosts file: wifi eth1:224.0.0.0/4 destonly 4) (Shorewall-perl only) The server port in a DNAT or REDIRECT rule may now be specified as a service name from /etc/services. Additionally: a) A port-range may be specified as the service port expressed in the format <low port>-<high port>. Connections are assigned to server ports in round-robin fashion. b) The compiler only permits a server port to be specified if the protocol is tcp or udp. c) The compiler ensures that the server IP address is valid (note that it is still not permitted to specify the server address as a DNS name). 5) (Shorewall-perl only) Users are complaining that when they migrate to Shorewall-perl, they have to restrict their port lists to 15 ports. In this release, we relax that restriction on destination port lists. Since the SOURCE PORT(s) column in the configuration files is rarely used, we have no plans to relax the restriction in that column. 6) There have been several cases where iptables-restore has failed while executing a COMMIT command in the .iptables_restore_input file. This gives neither the user nor Shorewall support much to go on when analyzing the problem. As a new debugging aid, the meaning of 'trace' and 'debug' have been changed. Traditionally, /sbin/shorewall and /sbin/shorewall-lite have allowed either 'trace' or 'debug' as the first run-line parameter. Prior to 4.0.5, the two words produced the same effect. Beginning with Shorewall 4.0.5, the two words have different effects when Shorewall-perl is used. trace - Like the previous behavior. In the Shorewall-perl compiler, generate a stack trace on WARNING and ERROR messages. In the generated script, sets the shell's -x option to trace execution of the script. debug - Ignored by the Shorewall-perl compiler. In the generated script, causes the commands in .iptables_restore_input to be executed as discrete iptables commands. The failing command can thus be identified and a diagnosis of the cause can be made. Users of Shorewall-lite will see the following change when using a script that was compiled with Shorewall-perl 4.0.5 or later. trace - In the generated script, sets the shell's -x option to trace execution of the script. debug - In the generated script, causes the commands in .iptables_restore_input to be executed as discrete iptables commands. The failing command can thus be identified and a diagnosis of the cause can be made. In all other cases, 'debug' and 'trace' remain synonymous. In particular, users of Shorewall-shell will see no change in behavior. WARNING: The 'debug' feature in Shorewall-perl is strictly for problem analysis. When 'debug' is used: a) The firewall is made 'wide open' before the rules are applied. b) The routestopped file is not consulted and the rules are applied in the canonical iptables-restore order (ASCIIbetical by chain). So if you need critical hosts to be always available during start/restart, you may not be able to use 'debug'. 7) /usr/share/shorewall-perl/buildports.pl, /usr/share/shorewall-perl/FallbackPorts.pm and /usr/share/shorewall-perl/Shorewall/Ports.pm have been removed. Shorewall now resolves protocol and port names as using Perl's interface to the the standard C library APIs getprotobyname() and getservbyname(). Note 1: The protocol names 'tcp', 'TCP', 'udp', 'UDP', 'all', 'ALL', 'icmp' and 'ICMP' are still resolved by Shorewall-perl itself. Note 2: Those of you running Shorewall-perl under Cygwin may wish to install "real" /etc/protocols and /etc/services files in place of the symbolic links installed by Cygwin. 8) The contents of the Shorewall::*::$VERSION variables are now a V-string (e.g., 4.0.5) rather than an integer (e.g., 4.05). This is only of interest for Perl programs that are using the modules and specifying a minimum version (e.g., "use Shorewall::Config 4.0.5;"). Each module continues to carry a separate version which indicates the release of Shorewall-perl when the module was last modified. Problems Corrected in Shorewall 4.0.4 1) If no interface had the 'blacklist' option, then when using Shorewall-perl, the 'start' and 'restart' command failed: ERROR: No filter chain found with name blacklst New Shorewall-perl 4.0.3 packages were released that corrected this problem; it is included here for completeness. 2) If no interface had the 'blacklist' option, then when using Shorewall-perl, the generated script would issue this harmless message during 'shorewall refresh': chainlist_reload: Not found 3) If /bin/sh was a light-weight shell such as ash or dash, then 'shorewall refresh' failed. 4) During start/restart, the script generated by Shorewall-perl was clearing the proxy_arp flag on all interfaces; that is not the documented behavior. 5) If the module-init-tools package was not installed and /etc/shorewall/modules did not exist or was non-empty, then Shorewall-perl would fail with the message: ERROR: Can't run lsmod : /etc/shorewall/modules (line 0) 6) Shorewall-perl now makes a compile-time check to insure that iptables-restore exists and is executable. This check is made when the compiler is being run by root and the -e option is not given. Note that iptables-restore must reside in the same directory as the iptables executable specified by IPTABLES in shorewall.conf or located by the PATH in the event that IPTABLES is not specified. 7) When using Shorewall-perl, if an action was invoked with more than 10 different combinations of log-levels/tags, some of those invocations would have incorrect logging. 8) Previously, when 'shorewall restore' was executed, the iptables-restore utility was always located using the PATH setting rather than the IPTABLES setting. With Shorewall-perl, the IPTABLES setting is now used to locate this utility during 'restore' as it is during the processing of other commands. 9) Although the shorewall.conf manpage indicates that the value 'internal' is allowed for TC_ENABLED, that value was previously rejected ('Internal' was accepted). 10) The meaning of the 'loose' provider option was accidentally reversed in Shorewall-perl. Rather than causing certain routing rules to be omitted when specified, it actually caused them to be added (these rules were omitted when the option was NOT specified). 11) If the 'bridge' option was specified on an interface but there were no bport zones, then traffic originating on the firewall was not passed through the accounting chain. 12) In commands such as: shorewall compile <directory> shorewall restart <directory> shorewall check <directory> if the name of the <directory> contained a period ("."), then Shorewall-perl would incorrectly substitute the current working directory for the name. 13) Previously, if the following sequence of routing rules was specified, then the first rule would always be omitted. #SOURCE DEST PROVIDER PRIORITY $SRC_A $DESTIP1 ISP1 1000 $SRC_A $DESTIP2 SOMEISP 1000 $SRC_A - ISP2 1000 The reason for this omission was that Shorewall uses a delete-before-add approach and attempting to delete the third rule resulted in the deletion of the first one instead. This problem occurred with both compilers. 14) When using Shorewall-shell, provider numbers were not recognized in the PROVIDER column of /etc/shorewall/route_rules. 15) An off-by-one problem in Shorewall-perl caused the value 255 to be rejected in the MARK column of /etc/shorewall/tcclasses. 16) When HIGH_ROUTE_MARKS=Yes, marks with values > 255 must be a multiple of 256. That restriction was being enforced by Shorewall-shell but not by Shorewall-perl. Shorewall-perl now also enforces this restriction. 17) Using REDIRECT with a parameterized macro (e.g., DNS/REDIRECT) failed with an "Unknown interface" error when using Shorewall-perl. Other Changes in Shorewall 4.0.4 1) The detection of 'Repeat Match' has been improved. 'Repeat Match' is not a match at all but rather is a feature of recent versions of iptables that allows a particular match to be used multiple times within a single rule. Example: -A foo -m physdev --physdev-in eth0 -m physdev --physdev-out ... When using Shorewall-shell, the availability of 'Repeat Match' can speed up compilation very slightly. 2) Apparently recent Fedora releases are broken. The following sequence of commands demonstrates the problem: ip rule add from 1.1.1.1 to 10.0.0.0/8 priority 1000 table 5 ip rule add from 1.1.1.1 to 0.0.0.0/0 priority 1000 table main ip rule del from 1.1.1.1 to 0.0.0.0/0 priority 1000 The third command should fail but doesn't; instead, it incorrectly removes the rule added by the first command. To work around this issue, you can set DELETE_THEN_ADD=No in shorewall.conf which prevents Shorewall from deleting ip rules before attempting to add a similar rule. 3) When using Shorewall-perl, the following message is now issued if the 'detectnets' option is specified in /etc/shorewall/interfaces: WARNING: Support for the 'detectnets' option will be removed from Shorewall-perl in version 4.0.5; better to use 'routefilter' and 'logmartians The 'detect' options has always been rather silly. On input, it duplicates the function of 'routefilter'. On output, it is a no-op since traffic that doesn't match a route out of an interface won't be sent through that interface (duh!). Beginning with Shorewall 4.0.5, the warning message will read: WARNING: Support for the 'detectnets' option has been removed Problems Corrected in 4.0.3 1) Using the LOG target in the rules file could result in two LOG rules being generated by Shorewall-shell. Additionally, using an IP address range in a rule that performed logging could result in an invalid iptables command. 2) Shorewall now loads the act_police kernel module needed by traffic shaping. 3) Previously, "shorewall show -f capabilities" and "shorecap" omitted the "TCPMSS Match" capability. This made it appear to a compiler using a capabilities file that the TCPMSS Match capability was not available. 4) Previously, Shorewall would truncate long log prefixes to 29 characters. This resulted in there being no space between the log prefix and the IN= part of the message. Example: fw2net:LOG:HTTPSoutIN= OUT=eth0 Beginning with this release, Shorewall will truncate the prefix to 28 bytes and add a trailing space. Example: fw2net:LOG:HTTPSou IN= OUT=eth0 5) Previously, if: - FASTACCEPT=No - The policy from Z1 to Z2 was CONTINUE - Neither Z1 nor Z2 had parent zones - There were no Z1->Z2 rules then connections from Z2->Z1 would fail even if there were rules/policies allowing them. This has been corrected. 6) The 'shorewall add' and 'shorewall delete' command would fail when: - The running configuration was compiled with Shorewall-perl. - The name of the interface specified in the command contained an embedded special character such as '.' or '-'. This problem was the result of the change in Shorewall 4.0.2 that removed the legacy mapping of interface names when embedding such names in a Netfilter chain name. To correct the problem, the pre-4.0.2 name mapping is restored when DYNAMIC_ZONES=Yes. 5) A bug in Shorewall-shell prevented proper handling of PREROUTING marks when HIGH_ROUTE_MARKS=No and the track option was specified in /etc/shorewall/providers. 6) With Shorewall-perl, if EXPORTPARAMS=Yes then INCLUDE directives in the params file would fail at script execution time with "INCLUDE: not found". This has been corrected. 7) Shorewall-perl was mis-sorting the zone list when zones were nested more than one deep. 8) Stale references to http://www.shorewall.net/Documentation.htm have been removed from the config files (including samples). That URL has been replaced by the online manpages. Other Changes in 4.0.3 1) A script generated by Shorewall-perl now tries to modify/restore /etc/iproute2/rt_tables only if the file is writable. This prevents run-time errors when /etc is mounted read-only. A new KEEP_RT_TABLES option has been added to shorewall.conf. When set to Yes, this option prevents Shorewall from altering the /etc/iproute2/rt_tables database. The KEEP_RT_TABLES option is only recognized by Shorewall-perl and is ignored by Shorewall-shell. 2) Shorewall-perl now requires the FindBin Perl module. 3) When an optional provider is not available, a script generated by Shorewall-perl will no longer add the corresponding routing rules. 4) A new 'isusable' extension script has been added. This script allows you to extend the availability test that Shorewall performs on optional providers. Here's an example that uses ping to ensure that the default gateways through eth0 and eth1 are reachable: case $1 in eth0) ping -c 4 -I eth0 206.124.146.254 > /dev/null 2>&1 return ;; eth1) ping -c 4 -I eth1 192.168.12.254 > /dev/null 2>&1 return ;; *) # Assume we don't need to do any additional testing # for this interface beyond Shorewall's return 0 ;; esac Additional information is available at http://www.shorewall.net/shorewall_extension_scripts.htm. 5) Processing of the message log in the 'show log', 'logwatch' and 'dump' commands has been speeded up thanks to a suggestion by Andrew Suffield. 6) Beginning with Shorewall 4.0, the shorewall 'stop', and 'clear' commands were processed by the generated script from the last successful 'start', 'restart' or 'refresh' command. This had the side effect that updates to the /etc/shorewall/routestopped file did not take effect until one of those three commands was successfully processed. Beginning with Shorewall 4.0.3, the old 3.x behavior is restored as the default and the 4.0 behavior is enabled using the '-f' command option. Example: shorewall stop -f 7) An 'mss' option has been added to the interfaces file. This option is only recognized by Shorewall-perl and causes Shorewall to set the MSS field in forwarded TCP SYN packets going in or out the interface to the value that you specify. Example: #ZONE INTERFACE BROADCAST OPTIONS vpn ppp0 - mss=1400 The mss option only affects incoming traffic that has not been decrypted by IPSEC and outgoing traffic that will not subsequently be encrypted by IPSEC. The MSS for IPSEC traffic is managed by the 'mss' option in /etc/shorewall/zones. 8) Shorewall now detects the presence of the 'hashlimit match' capability. There is no builtin support yet for hashlimit but detection allows extension scripts for user-supplied actions to determine if the capability exists. With Shorewall-shell, $HASHLIMIT_MATCH will be non-empty if the capability exists. With Shorewall-perl, $capabilities{HASHLIMIT_MATCH} will be true in a boolean context if the capability exists. Shorewall-perl users may also code the following in their extension script: use Shorewall::Config; require_capability( 'HASHLIMIT_MATCH', #Capability 'My hashlimit action' , #Feature requiring #capability 's' ); #Feature is singular #(if plural, pass the empty string) That call would procduce the following fatal error if the capability isn't available: ERROR: My hashlimit action requires the Hashlimit match capability in your kernel and iptables 9) NFQUEUE support has been added to Shorewall-perl. NFQUEUE may appear in actions, macros, rules and as a policy. When NFQUEUE is used by itself, queue number zero is assumed. To specify a queue number, follow NFQUEUE by a slash ("/") and the queue number. Examples (/etc/shorewall/rules): NFQUEUE loc net tcp #Queue number 0 NFQUEUE/22 loc net udp #Queue number 22 NFQUEUE/22:info loc net gre #With logging An NFQUEUE_DEFAULT option has been added to shorewall.conf for specifying the default action to use with NFQUEUE policies. Use of NFQUEUE requires the NFQUEUE Target capability in your kernel/iptables. If you intend to use NFQUEUE with Shorewall-lite, then you must install Shorewall-lite 4.0.3 in order to build a capabilities file that includes NFQUEUE Target. If your capabilities file was generated by a Shorewall/Shorewall-lite version earlier that 4.0.3, you will receive a warning during compilation. 10) The 'refresh' command can now refresh chains other than 'blacklst'. The syntax of the command is now: shorewall refresh [ <chain> ... ] If no <chain> is given then 'blacklst' is assumed. Otherwise, the Shorewall-perl compiler compiles a script whose 'refresh' command refreshes the listed <chain>(s). The listed chains are assumed to be in the filter table. You can refresh chains in other tables by prefixing the chain name with the table name followed by ":" (e.g., nat:net_dnat). Chain names which follow are assumed to be in that table until the end of the list or until an entry in the list names another table. This feature requires Shorewall-perl 4.0.3 as well as Shorewall-common 4.0.3. Problems corrected in 4.0.2 1) The Shorewall-perl compiler was still generating invalid iptables-restore input from entries in /etc/shorewall/ecn. 2) When using Shorewall-perl, unless an interface was specified as 'optional' in the interfaces file, the 'restore' command would fail if the routes through the interface or the addresses on the interface could not be detected. Route detection occurs when the interface is named in the SOURCE column of the masq file. Address detection occurs when DETECT_DNAT_IPADDRS=Yes and the interface is the SOURCE for a DNAT or REDIRECT rule or when 'maclist' is specified for the interface. Since the 'restore' command doesn't use the detected information, detection is now skipped if the command is 'restore'. 3) It was not previously possible to define traffic shaping on a bridge port; the generated script complained that the interface was not up and configured. 4) When Shorewall-shell was not installed, certain options in /etc/shorewall/interfaces and /etc/shorewall/hosts would cause the 'add' and 'delete' commands to fail with a missing library error. OPTION FILE maclist interfaces,hosts proxyarp interfaces 5) The /var/lib/shorewall/zones file was being overwritten during processing of the 'refresh' command by a script generated with Shorewall-perl. The result was that hosts previously added to dynamic zones could not be deleted after the 'refresh'. 6) If the file named as the output file in a Shorewall-perl 'compile' command was a symbolic link, the generated error message erroneously stated that the file's parent directory was a symbolic link. As part of this change, cosmetic changes were made to a number of other error messages. 7) Some intra-zone rules were missing when a zone involved multiple interfaces or when a zone included both IPSEC and non-IPSEC networks. 8) Shorewall was not previously loading the xt_multiport kernel module. 9) The Russian and French translations no longer have English headings on notes, cautions, etc.. 10) Previously, using a port list in the DEST PORT(S) column of the rules file or in an action file could cause an invalid iptables command to be generated by Shorewall-shell. 11) If there were no bridges in a configuration, Shorewall-perl would ignore the CHAIN column in /etc/shorewall/accounting. Other changes in 4.0.2 1) Shorewall-perl now detects when a port range is included in a list of ports and iptables/kernel support for Extended Multi-port Match is not available. This avoids an iptables-restore failure at run-time. 2) Most chains created by Shorewall-shell have names that can be embedded within shell variable names. This is a workaround for limitations in the shell programming language which has no equivalent to Perl hashes. Often chain names must have the name of a network interface encoded in them. Given that interface names can contain characters that are invalid in a shell variable name, Shorewall-shell performs a name mapping which was carried forward to Shorewall-perl: - Trailing '+' is dropped. - The characters ".", "-", "%' and "@" are translated to "_". This mapping has been elminated in the 4.0.2 release of Shorewall- perl. So where before you would see chain "eth0_0_in", you may now see the same chain named "eth0.0_in". Similarly, a chain previously named "ppp_fwd" may now be called "ppp+_fwd". 3) Shorewall-perl now uses the contents of the BROADCAST column in /etc/shorewall/interfaces when the Address Type match capability is not available. Problems corrected in 4.0.1. 1) The Shorewall Lite installer was producing an empty shorewall-lite manpage. Since the installer runs as part of creating the RPM, the RPM also suffered from this problem. The 4.0.0 Shorewall-lite packages were re-uploaded with this problem corrected. 2) The Shorewall Lite uninstaller incorrectly removed /sbin/shorewall rather than /sbin/shorewall-lite. 3) Both the Shorewall and Shorewall Lite uninstallers did a "shorewall clear" if Shorewall [Lite] was running. Now, the Shorewall Lite uninstaller correctly does "shorewall-lite clear" and both uninstallers only perform the 'clear' operation if the other product is not installed. This prevents the removal of one of the two products from clearing the firewall configuration established by the other one. 4) The 'ipsec' OPTION in /etc/shorewall/hosts was mis-handled by Shorewall-perl. If the zone type was changed to 'ipsec' or 'ipsec4' and the 'ipsec' option removed from the hosts file entry, the configuration worked properly. 5) If a CLASSID was specified in a tcrule and TC_ENABLED=No, then Shorewall-perl produced the following: Compiling... Use of uninitialized value in string ne at /usr/share/shorewall-perl/Shorewall/Tc.pm line 285, <$currentfile> line 18. ERROR: Class Id n:m is not associated with device eth0 : /etc/shorewall/tcrules (line 18) 6) If IPTABLES was not specified in shorewall.conf, Shorewall-perl was locating the binary using the PATH environmental variable rather than the PATH setting in shorewall.conf. If no PATH was available when Shorewall-perl was run and IPTABLES was not set in shorewall.conf, the following messages were issued: Use of uninitialized value in split at /usr/share/shorewall-perl/Shorewall/Config.pm line 1054. ERROR: Can't find iptables executable ERROR: Shorewall restart failed 7) If the "Mangle FORWARD Chain" capability was supported, entries in the /etc/shorewall/ecn file would cause invalid iptables commands to be generated. This problem occurred with both compilers. 8) Shorewall now starts at reboot after an upgrade from shorewall < 4.0.0. Previously, Shorewall was not started automatically at reboot after an upgrade using the RPM. 9) Shorewall-perl was generating invalid iptables-restore input when a log level was specified with the dropBcast and allowBcast builtin actions and when a log level followed by '!' was used with any builtin actions. 10) Shorewall-perl was incorrectly rejecting 'min' as a valid unit of time in rate-limiting specifications. 11) Certain errors occurring during start/restart/safe-start/safe-restart/try processing could cause the lockfile to be left behind. This resulted in a 60-second delay the next time one of these commands was run. Other changes in Shorewall 4.0.1. 1) A new EXPAND_POLICIES option is added to shorewall.conf. The option is recognized by Shorewall-perl and is ignored by Shorewall-shell. Normally, when the SOURCE or DEST columns in shorewall-policy(5) contains 'all', a single policy chain is created and the policy is enforced in that chain. For example, if the policy entry is #SOURCE DEST POLICY LOG # LEVEL net all DROP info then the chain name is 'net2all' which is also the chain named in Shorewall log messages generated as a result of the policy. If EXPAND_POLICIES=Yes, then Shorewall-perl will create a separate chain for each pair of zones covered by the policy. This makes the resulting log messages easier to interpret since the chain in the messages will have a name of the form 'a2b' where 'a' is the SOURCE zone and 'b' is the DEST zone. See http://linuxman.wikispaces.com/PPPPPPS for more information. 2) The Shorewall-perl dependency on the "Address Type Match" capability has been relaxed. This allows Shorewall 4.0.1 to be used on releases like RHEL4 that don't support that capability. 3) Shorewall-perl now detects dead policy file entries that result when an entry is masked by an earlier entry. Example: all all REJECT info loc net ACCEPT 4) Recent kernels are apparently hard to configure and we have been seeing a lot of problem reports where the root cause is the lack of state match support in the kernel. This problem is difficult to diagnose when using Shorewall-perl so the generated shell program now checks specifically for this problem and terminates with an error if the capability doesn't exist.