Bug 430944 - net-firewall/shorewall-4.5.6.2 version bump request
Summary: net-firewall/shorewall-4.5.6.2 version bump request
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Vieri
URL: http://www.shorewall.net/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-08-11 14:32 UTC by David J Cozatt
Modified: 2012-08-15 17:53 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description David J Cozatt 2012-08-11 14:32:57 UTC
Portage has version 4.5.4.2 in ~arch. The latest stable version is (this list is truncated for the comment character limit)

		     S H O R E W A L L  4 . 5 . 6 . 2
                        A u g u s t  0 8 ,  2 0 1 2


I.    PROBLEMS CORRECTED IN THIS RELEASE
II.   KNOWN PROBLEMS REMAINING
III.  NEW FEATURES IN THIS RELEASE
IV.   RELEASE 4.4 HIGHLIGHTS
V.    MIGRATION ISSUES
VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES

  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E


4.5.6.2

1)  The compiler now generates an error when a SOURCE interface is
    specified in a rule where the SOURCE zone is the firewall itself.

2)  Previously, entries in /etc/shorewall/notrack that specified a
    Vserver zone in the SOURCE column were omitted from the generated
    ruleset.

3)  The set of helpers available in the notrack file and in the HELPER
    column of the tcrules file was incorrect:

    - The Amanda helper requires a UDP port -- Shorewall was requiring
      TCP.

    - The H323 module supplies two helpers: 'RAW' and 'Q.931';
      Shorewall only accepted 'h323'.

    - The Netbios NS module supplies the 'netbios-ns' helper; Shorewall
      only accepted 'netbios_ns'.

4)  The conditional directive '?IF 0' generated an error from the
    compiler. It now causes following lines to be omitted.

4.5.6.1

1)  The 'systemctl' command in the Shorewall[6], Shorewall[6] Lite and
    Shorewall Init installers was incorrect with the result that the
    product was not started automatically on boot.

4.5.6

1)  This release includes the defect repairs from Shorewall 4.5.5.1 through
    4.5.5.4.

2)  Previously, the tcrules file was not processed when
    TC_ENABLED=No. That meant that to use features like TPROXY, it was
    necessary to set TC_ENABLED=Yes and create a dummy
    /etc/shorewall/tcstart file. Now, only MANGLE_ENABLED=Yes is
    required.

----------------------------------------------------------------------------
           I I.  K N O W N   P R O B L E M S   R E M A I N I N G


1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.


      I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E


1)  Support for size tables has been added in complex TC. 

    The OPTIONS column of /etc/shorewall/tcdevices now allows a
    'linklayer' option whose value may be 'ethernet', 'atm' or 'adsl';
    the last two are synonyms.

    When 'linklayer' is specified, it may be followed by additional
    options:

        mtu=<mtu> - The device MTU; default 2048 (will be rounded up to a
                    power of two)

        mpu=<mpubytes> - Minimum packet size used in
                         calculations. Smaller packets will be rounded up
                         to this size

        tsize=<tablesize> - Size table entries; default is 512

        overhead=<overheadbytes> - Number of overhead bytes per packet.

    See tc-stab (8) for details about these options.

2)  It is now possible to specify the LS (linksharing) rate for an HFSC
    class in /etc/shorewall/tcclasses. See shorewall-tcclasses (5) for
    details.

3)  It is now possible to specify that a leaf class will use the RED
    (Random Early Detection) queuing discipline rather than SFQ or
    pfifo. A new class OPTION is defined:

      red=(<red option>=<value>, ...)

        When specified on a leaf class, causes the class to use the RED
        (Random Early Detection) queuing discipline rather than
        SFQ. See tc-red (8) for additional information.

    Allowable <red option>s are:

        min <min>
            Average queue size in bytes at which marking becomes a
            possibility.
        max <max>
            At this average queue size, the marking probability is
            maximal. Must be at least twice <min> to prevent
            synchronous retransmits, higher for low <min>.
        probability <probability>
            Maximum probability for marking, specified as a floating
            point number from 0.0 to 1.0. Suggested values are 0.01 or
            0.02 (1 or 2%, respectively).
        limit <limit>
            Hard limit on the real (not average) queue size in bytes.
            Further packets are dropped. Should be set higher than
            <max>+<burst>. It is advised to set this a few times higher
            than <max>. Shorewall requires that <limit> be at least
            twice <min>.
        burst <burst>
            Used for determining how fast the average queue size is
            influenced by the real queue size. Larger values make the
            calculation more sluggish, allowing longer bursts of
            traffic before marking starts. Real life experiments
            support the following guideline:
            (<min>+<min>+<max>)/(3*<avpkt>).
        avpkt <avpkt>
            Optional. Specified in bytes. Used with burst to determine
            the time constant for average queue size calculations. 1000
            is a good value and is the Shorewall default.
        bandwidth <bandwidth>
            Optional. This rate is used for calculating the average
            queue size after some idle time. Should be set to the
            bandwidth of your interface. Does not mean that RED will
            shape for you!
        ecn
            RED can either 'mark' or 'drop'. Explicit Congestion
            Notification (ECN) allows RED to notify remote hosts that
            their rate exceeds the amount of bandwidth
            available. Non-ECN capable hosts can only be notified by
            dropping a packet. If this parameter is specified, packets
            which indicate that their hosts honor ECN will only be
            marked and not dropped, unless the queue size hits limit
            bytes. Needs a tc binary with RED support compiled
            in. Recommended.

4)  The handling of the USER/GROUP column of the rules file has been
    rewritten. As part of this rewrite:

    a)  The ability to specify a program name (e.g., +prog) has been
        eliminated. The kernel feature which that ability depended on
        was removed in kernel version 2.6.14.

    b)  It is now possible to specify UID and/or GID ranges of the form
        'low-high' where 'low' and 'high' are integers and low <= high.

5)  It is now possible to use Perl-compatible expressions in ?IF
    directives. As before, variables must be environmental variables,
    options from shorewall.conf, shell variables set in the params file
    or capabilities. As previously, capabilities may be entered with
    leading '__' rather than '$'.

    Example:

        ?IF $BLACKLIST_LOGLEVEL && ! __LOG_OPTIONS

6)  The ?ELSIF directive has been added allowing more convenient
    expression of complex include scenarios.

    Example (column headings abbreviated to fit release notes format):

       #NAME     NUM MARK    DUP  INTERFACE GWAY   OPTIONS
       ?IF $FALLBACK
       ComcastB  1   0x10000 -    COMB_IF   detect fallback
       ComcastC  2   0x20000 -    COMC_IF   detect fallback
       ?ELSIF $STATISTICAL
       ComcastB  1   0x10000 -    COMB_IF   detect load=0.66666667
       ComcastC  2   0x20000 -    COMC_IF   detect load=0.33333333
       ?ELSE
       ComcastB  1   0x10000 -    COMB_IF   detect balance=2
       ComcastC  2   0x20000 -    COMC_IF   detect loose,balance
       ?ENDIF

7)  An ORIGINAL DEST column has been added to the masq file, allowing
    SNAT rules to match only DNAT traffic to a particular original source
    address.


                   V.  M I G R A T I O N   I S S U E S


1)  If you are migrating from Shorewall 4.2.x or earlier, please see
    http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/releasenotes.txt

2)  The BLACKLIST section of the rules file has been eliminated. 
    If you have entries in that file section, you must move them to the
    blrules file.

3)  This version of Shorewall requires either the Digest::SHA1 or
    Digest::SHA Perl module.

        Debian: libdigest-sha1-perl or libdigest-sha-perl
        Fedora: perl-Digest-SHA1 or perl-Digest-SHA
        OpenSuSE: perl-Digest-SHA1 or perl-Digest-SHA

4)  The generated firewall script now maintains the
    /var/lib/shorewall[6][-lite]/interface.status files used by SWPING
    and by LSM.

    If you have optional providers and do not run a link monitor like
    SWPING or LSM that updates these files, then you should remove
    /etc/shorewall[6]/isusable if it is installed.


Reproducible: Always
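The ?IF/?ELSIF/?ELSE/?ENDIF handling described in the release notes above (corrected problem 4, new features 5 and 6), as an added Python model that is not Shorewall's own code. The supported expression subset and the one-provider-per-branch sample input are assumptions made for this example.

```python
import re
# Added example, not Shorewall's own code: a model of ?IF/?ELSIF/?ELSE/?ENDIF.
# Assumed expression subset: terms $VAR (params/shorewall.conf), __CAP
# (capability) or an integer, optionally negated with '!', joined by && and ||
# (&& binds tighter). Perl truthiness: '' and '0' are false.

def eval_cond(expr, env, caps):
    """Evaluate one directive expression; unknown syntax raises ValueError."""
    def term(t):
        neg = t.strip().startswith('!')
        t = t.strip().lstrip('!').strip()
        if re.fullmatch(r'\$\w+', t): val = str(env.get(t[1:], '')) not in ('', '0')
        elif re.fullmatch(r'__\w+', t): val = t[2:] in caps
        elif re.fullmatch(r'\d+', t): val = int(t) != 0
        else: raise ValueError('unsupported term: %r' % t)
        return val != neg
    return any(all(term(t) for t in alt.split('&&')) for alt in expr.split('||'))

def preprocess(lines, env, caps):
    """Return the lines the compiler would see once the directives are resolved."""
    out, stack = [], []   # one [emitting, some_branch_taken] entry per open ?IF
    for line in lines:
        m = re.match(r'\?(IF|ELSIF|ELSE|ENDIF)\b(.*)', line.strip())
        if not m:
            if all(e[0] for e in stack): out.append(line)
        elif m.group(1) == 'IF':
            cond = eval_cond(m.group(2), env, caps)   # '?IF 0' just skips its block
            stack.append([cond, cond])
        elif not stack:
            raise ValueError('?%s without a matching ?IF' % m.group(1))
        elif m.group(1) == 'ELSIF':
            cond = not stack[-1][1] and eval_cond(m.group(2), env, caps)
            stack[-1] = [cond, stack[-1][1] or cond]
        elif m.group(1) == 'ELSE':
            stack[-1] = [not stack[-1][1], True]
        else:
            stack.pop()
    if stack: raise ValueError('missing ?ENDIF')
    return out

# Constructed input: the providers excerpt from the notes, one provider per branch.
PROVIDERS = """?IF $FALLBACK
ComcastB  1   0x10000 -    COMB_IF   detect fallback
?ELSIF $STATISTICAL
ComcastB  1   0x10000 -    COMB_IF   detect load=0.66666667
?ELSE
ComcastB  1   0x10000 -    COMB_IF   detect balance=2
?ENDIF""".splitlines()

def provider_options(env, caps=()):
    """OPTIONS column of each provider line selected for the given params."""
    return [l.split()[-1] for l in preprocess(PROVIDERS, env, caps)]
```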
Comment 1 Constanze Hausner (RETIRED) gentoo-dev 2012-08-15 17:53:05 UTC
Done :).