----------------------------------------------------------------------------
                   S H O R E W A L L  5 . 0 . 1 4 . 1
                        N o v e m b e r  0 7,  2 0 1 6
----------------------------------------------------------------------------

  I. PROBLEMS CORRECTED IN THIS RELEASE
 II. KNOWN PROBLEMS REMAINING
III. NEW FEATURES IN THIS RELEASE
 IV. MIGRATION ISSUES
  V. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES

----------------------------------------------------------------------------
    I. P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

5.0.14.1

1)  The two-interface sample 'snat' file in 5.0.14 contained a typo (a
    spurious '1' in the first column of the last line). That has been
    removed.

2)  Previously, when /proc/sys/net/xt_recent/ was empty, the 'show events'
    and 'dump' commands would cause a shell syntax error. That has been
    corrected.

5.0.14

1)  This release includes defect repair up through Shorewall 5.0.13.4.

2)  When the address variable for an optional interface was used, and the
    interface did not have an IP address when the firewall was started,
    then enabling the interface did not previously create/alter the rules
    that use the address variable. Also, if the IP address of a disabled
    interface changed, enabling the interface did not update/add rules
    using the interface's gateway address variable.

    Now, if the IP address of a disabled optional interface changes from
    its value (if any) when the netfilter ruleset was instantiated, then
    after a successful 'enable', the ruleset is automatically reloaded if
    the interface's address variable was used.
    Similarly, if 'detect' is specified as the GATEWAY for an optional
    provider, and the gateway at the time that the provider is
    successfully enabled is different from that (if any) when the
    netfilter ruleset was instantiated, then the ruleset is automatically
    reloaded if the provider interface's run-time gateway variable was
    used.

    As part of this change, if an IP address is specified as the GATEWAY
    for a provider, then the run-time gateway variable for the provider's
    interface is expanded at compile time rather than at run time.
    Example:

    #PROVIDER  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY  OPTIONS  COPY
    foo        1       1     -          eth0       1.2.3.4  primary  -

    Then %eth0 will be expanded at compile time to '1.2.3.4'.

3)  Previously, the ADDRESS column in /etc/shorewall[6]/masq was documented
    as allowing a list of addresses and/or address ranges. That feature
    depended on iptables support which is no longer present in current
    distributions. The code now disallows more than one address[-range]
    and the documentation has been changed accordingly.

----------------------------------------------------------------------------
           I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1)  On systems running Upstart, shorewall-init cannot reliably secure the
    firewall before interfaces are brought up.

2)  The 'enable', 'reenable' and 'disable' commands do not work correctly
    in configurations with USE_DEFAULT_RT=No and optional providers
    listed in the DUPLICATE column.

----------------------------------------------------------------------------
         I I I.  N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1)  /etc/shorewall[6]/masq has been superseded by /etc/shorewall[6]/snat.
    The new 'snat' file is similar to most of the other configuration
    files in that the first column specifies the ACTION to be performed,
    the second contains the SOURCE, and so on.
    The 'shorewall[6] update' command will convert an existing masq file
    into the equivalent 'snat' file and will rename masq to masq.bak. See
    shorewall[6]-snat(5) for details.

2)  Actions (both inline and regular) are now supported out of the new
    snat file. Like other actions, these 'SNAT actions' must be declared
    in the /etc/shorewall[6]/actions file, where the new 'nat' option
    must be specified. Like other actions, the action rules are placed in
    a file named action.<action-name>. Those rules have the same format
    as those in the snat file, with two restrictions:

    1. The '+' is not allowed in the ACTION column to specify that the
       rules should be applied before one-to-one NAT. It must rather be
       specified when the action is invoked.

    2. Interface names are not permitted in the DEST column, so all of
       the rules apply to the interface(s) specified when the action was
       invoked.

----------------------------------------------------------------------------
                  I V.  M I G R A T I O N   I S S U E S
----------------------------------------------------------------------------

1)  If you are migrating from Shorewall 4.4.x or earlier, please see
    http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.21/releasenotes.txt

2)  It is strongly recommended that you first upgrade your installation to
    a 4.6 release >= 4.6.12 prior to upgrading to Shorewall 5.0. Once you
    are on the Shorewall 4.6 release:

    - shorewall update -A

    If you also run Shorewall6:

    - shorewall6 update -A

    These steps are necessary because Shorewall 5.0:

    - Does not contain support for the 'tcrules' and 'tos' files --
      existing 'tcrules' and 'tos' files must be converted to an
      equivalent set of 'mangle' file entries.

    - Does not contain support for the 'blacklist' file -- it must be
      converted to an equivalent 'blrules' file.

    - Does not contain support for the 'notrack' file -- it must be
      converted to an equivalent 'conntrack' file.

    - Does not contain support for the 'routestopped' file -- it must be
      converted to an equivalent 'stoppedrules' file.
    Note that you can run the update command(s) after you upgrade to
    Shorewall 5, but your firewall will not work correctly until you do
    those update(s).

3)  The following configuration options have been eliminated:

    - EXPORTPARAMS
    - IPSECFILE
    - LEGACY_FASTSTART
    - LOGRATE *
    - LOGBURST *
    - WIDE_TC_MARKS *
    - HIGH_ROUTE_MARKS *
    - BLACKLISTNEWONLY *

    A fatal error results if those flagged with an asterisk ("*") appear in
    the .conf file -- run the 'shorewall[6] update' command to convert
    their settings to use supported options.

    A warning is issued if any of the rest appear in the .conf file.
    'shorewall[6] update' will drop them from the file.

4)  To make the command names more accurately reflect what they do,
    several changes have been included:

    a) Beginning with this release, the 'restart' command now does a true
       restart and is equivalent to a 'stop' followed by a 'start'.

    b) The pre-5.0.0 'load' command has been renamed 'remote_start'.

    c) The pre-5.0.0 'reload' command has been renamed 'remote_reload'.

    d) The 'reload' command now performs the same function as the
       pre-5.0.0 'restart' command.

    e) A 'remote_restart' command has been added to Shorewall and
       Shorewall6 to allow a remote 'restart' after updating the remote
       firewall system's compiled script.

    For those that can't get used to the idea of using 'reload' in place
    of 'restart', a RESTART option has been added. The option defaults to
    'reload' for compatibility with earlier releases. If set to
    'restart', then the 'restart' command does a true restart (stop
    followed by start).

5)  While the WORKAROUNDS setting is still present in the shorewall[6].conf
    file:

    a) Its default setting has been changed to No.

    b) All workarounds for old distributions have been eliminated.

6)  Beginning with Shorewall 5.0.0, all macros and actions are assumed to
    be FORMAT-2. FORMAT-1 macros and actions are no longer supported and
    will be silently processed as if they were FORMAT-2.
    For most macros and actions, this change will be of no concern, but
    it may cause compilation errors in rare cases. To review, FORMAT-1
    actions have the following columns:

        TARGET
        SOURCE
        DEST
        PROTO
        DEST PORT(S)
        SOURCE PORT(S)
        RATE
        USER/GROUP
        MARK

    FORMAT-1 macros have these columns:

        TARGET
        SOURCE
        DEST
        PROTO
        DEST PORT(S)
        SOURCE PORT(S)
        RATE
        USER/GROUP

    FORMAT-2 actions and macros, on the other hand, have:

        TARGET
        SOURCE
        DEST
        PROTO
        DEST PORT(S)
        SOURCE PORT(S)
        ORIGINAL DEST
        RATE
        USER/GROUP
        MARK
        CONNLIMIT
        TIME
        HEADERS (Only valid for IPv6)
        SWITCH
        HELPER

    To summarize, if your action or macro only uses the first 6 columns
    (which most do), then it will process fine as FORMAT-2. Otherwise, it
    must be modified to place specifications in the proper columns.

7)  COMMENT, FORMAT and SECTION lines must now begin with a question mark
    ("?"). The 'update' command will change all bare COMMENT, FORMAT and
    SECTION lines to include the question mark.

8)  Beginning with Shorewall 5.0.8, the IPv6 default treatment of Auth
    (TCP 113) is now consistent with IPv4; nothing special is done with
    these requests, so they are simply logged and dropped.

    IMPORTANT: If you want to continue to reject Auth requests, you can do
    so by changing your DROP_DEFAULT setting to make the second parameter
    REJECT. For example, if you currently have:

        DROP_DEFAULT=Drop

    you can change it to:

        DROP_DEFAULT="Drop(-,REJECT)"

----------------------------------------------------------------------------
       V.  N O T E S   F R O M   O T H E R   5 . 0   R E L E A S E S
----------------------------------------------------------------------------
         P R O B L E M S   C O R R E C T E D   I N   5 . 0 . 1 3
----------------------------------------------------------------------------

5.0.13.4

1)  DETECT_DNAT_IPADDRS=Yes in shorewall6.conf previously resulted in an
    incorrect test in the generated script (0.0.0.0 was used rather than
    ::). That has been corrected.
2)  Use of an inline mangle action could cause the compiler to fail with
    the following diagnostic:

        Use of uninitialized value in bitwise and (&) at
        /usr/share/shorewall/Shorewall/Rules.pm line 4826, <$currentfile>
        line 6.

    That has been corrected.

3)  Handling of ipsets in the tcfilters file has been corrected (Luigi).

4)  Previously, ipsets used in the tcfilters file were not auto-created.
    That has been corrected.

5)  Previously, the compiler would issue a Perl runtime diagnostic if a
    tcclasses entry with the 'occurs' option appeared before the entry
    with the 'default' option. That has been corrected (Luigi).

5.0.13.3

1)  When the effective verbosity was < 2 and the 'disconnect' option was
    specified in DYNAMIC_BLACKLIST, a successful 'blacklist' command would
    issue the following error message and would produce no other output:

        sed: -e expression #1, char 8: unknown command: `/'

5.0.13.2

1)  Fix number 1 in 5.0.13.1 uncovered a latent defect that was not
    discovered until after release. The defect caused the compiler to
    crash when all of the following were true:

    1) LOAD_HELPERS_ONLY=Yes and a capabilities file was not being used.
    2) SAVE_IPSETS=Yes or SAVE_IPSETS=ipv4 in shorewall.conf.
    3) Ipset-based dynamic blacklisting was being used.
    4) No other ipset-based rules appeared in the configuration.

    This defect has been corrected.

5.0.13.1

1)  Previously, Shorewall ipset creation could fail on older releases,
    such as CentOS 6, with a message similar to the following:

        WARNING: ipset lvpn does not exist; creating it as an hash:net set
        ipset v6.11: Unknown argument: `counters'
        Try `ipset help' for more information.

    That problem has been corrected so that the ipset is now created
    successfully.

2)  Another problem with the DEST column in inline mangle action bodies
    has been corrected.

5.0.13

1)  This release contains defect repair from 5.0.12.1.

2)  The compiler now detects shell metacharacters in interface names
    defined in /etc/shorewall[6]/interfaces.
    Previously, such characters could cause runtime failures in the
    generated script.

3)  Previously, the compiler ignored DEST column entries in inline mangle
    action bodies. That value is now used unless it is '-', in which case
    the DEST column value in the action invocation is used.

----------------------------------------------------------------------------
             N E W   F E A T U R E S   I N   5 . 0 . 1 3
----------------------------------------------------------------------------

1)  A 'disconnect' option has been added to the DYNAMIC_BLACKLIST setting.
    The option is only accepted for ipset-based dynamic blacklisting and
    requires that the 'conntrack' utility be installed. See
    shorewall[6].conf(5) for details.

    With this option, when an address is blacklisted using the 'blacklist'
    command, the conntrack utility is used to break all connections from
    that address. If the 'src-dst' option is also specified in the
    BLACKLIST setting, then all connections to the address are also
    broken.

    If the effective VERBOSITY is greater than 0, then a message is
    displayed that indicates the number of flows deleted by the command.
    If the effective VERBOSITY is 2, the conntrack entries deleted by the
    command are also displayed.

    This option is more efficient for packet processing than including
    the ESTABLISHED state in the BLACKLIST setting.

2)  A 'timeout' option has been added to the DYNAMIC_BLACKLIST setting.
    The option is only accepted for ipset-based dynamic blacklisting and
    causes entries in the blacklist ipset to be automatically deleted if
    they are not matched within a specified time. See shorewall[6].conf(5)
    for details.

3)  A new FIREWALL option has been added to shorewall[6].conf. This option
    is intended to be used on an administrative system in configurations
    of remote firewalls. It defines the DNS name or IP address of the
    remote system so that the system name does not have to be given in
    the remote-start, remote-reload and remote-restart commands. See
    shorewall[6](8) for details.
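    The following Python example is added here to illustrate what the
    'disconnect' option in 1) above does to the connection-tracking table;
    it is not part of Shorewall, which performs this step by invoking the
    conntrack utility. It parses 'conntrack -L' style lines (the sample
    table is constructed, not captured from a real host), selects the
    flows that blacklisting an address would break in 'src' and 'src-dst'
    mode, builds the equivalent conntrack deletion commands without
    running them, and produces the VERBOSITY-dependent report described
    above. The function names are the example's own.

```python
"""Which conntrack flows does blacklisting an address break?

Added illustration, not Shorewall's code. Shorewall shells out to the
conntrack utility; here the selection is modelled offline so that the
'src' versus 'src-dst' difference can be seen on sample data.
"""
import re

# Constructed sample of 'conntrack -L' output (not captured from a real
# host). Each line carries the original-direction tuple (src=, dst=) first
# and the reply-direction tuple second.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=203.0.113.77 dst=192.0.2.10 sport=51522 dport=22 src=192.0.2.10 dst=203.0.113.77 sport=22 dport=51522 [ASSURED] mark=0 use=1
tcp      6 299 ESTABLISHED src=192.0.2.10 dst=203.0.113.77 sport=40000 dport=443 src=203.0.113.77 dst=192.0.2.10 sport=443 dport=40000 [ASSURED] mark=0 use=1
udp      17 29 src=192.0.2.10 dst=198.51.100.53 sport=33333 dport=53 src=198.51.100.53 dst=192.0.2.10 sport=53 dport=33333 mark=0 use=1
tcp      6 431999 ESTABLISHED src=203.0.113.77 dst=192.0.2.20 sport=51523 dport=80 src=192.0.2.20 dst=203.0.113.77 sport=80 dport=51523 [ASSURED] mark=0 use=1
"""

# Captures the protocol and the FIRST (original-direction) src=/dst= pair.
_ORIG = re.compile(r"^(?P<proto>\w+)\s+\d+\s+.*?src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


def parse_flows(table):
    """Return [(proto, orig_src, orig_dst), ...] for each conntrack line."""
    flows = []
    for line in table.splitlines():
        m = _ORIG.match(line)
        if m:
            flows.append((m["proto"], m["src"], m["dst"]))
    return flows


def flows_to_delete(flows, address, mode="src"):
    """Flows that blacklisting 'address' would break.

    'src'     -> flows whose original source is the address
    'src-dst' -> additionally, flows whose original destination is it
    """
    if mode not in ("src", "src-dst"):
        raise ValueError("mode must be 'src' or 'src-dst'")
    selected = [f for f in flows if f[1] == address]
    if mode == "src-dst":
        selected += [f for f in flows if f[2] == address and f[1] != address]
    return selected


def disconnect_commands(address, mode="src"):
    """conntrack invocations equivalent to the selection above.

    '-s' (--orig-src) matches the original source, '-d' (--orig-dst) the
    original destination; '-D' deletes every matching entry.
    """
    cmds = [["conntrack", "-D", "-s", address]]
    if mode == "src-dst":
        cmds.append(["conntrack", "-D", "-d", address])
    return cmds


def disconnect_report(flows, address, mode="src", verbosity=1):
    """Lines a 'blacklist' command would print: the flow count when
    verbosity > 0, plus the deleted entries themselves when verbosity >= 2."""
    selected = flows_to_delete(flows, address, mode)
    lines = []
    if verbosity > 0:
        lines.append(f"{len(selected)} flow(s) deleted")
    if verbosity >= 2:
        lines.extend(f"{p} {s} -> {d}" for p, s, d in selected)
    return lines


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_CONNTRACK)
    for mode in ("src", "src-dst"):
        print(mode, disconnect_commands("203.0.113.77", mode))
        print("\n".join(disconnect_report(flows, "203.0.113.77", mode, 2)))
```

    On the sample table, 'src' mode breaks the two inbound sessions from
    203.0.113.77 while 'src-dst' also breaks the session the firewall
    itself opened towards that address; the unrelated DNS flow is left
    alone in both modes.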
4)  Shorewall6 now allows more than one provider to specify the 'balance'
    or 'fallback' options.

5)  When using port numbers (as opposed to service names), the hyphen
    ("-") is now accepted as the separator in port ranges. When service
    names are used, the colon (":") must still be used.

----------------------------------------------------------------------------
         P R O B L E M S   C O R R E C T E D   I N   5 . 0 . 1 2
----------------------------------------------------------------------------

1)  Minor cleanup, mostly commentary, in the Rules.pm module.

2)  In Shorewall 5.0.7, the assumed 'use Shorewall::Config(shorewall)'
    statement in ?PERL and ?BEGIN PERL...?END PERL handling was
    inadvertently removed. This resulted in Perl compilation errors if the
    'shorewall' function was invoked. The statement has now been restored.

3)  Previously, the firewall would fail to start if the configuration
    contained a CHECKSUM rule without a chain designator and
    MARK_IN_FORWARD_CHAIN=No. Now, the compiler defaults these rules to
    the POSTROUTING chain and forbids them in the PREROUTING chain.

4)  Recently, a case was observed where certain incoming packets had a
    non-zero packet mark in the raw PREROUTING chain, causing them to be
    misrouted. To guard against this issue, packet marks are now cleared
    at the top of the PREROUTING and OUTPUT mangle chains when the new
    ZERO_MARKS option is set to Yes. Note that ZERO_MARKS=Yes can break
    IPSEC in multi-ISP configurations.

5)  Two distinct problems have been corrected in the 'disable' command
    logic:

    a) If a balanced or fallback interface was down or had been deleted,
       then the 'disable' command could fail.

    b) If a persistent optional interface was down, then the generated
       script would fail when it attempted to add routes out of the
       interface.

6)  Previously, the generated script would attempt to reenable a disabled
    persistent provider at each 'start', 'reload' or 'restart'.
    Now, disabled persistent providers are handled the same as other
    providers and require the 'enable' or 'reenable' command to enable
    them.

7)  Previously, the generated script assumed that all probability-balanced
    providers (those with the 'load' option specified) were optional. That
    assumption has been removed.

8)  Previously, the permissions of files created by the 'save' command
    were more relaxed than necessary. This has been corrected.

----------------------------------------------------------------------------
             N E W   F E A T U R E S   I N   5 . 0 . 1 2
----------------------------------------------------------------------------

1)  You may now place comma-separated zone lists in the SOURCE and DEST
    columns in /etc/shorewall[6]/policy. Example:

    #SOURCE   DEST   POLICY   ...
    loc,dmz   net    REJECT

    That line is equivalent to:

    #SOURCE   DEST   POLICY   ...
    loc       net    REJECT
    dmz       net    REJECT

    If the same zone appears in both columns, the default ACCEPT intrazone
    policy is not overridden unless the list is followed immediately by
    '+'. Example:

    #SOURCE   DEST      POLICY   ...
    dmz,loc   loc,dmz+  REJECT

    That line is equivalent to:

    #SOURCE   DEST   POLICY   ...
    dmz       loc    REJECT
    dmz       dmz    REJECT
    loc       loc    REJECT
    loc       dmz    REJECT

    Without the plus sign, it would be equivalent to:

    #SOURCE   DEST   POLICY   ...
    dmz       loc    REJECT
    loc       dmz    REJECT

2)  Distribution maintainers may now set a default pager via the
    configure and configure.pl programs in Shorewall-core to set
    DEFAULT_PAGER in the generated shorewallrc file. The
    Shorewall-provided shorewallrc files for Debian currently specify
    'less' for DEFAULT_PAGER. The other shorewallrc files do not specify
    DEFAULT_PAGER. If shorewall[6].conf does not specify PAGER, then the
    DEFAULT_PAGER setting is used.

3)  The 'contiguous' option is now supported in TIME columns. When the
    'timestop' value is smaller than the 'timestart' value, match this as
    a single time period instead of distinct intervals.
    Example:

        weekdays=Mo&timestart=23:00&timestop=01:00

    Will match Monday, for one hour from midnight to 1 a.m., and then
    again for another hour from 23:00 onwards. If this is unwanted, e.g.
    if you would like 'match for two hours from Monday 23:00 onwards',
    you need to also specify the 'contiguous' option in the example
    above.

    See http://www.shorewall.org/configuration_file_basics.htm#TIME for
    additional TIME column examples.

----------------------------------------------------------------------------
         P R O B L E M S   C O R R E C T E D   I N   5 . 0 . 1 1
----------------------------------------------------------------------------

1)  This release contains defect repair through Shorewall 5.0.10.1.

2)  In Shorewall 5.0, the default chain for DSCP rules was inadvertently
    changed to PREROUTING (FORWARD, if MARK_IN_FORWARD_CHAIN=Yes). The
    default is now restored to POSTROUTING, its earlier value.

3)  Previously, when 'trace' was specified, the output of ip[6]tables
    rules containing a comment was displayed incorrectly. The
    "-m comment --comment" specification was missing and the comment was
    not enclosed in double quotes. This has been corrected.

4)  Previously, if a provider interface matched only a wildcard entry
    (one whose physical interface name ended in '+'), then the generated
    script would always find the interface to be unusable. That has been
    corrected.

5)  A change released in 5.0.9.1 that allowed simple traffic shaping to
    support more than 9 interfaces prevented some users' configurations
    from starting. That has been corrected.

----------------------------------------------------------------------------
             N E W   F E A T U R E S   I N   5 . 0 . 1 1
----------------------------------------------------------------------------

1)  When using the alternate input form, it is now possible to specify a
    comment to be attached to the generated ip[6]tables rule. Simply use
    the 'comment' keyword. If the comment contains embedded white space,
    then it must be enclosed in double quotes.
    Any double quotes embedded in the comment must be escaped using a
    backslash. Example:

        ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" }

2)  OPTIMIZE level 16 no longer deletes duplicate COUNT rules, allowing
    multiple similar COUNT rules in a chain.

3)  Beginning with this release, source RPMs are available on the
    download sites.

----------------------------------------------------------------------------
         P R O B L E M S   C O R R E C T E D   I N   5 . 0 . 1 0
----------------------------------------------------------------------------

5.0.10.1

1)  Several issues with the Debian SysV init scripts have been corrected:

    a) The scripts now issue progress messages for the 'stop' command
       based on the setting of SAFESTOP in /etc/default/shorewall*.

    b) The firewall is now stopped or cleared in runlevel 1 (minimal),
       based on the setting of SAFESTOP.

    c) A typo in the Shorewall init script prevented the force-stop
       command from working correctly.

    (Roberto Sánchez)

5.0.10

1)  This release includes defect repair through Shorewall 5.0.9.2.

2)  Previously, the 'update' command could result in updated files having
    the user's default permissions rather than the permissions of the
    original file. That has been corrected.

3)  A number of update and update-compatibility issues have been
    corrected:

    a) A user name followed by a colon (e.g., "fred:") is once again
       accepted in USER columns.

    b) The USER column in the mangle file can once again be specified
       when :T is the chain designator.

    c) The 'notrack' file is now correctly appended to the 'mangle' file
       during update.

    d) IPMARK entries in 'tcrules' are now correctly converted into the
       'mangle' file.

4)  When multiple zones are configured on an interface, the 'tcpflags',
    'nosmurfs' and 'maclist' options could previously result in silly
    duplicate rules. That problem has been corrected.

----------------------------------------------------------------------------
             N E W   F E A T U R E S   I N   5 . 0 . 1 0
----------------------------------------------------------------------------

5.0.10.1

1)  You can now specify LOGFILE=systemd to cause 'journalctl -r' to be
    used to read the system log (journal). (Scott Sumate)

5.0.10

1)  The 'allow' command can now remove entries from the ipset-based
    dynamic blacklists.

        allow ...

2)  A new 'dbl' (Dynamic Blacklist) option is now available in the
    'interfaces' file. Possible settings are:

    none    - equivalent to specifying 'nodbl'.

    src     - packets entering the firewall on the interface have their
              source IP address checked against the ipset-based blacklist.

    dst     - packets entering the firewall on the interface have their
              destination IP address checked against the ipset-based
              blacklist.

    src-dst - packets entering the firewall on the interface have their
              source IP address checked against the ipset-based
              blacklist. Packets originating on the firewall and leaving
              through the interface have their destination IP address
              checked against the ipset-based blacklist.

    The normal setting for an internet-facing interface will be either
    'src' or 'src-dst'. The normal setting for an internal interface will
    be either 'none' or 'dst'.

3)  The RPMs from shorewall.net are now created to assume that systemd is
    being used. They are targeted specifically at OpenSuSE and have been
    verified on OpenSuSE 42.1.

----------------------------------------------------------------------------
          P R O B L E M S   C O R R E C T E D   I N   5 . 0 . 9
----------------------------------------------------------------------------

1)  This release contains defect repair through Shorewall 5.0.8.2.

2)  Previously, if:

    - DOCKER=Yes
    - docker0 was defined in /etc/shorewall/interfaces
    - Docker was not running

    then Shorewall would fail to start with an error similar to this:

        iptables-restore v1.4.21: Couldn't load target `DOCKER': No such
        file or directory

        Error occurred at line: 29
        Try `iptables-restore -h' or 'iptables-restore --help' for more
        information.
        ERROR: /sbin/iptables-restore Failed.

    This has been corrected such that Shorewall starts correctly under
    these conditions.

----------------------------------------------------------------------------
              N E W   F E A T U R E S   I N   5 . 0 . 9
----------------------------------------------------------------------------

1)  The file 'lib.core' has been renamed 'lib.runtime' to more accurately
    reflect the file's role.

2)  The CLI now produces helpful error messages rather than simply dumping
    out the complete usage syntax.

3)  The 'status' and 'version -a' command outputs now include the time and
    date when the current firewall script was compiled. This feature
    implements a new 'info' command that is recognized by the compiled
    script. That command produces output similar to the following:

        compiled Thu Apr 28 14:18:58 2016 by Shorewall version 5.0.9

    Note 1: The time and date of compilation will only be displayed after
    the firewall script has been compiled using this or a later Shorewall
    release.

    Note 2: Information about the current firewall script is only
    displayed by the 'version -a' command when the command is executed by
    root.

    Caution: If you execute 'shorewall compile', a subsequent 'status'
    command will display the compilation information for the newly
    compiled script and not for the one that was used to instantiate the
    running firewall configuration. Note that the compilation date/time,
    in this case, will be later than the started date/time. Example:

        State:Started Sun Apr 24 12:22:18 PDT 2016 from /etc/shorewall/
        (/var/lib/shorewall/firewall compiled Thu Apr 28 14:18:58 2016 by
        Shorewall version 5.0.9)

4)  The ?INFO and ?WARNING directives added in Shorewall 5.0.8 include the
    current filename and line number in the generated message. That
    behavior can be suppressed by using ?INFO! and ?WARNING! instead.
    Additionally, the default behavior can be changed by setting
    VERBOSE_MESSAGES=No in shorewall[6].conf. In that case, including the
    exclamation point causes the filename and line number to be included.

5)  NFLOG(...) is now supported in the mangle files.

6)  The compiler now checks the version of the installed Shorewall-core
    and issues a warning message if there is a mismatch.
    Example (folded to fit within 72 columns):

        WARNING: Version Mismatch: Shorewall-core is version 5.0.8.2,
                 while the Shorewall version is 5.0.9-Beta2

    When compiling for IPv6, the Shorewall6 version is also verified and a
    similar warning is issued in the case of a mismatch.

7)  The sample configurations now have AUTOMAKE enabled.

8)  Full date and time strings generated by the compiler are now in 'date'
    format rather than Perl's 'localtime' format.

----------------------------------------------------------------------------
          P R O B L E M S   C O R R E C T E D   I N   5 . 0 . 8
----------------------------------------------------------------------------

1)  This release includes defect repair through Shorewall 5.0.7.2.

2)  If a physical interface name was used in the INTERFACE column of an
    entry in /etc/shorewall/masq, then previously a Perl diagnostic was
    issued as the masq rule was being processed, and the iptables rule
    and its containing chain were dropped by the optimizer. That has been
    corrected so that physical interface names are handled correctly.
    Similar issues with physical names in the INTERFACE column of the nat,
    netmap and ecn files have also been resolved.

3)  The optional plus sign ('+') in the MODULESDIR setting, added in
    Shorewall 5.0.3, is now documented in the shorewall[6].conf manpages.

4)  Address variables that specified the physical interface name
    previously caused Perl diagnostics to be issued and wrong code to be
    generated. That has been corrected.

5)  The IPv6 default treatment of Auth (TCP 113) is now consistent with
    IPv4; nothing special is done with these requests, so they are simply
    logged and dropped or rejected.

    IMPORTANT: If you want to continue to silently reject Auth requests,
    you can do so by changing your xxx_DEFAULT settings to make the second
    parameter 'Reject'.
    For example, if you currently have:

        DROP_DEFAULT=Drop
        REJECT_DEFAULT=Reject

    you can change it to:

        DROP_DEFAULT="Drop(-,REJECT)"
        REJECT_DEFAULT="Reject(-,REJECT)"

6)  Previously, if a zone had two or more interfaces, then the interfaces'
    option rules (DHCP, dynamic blacklisting, etc.) could be moved into
    the fw->zone chain without being restricted to their respective
    interfaces. This could result in needless duplication of rules. These
    rules are now kept in separate chains which, if they are identical,
    will be combined by the optimizer if OPTIMIZE level 8 is enabled.

7)  A number of issues have been resolved with saving/restoring ipsets in
    Shorewall and Shorewall6:

    - Even if Shorewall's SAVE_IPSETS was set to ipv4, restarting one
      configuration would attempt to flush/destroy the ipsets for the
      other address family.

    - The same set could be saved multiple times, with the result that
      ipset error messages were issued during 'shorewall[6] start'.

    - Needless repetition of code was generated due to the use of
      compile-time loops rather than run-time loops.

8)  Previously, when AUTOMAKE=Yes, the 'start' command would not
    regenerate an out-of-date firewall script.

9)  A couple of recent changes have resulted in file name collisions on
    Cygwin with its underlying case-insensitive filesystem. To avoid
    these collisions:

    - /usr/share/shorewall/deprecated and /usr/share/shorewall6/deprecated
      directories have been created.

    - When a name collision occurs, the file with the older name is moved
      to the deprecated directory.

    - The compiler automatically searches the deprecated directory (both
      directories in the case of Shorewall6) for files.

    In this release, macro.SNMPTraps and action.A_Reject were moved to
    /usr/share/shorewall/deprecated/. Note that both are deprecated --
    Reject accepts an 'audit' parameter, and macro.SNMPTraps has been
    superseded by macro.SNMPtraps.

10) Previously, the 'reload' command did not produce a system log message
    when it succeeded. That has been corrected.
11) Previously, when compilation was done as part of a reload or restart
    operation, compiler logging to the STARTUP_LOG was suppressed. Such
    logging is now enabled.

12) The compiler now uses a uniform format for timestamps in the
    STARTUP_LOG and on standard output (when the -t option is specified).
    Previously, some messages suppressed a leading zero in the hour while
    others did not. Now, the leading zero is never suppressed, for
    compatibility with the timestamps produced by the generated script.

13) Previously, the compiler would allow 0 to be specified in the MARK
    column of the tcclasses file, resulting in a run-time failure:

        Setting up Traffic Control...
        RTNETLINK answers: Invalid argument
        We have an error talking to the kernel
           ERROR: Command "tc filter add dev eth0 protocol all parent 1:0
           prio 276 handle 0 fw classid 1:10" Failed

    Now, the following error is generated by the compiler:

        ERROR: MARK value must be non-zero

    As part of this change, the shorewall[6]-tcclasses(5) manpages have
    been updated:

    - Specifying a filter priority in the MARK column is now documented
      (this feature has been in the code for several years).

    - The default priorities of the filters for tos= and tcp-ack have
      been corrected.

14) For consistency with Docker, when bridge docker0 is listed in
    /etc/shorewall/interfaces, the following rule is now generated:

        -A FORWARD -o docker0 -m conntrack \
           --ctstate RELATED,ESTABLISHED -j ACCEPT

15) Previously, the safe-* commands did not direct the compiler to write
    to the STARTUP_LOG. That has been corrected. The commands which direct
    the compiler to write to that log are now:

        start
        try
        refresh
        reload
        restart
        safe-*

----------------------------------------------------------------------------
              N E W   F E A T U R E S   I N   5 . 0 . 8
----------------------------------------------------------------------------

1)  Support for later versions of miniupnpd has been added in the form of
    a MINIUPNPD option in shorewall.conf.
    If set to Yes, Shorewall will create a chain in the nat table named
    MINIUPNPD-POSTROUTING and will add jumps from POSTROUTING to that
    chain for each interface with the upnpd option specified. Default is
    No. The contents of the chain are preserved over 'shorewall reload'
    and 'shorewall restart' operations.

2)  The REJECT and A_REJECT actions may now take an optional parameter
    that specifies the way in which the packet is to be rejected. See
    shorewall[6]-rules(5) for details.

3)  The standard action files and shell libraries now have a uniform
    format for their header comments (Tuomo Soini).

4)  The compiler now uses the iptables goto (-g) parameter rather than the
    jump (-j) parameter when the target is a terminating chain (one that
    does not have any rules with the RETURN target and whose last rule is
    an unconditional jump to a terminating target or chain).

5)  The compiler now raises an error if the target of a chain's rule is
    the chain itself.

6)  The compiler now raises an error if the action specified in
    REJECT_ACTION contains a RETURN (CONTINUE) jump or if the last rule
    in the action is not an unconditional jump to a terminating target.

7)  The Drop and Reject default actions now accept a sixth parameter that
    specifies the action to be taken on UPnP packets. Previously, the
    same action was performed on UPnP as was performed on late DNS
    replies. The default is DROP in both cases.

8)  Heretofore, when DYNAMIC_BLACKLISTING=Yes, blacklists were checked on
    packets arriving and leaving on all interfaces. Now, individual
    interfaces may be exempted from dynamic blacklisting through use of
    the "nodbl" interface option.

9)  Prior to this release, dynamic blacklisting has been implemented using
    rules in an ip[6]tables chain. This scales poorly when there are a
    large number of blacklisted addresses. Beginning with this release,
    dynamic blacklisting can be ipset-based.
    See DYNAMIC_BLACKLIST in shorewall.conf(5) and shorewall6.conf(5) and
    the 'blacklist' command in shorewall(8) and shorewall6(8).

    As part of this change, ipsets created by Shorewall are now of type
    hash:net with the 'timeout 0 counters' options, rather than hash:ip
    with no options. This allows both network and individual host
    addresses to be added to these ipsets, a timeout to be specified when
    addresses are added to the ipsets, and visibility into matches on
    individual members of the ipset.

10) Two new Redis macros have been added, one for Redis Cluster and the
    other for Redis Sentinel (Tuomo Soini).

11) The system log messages created by Shorewall via the 'logger' utility
    may now be augmented using logger's -t (--tag) option through use of
    the SW_LOGGERTAG environment variable. If this variable is set to a
    non-empty value, then its contents will be passed as the -t option
    (e.g. logger -t "$SW_LOGGERTAG" ...).

12) Similar to ?ERROR, which was introduced in Shorewall 5.0.7, this
    release supports additional ?WARNING and ?INFO directives:

       ?ERROR <text>
       ?WARNING <text>
       ?INFO <text>

    The <text> is written to STDERR prefaced by the directive name
    (WARNING or INFO) followed by a colon (':'). It is also written to the
    STARTUP_LOG if:

    - A STARTUP_LOG has been configured

    - The command is start, try, restart, reload, refresh or one of the
      safe-* commands

    Unlike ?ERROR, ?WARNING and ?INFO do not cause compilation to be
    aborted.

----------------------------------------------------------------------------
       P R O B L E M S   C O R R E C T E D   I N   5 . 0 . 7
----------------------------------------------------------------------------

5.0.7.2

1)  When using older versions of Perl, the following warnings were
    generated with 5.0.7 and 5.0.7.1:

       Found = in conditional, should be == at /usr/share/perl5/Shorewall/Chains.pm line 8630.
       Found = in conditional, should be == at /usr/share/perl5/Shorewall/Chains.pm line 8635.

    That has been corrected.
    (Tuomo Soini)

2)  Several typos in the manpages have been corrected (Roberto Sánchez).

3)  Previously, if an inline match was used in the last line of an action,
    then the inline match could also be applied to the jump to the
    action's chain. That has been corrected so that the jump to the chain
    contains the correct set of matches.

5.0.7.1

1)  In 5.0.6.2 and 5.0.7, use of an inline match in a rule that generated
    multiple ip[6]tables rules caused only the first generated rule to
    contain the inline match. That has been corrected.

2)  In 5.0.7, if ':R' was specified with the DIVERT action, an error
    message was erroneously generated. That has been corrected.

5.0.7

1)  This release includes defect repair from Shorewall 5.0.6.2.

2)  Previously, the compiler failed to catch invalid action/chain
    combinations, which caused iptables-restore failures when such
    combinations were present in the configuration. That has been
    corrected.

3)  An issue involving nested inlined action and macro invocations has
    been resolved.

4)  The '&' (and) and '|' (or) symbols were previously ignored when the
    action was CONNMARK (mangle file). These symbols now work as
    documented.

5)  When DOCKER=Yes, 'check -r' would previously fail. The command now
    works correctly.

6)  Previously, the specified linklayer, overhead, mtu, mpu and tsize were
    not applied to ingress qdiscs that provide IN-BANDWIDTH limiting. That
    has been corrected so that these options also apply to inbound
    traffic.

    IMPORTANT: If you have specified linklayer, overhead, etc., then after
    this fix is installed, your inbound speed will be less than it was
    before the fix. You are advised to re-test and possibly adjust your
    IN-BANDWIDTH accordingly.

7)  The syntax which Shorewall previously used to define ingress filters
    is misinterpreted by the tc utility, with the result that rather than
    dropping packets exceeding the IN-BANDWIDTH, the filter instead
    reclassified them.
    That caused 'packet reclassify loop' errors during periods of high
    inbound traffic. The compiler now generates the options in the 'tc
    add filter' command in an order that tc handles correctly.

8)  If a log level was specified in one of the *_DEFAULT options, the
    compiler would previously raise a fatal error when applying the
    default action. That has been corrected.

----------------------------------------------------------------------------
       N E W   F E A T U R E S   I N   5 . 0 . 7
----------------------------------------------------------------------------

1)  Actions may now be used in the mangle file. To be used in the mangle
    file, an action must be declared in the actions file with the
    'mangle' option. Actions with this option may only be used in the
    mangle file (or in other actions with the mangle option); they may
    not be used in the rules file.

    Mangle actions may be inlined using the 'inline' option in the
    actions file.

    A new template file (/usr/share/shorewall/action.mangletemplate) is
    included in the release for use in creating mangle actions.

2)  The 'check -r' command now uses the PAGER program unless the -d option
    is also specified. Additionally, when the compiler runs with 'trace',
    the PAGER program is used unless -d is set.

3)  It is now possible to raise an error if a condition isn't met using
    the ?ERROR directive:

       ?ERROR <text>

    The text after ?ERROR is displayed in a standard Shorewall error
    message.

4)  Using the new ?ERROR directive, embedded Perl has been eliminated from
    a number of standard actions. Example from action.GlusterFS:

       ?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
       ?error Invalid value for Bricks (@1)
       ?elsif @2 !~ /^[01]$/
       ?error Invalid value for IB (@2)
       ?endif

    The above logic ensures that the first action parameter is a non-zero
    number <= 1024 and that the second parameter is either 0 or 1.
    If 2000 is passed for the first parameter, the following error message
    is generated:

       ERROR: Invalid value for Bricks (2000) /usr/share/shorewall/action.GlusterFS (line 15)
              from /etc/shorewall/rules (line 45)

5)  Previously, inline matches were placed after column-generated matches
    in the generated rule. This meant that '-p' could not be used in
    inline matches. Beginning with this release, if the first non-blank
    character in an inline match is '+', then the remainder of the inline
    matches are placed at the front of the generated rule. There are a
    couple of restrictions:

    a. When -p is used in an inline match and the PROTO column is
       supplied, then an error is generated unless the resolved contents
       of the column match the protocol specified in the inline match.
       This means that only protocol numbers should appear in the inline
       match.

    b. Use of -i, -s, -o, or -d (or their long-form equivalents) in an
       inline match will result in a compilation error if the contents of
       the columns generate the same match.

6)  The TCPFlags action has been modified to use '+' in inline matches
    rather than embedded Perl with perl_action_tcp_handler() calls.

7)  A new 'audit' action option has been added. Such actions are expected
    to have at least two parameters; the first is a target and the second
    is either omitted or is 'audit'. Two existing standard actions (RST
    and NotSyn) have this characteristic and they have been converted to
    use the 'audit' option, eliminating embedded Perl within their bodies.

8)  Within an action body, if a parameter is omitted in a DEFAULTS
    statement, then the value of the corresponding action and Shorewall
    variables is '-', while if the parameter is specified as '-' in the
    parameter list, the value of the variables is '' if expanded before
    the DEFAULTS statement. Additionally, when an expression is evaluated,
    the value 0 evaluates as false; so '?IF @n' and '?IF $n' both fail if
    the nth parameter is passed with value zero.
    To make testing of the presence of parameters more efficient and
    uniform, a new function has been added for use in ?IF and ?ELSEIF:

       ?IF [!] passed(<variable>)

    where <variable> is an action or Shorewall variable. 'passed(@n)' and
    'passed($n)' evaluate to true if the nth parameter is not empty and
    its contents are other than '-'. If '!' is present, the result is
    inverted.

    In this simple form, the expression is evaluated by the compiler
    without having to invoke the (expensive) Perl exec() function. The
    'passed' function may also be used in more complex expressions, but
    exec() will be invoked to evaluate those expressions.

9)  The MARK and CONNMARK targets are now available in the rules file,
    macros, and actions. Mark ranges are not currently supported with
    these targets.

----------------------------------------------------------------------------
       P R O B L E M S   C O R R E C T E D   I N   5 . 0 . 6
----------------------------------------------------------------------------

1)  This release includes defect repair through Shorewall 5.0.5.1.

2)  Previously, the generated function define_firewall() contained logic
    for handling the 'stop' and 'clear' commands. Beginning with this
    release, the function will no longer include that logic, since the
    function is not called when processing those commands.

3)  The 'persistent' option on a provider previously resulted in a
    duplicate routing rule being created each time that the provider was
    disabled. This has been corrected so that duplicate rules are not
    created.

----------------------------------------------------------------------------
       N E W   F E A T U R E S   I N   5 . 0 . 6
----------------------------------------------------------------------------

1)  The GATEWAY column in /etc/shorewall[6]/providers may now contain the
    keyword 'none'. This will create a routing table with no default
    route, to allow handling policy-routing scenarios where a default
    route is not required.
2)  Previously, when both Shorewall and Docker were used on the same
    system, one of two approaches had to be followed:

    a) Run docker with --iptables=false and use Shorewall to configure
       Netfilter.

    b) Run docker with --iptables=true and use extension scripts to
       save/restore the Docker-generated rules.

    The first is complex and the second is difficult to do in a way that
    ensures that changes to the Shorewall configuration aren't lost during
    restart/reload.

    In this release, a new DOCKER option is available in shorewall.conf.
    When DOCKER=Yes, the generated script takes responsibility for saving
    and restoring the Docker-generated rules.

    The Shorewall implementation assumes that the default 'docker0' bridge
    is being used. It is recommended that docker0 be assigned to a zone in
    /etc/shorewall/interfaces. When you do that, the setting of
    'routeback' for that interface determines whether inter-container
    communication is allowed. If docker0 is not listed in the interfaces
    file, then the generated script will save/restore the FORWARD chain
    rules for that interface.

    If you are using Docker's network features where bridges with names
    of the form br-xxxxxxxxxxxx are created, those bridges should not be
    defined to Shorewall.

    Note that DOCKER=Yes is currently supported only in Shorewall and not
    in Shorewall6.

3)  A new SNMPtrap macro has been added and is intended to supersede
    SNMPTrap. The latter is now deprecated, but is still available for
    use.

4)  As an alternative to entries in the ecn file, the IPv4 mangle file now
    supports an ECN target for clearing the ECN flags in the TCP header.
    See shorewall-mangle(8) for details.

5)  The remainder of the documentation has been updated to use the new
    column headings.

6)  Beginning with this release, voluminous CLI output to terminals from
    'show' and 'dump' commands may be automatically paged using a program
    like 'less' or 'more'. The pager program to be used, if any, is
    specified using the PAGER option in shorewall[6].conf.
----------------------------------------------------------------------------
       P R O B L E M S   C O R R E C T E D   I N   5 . 0 . 5
----------------------------------------------------------------------------

1)  Previously, an interface could be erroneously assigned to two
    different providers and the compiler did not flag that as an error.
    The compiler now correctly catches this violation.

2)  The alignment of the output of the 'shorewall[6] show macros' command
    has been corrected.

----------------------------------------------------------------------------
       N E W   F E A T U R E S   I N   5 . 0 . 5
----------------------------------------------------------------------------

1)  The .ip[6]tables-restore-input file may now include comments which
    indicate the origin of the rules, similar to the ip[6]tables comments
    that are generated when TRACK_RULES=Yes in shorewall[6].conf. This
    additional information is added when TRACK_RULES=File.

    Note: This change also enhances TRACK_RULES=Yes by adding tracking
    comments to additional generated ip[6]tables rules.

2)  The output of 'shorewall[6] show actions' is now sorted.

3)  The macro file headers have been updated to use the new column names.
    Also, some macros now invoke other macros rather than duplicating
    their rules. This is intended to ease future maintenance (Tuomo
    Soini).

4)  Additional documentation articles have been updated to use the new
    column names (Tuomo Soini).

----------------------------------------------------------------------------
       P R O B L E M S   C O R R E C T E D   I N   5 . 0 . 4
----------------------------------------------------------------------------

1)  There previously existed a slight possibility that starting both
    Shorewall and Shorewall6 simultaneously could lead to a failure such
    as this one:

       Dec 18 13:18:35 elmo.example.com shorewall6[1889]: Loading Modules...
       Dec 18 13:18:38 elmo.example.com shorewall6[1889]: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
       Dec 18 13:18:40 elmo.example.com shorewall6[1889]: ERROR: Cannot Create Mangle chain fooX2349
       Dec 18 13:18:40 elmo.example.com systemd[1]: shorewall6.service: main process exited, code=exited, status=255/n/a

    That problem can no longer occur.

2)  Previously, when a source- or destination-specific RATE was specified
    on a logging rule (LOG, ULOG or NFLOG), the compiler incorrectly
    applied both the specified RATE as well as the global LOGLIMIT. That
    has been corrected so that only the specified RATE is applied.

3)  Previously, when @caller was used within an action body, the compiler
    would not create unique ip[6]tables chains for each invocation of the
    action, even though the invocations had different values of @caller.
    Now, each invocation of such an action creates a separate
    ip[6]tables chain for each unique caller.

4)  Previously, the 'status -i' command produced error output when there
    were no optional interfaces. That erroneous output is no longer
    produced.

5)  Traffic shaping configurations that use red or codel will now produce
    consistent compiled scripts. Previously, these configurations could
    produce equivalent but different scripts on consecutive compilations.

6)  Previously, the Shorewall compiler enforced old rules about where
    country codes could appear. As those restrictions have now been
    removed, the compiler no longer issues messages such as this:

       ERROR: A countrycode list may not be used in this context

----------------------------------------------------------------------------
       N E W   F E A T U R E S   I N   5 . 0 . 4
----------------------------------------------------------------------------

1)  Shorewall Init is now supported on OpenWRT.

2)  The IPTABLES and IP6TABLES actions in the rules and mangle files can
    now correctly handle logging targets (LOG, ULOG and NFLOG).
    Previously, an attempt to use these targets would result in an error
    similar to:

       ERROR: LOG requires a level

3)  To further reduce the possibility of failures caused by Shorewall and
    Shorewall6 starting concurrently, a new WAIT_OPTION capability has
    been implemented. On systems with that capability, all 'iptables' and
    'ip6tables' commands will use the --wait option.

4)  The .214.service files have been removed and the .service files (with
    the exception of Debian) have been updated to use the
    network-pre.target (Tuomo Soini).

5)  Shorewall, Shorewall6, Shorewall-lite and Shorewall6-lite now install
    /etc/sysconfig/ files for specifying start/restart/reload options on
    those distributions that use /etc/sysconfig.

6)  The mangle file now supports a DIVERTHA action that provides support
    for HAProxy. To set up the HAProxy configuration described at
    http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x,
    place this entry in shorewall-providers(5):

       #NAME    NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY  OPTIONS
       TProxy   1       -     -          lo         -        tproxy

    and use this DIVERTHA entry:

       #ACTION   SOURCE  DEST  PROTO ...
       DIVERTHA  -       -     tcp

----------------------------------------------------------------------------
       P R O B L E M S   C O R R E C T E D   I N   5 . 0 . 3
----------------------------------------------------------------------------

1)  This release includes defect repair through Shorewall 5.0.2.1.

2)  To avoid interference with other subsystem settings, all released
    shorewall6.conf files now specify IP_FORWARDING=keep. Previously, the
    settings were inconsistent among the various sample files.

3)  This release includes more fixes to the configure, install and
    uninstall scripts (Matt Darfeuille).

4)  Previously, Shorewall6 rejected rules in which the SOURCE contained
    both an interface name and a MAC address (in Shorewall format). That
    defect has been corrected so that such rules are now accepted.
----------------------------------------------------------------------------
       N E W   F E A T U R E S   I N   5 . 0 . 3
----------------------------------------------------------------------------

1)  The MODULESDIR option in shorewall[6].conf has been extended to allow
    specification of additional directories to be added to those
    defaulted by Shorewall. If the specified value begins with "+", then
    the remainder of the value is assumed to be a colon-separated list of
    directory names that are relative to /lib/modules/`uname -r`.

    For example, to load the xt_RTPENGINE module, you would create
    /etc/shorewall/modules as follows:

       INCLUDE /usr/share/shorewall/modules
       loadmodule xt_RTPENGINE

    You would then set MODULESDIR as:

       MODULESDIR="+extra/rtpengine"

2)  Previously, some of the column headings in the configuration files
    required two lines to display. For example, in the rules file:

       #ACTION  SOURCE  DESTINATION  PROTOCOL  DEST     SOURCE
       #                                       PORT(S)  PORT(S)

    To use the alternative input format for such two-word columns, a
    one-word abbreviation was required. For example, DEST PORT(S) is
    abbreviated as 'dport' and SOURCE PORT(S) is abbreviated as 'sport'.

    The two-line column headings are also a nuisance for Emacs users
    because when the TAB key is struck, Emacs positions the cursor based
    on the white space in the preceding line. So if an ACTION is typed and
    the TAB key is then depressed, rather than position the cursor in the
    SOURCE column, Emacs positions it in the DEST PORT(S) column.

    To eliminate these issues, the multi-word columns have been relabelled
    to use their abbreviated names. Note that this relabelling does not
    require modification of existing configurations. It simply means that
    the sample files released with Shorewall and the manpages that
    describe column-oriented files now use the abbreviated names rather
    than the previous names (Tuomo Soini and Tom Eastep).

3)  ADD rules may now include a timeout value which will override any
    timeout that was specified when the related ipset was created.
4)  Commas are now allowed in log tags when LOGTAGONLY=Yes. Previously,
    characters after the first comma in a log tag were discarded when
    LOGTAGONLY=Yes.

----------------------------------------------------------------------------
       P R O B L E M S   C O R R E C T E D   I N   5 . 0 . 2
----------------------------------------------------------------------------

5.0.2.1

1)  When processing the 'dump' command, the CLI now uses 'netstat' to
    print socket information when the 'ss' utility is not installed.

2)  Several defects in the installers/uninstallers have been corrected
    (Matt Darfeuille).

5.0.2

1)  This release includes defect repair up through Shorewall 5.0.1.1.

2)  The MSSQL macro now allows UDP port 1434 (Tuomo Soini).

3)  A number of issues with param file processing on Cygwin have been
    corrected. The most serious of these issues was the introduction of
    syntax errors into the generated firewall script.

4)  More version numbers have been removed from configuration files and
    macros (Tuomo Soini).

5)  The check for use of a circular kernel log buffer (as opposed to a
    log file) has been improved.

6)  Previously, HOST=default was accepted by configure[.pl], but the
    generated shorewallrc file was unusable. Now, HOST=default is
    equivalent to HOST=linux.

7)  Previously, if a circular log buffer was being used, the output of
    various commands still displayed '/var/log/messages' as the log file.
    Now, it is displayed as 'logread'.

8)  The 'remote-*' commands now return correct exit status.

9)  Previously, if LOCKFILE specified a file in a directory other than
    $VARDIR, and that directory did not exist, it was not created
    automatically.

10) Previously, optional interfaces were not enabled during 'start' and
    'restart' unless there was at least one entry in the 'providers'
    file. This resulted in these interfaces not appearing in the output
    of 'shorewall[6] status -i'.

----------------------------------------------------------------------------
       N E W   F E A T U R E S   I N   5 . 0 . 2
----------------------------------------------------------------------------

1)  The providers file now supports a 'persistent' option. When
    specified, this option removes the need to configure host routes to
    systems used as the 'checkip' in LSM. As part of this change, two
    other configuration files have changed:

    a) The 'rtrules' file now allows the rule priority to be followed by
       an exclamation mark ("!").

    b) An OPTION column has been added to the 'routes' file. The only
       option currently supported is 'persistent'.

    The option affects the routing configuration when the provider is
    disabled:

    - The provider's routing table still exists and contains the
      provider's default route.

    - Unless 'noautosrc' is specified, connections originating from the
      interface's IP address(es) are routed via the provider's default
      gateway.

    - Routing rules for the provider that specify '!' after the priority
      are left in place.

    - 'persistent' routes for the provider are left in place, allowing
      communication with local networks that are still accessible.

2)  It is now possible to replace any function in the CLI libraries
    except for get_config(). This is accomplished by placing the
    replacement function(s) in a shell library named 'lib.cli-user' in a
    directory on the CONFIG_PATH. This allows for customization of
    commands as well as working around distribution-specific issues.

3)  Support for OpenWRT versions BB and later has been added. Included in
    this support are:

    - The log display commands (show log, logwatch, etc.) no longer
      depend on the 'tac' utility (although it will be used if it is
      installed).

    - Shorewall-core's 'configure' script detects OpenWRT and accepts
      HOST=openwrt as an argument.

    - The Shorewall-core, Shorewall-lite and Shorewall6-lite installers
      support OpenWRT. Additionally, those installers no longer depend on
      the 'install' utility.

    - Shorewall[6]-lite will use OpenWRT's 'lock' utility to create the
      LOCKFILE.
    A special thanks to Matt Darfeuille for his help in making this
    support possible.

4)  Configuration files and extension scripts now have uniform
    introductory comments (Tuomo Soini).

----------------------------------------------------------------------------
       P R O B L E M S   C O R R E C T E D   I N   5 . 0 . 1
----------------------------------------------------------------------------

1)  Previously, if statistical load balancing was used in the providers
    file, the default route in the main table was not deleted during
    firewall start/restart. That route is now correctly deleted.

2)  Certain files in /etc/shorewall[6] previously had permissions 644.
    Those have been changed to 600 to match the other files in the
    directories.

3)  Previously, the CLI programs did not deal properly with the absence of
    the 'hostname' utility. Now, if that utility is not present, the
    programs look for 'uname' and, if it is present, they use the
    'uname -n' command. If neither 'hostname' nor 'uname' is installed,
    the programs display 'localhost' as the system name.

----------------------------------------------------------------------------
       N E W   F E A T U R E S   I N   5 . 0 . 1
----------------------------------------------------------------------------

1)  'second' and 'minute' are now allowed in the LOGLIMIT specification in
    place of 'sec' and 'min' respectively. This enhancement was present
    in Shorewall 4.6.13 but was not available in Shorewall 5.0.0.

2)  The LEGACY_RESTART option has been superseded by the RESTART option.
    RESTART may be set as follows:

       RESTART=reload

          Causes the 'restart' command to perform the same action as the
          'reload' command. This is the default if RESTART is not set.

       RESTART=restart

          Causes the 'restart' command to perform a true restart (stop
          followed by start).

    If LEGACY_RESTART is present in shorewall[6].conf and RESTART is not,
    then its setting will govern the behavior of 'restart'.
    The 'update' command will convert the LEGACY_RESTART setting to the
    equivalent RESTART setting.

----------------------------------------------------------------------------
       P R O B L E M S   C O R R E C T E D   I N   5 . 0 . 0
----------------------------------------------------------------------------

1)  This release includes defect repair up through Shorewall 4.6.13.1.

2)  The compiled script now uses the %e date format rather than %_d, for
    Busybox compatibility (Erich Titl).

----------------------------------------------------------------------------
       N E W   F E A T U R E S   I N   5 . 0 . 0
----------------------------------------------------------------------------

1)  To make the command names more accurately reflect what they do,
    several changes have been included:

    a) Beginning with this release, the 'restart' command now does a true
       restart and is equivalent to a 'stop' followed by a 'start'.

    b) The pre-5.0.0 'load' command has been renamed 'remote_start'.

    c) The pre-5.0.0 'reload' command has been renamed 'remote_reload'.

    d) The 'reload' command now performs the same function as the
       pre-5.0.0 'restart' command.

    e) A 'remote_restart' command has been added to Shorewall and
       Shorewall6 to allow a remote 'restart' after updating the remote
       firewall system's compiled script.

2)  For those that can't get used to the idea of using 'reload' in place
    of 'restart', a LEGACY_RESTART option has been added. The option
    defaults to No but, if set to Yes, then the 'restart' command does
    what it has always done.

3)  It is now possible to limit connections by destination address in the
    rules file by prefixing the CONNLIMIT setting with 'd:'.

4)  While the WORKAROUNDS setting is still present in the shorewall[6].conf
    files:

    a) Its default setting has been changed to No.

    b) All workarounds for old distributions have been eliminated.

    See the Migration Issues for additional information.
5)  A number of configuration options have been eliminated:

    - EXPORTPARAMS
    - IPSECFILE
    - LEGACY_FASTSTART
    - LOGRATE *
    - LOGBURST *
    - WIDE_TC_MARKS *
    - HIGH_ROUTE_MARKS *
    - BLACKLISTNEWONLY *

    A fatal error results if those flagged with an asterisk ("*") appear
    in the .conf file -- run the 'shorewall[6] update' command to convert
    their settings to use supported options. A warning is issued if any
    of the rest appear in the .conf file; 'shorewall[6] update' will drop
    them from the file.

6)  The -b, -D, -r, -s, -t and -n options have been removed from the
    'update' command. The command now behaves as if all of those options
    had been specified.

7)  Support has been removed for the 'blacklist', 'tcrules',
    'routestopped', 'notrack' and 'tos' files. The 'update' command will:

    - convert the 'tcrules' and 'tos' files to the equivalent 'mangle'
      file.
    - convert the 'blacklist' file into an equivalent 'blrules' file.
    - convert the 'routestopped' file into the equivalent 'stoppedrules'
      file.
    - convert a 'notrack' file to the equivalent 'conntrack' file.

8)  Beginning with this release, all macros and actions are assumed to be
    FORMAT-2. FORMAT-1 macros and actions are no longer supported and will
    be silently processed as if they were FORMAT-2. For most macros and
    actions, this change will be of no concern, but it may cause
    compilation errors in rare cases.

9)  Beginning with this release, COMMENT, FORMAT and SECTION lines must
    begin with a question mark ("?"). The 'update' command makes these
    changes for you.

10) As an alternative to INLINE_MATCHES=Yes, you may now specify inline
    matches (raw ip[6]tables text) after a double semicolon (';;').
    Example from the 'masq' file to split SNAT between two public
    addresses on eth1:

       #INTERFACE  SOURCE  ADDRESS
       eth1        -       1.2.3.1 ;; -m statistic --mode random --probability 0.50
       eth1        -       1.2.3.2

11) Options in shorewall[6].conf that accept a log level now also allow
    specification of a log tag. Example:

       TCP_FLAGS_LOG_LEVEL=info:,tcpflags

12) A PROBABILITY column has been added to the masq file. One usage
    scenario is to balance SNAT between two or more IP addresses on a WAN
    interface:

       #INTERFACE  SOURCE  ADDRESS
       eth1        -       1.2.3.4 { probability=0.50 }
       eth2        -       1.2.3.5

13) Previously, when chain names were included in a 'reset' command, they
    were assumed to be filter table chains. Now, both a table name and a
    chain name can be given (e.g., mangle:PREROUTING). The specified table
    remains the default for the remainder of the command unless a
    following entry also includes a table name.

14) An action for Gluster FS (action.GlusterFS) has been added. See the
    action file for a description of the parameters.
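The ';;' statistic-match and PROBABILITY examples above split SNAT over two addresses with a single 0.50. The following added Python example (not Shorewall code) carries the same rule-evaluation reasoning through for any number of addresses: it derives the per-rule probability that gives every address an equal share, renders the corresponding masq-file lines, and shows why simply repeating 0.50 on every rule does not balance three or more addresses. The interface name and addresses are constructed sample values.

```python
"""Even SNAT distribution across several addresses with the ip[6]tables
'statistic' match.

Added example, not part of Shorewall.  It models the in-order rule
evaluation that the ';;' inline-match and PROBABILITY examples rely on.
The interface name and addresses used below are constructed sample values.
"""
from fractions import Fraction


def rule_probabilities(n):
    """Match probability to give rule k (0-based) of n sequential SNAT rules.

    ip[6]tables evaluates the rules in order: a packet reaching rule k
    matches it with probability p_k ('-m statistic --mode random
    --probability p_k') and otherwise falls through to rule k+1.  Choosing
    p_k = 1/(n-k) gives every address exactly 1/n of the connections.  The
    last rule gets p = 1, i.e. no statistic match at all, so no packet
    escapes SNAT.
    """
    if n < 1:
        raise ValueError("at least one address is required")
    return [Fraction(1, n - k) for k in range(n)]


def effective_shares(probs):
    """Fraction of packets finally handled by each rule, in evaluation order.

    A packet reaches rule k only if it failed every earlier statistic
    match, so share_k = p_k * prod_{j<k} (1 - p_j).
    """
    shares, remaining = [], Fraction(1)
    for p in probs:
        shares.append(remaining * p)
        remaining *= 1 - p
    return shares


def naive_shares(n, p):
    """Shares obtained when the same probability p is reused on every
    non-final rule, the tempting generalisation of the two-address example."""
    return effective_shares([Fraction(p)] * (n - 1) + [Fraction(1)])


def masq_entries(interface, addresses):
    """Render masq-file lines (INTERFACE SOURCE ADDRESS) that split SNAT
    evenly over 'addresses', using the ';;' inline-match syntax shown above.

    Only the non-final rules carry a statistic match; the final rule
    catches whatever the earlier ones let through.
    """
    lines = ["#INTERFACE SOURCE ADDRESS"]
    for addr, p in zip(addresses, rule_probabilities(len(addresses))):
        entry = f"{interface} - {addr}"
        if p != 1:
            entry += f" ;; -m statistic --mode random --probability {float(p):.6f}"
        lines.append(entry)
    return lines


def is_even_split(addresses):
    """True when the generated probabilities give each address exactly 1/n."""
    n = len(addresses)
    shares = effective_shares(rule_probabilities(n))
    return all(s == Fraction(1, n) for s in shares)


if __name__ == "__main__":
    # Constructed sample: three public addresses on eth1.
    sample = ["1.2.3.1", "1.2.3.2", "1.2.3.3"]
    print("\n".join(masq_entries("eth1", sample)))
    print("shares:", [str(s) for s in effective_shares(rule_probabilities(3))])
    print("with 0.50 on every rule:", [str(s) for s in naive_shares(3, 0.5)])
```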