[Shorewall-users] Shorewall 5.0.14
Tom Eastep
2016-11-04 00:00:10 UTC
The Shorewall Team is pleased to announce the availability of
Shorewall 5.0.14.

Problems Corrected:

1) This release includes defect repair up through Shorewall 5.0.13.4.

2) When the address variable for an optional interface was used, and
the interface did not have an IP address when the firewall was
started, then enabling the interface did not previously
create/alter the rules that use the address variable. Also, if the
IP address of a disabled interface changed, enabling the interface
did not update/add rules using the interface's gateway address
variable.

Now, if the IP address of a disabled optional interface
changes from its value (if any) when the netfilter ruleset was
instantiated, then after a successful 'enable', the ruleset is
automatically reloaded if the interface's address variable was
used.

Similarly, if 'detect' is specified as the GATEWAY for an optional
provider, then if the gateway at the time that the provider is
successfully enabled is different from that (if any) when the
netfilter ruleset was instantiated, then the ruleset is
automatically reloaded if the provider interface's run-time gateway
variable was used.

As part of this change, if an IP address is specified as the
GATEWAY for a provider, then the run-time gateway variable for the
provider's interface is expanded at compile time rather than at
runtime.

Example:

#PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
foo 1 1 - eth0 1.2.3.4 primary -

Then %eth0 will be expanded at compile time to '1.2.3.4'.

3) Previously, the ADDRESS column in /etc/shorewall[6]/masq was
documented as allowing a list of addresses and/or address ranges.
That feature depended on iptables support which is no longer
present in current distributions. The code now disallows more than
one address[-range] and the documentation has been changed
accordingly.

New Features:

1) /etc/shorewall[6]/masq has been superseded by
/etc/shorewall[6]/snat. The new 'snat' file is similar to most of
the other configuration files in that the first column specifies
the ACTION to be performed, the second contains the SOURCE and so
on.

The 'shorewall[6] update' command will convert an existing masq
file into the equivalent 'snat' file and will rename masq to
masq.bak.

See shorewall[6]-snat(5) for details.

2) Actions (both inline and regular) are now supported out of the new
snat file. Like other actions, these 'SNAT actions' must be
declared in the /etc/shorewall[6]/actions file where the new 'nat'
option must be specified.

Like other actions, the action rules are placed in a file named
action.<action>. Those rules have the same format as those in the
snat file with two restrictions:

1. The '+' is not allowed in the ACTION column to specify that the
rules should be applied before one-to-one NAT. It must rather be
specified when the action is invoked.

2. Interface names are not permitted in the DEST column, so all of
the rules apply to the interface(s) specified when the action was
invoked.

Thank you for using Shorewall,

-The Shorewall Team
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
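As an added example (not Shorewall's own code) of the column layout the announcement describes, the following Python checker reads snat-format text, joins the backslash-continued lines of a masq-style address list, and flags rows whose SOURCE, DEST or PROTO columns do not parse; fed the kind of misaligned line reported later in this thread, it shows how one stray space shifts every following column. The column order follows this announcement; the interface-name pattern, the protocol set and the continuation-whitespace rule are my assumptions, and both inputs are constructed.

```python
import ipaddress
import re
# Column order of the 5.0.14 snat file described in the announcement; trailing
# columns may be omitted or given as '-'.
SNAT_COLUMNS = ("ACTION", "SOURCE", "DEST", "PROTO", "PORT", "IPSEC", "MARK",
                "USER", "SWITCH", "ORIGDEST", "PROBABILITY")
IFACE_RE = re.compile(r"^[A-Za-z][\w.:+-]*$")       # assumption: eth0, eth0:1.2.3.4, ...
PROTOS = {"-", "all", "tcp", "udp", "udplite", "sctp", "icmp", "ipv6-icmp"}  # assumption

def logical_lines(text):
    """Yield (first_lineno, rule_text): skip blanks/comments, join backslash-continued
    lines (assumption: a continuation's leading whitespace is dropped when joining)."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            start = no
            if not line or line.startswith("#"):
                continue
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        yield start, buf + line
        buf = ""

def check_snat(text):
    """Return a list of problems in snat-format text (empty when clean).
    Simplification: SOURCE is taken to be a plain list of addresses/CIDRs."""
    problems = []
    for no, line in logical_lines(text):
        cols = line.split()
        row = dict(zip(SNAT_COLUMNS, cols + ["-"] * (len(SNAT_COLUMNS) - len(cols))))
        for addr in row["SOURCE"].split(","):      # a stray space leaves a bare '1' here
            try:
                ipaddress.ip_network(addr, strict=False)
            except ValueError:
                problems.append(f"line {no}: SOURCE entry {addr!r} is not an address or CIDR")
        if row["DEST"] != "-" and not IFACE_RE.match(row["DEST"]):
            problems.append(f"line {no}: DEST {row['DEST']!r} is not an interface name")
        if row["PROTO"].lower() not in PROTOS and not row["PROTO"].isdigit():
            problems.append(f"line {no}: PROTO {row['PROTO']!r} is not a protocol")
    return problems

# Constructed inputs modelled on the two-interface sample quoted later in this thread.
GOOD_SNAT = """#ACTION      SOURCE              DEST
MASQUERADE   10.0.0.0/8,\\
             169.254.0.0/16,\\
             172.16.0.0/12,\\
             192.168.0.0/16      eth0
"""
BROKEN_SNAT = GOOD_SNAT.replace("192.168.0.0/16", "1 92.168.0.0/16")
```

Running `check_snat(BROKEN_SNAT)` reports three problems for the one rule (a bare `1` in SOURCE, `92.168.0.0/16` in DEST and `eth0` in PROTO), while `check_snat(GOOD_SNAT)` returns an empty list.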
Simon Matter
2016-11-04 07:28:35 UTC
Post by Tom Eastep
The Shorewall Team is pleased to announce the availability of
Shorewall 5.0.14.
Hi Tom and Team,

Thanks for the new release!

I just found a little issue, it can be seen by comparing the samples as
shown below. First I was trying what kind of flag the single "1" is, until
I found the obvious. Could this be related to a problem in the update
command? If so maybe it would be good to find a solution before people
just update blindly?

Thanks and Regards,
Simon

$ diff three-interfaces/snat two-interfaces/snat -Nau
--- three-interfaces/snat 2016-11-03 23:06:38.000000000 +0100
+++ two-interfaces/snat 2016-11-03 23:06:38.000000000 +0100
@@ -1,5 +1,5 @@
#
-# Shorewall - Sample SNAT/Masqueradee File for three-interface
configuration.
+# Shorewall - Sample SNAT/Masqueradee File for two-interface configuration.
# Copyright (C) 2006-2016 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
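Review bot: "Masqueradee" in the header comment is a typo for "Masquerade" on both the removed and the added line; since this hunk only rewords that comment, it is the place to fix it, e.g. `# Shorewall - Sample SNAT/Masquerade File for two-interface configuration.`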
@@ -15,9 +15,9 @@
###########################################################################################################################################
#ACTION SOURCE DEST
PROTO PORT IPSEC MARK USER SWITCH ORIGDEST
PROBABILITY
#
-# Rules generated from masq file
/home/teastep/shorewall/trunk/Shorewall/Samples/three-interfaces/masq by
Shorewall 5.0.13-RC1 - Sat Oct 15 11:43:47 PDT 2016
+# Rules generated from masq file
/home/teastep/shorewall/trunk/Shorewall/Samples/two-interfaces/masq by
Shorewall 5.0.13-RC1 - Sat Oct 15 11:41:40 PDT 2016
#
MASQUERADE 10.0.0.0/8,\
169.254.0.0/16,\
172.16.0.0/12,\
- 192.168.0.0/16 eth0
+ 1 92.168.0.0/16 eth0
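Review bot: the added line `+ 1 92.168.0.0/16 eth0` splits the network `192.168.0.0/16` with a stray space. Since the file is whitespace-separated (`#ACTION SOURCE DEST PROTO ...` in the header above), the SOURCE list assembled from the continued lines now ends in the bare token `1`, `92.168.0.0/16` shifts into DEST and `eth0` into PROTO, so the rule no longer expresses what the three-interface version does. Restore `192.168.0.0/16 eth0` as on the removed line.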
Tom Eastep
2016-11-04 15:31:05 UTC
Hi Simon,

That isn't a bug in 'update' -- I obviously did that when I
reformatted the two-interface snat file produced by 'update'. But
that error will affect new installs that use the two-interface sample,
so I will want to correct it in the next day or so :-(

Thanks for pointing it out.

-Tom
Simon Matter
2016-11-04 17:01:09 UTC
Post by Tom Eastep
Hi Simon,
That isn't a bug in 'update' -- I obviously did that when I
reformatted the two-interface snat file produced by 'update'. But
that error will affect new installs that use the two-interface sample,
so I will want to correct it in the next day or so :-(
Hi Tom,

While we are at it, and because it's the first time I tried the update
command, is it expected behavior that all params are evaluated and
replaced with the current values in the converted file?

Thanks,
Simon
Tom Eastep
2016-11-04 22:09:01 UTC
Post by Simon Matter
While we are at it, and because it's the first time I tried the
update command, is it expected behavior that all params are
evaluated and replaced with the current values in the converted
file?
Yes -- that is the expected behavior in all update scenarios.

-Tom